
Showing results for tags 'run'.

Found 12 results

  1. Using fibers to run in-memory code in a different and stealthy way.

     Description

     A fiber is a unit of execution that must be manually scheduled by the application rather than rely on the priority-based scheduling mechanism built into Windows. Fibers are often called lightweight threads. For more detailed information about what fibers are and how they work, consult the official documentation. Fibers allow multiple execution flows in a single thread, each one with its own registers' state and stack. On the other hand, fibers are invisible to the kernel, which makes them a stealthier (and cheaper) method to execute in-memory code than spawning new threads.

     Advantages

     The use of fibers may be advantageous for some types of payloads (like a C2 beacon) for some of these reasons:

     • Fibers allow running in-memory code without the need to use the instructions JMP or CALL from the loader pointing to unbacked memory regions.
     • This execution is performed without the creation of new threads, preventing the generation of callbacks from the kernel that can be collected by an EDR.
     • The payload fiber's stack can be hidden when the payload enters an alertable state or when it needs to wait for a pending I/O operation. This is done using a control fiber with a normal stack that runs code from disk. This "hiding" is cheaper and easier to implement than the regular thread stack spoofing process.
     • The fibers are invisible to the kernel and all the switching procedure happens in user space, which makes it easier to hide from an EDR.

     [Hidden Content]
  2. NOTE: THIS VIDEO IS ONLY FOR EDUCATIONAL ACTIVITIES, AND DOES NOT PROMOTE ANY ILLEGAL STUFF. [Hidden Content]
  3. ForceAdmin is a C# payload builder, creating infinite UAC pop-ups until the user allows the program to be run. The inputted commands are run via PowerShell calling cmd.exe and should use the batch syntax.

     Why use?

     Well, some users have UAC set to always show, so UAC bypass techniques are not possible. However, this attack will force them to run as admin.

     Bypassing these settings

     [Hidden Content]
  4. [Hidden Content]
  5. vopono is a tool to run applications through VPN tunnels via temporary network namespaces. This allows you to run only a handful of applications through different VPNs simultaneously, whilst keeping your main connection as normal. vopono includes built-in killswitches for both Wireguard and OpenVPN.

     Currently, Mullvad, AzireVPN, MozillaVPN, TigerVPN, ProtonVPN, iVPN, NordVPN, HMA (HideMyAss), and PrivateInternetAccess are supported directly, with custom configuration files also supported with the --custom argument. For custom connections, the OpenConnect and OpenFortiVPN protocols are also supported (e.g. for enterprise VPNs).

     Supported Providers

     Provider                 OpenVPN support   Wireguard support
     Mullvad                  ✅                ✅
     AzireVPN                 ✅                ✅
     iVPN                     ✅                ✅
     PrivateInternetAccess    ✅                ❌
     TigerVPN                 ✅                ❌
     ProtonVPN                ✅                ❌
     MozillaVPN               ❌                ✅
     NordVPN                  ✅                ❌
     HMA (HideMyAss)          ✅                ❌
     AirVPN                   ✅                ❌

     [Hidden Content]
  6. Skrull

     There is a well-known feature by which anti-virus or EDR can capture ambiguous or suspicious program files and send them back to a security response center for researcher analysis. For malware designers, playing cat and mouse with security solutions in the post-exploitation stage while hiding their backdoors from malware detection and forensics is a crucial mental challenge.

     Many methods used in the wild by hackers against researchers have already been discussed, for example using a COM hijack to obscure their malware, deploying a kernel hook-based rootkit, bypassing signature-based scanning, and others besides. There's still no method robust enough to counter these techniques, as researchers often cannot totally understand how the malware works internally even if it's caught and analyzed.

     Imagine a situation: malware acquires DRM protection, and thereby naturally damages itself when copied from the infected machine. Is it possible? How would it happen? In short, security vendors should be prepared to handle this situation within the Maginot line of their own defenses.

     Skrull is a malware DRM that prevents Automatic Sample Submission by AV/EDR and Signature Scanning from Kernel. It generates launchers that can run malware on the victim using the Process Ghosting technique. Also, launchers are totally anti-copy and naturally broken when submitted.

     Skrull (v1.0BETA) Latest

     [+] Only supports 64-bit PE right now.

     [Hidden Content]
  7. Unmanaged PowerShell execution using DLLs or a standalone executable.

     Introduction

     PowerShx is a rewrite and expansion on the PowerShdll project. PowerShx provides functionalities for bypassing AMSI and running PS Cmdlets.

     Features

     • Run PowerShell with DLLs using rundll32.exe, installutil.exe, regsvcs.exe or regasm.exe, regsvr32.exe.
     • Run PowerShell without powershell.exe or powershell_ise.exe.
     • AMSI Bypass features.
     • Run PowerShell scripts directly from the command line or PowerShell files.
     • Import PowerShell modules and execute PowerShell Cmdlets.

     [Hidden Content]
  8. A web application that makes it easy to run your pentest and bug bounty projects.

     Description

     The app provides a convenient web interface for working with various types of files that are used during the pentest, and for automating port scans and subdomain searches.

     [Hidden Content]
  9. AutoDirbuster

     Automatically run and save Dirbuster scans for multiple IPs.

     Why?

     OWASP Dirbuster is a great directory buster, but running it against multiple IPs and ports is a very manual process with a lot of downtime between scans. This script attempts to automate that process and eliminate downtime between scans.

     What is the recommended usage?

     If attacking multiple targets:

     • Run Nmap and find open ports, outputting the results with -oG or -oA
     • Run AutoDirbuster with the Nmap results and a timeout (closed ports or non-HTTP based services are ignored)

         python AutoDirbuster.py -g Nmap_results.gnmap -to 15

     • As the pentest progresses, periodically review the Dirbust results using dirbust_read.py, which will ignore all Dirbuster error lines and only print the found directories and files

     If attacking a single target:

         python AutoDirbuster.py -st example.com:80

     What data does this need?

     The script can take three data sources:

     • List of IP:port or hostname:port, one per line

         python AutoDirbuster.py ip_port_list.txt

     • An Nmap Gnmap result file

         python AutoDirbuster.py -g Nmap_results.gnmap

     • A single target

         python AutoDirbuster.py -st example.com:80

     How does this script work?

     • A list of targets is provided
     • A TCP connect scan is done on the target port to test if it's open
     • If it's open, HTTP and HTTPS requests are sent to determine if the service is HTTP-based and whether it requires SSL
     • If the service is HTTP, a check is done to determine if a previous report file is in the same directory. Report files follow the format: DirBuster-Report-IP-port.txt
     • Dirbuster is run using Python's subprocess.Popen(). If a timeout is specified, then after the timeout period, a SIGINT signal is sent to Dirbuster so it can safely shut down and write results to disk. A note is added to the report indicating that the scan timed out.
     • The next IP:port goes through the same process (TCP connect, HTTP service query, dirbust)

     This script isn't working

     Ensure the following:

     • Are all of the dependencies listed in requirements.txt installed?
     • Is there a directory called "DirBuster" inside the same directory as AutoDirbuster.py?
     • Does this "DirBuster" directory contain the Dirbuster JAR file named "DirBuster.jar"?
     • Is "DirBuster.jar" version 0.12?
     • Does this "DirBuster" directory contain a file called "directory-list-2.3-small.txt" (the default wordlist)?
     • Does this "DirBuster" directory contain a subdirectory called "lib" with the default 13 required Dirbuster JAR dependencies?
     • Is Java installed?
     • Is Java in your path?
     • Run AutoDirbuster with the --debug flag to view the subprocess command that AutoDirbuster is using to launch Dirbuster. Run this command from the terminal to view standard error, as AutoDirbuster is configured to send subprocess standard error to /dev/null

     [Hidden Content]
  10. [Hidden Content]
  11. [Hidden Content]