@caoimhinp
caoimhinp / win32.mak
Created March 28, 2017 09:14 — forked from ynkdir/win32.mak
win32.mak
# Win32.Mak - Win32 application master NMAKE definitions file for the
# Microsoft Windows SDK programming samples
# Copyright (C) Microsoft Corporation
# -------------------------------------------------------------------------
# This file should be included at the top of all MAKEFILEs as follows:
# !include <Win32.Mak>
# -------------------------------------------------------------------------
#
# Define APPVER = [ 4.0 | 5.0 | 5.01 | 5.02 | 6.0 | 6.1] prior to including win32.mak to get
# build time checking for version dependencies and to mark the executable
@caoimhinp
caoimhinp / attack.md
Created February 1, 2017 22:25 — forked from timruffles/attack.md
Chrome/Gmail attack received 11/03/2016. Not sure if the Chrome meta refresh + data:text,html technique is novel.

The following attack will display a "you've been signed out" page for GMail, and attempt to steal your account credentials.

DO NOT PUT ANY ACCOUNT CREDENTIALS INTO ANY TABS CREATED AFTER VISITING THESE LINKS :)

I received an email in my GMail inbox with a fake attachment image, styled to look like the real GMail attachment UI:

fake

This linked to a page that ended up displaying a fake "you've been signed out" link, via the data:text/html... URL feature of Chrome:

@caoimhinp
caoimhinp / Backdoor-Minimalist.sct
Created January 6, 2017 08:21
Execute Remote Scripts Via regsvr32.exe - Referred to As "squiblydoo" Please use this reference...
<?XML version="1.0"?>
<scriptlet>
<registration
progid="PoC"
classid="{F0001111-0000-0000-0000-0000FEEDACDC}" >
<!-- Proof Of Concept - Casey Smith @subTee -->
<!-- License: BSD3-Clause -->
<script language="JScript">
<![CDATA[
@caoimhinp
caoimhinp / EAgentSummary.rb
Last active October 13, 2016 09:15
Short script to shorten Empire agent logs for quick review.
#!/usr/bin/env ruby
#
# EAgentSummary
#
# This short script provides a summary of Empire agent
# timelines and loot without the output.
# I may or may not do anything else to this.
# I just wrote it to make reviewing agents logs a bit
# faster.
#
<#
.SYNOPSIS
Group Policy objects in your domain can have preferences that store passwords for different tasks, such as the following:
1. Data Sources
2. Drive Maps
3. Local Users
4. Scheduled Tasks (both XP and up-level)
5. Services
These passwords are stored in SYSVOL as part of GP preferences and are not secure because of weak encryption (32-byte AES).
Therefore, we recommend that you not deploy such preferences in your domain environment and remove any such existing
#!/usr/bin/env bash
# Based upon script posted by ItsMe on here:
# http://unix.stackexchange.com/questions/166341/constantly-check-if-file-is-modified-bash
# Provides : Check if a file is changed
# Requirements : bash, md5sum, cut
#####################################
# what file do we want to monitor?
file=/root/responder/Responder.db
@caoimhinp
caoimhinp / lolbandwidth.py
Created February 8, 2016 17:54 — forked from atucom/lolbandwidth.py
automatically log speedtest results to file with timestamp for logging.
#!/usr/bin/python
#stolen and modified from the reddit post about the raspberry pi tweeting at comcast
#run this every 10 minutes (or w/e) with cron:
#"crontab -e"
#*/10 * * * * /home/pi/lolbandwidth.py
import os
import sys
import csv
import datetime
import time
@caoimhinp
caoimhinp / WMI_recon_and_attacks.ps1
Created January 23, 2016 21:50 — forked from mattifestation/WMI_recon_and_attacks.ps1
BlueHat 2016 - WMI recon and attack demo
#############
### SETUP ###
#############
# Set up remote session
$Credential = Get-Credential TestUser
$AdminCred = Get-Credential Administrator
$SessionOption = New-CimSessionOption -Protocol Dcom
$CimSession = New-CimSession -Credential $Credential -ComputerName TestPC -SessionOption $SessionOption
$AdminCimSession = New-CimSession -Credential $AdminCred -ComputerName TestPC -SessionOption $SessionOption
#!/usr/bin/env ruby
require 'rubygems'
require 'json'
require 'pony'
require 'text-table'
# We write a file with the following format:
# ip_address,mac_address,accepted,alerted,first_seen_timestamp
email_to_alert = "email"
gmail_username = 'email'
gmail_app_password = 'password'