Phrozen InfoSec Tools - Papers

PowerRunAsAttached is a ported version of RunAsAttachedLocal in Powershell with inline CSharp.

This script allows to spawn a new interactive console as another user account in the same calling console (console instance/window).

One possible example is that this tool gives you with ease the possibility to do vertical / horizontal privilege escalation through your already established Netcat / WinRM session.



Read more...

PowerBruteLogon is a ported version of WinBruteLogon in pure PowerShell

⚠️ Notice: this version is slower than WinBruteLogon but has the serious advantage of being 100% entirely coded in PowerShell. In a near future, password attempts will be distributed to separate threads to speed up the process. Also keep in mind that this method is very noisy, each failed attempt will get logged on Microsoft Windows Event Logs.

You might find useful information about the technique used in this PoC here



Read more...

PowerAssembly

Map in current PowerShell Instance Memory .NET Assemblies from remote web server.

When Assembly is mapped, you can invoke it's main with a command line argument.

The advantage of this technique is to avoid having assemblies written on disk. Everything happens in memory.

I'm using this script during my penetration tests / labs right after getting an initial shell on Windows to load other .NET Tools (Ex: ShapHound, ShapUp etc..)



Read more...

NASM Shell++ is an enhanced version of the Metasploit Framework NASM Shell.

You can edit instructions, specify bad characters and finally export your final payload in Python, C or CPP

Read more...

This tool will help you to find code caves in target x86-32 bit Microsoft Windows PE files.

This tool automatically patch application entry point to redirect code execution to chosen code cave, where your payload is stored. When payload execution is over, code execution is redirected back to original program entry point.

Code Cave Helper supports main section encryption.

This tool is considered as a PoC, it was created during my preparation for OSCE Certification in order to master the art of Backdooring PE Files.

A good improvement would be to support x86-64 bit files and offer an option to create a new section instead of searching for natural code caves.

Read more...

YASE (Yet Another Sub Encoder) is a tiny but efficient Sub Encoder to quickly encode your shellcode payloads and thus bypass some common restricted character while exploiting buffer overflows.

This tool will brute force any possible combination to achieve expected result. The advantage of a such approach is to have an output result that always look different.

Read more...

Bellow script demonstrate how to create a very basic multithreaded web file and directory fuzzer.

It is far from being as fast as other famous web fuzzers (wfuzz, dirb, gobuster etc..) but it is at least a good start to understand how to create yours.

#!/bin/python3

'''
    -= Just a web fuzzer example =-
    (@DarkCoderSc)

    Dependencies:
        - pip install progressbar2
'''

import requests
import progressbar 
from multiprocessing import Pool
from multiprocessing.dummy import Pool as ThreadPool
from multiprocessing import Lock
import argparse

#
# Acquire parameters
#
parser = argparse.ArgumentParser(description="Just a web fuzzer example")

parser.add_argument('-u', '--url', action="store", dest="base_url", required=True, help="Target base URL to fuzz (ex: http://example.com/")
parser.add_argument('-w', '--wordlist', action="store", dest="wordlist_file", metavar="in-file", type=argparse.FileType('r'), required=True, help="Plain text wordlist file location.")
parser.add_argument('-x', '--extensions', action="store", dest="extensions", nargs='*', required=False, help="Append file extension at the end of each candidates (ex: .php .php5 .html .html5)")

try:
    argv = parser.parse_args()
except IOError:
    parser.error()


#
# Log Defs
#
def success(message):
    print("[\033[32mOK\033[39m] " + message)

def fail(message):
    print("[\033[31mKO\033[39m] " + message)

def debug(message):
    print("[\033[33m!!\033[39m] " + message)


#
# Fuzzer
#
def fuzz(args):
    lock = args[0]
    pbar = args[2]

    global base_url

    target_url = base_url + args[1]

    req = requests.head(target_url)

    status = req.status_code

    message = "{} - {}".format(status, target_url)

    if (status == 200):
        success(message)
    elif (status != 404):
        debug(message)

    lock.acquire()
    try:                   
        global progress

        progress += 1

        pbar.update(progress)
    finally:
        lock.release()   
    return

base_url = argv.base_url
if not base_url.endswith("/"):
    base_url += "/"

with open(argv.wordlist_file.name, "r", errors="ignore") as file:
    candidates = file.readlines()

    widgets = [
        ' [', progressbar.Timer(), '] ',
        progressbar.Bar(),
        ' (', progressbar.ETA(), ') ',
    ]

    ext_count = 1
    if argv.extensions:
        ext_count = len(argv.extensions) +1

    pbar = progressbar.ProgressBar(maxval=(len(candidates) * ext_count), widgets=widgets, redirect_stdout=True)         

    progress = 0

    pbar.start()
    try:
        pool = ThreadPool()
        try:    
            lock = Lock()

            for index, candidate in enumerate(candidates):
                candidate = candidate.strip()            

                if not candidate:
                    continue

                pool.map(fuzz, [[lock, candidate, pbar]])

                if (ext_count > 1):
                    for extension in argv.extensions:
                        pool.map(fuzz, [[lock, (candidate + extension), pbar]])            

        finally:
            pool.close()
            pool.join()
    finally:
        pbar.finish()
Read more...

Local version

You can find another variant of this program which doesn't requires Networking function and also compatible with any application like Netcat, Telnet etc... here : (RunAsAttached)[https://www.phrozen.io/paper/infosec-tools/runasattached]

RunAsAttached (Local) version is more stable.

The goal of Networked version was to demonstrate inter-process communication using Socket programming.

RunAsAttached (Networked) - 32bit / 64bit

RunAsAttached is a program to run a console as another user and keep new console attached to caller console. Support reverse shell mode (Ex: Netcat)

Read more...

RunAs Attached (Local) - 32bit / 64bit

Create a new application process as another Microsoft Windows user and attach its inputs / outputs (stdin, stdout, stderr) to caller console.

The new process is interactivly Attached to caller console.

Usage

RunAsAttached.exe -u <username> -p <password> [-d <domain>]

Available on download section

Read more...

RunAs (Microsoft Windows) - 32bit / 64bit.

This program is an example about how to easily run any programs as any user.

Usage

Mandatory

  • -u <username> : Launch program as defined username.
  • -p <password> : Password associated to username account.
  • -e <program> : Executable path (Ex: notepad.exe).
Read more...