tothi

## bh_split2.py
#!/usr/bin/python3
# Based on https://gist.github.com/deltronzero/7c23bacf97b4b61c7a2f2950ef6f35d8
# updated to current BloodHound JSON format (compatible with SharpHound 2.x and BloodHound CE)
# pip install simplejson
import simplejson
import sys

def splitfile(file_name, object_limit):
    print(f"[*] Loading {file_name}")
    with open(file_name) as f:

## PrtSc_Screenshotter.ps1
# dependency
Add-Type -AssemblyName System.Windows.Forms

# send PrtSc key (= capture the screen to the clipboard)
[Windows.Forms.Sendkeys]::SendWait("{PrtSc}")

# save the image as PNG in memory
$png = New-Object System.IO.MemoryStream
[Windows.Forms.Clipboard]::GetImage().Save($png, [System.Drawing.Imaging.ImageFormat]::Png)

## kali-fde-tpm.md

      
              1 file
            
          
              1 fork
            
          
              0 comments
            
          
              8 stars
            
          
                tothi
                / kali-fde-tpm.md
            
            
              Last active
              June 30, 2023 15:03
            
              
                Full Disk Encryption with unattended auto-unlock using TPM2; hardened with Secure Boot on Kali
              
          
      View kali-fde-tpm.md
  
      
    Full Disk Encryption w/ TPM2 on Kali
Short HOWTO about setting up Full Disk Encryption with unattended auto-unlock using TPM2 on Kali.
Useful for rogue devices (auto-connecting to C2), headless pentest boxes, etc. storing confidential information
but lacking physical security.
NOTE: In order to maintain integrity and protect the encryption key, hardening the boot process with Secure Boot is a must.
For making Secure Boot work (without messing up the default UEFI keys stored in the hardware), the Microsoft-signed
UEFI shim loader is used (available in the Kali repo) which is able to load securely an arbitrary ELF image as 2nd stage

  
## config.nims
# original idea: https://github.com/nim-lang/Nim/issues/20007#issue-1300915309

# use case for https://github.com/chvancooten/NimPlant
#   - put this config.nims into NimPlant/client folder and build should work without errors on ArchLinux also

import std/strutils
import std/sequtils

# remove -fstack-clash-protection
switch("gcc.options.always", replace(get("gcc.options.always"), "-fstack-clash-protection", ""))

## msmq_detect.py
#!/usr/bin/env python3
#
# detect whether the remote MSMQ service on 1801/tcp is enabled or not
# by sending a valid message to the target
#
# resources:
#  https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-mqmq/b7cc2590-a617-45df-b6a3-1f31102b36fb
#  https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-mqqb/85498b96-f2c8-43b3-a108-c9d6269dc4af
#

## PidLidReminderPwn.py
#!/usr/bin/python -u

from exchangelib import Credentials, Configuration, Account, DELEGATE, Message, Mailbox, ExtendedProperty
from exchangelib.ewsdatetime import EWSDateTime, EWSTimeZone, UTC_NOW

from exchangelib.protocol import BaseProtocol, NoVerifyHTTPAdapter
BaseProtocol.HTTP_ADAPTER_CLS = NoVerifyHTTPAdapter

import urllib3
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

## openssl-legacy-md4.md

      
              2 files
            
          
              2 forks
            
          
              2 comments
            
          
              8 stars
            
          
                tothi
                / openssl-legacy-md4.md
            
            
              Last active
              September 4, 2023 12:51
            
              
                /etc/ssl/openssl.cnf supporting legacy digests like MD4 (useful for offensive tools requiring NTLM support)
              
          
      View openssl-legacy-md4.md
  
      
    This is a minimal /etc/ssl/openssl.cnf supporting legacy algorithms on modern openssl installations
where it is disabled by default.
The marked (######) lines should be added to your openssl.cnf (other parts may be unchanged).
For checking if legacy providers are enabled successfully:
$ openssl list -providers
Providers:


## DInjectQueuerAPC.cs
/// Using with GadgetToJScript (e.g. for VBS payload):
/// 1.) compile to DLL: c:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /target:library /out:DInjectQueuerAPC.dll /r:System.Net.Http.dll DInjectQueuerAPC.cs
/// 2.) generate VBS: GadgetToJScript.exe -w vbs -b -o DInjectQueuerAPC -a DInjectQueuerAPC.dll
/// 3.) test: cscript.exe DInjectQueuerAPC.vbs

using System;
using System.Diagnostics;
using System.IO;
using System.Runtime.InteropServices;
using System.Threading.Tasks;

## mmimikatz.cna
#
# multi-command mimikatz in a Cobalt Strike beacon extending the built-in mimikatz functionality
#
# cmd separator is |
#
# practical example: export machine certificates (including non-exportable private key :)):
#
# mmimikatz "crypto::capi|crypto::certificates /systemstore:local_machine /store:my /export"
#

## mitmproxy-jwt-refresh-addon.py
# run: mitmproxy -k -p 8090 -s mitmproxy-jwt-refresh-addon.py
# set burp upstream proxy to localhost:8090
#
# use case:
#   - application authorization is implemented by OAuth 2.0
#   - testing is performed using Burp as primary and mitmproxy as upstream proxy
#   - mitmproxy takes care of the Authorization tokens using this addon
#   - user gets an access_token and a refresh_token during the 1st login (e.g. password login)
#   - mitmproxy addon caches access_token and refresh_token
#   - mitmproxy addon adds Authorization: Bearer [access_token from cache] header for every request
	#!/usr/bin/python3
	# Based on https://gist.github.com/deltronzero/7c23bacf97b4b61c7a2f2950ef6f35d8
	# updated to current BloodHound JSON format (compatible with SharpHound 2.x and BloodHound CE)
	# pip install simplejson
	import simplejson
	import sys

	def splitfile(file_name, object_limit):
	print(f"[*] Loading {file_name}")
	with open(file_name) as f:
	# dependency
	Add-Type -AssemblyName System.Windows.Forms

	# send PrtSc key (= capture the screen to the clipboard)
	[Windows.Forms.Sendkeys]::SendWait("{PrtSc}")

	# save the image as PNG in memory
	$png = New-Object System.IO.MemoryStream
	[Windows.Forms.Clipboard]::GetImage().Save($png, [System.Drawing.Imaging.ImageFormat]::Png)
	# original idea: https://github.com/nim-lang/Nim/issues/20007#issue-1300915309

	# use case for https://github.com/chvancooten/NimPlant
	# - put this config.nims into NimPlant/client folder and build should work without errors on ArchLinux also

	import std/strutils
	import std/sequtils

	# remove -fstack-clash-protection
	switch("gcc.options.always", replace(get("gcc.options.always"), "-fstack-clash-protection", ""))
	#!/usr/bin/env python3
	#
	# detect whether the remote MSMQ service on 1801/tcp is enabled or not
	# by sending a valid message to the target
	#
	# resources:
	# https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-mqmq/b7cc2590-a617-45df-b6a3-1f31102b36fb
	# https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-mqqb/85498b96-f2c8-43b3-a108-c9d6269dc4af
	#
	#!/usr/bin/python -u

	from exchangelib import Credentials, Configuration, Account, DELEGATE, Message, Mailbox, ExtendedProperty
	from exchangelib.ewsdatetime import EWSDateTime, EWSTimeZone, UTC_NOW

	from exchangelib.protocol import BaseProtocol, NoVerifyHTTPAdapter
	BaseProtocol.HTTP_ADAPTER_CLS = NoVerifyHTTPAdapter

	import urllib3
	urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
	/// Using with GadgetToJScript (e.g. for VBS payload):
	/// 1.) compile to DLL: c:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /target:library /out:DInjectQueuerAPC.dll /r:System.Net.Http.dll DInjectQueuerAPC.cs
	/// 2.) generate VBS: GadgetToJScript.exe -w vbs -b -o DInjectQueuerAPC -a DInjectQueuerAPC.dll
	/// 3.) test: cscript.exe DInjectQueuerAPC.vbs

	using System;
	using System.Diagnostics;
	using System.IO;
	using System.Runtime.InteropServices;
	using System.Threading.Tasks;
	#
	# multi-command mimikatz in a Cobalt Strike beacon extending the built-in mimikatz functionality
	#
	# cmd separator is \|
	#
	# practical example: export machine certificates (including non-exportable private key :)):
	#
	# mmimikatz "crypto::capi\|crypto::certificates /systemstore:local_machine /store:my /export"
	#
	# run: mitmproxy -k -p 8090 -s mitmproxy-jwt-refresh-addon.py
	# set burp upstream proxy to localhost:8090
	#
	# use case:
	# - application authorization is implemented by OAuth 2.0
	# - testing is performed using Burp as primary and mitmproxy as upstream proxy
	# - mitmproxy takes care of the Authorization tokens using this addon
	# - user gets an access_token and a refresh_token during the 1st login (e.g. password login)
	# - mitmproxy addon caches access_token and refresh_token
	# - mitmproxy addon adds Authorization: Bearer [access_token from cache] header for every request