Matt Bush 3xocyte

  • Atlassian
  • Melbourne, Australia
@3xocyte
3xocyte / lazykatz.py
Last active April 24, 2023 12:26
quickly dump creds from a box you've pwned while living off the land (feat. obfuscation and pypykatz automation)
#!/usr/bin/env python3
import argparse
import sys
import logging
import random
import string
import os
from time import sleep
3xocyte / chromedump2.py
Last active February 8, 2021 10:22
agentless Google Chrome post-exploitation script
#!/usr/bin/env python3
# by Matt Bush (@3xocyte)
import os
import sys
import logging
import argparse
import traceback
import time
3xocyte / adidns_records.py
Last active November 23, 2023 21:20
get /etc/hosts entries from ADIDNS
#!/usr/bin/env python
import argparse
import sys
import binascii
import socket
import re
from ldap3 import Server, Connection, NTLM, ALL, SUBTREE, ALL_ATTRIBUTES
# get /etc/hosts entries for domain-joined computers from A and AAAA records (via LDAP/ADIDNS) (@3xocyte)
3xocyte / bad_sequel.py
Last active January 11, 2024 01:42
PoC MSSQL RCE exploit using Resource-Based Constrained Delegation
#!/usr/bin/env python
# for more info: https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html
# this is a rough PoC
# requirements for RCE:
# - the attacker needs to either have or create an object with a service principal name
# - the MSSQL server has to be running under the context of System/Network Service/a virtual account
# - the MSSQL server has the WebClient service installed and running (not default on Windows Server hosts)
# - NTLM has to be in use
3xocyte / rbcd_relay.py
Last active March 15, 2024 05:31
PoC resource-based constrained delegation relay attack tool
#!/usr/bin/env python
# for more info: https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html
# this is a *very* rough PoC
import SimpleHTTPServer
import SocketServer
import base64
import random
import struct
3xocyte / resolve_domain_computers.py
Last active July 23, 2020 22:34
get /etc/hosts entries for computers in Active Directory
#!/usr/bin/env python
# resolve domain computers by @3xocyte
import argparse
import sys
import string
# requires dnspython and ldap3
import dns.resolver
from ldap3 import Server, Connection, NTLM, ALL, SUBTREE
3xocyte / create_machine_account.py
Last active February 21, 2023 03:50
simple script for experimenting with machine account creation
#!/usr/bin/env python
import argparse
import sys
import string
import random
# https://support.microsoft.com/en-au/help/243327/default-limit-to-number-of-workstations-a-user-can-join-to-the-domain
# create machine account utility by @3xocyte
# with thanks to Kevin Robertson for https://github.com/Kevin-Robertson/Powermad/blob/master/Powermad.ps1
3xocyte / dementor.py
Last active February 11, 2024 14:10
rough PoC to connect to spoolss to elicit machine account authentication
#!/usr/bin/env python
# abuse cases and better implementation from the original discoverer: https://github.com/leechristensen/SpoolSample
# some code from https://www.exploit-db.com/exploits/2879/
import os
import sys
import argparse
import binascii
import ConfigParser
3xocyte / scriptinjector.cs
Last active October 6, 2018 00:19
a small buggy utility inspired by chapter 10 of Black Hat Python by Justin Seitz
using System;
using System.IO;
using System.Text;
using System.Linq;
using System.Collections.Generic;
// ephemeral script injector by @3xocyte
// takes a target directory to watch, and an OS command to attempt to inject into any scripts that get modified
namespace FileContentInjector
3xocyte / icmpshell.cs
Created August 13, 2018 10:30
ICMP reverse shell (icmpsh compatible)
using System;
using System.IO;
using System.Text;
using System.Net.NetworkInformation;
using System.Management.Automation;
using System.Management.Automation.Runspaces;
using System.Threading;
using System.Collections.ObjectModel;
// .NET ICMP reverse shell client with PowerShell runspace by @3xocyte