@shelld0n
shelld0n / wmiexec_server_mode.py
Created September 20, 2019 15:25
Impacket wmiexec.py implementation supporting SERVER mode
#!/usr/bin/env python
# SECUREAUTH LABS. Copyright 2018 SecureAuth Corporation. All rights reserved.
#
# This software is provided under a slightly modified version
# of the Apache Software License. See the accompanying LICENSE file
# for more information.
#
# A similar approach to smbexec but executing commands through WMI.
# Main advantage here is it runs under the user (has to be Admin)
# account, not SYSTEM, plus, it doesn't generate noisy messages
# In reverse shell
$ python -c 'import pty; pty.spawn("/bin/bash")'
Ctrl-Z
# In Kali
$ stty raw -echo
$ fg
# In reverse shell
$ reset
Extract the client certificate chain from the p12
openssl pkcs12 -in -cacerts -nokeys -chain -out
Extract the client certificate
openssl pkcs12 -in -clcerts -nokeys -out
Extract the client's encrypted private key
openssl pkcs12 -in yourP12File.pfx -nocerts -out privateKey.pem
Import the PEM certificate into the Kafka brokers' truststore (one addition for each certificate in the chain)
@shelld0n
shelld0n / msfvenom-reverse-tcp-WaitForSingleObject.md
Created January 14, 2019 21:25 — forked from mgeeky/msfvenom-reverse-tcp-WaitForSingleObject.md
(OSCE/CTP, Module #3: Backdooring PE Files) Document explaining how to locate WaitForSingleObject(..., INFINITE) within msfvenom's (4.12.23-dev) generated payload and how to fix the payload's glitches.

Looking for WaitForSingleObject call within modern msfvenom generated payload.


Abstract

This is a document explaining how to locate WaitForSingleObject(..., INFINITE) within msfvenom's (4.12.23-dev) generated payload and how to fix the payload's glitches. It goes through the analysis of a windows/shell_reverse_tcp payload, touching issues like stack alignment, WaitForSingleObject locating & patching. It was written when I realised there are many topics on the Offensive-Security OSCE/CTP forums touching on the problem of finding this particular Windows API. Since RE is one of my stronger FU's I decided to write down my explanation of the subject.

Contents:

@shelld0n
shelld0n / WMIPersistence.vbs
Created January 14, 2019 15:27 — forked from mgeeky/WMIPersistence.vbs
Visual Basic Script implementing WMI Persistence method (as implemented in SEADADDY malware and further documented by Matt Graeber) to make the Macro code schedule malware startup roughly 3 minutes after the system boots.
'
' SYNOPSIS:
' WMI Persistence method as originally presented by SEADADDY malware
' (https://github.com/pan-unit42/iocs/blob/master/seaduke/decompiled.py#L887)
' and further documented by Matt Graeber.
'
' The scheduled command will be launched after roughly 3 minutes since system
' gets up. Also, even if the command shall spawn a window - it will not be visible,
' since the command will get invoked by WmiPrvSE.exe that's running in Session 0.
'
@shelld0n
shelld0n / muti-stage-1.md
Created January 14, 2019 15:27 — forked from mgeeky/muti-stage-1.md
Multi-Stage Malicious Document creation process (ala APT)

Multi-Stage Penetration-Testing / Red Teaming Malicious Word document creation process

The below paper documents the process of creating a multi-stage IPS/AV transparent malicious document for purposes of Red Teaming / Penetration-Testing assignments.

The resulting document will be:

  • Using OLE event autorun method
  • Removing its pretext shapes
  • Obtaining commands to be executed from document's Author property and passing them to StdIn of Powershell.exe process
  • Leveraging certutil technique to receive Base64 encoded malicious HTA document
  • Having Base64 encoded Powershell command in that Author property