jsecurity101

gladiatx0r

Overview

In the default configuration of Active Directory, it is possible to remotely take over Workstations (Windows 7/10/11) and possibly servers (if Desktop Experience is installed) when their WebClient service is running. This is accomplished in short by;

• Triggering machine authentication over HTTP via either MS-RPRN or MS-EFSRPC (as demonstrated by @tifkin_). This requires a set of credentials for the RPC call.
• Relaying that machine authentication to LDAPS for configuring RBCD
• RBCD takeover

The caveat to this is that the WebClient service does not automatically start at boot. However, if the WebClient service has been triggered to start on a workstation (for example, via some SharePoint interactions), you can remotely take over that system. In addition, there are several ways to coerce the WebClient service to start remotely which I cover in a section below.

bmaupin

Installation

Prerequisites

• Winbind (e.g. sudo apt install winbind)
• Wine
• Winetricks

Install NSUI

bruvv

I want to disable monitor mode for the interal wlan0 card of the pi. If you want to do that too and use wlan1 as mon0 do:

sed -i 's/phy0/phy1/g' /usr/bin/pwnlib

If you want wlan0 and wlan1 in monitor mode and want to use wlan1 as pwnagotchi device, use this ps did didn't work for me but above example

sudo su
rm /etc/network/interfaces.d/wlan1-cfg

G0ldenGunSec

As always, only for use on networks you own or have permission to test against. 

Similar functionality to SpiderLabs SCShell (https://github.com/SpiderLabs/SCShell) but from the command line using WMIC to run commands on other systems remotely.
If attempting to run multiple commands, SCShell will probably be move convenient as it automates the below steps.  However, for one-offs this works fine as well.

The process involves a total of four commands, three of which can be combined on the command line to form one large block.

Step 1: Get the current pathName of your target service so we can restore it once we've ran our command (in our case XblAuthManager)
    wmic /user:DOMAIN\USERNAME /password:PASSWORD /node:TARGET_IP service where name='XblAuthManager' get pathName

darconeous

Tesla Key Card Protocol

Researched by Robert Quattlebaum darco@deepdarc.com.

Last updated 2020-02-03.

tg12

from datetime import datetime
import time
import threading
###########################
from multiprocessing import Process
import random
###########################
import dns.resolver
import dns.reversename
import ftplib

cubehouse

// start with:
//   frida -U -l pinning.js -f [APP_ID] --no-pause

Java.perform(function () {
    console.log('')
    console.log('===')
    console.log('* Injecting hooks into common certificate pinning methods *')
    console.log('===')

    var X509TrustManager = Java.use('javax.net.ssl.X509TrustManager');

azhe403

Windows.10.and.Office.2016.gVLK

#####################################################################
# Install/Uninstall keys                                            #
#####################################################################

1.) Uninstall the current product by entering the “uninstall product key” extension:
slmgr.vbs /upk

2.) Install the key that you obtained above for “Windows Srv 2012R2 DataCtr/Std KMS for Windows 10”

shvchk

Install Signal Desktop as a standalone app, without Chrome dependency *

UPD 2: Official standalone Signal Desktop is released!
Install official Signal Desktop, old version and this guide using it should now be considered deprecated.

---

UPD 1: There is now an easier way with automatic Signal Desktop installer, which also keeps Signal updated.

---