Misc

Windows Packet Capture

Localhost

https://www.netresec.com/index.ashx?page=RawCap :

To File:

RawCap.exe 127.0.0.1 localhost_capture.pcap

To Wireshark:

RawCap.exe -q 127.0.0.1 - | "C:\Program Files\Wireshark\Wireshark.exe" -i - -k

Remove Obfuscation from .NET Binaries

  • de4dot

  • confuserexstringdecryptor

  • confuserexswitchkiller

Esoteric Language / Other Decodings

Update all pip installed python packages

pip freeze --user | cut -d'=' -f1 | xargs -n1 pip install -U

Find what program listens on a port on linux

sudo lsof -i -P -n | grep LISTEN

Delete all docker container & images

docker rm -vf $(docker ps -a -q)
docker rmi -f $(docker images -a -q)

Json to NDJson

cat file.json | jq -c '.[]' > converted.json

Domain Fronting

Connect to a benign domain where you know it will be served by a big CDN (SNI is set to this domain). Change the host header to your malicious site which is hosted on the same CDN.

Screenshot from PowerShell

[Reflection.Assembly]::LoadWithPartialName("System.Drawing")
function screenshot([Drawing.Rectangle]$bounds, $path) {
$bmp = New-Object Drawing.Bitmap $bounds.width, $bounds.height
$graphics = [Drawing.Graphics]::FromImage($bmp)
$graphics.CopyFromScreen($bounds.Location, [Drawing.Point]::Empty, $bounds.size)
$bmp.Save($path)
$graphics.Dispose()
$bmp.Dispose()
}
$bounds = [Drawing.Rectangle]::FromLTRB(0, 0, 1920, 1080)
screenshot $bounds "C:\programdata\screenshot.png"

Simple HTTP Server

This short snippet will print the request headers & allow graceful shutdown.

#!/usr/bin/env python3
import http.server as SimpleHTTPServer
import socketserver as SocketServer
class StoppableHTTPServer(SimpleHTTPServer.HTTPServer):
def run(self):
try:
self.serve_forever()
except KeyboardInterrupt:
pass
finally:
self.server_close()
class GetHandler(SimpleHTTPServer.SimpleHTTPRequestHandler):
def do_GET(self):
print(self.headers)
SimpleHTTPServer.SimpleHTTPRequestHandler.do_GET(self)
server = StoppableHTTPServer(("", 80), GetHandler)
server.run()

NetBSD useful commands

List ports

netstat -na -f inet