Spain

Ricardo J. Ruiz

Elite
@ricardojoserf

NativeDump. Dump lsass using only NTAPI functions by hand-crafting Minidump files (without MiniDumpWriteDump!!!)

739

wifi-pentesting-guide. WiFi Penetration Testing Guide

718

TrickDump. Dump lsass using only NTAPI functions creating 3 JSON and 1 ZIP file... and generate the MiniDump file later!

560

instagram-followers-bot. A bot for Instagram. You can follow users using a tag or in a specific location, unfollow those who dont follow-you-back, and follow-back those who follow you

527

NativeBypassCredGuard. Bypass Credential Guard by patching WDigest.dll using only NTAPI functions

270

WhoamiAlternatives. Different methods to get current username without using whoami

187

adfsbrute. A script to test credentials against Active Directory Federation Services (ADFS), allowing password spraying or bruteforce attacks.

182

covert-tube. Youtube as covert-channel - Control systems remotely and execute commands by uploading videos to Youtube

105

SharpCovertTube. Youtube as C2 channel - Control Windows systems uploading QR videos to Youtube

101

NativeTokenImpersonate. Impersonate Tokens using only NTAPI functions

85

twitter-followers-bot. A bot for Twitter. You can follow users in a specific location or tweeting specific words and unfollow those who do not follow you back (and are not included in whitelist.txt). Also generates REPORTS!

77

covert-control. Google Drive, OneDrive and Youtube as covert-channels - Control systems remotely by uploading files to Google Drive, OneDrive, Youtube or Telegram

70

wpa2-enterprise-attack. Virtual machines and scripts to attack WPA2-Enterprise networks through Rogue Access Points downgrading the authentication method to GTC

64

DoubleTeam. Listener that spawns a new tmux window for each incoming reverse shell + Supports listening on many ports

59

emqx-RCE. EMQX Dashboard Malicious Plugin leading to RCE

47

MemorySnitcher. Vulnerable (on purpose) programs to leak NtReadVirtualMemory address for stealthier API resolution (no GetProcAddress, GetModuleHandle or LoadLibrary in the IAT)

43

instagram-user-id. Get the user ID of any user in instagram

40

Portswigger-Labs. All Apprentice and Practitioner-level Portswigger labs

39

SharpSelfDelete. PoC to self-delete a binary in C#

36

NativeNtdllRemap. Remap ntdll.dll using only NTAPI functions with a suspended process

28

spotify-playlist-downloader. Downloading Spotify Playlists

28

OSED-prep. Exploits written while preparing for the OSED exam

27

SSSD-creds. Script to extract the cached credentials from SSSD, getting Active Directory credentials from Unix systems

25

http-protocol-exfil. Exfiltrate files using the HTTP protocol version ("HTTP/1.0" is a 0 and "HTTP/1.1" is a 1)

24

SharpObfuscate. Obfuscate payloads using IPv4, IPv6, MAC or UUID strings

24

p-invoke.net. P/Invoke definitions from the most-of-the-time offline offline pinvoke.net. Website: https://ricardojoserf.gitbook.io/pinvoke

23

slae32. The SecurityTube Linux Assembly Expert (SLAE) is an online course and certification which focuses on teaching the basics of 32-bit assembly language for the Intel Architecture (IA-32) family of processors on the Linux platform and applying it to Infosec

22

Tinder-Searcher-and-DB-creation. Tinder user searcher and DB creation. Proof of concept for Tinder security team

19

SharpNado. Repository to gather the .NET malware I will be developing

18

CESP-ADCS-cheatsheet. Cheatsheet for Altered Security's CESP ADCS course

17

ddos_simulation. DDoS simulation written in Python using "scapy" and "multiprocessing" libraries. Used for educational purposes

17

ntds-analyzer. A tool to analyze Ntds.dit files once the NTLM and LM hashes have been cracked.

16

s7-parser. Parser of the industrial protocol S7 (S7comm) using Libpcap

15

subdoler. Easy subdomain finder from a list of company names, IP ranges or domains.

15

MinidumpParser. C# program to parse Microsoft Minidump files and their streams

14

vulnserver-exploits. Vulnserver exploits

14

BOF_Files. Repository to gather the BOF files I will be developing

11

jeringuilla. Process injection framework in C#. It uses dynamic function loading using delegates and AES-encryption for strings and payloads

10

SharpNtdllOverwrite. Overwrite ntdll.dll's ".text" section to bypass API hooking. Getting the clean dll from disk, Knowndlls folder, a debugged process or a URL

10

webmin-tor-bruteforce. Script to bruteforce Webmin allowing to rotate the IP address using Tor

9

triangle-position. Triangle a coordinate given 3 or 4 coordinates

9

omrs-rce-exploit. Online Marriage Registration System (OMRS) 1.0 - Remote code execution

9

instagram-liker-all-posts. Like all posts of a user given the username in Instagram

8

network-providers. Tests with Network Providers DLLs, adding some extra functionality to NPPSpy2 by @gtworek

8

GetProcAddress. GetProcAddress implementation in C# walking the PEB using only NtReadVirtualMemory

8

LM_original_password_cracker. Having the NTLM and a cracked LM hash it is possible to get the original password by testing all the combinations of upper and lowercases. This is useful if a ntds.dit file has both NTLM and LM hashes

7

GetModuleHandle. GetModuleHandle implementation in C# using only NtQueryInformationProcess by walking the PEB

7

amazon-mwaa-RCE. RCE in Amazon Managed Workflows for Apache Airflow (MWAA) service

7

SharpProcessDump. Dump memory regions of a process using NtQueryVirtualMemory and NtReadVirtualMemory

7

pywisam. A Wifi pentesting framework written in Python

7

SharpEA. Read, write and delete Extended Attributes (EAs) within NTFS, to hide malicious payloads

6

github-bot. Easy bot for starring or branching a huge number of repositories. Using pyGithub

6

ipv4info_scraper. Get the IP blocks and domains from a company name by scrapping IPv4info

6

username-generator. Generate list of possible usernames for attacks such as password spraying

5

StealthyEnv. Stealthier alternative to whoami.exe in C#, it gets environment variables from PEB (PRTL_USER_PROCESS_PARAMETERS)

5

pyNtdllOverwrite. Overwrite ntdll.dll's ".text" section to bypass API hooking. Getting the clean dll from disk, Knowndlls folder or a debugged process

5

coinhive-example. Easy example using Coinhive in a simple page

4

goNtdllOverwrite. Overwrite ntdll.dll's ".text" section to bypass API hooking. Getting the clean dll from disk, Knowndlls folder or a debugged process

4

lsass-dumper. Dump lsass.exe generating a file with the hostname and date in txt format using C++.

3

nodejs_webshell. Node.js webshell created using AngularJS. It is a MEAN app (MongoDB + Express + AngularJs + Node.js) with a CLI in a text box

3
60
Apply