@thesubtlety
thesubtlety / natlas-docker-howto.md
Last active August 13, 2020 23:15
tl;dr natlas/docker install
thesubtlety / Get-GroupsRec.ps1
Created January 23, 2019 17:14
Get all AD group membership recursively (requires AD module)
function Get-GroupsRec {
    [CmdletBinding()]
    param
    (
        [Parameter(Mandatory)]
        [string]$User
    )
    # Resolve the user's DN, then query with the LDAP_MATCHING_RULE_IN_CHAIN OID
    # so nested (transitive) group membership is returned in a single LDAP query.
    $dn = (Get-ADUser $User).DistinguishedName
    Get-ADGroup -LDAPFilter ("(member:1.2.840.113556.1.4.1941:={0})" -f $dn) | Select-Object -ExpandProperty Name | Sort-Object Name
}
thesubtlety / stalebacon.cna
Created March 26, 2021 21:59
Stale beacon slacker, only messages once
# CNA script to alert on dead beacons. Doesn't repeat messages.
# author: noah @thesubtlety
# credit https://github.com/bluscreenofjeff/AggressorScripts/blob/master/stale-beacon-notifier.cna - bluescreenofjeff
$webhook_url = "https://hooks.slack.com/services/xxxxx";
$slack_channel = "#crackers";
%beacon_status = %();
# default stale value of 5 minutes (300000ms)
$stale_value = 300000;
#!/usr/bin/env ruby
require 'base64'
require 'digest'
require 'openssl'
# Author: @thesubtlety
# Decrypts Jenkins 2 encrypted strings, code change introduced around Jenkins ver 2.44
# Based off work by juyeong, https://gist.github.com/juyeong/081379bd1ddb3754ed51ab8b8e535f7c
thesubtlety / rundeck-commands.md
Created October 14, 2021 15:06
Rundeck Takeover Reference

Rundeck Compromise

Reference notes to run commands on nodes controlled by Rundeck given a valid API token.

RUNDECK="https://host"
TOKEN="x-rundeck-auth-token:<secret>"

# Identify projects
curl -H "$TOKEN" "$RUNDECK/api/16/projects/" -H accept:application/json | jq .
[List.Rules:Try]
cAz"[0-9]"
cAz"[£!$@#-=_]"
cAz"[0-9][0-9]"
cAz"[0-9][£!$@#-=_]"
cAz"[£!$@#-=_][0-9]"
cAz"[0-9][0-9][0-9]"
cAz"[0-9][0-9][0-9][0-9]"
cA0"[0-9]"
cA0"[£!$@#-=_]"
thesubtlety / _notes.md
Created April 25, 2022 14:53 — forked from djhohnstein/_notes.md
AppDomainManager Injection

Let's turn Any .NET Application into an LOL Bin

We can do this by experimenting with .config files.

Many defenders detect renamed files by matching the Original Filename to the Process Name.

In this example, we don't have to rename anything. We simply coerce a trusted signed app to load our Assembly.

We do this by directing the application to read a config file we provide.

thesubtlety / bulkip-shodan-scanner.py
Created December 11, 2019 00:24
Submit IPs/CIDRs to Shodan for scanning and download results
#!/usr/bin/env python3
import os
import sys
import time
import shodan
import netaddr
import ipaddress
'''
thesubtlety / Get-Exports.ps1
Created February 12, 2020 17:59
DLL Hijack with exports
function Get-Exports {
<#
.SYNOPSIS
Get-Exports, fetches DLL exports and optionally provides
C++ wrapper output (identical to ExportsToC++ but without
needing VS and a compiled binary). To do this it reads DLL
bytes into memory and then parses them (no LoadLibraryEx).
Because of this you can parse x32/x64 DLLs regardless of
the bitness of PowerShell.
thesubtlety / jxarunner.m
Created September 30, 2022 18:15
Obj JXA runner
#import <Foundation/Foundation.h>
#import <AppKit/AppKit.h>
#import <CoreFoundation/CoreFoundation.h>
#import <OSAKit/OSAKit.h>
#import <Cocoa/Cocoa.h>
#import <OSAKit/OSALanguage.h>
#import <Foundation/NSString.h>
#include <string.h>
//jxarunner file.js