{"id":20751467,"url":"https://github.com/bitsadmin/lofl","last_synced_at":"2025-04-09T15:07:27.854Z","repository":{"id":188437117,"uuid":"668299630","full_name":"bitsadmin/lofl","owner":"bitsadmin","description":"Living Off the Foreign Land setup scripts","archived":false,"fork":false,"pushed_at":"2025-02-26T19:02:41.000Z","size":48,"stargazers_count":67,"open_issues_count":0,"forks_count":14,"subscribers_count":2,"default_branch":"main","last_synced_at":"2025-04-09T15:07:12.907Z","etag":null,"topics":["dns","ldap","living-off-the-foreign-land","lofl","socks"],"latest_commit_sha":null,"homepage":"https://blog.bitsadmin.com/living-off-the-foreign-land-windows-as-offensive-platform","language":"PowerShell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"bsd-3-clause","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/bitsadmin.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2023-07-19T13:33:57.000Z","updated_at":"2025-03-24T01:24:29.000Z","dependencies_parsed_at":null,"dependency_job_id":"acf1d84e-3912-48e6-814d-c92f4d5c1430","html_url":"https://github.com/bitsadmin/lofl","commit_stats":{"total_commits":18,"total_committers":2,"mean_commits":9.0,"dds":0.4444444444444444,"last_synced_commit":"c3c7f383ed57ca60e32f370d9238c9479d6178fb"},"previous_names":["bitsadmin/lofl"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bitsadmin%2Flofl","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bitsadmin%2Flofl/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bit
sadmin%2Flofl/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bitsadmin%2Flofl/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/bitsadmin","download_url":"https://codeload.github.com/bitsadmin/lofl/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248055284,"owners_count":21040157,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["dns","ldap","living-off-the-foreign-land","lofl","socks"],"created_at":"2024-11-17T08:33:43.193Z","updated_at":"2025-04-09T15:07:27.835Z","avatar_url":"https://github.com/bitsadmin.png","language":"PowerShell","readme":"# Living Off the Foreign Land\nScripts to set up and run the Living Off the Foreign Land (LOFL) attacker infrastructure. 
Refer to the following article at the BITSADMIN Blog for details on how to use the scripts in this repository.\n\n## Living Off the Foreign Land: Using Windows as Attack Platform\n* Part 1: Setup Linux VM for SOCKS routing - \u003chttps://blog.bitsadmin.com/living-off-the-foreign-land-windows-as-offensive-platform\u003e\n* Part 2: Configuring the Offensive Windows VM - \u003chttps://blog.bitsadmin.com/living-off-the-foreign-land-windows-as-offensive-platform-part-2\u003e\n* Part 3: Using Windows as Offensive Platform - \u003chttps://blog.bitsadmin.com/living-off-the-foreign-land-windows-as-offensive-platform-part-3\u003e\n\n## Scripts\n| Name                                   | Description                                                                                                                                                  |\n|----------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------|\n| [`dns_over_tcp.py`](#dns_over_tcppy)   | DNS server which, based on the dnsmasq configuration file, selectively converts UDP DNS requests to TCP DNS requests so they can be sent over SOCKS4         |\n| [`cldaproxy.sh`](#cldaproxysh)         | Script which makes use of `iptables` and `socat` to transform Connectionless LDAP (CLDAP/UDP) requests into LDAP (TCP) so they can be forwarded over SOCKS4  |\n| [`create_tun.sh`](#create_tunsh)       | Helper script to create a new `tun` interface and configure its IP                                                                                           |\n| [`iptables_nat.sh`](#iptables_natsh)   | Helper script to add `iptables` NAT rules to interfaces                                                                                                      |\n| [`add_routes.sh`](#add_routessh)       | Helper script to add routes over a certain interface                                           
                                                              |\n| [`CollectCerts.ps1`](#collectcertsps1) | Connects to a TLS port and saves the server certificate(s) as .crt files to disk                                                                             |\n| [`DisableWindowsDefender.ps1`](#disablewindowsdefenderps1) | Mostly automates the [Pre-Install procedures of Mandiant's Commando VM repository](https://github.com/mandiant/commando-vm#pre-install-procedures) to disable Windows Defender on the Offensive Windows VM |\n\n## dns\\_over\\_tcp.py\n### Description\nDNS server which, based on the dnsmasq configuration file, selectively converts UDP DNS requests to TCP DNS requests so they can be sent over SOCKS4\n\n### Usage\n```\nDNSOverTCP v1.00 ( https://github.com/bitsadmin/lofl )\n\nusage: dns_over_tcp.py [-h] [-v] [-i] [-s [DNS_SERVER]]\n\nSelectively forward UDP DNS requests over TCP\n\noptions:\n  -h, --help            show this help message and exit\n  -v, --verbose         By default shows requests to hosts specified in the dnsmasq.conf; verbose shows all DNS requests\n  -i, --ignore          Ignore DNSMasq configuration\n  -s [DNS_SERVER], --server [DNS_SERVER]\n                        Specify upstream DNS server, default 127.0.0.1:5353\n```\n\n## cldaproxy.sh\n### Description\nScript which makes use of `iptables` and `socat` to transform Connectionless LDAP (CLDAP/UDP) requests into LDAP (TCP) so they can be forwarded over SOCKS4\n\n### Usage\n```\nCLDAProxy v1.0\n@bitsadmin - https://github.com/bitsadmin/lofl\n\nConvert CLDAP (UDP) traffic to LDAP (TCP)\n\nUsage: cldaproxy.sh \u003cdomain\u003e [dc_ip]\n\nParameters:\n  domain:    Domain name to resolve and use to proxy to\n  dc_ip:     Use explicit server IP instead of deriving it from the domain\n\nExamples:\n  Proxy CLDAP to LDAP for domain ad.bitsadmin.com\n  cldaproxy.sh ad.bitsadmin.com\n\n  Proxy CLDAP to LDAP making use of DC 10.0.10.10\n  cldaproxy.sh ad.bitsadmin.com 
10.0.10.10\n```\n\n## create\\_tun.sh\n### Description\nHelper script to create a new `tun` interface and configure its IP\n\n### Usage\n```\nCreate Tun v1.0\n@bitsadmin - https://github.com/bitsadmin/lofl\n\nUsage: create_tun.sh [-d] INTERFACE [IPSUBNET]\n\nParameters:\n  -d:        Delete the interface\n  INTERFACE: Name of the interface to be created, for example tun1\n  IPSUBNET:  IP address and subnet mask that will be assigned to the new interface.\n             Noted down in CIDR notation, for example: 198.18.0.1/15\n\nExamples:\n  Create new tunnel interface tun1\n  create_tun.sh tun1\n\n  Create new tunnel interface tun1 with specific IP/subnet\n  create_tun.sh tun1 198.18.0.1/15\n\n  Delete tunnel interface tun1\n  create_tun.sh -d tun1\n```\n\n## iptables\\_nat.sh\n### Description\nHelper script to add `iptables` NAT rules to interfaces\n\n### Usage\n```\nCreate iptables NAT v1.0\n@bitsadmin - https://github.com/bitsadmin/lofl\n\nUsage: iptables_nat.sh [-d] [-f] INPUT OUTPUT\n\nParameters:\n  -d:       Delete the iptables rule\n  -f:       Skip user confirmation prompt\n  INPUT:    Input interface\n  OUTPUT:   Output interface\n\nExamples:\n  Create NAT from ens36 to tun1\n  iptables_nat.sh ens36 tun1\n\n  Delete NAT from ens36 to tun1\n  iptables_nat.sh -d ens36 tun1\n\n  Delete NAT from ens36 to tun1 without prompt\n  iptables_nat.sh -d -f ens36 tun1\n```\n\n## add\\_routes.sh\n### Description\nHelper script to add routes over a certain interface\n\n### Usage\n```\nAdd Routes v1.1\n@bitsadmin - https://github.com/bitsadmin/lofl\n\nUsage: add_routes.sh \u003csubnet_file\u003e \u003cinterface\u003e [gateway_ip]\n\nParameters:\n  subnet_file:  File containing list of subnets in CIDR notation\n  interface:    Interface over which these interfaces must be tunneled\n  gateway_ip:   Optional explicit gateway IP, by default 198.18.0.1\n\nExamples:\n  Route IPs from subnets.txt over tun1\n  add_routes.sh subnets.txt tun1\n\nExample subnet.txt 
contents\n10.0.10.0/24    # Domain X\n10.0.20.0/24    # Domain Y\n10.0.30.0/24\n192.168.0.0/16\n```\n\n## CollectCerts.ps1\n### Description\nConnects to a TLS port and saves the server certificate(s) as .crt files to disk\n\n### Usage\n```\nNAME\n    CollectCerts.ps1\n\nSYNOPSIS\n    This script connects to a TLS port and saves the server certificate(s) as `.crt` files to disk.\n\nSYNTAX\n    CollectCerts.ps1 [-Server] \u003cObject\u003e [[-Port] \u003cInt32\u003e] [\u003cCommonParameters\u003e]\n\nDESCRIPTION\n    The 'CollectCerts.ps1' script establishes a connection to the specified server using either the default port 636 (LDAPS) or alternatively a custom port can be specified.\n```\n\n\n## DisableWindowsDefender.ps1\n### Description\nMostly automates the [Pre-Install procedures of Mandiant's Commando VM repository](https://github.com/mandiant/commando-vm#pre-install-procedures) to disable Windows Defender on the Offensive Windows VM.\n\n### Usage\nSimply right click the script and choose Run with PowerShell.\n\n```\n -=[ Windows Defender Disable v1.1 ]=-\n\n\nFully disables Windows Defender in three reboots\nby @bitsadmin - https://github.com/bitsadmin/lofl\n\n[+] Tamper Protection is disabled\n[+] Real-Time Protection is disabled\n[+] Disabled Microsoft Defender Antivirus\n[+] Disabled Cloud-Delivered Protection\n[+] Disabled Automatic Sample Submission\n[+] Systray Security Health icon is disabled\n[+] Killed Systray Security Health icon\n[+] Disabled task \"Windows Defender Verification\"\n[+] Disabled task \"Windows Defender Cleanup\"\n[+] Disabled task \"Windows Defender Scheduled Scan\"\n[+] Disabled task \"Windows Defender Cache Maintenance\"\n[+] Disabled Windows Defender scheduled tasks\n[+] Cleanup\n    [+] Re-enabling UAC\n    [+] Unregistering script from automatic startup\n[+] The final step is to boot into Safe Mode and disable the services/drivers related to Windows Defender\n1. 
Reboot the machine in Safe Mode: Start -\u003e Power -\u003e Shift+Click on Reboot\n   -\u003e Troubleshoot -\u003e Advanced options -\u003e Startup Settings -\u003e Restart\n   -\u003e Choose: '4) Enable Safe Mode'\n2. Once booted in Safe Mode, launch PowerShell and execute the following oneliner:\n   'Sense','WdBoot','WdFilter','WdNisDrv','WdNisSvc','WinDefend' | % { Set-ItemProperty -Path HKLM:\\SYSTEM\\CurrentControlSet\\Services\\$_ -Name Start -Value 4 -Verbose }\n3. Reboot to Normal Mode and Windows Defender will be disabled!\n4. Because disabling Windows Defender sometimes causes slow downs with software installations, make sure to also disable Smart App Control through either:\n   - windowsdefender://SmartApp/\n   - Searching the Settings for 'Smart App Control'\n```\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbitsadmin%2Flofl","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fbitsadmin%2Flofl","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbitsadmin%2Flofl/lists"}