Solomon Sklash SolomonSklash

## kerberos_attacks_cheatsheet.md

      
              1 file
            
          
              0 forks
            
          
              0 comments
            
          
              0 stars
            
          
                SolomonSklash
                / kerberos_attacks_cheatsheet.md
            
            
              Created
              July 19, 2020 20:15
                — forked from TarlogicSecurity/kerberos_attacks_cheatsheet.md
            
              
                A cheatsheet with commands that can be used to perform kerberos attacks
              
          
    Kerberos cheatsheet

Bruteforcing

With kerbrute.py:
python kerbrute.py -domain <domain_name> -users <users_file> -passwords <passwords_file> -outputfile <output_file>
With Rubeus version with brute module:

  
## dummy_bof.cpp
#include <windows.h>
#include <stdio.h>
#include <dsgetdc.h>
#include <psapi.h>

extern "C" {
	#include "beacon.h"
};

// Compile as C++ (/TP) for decltype

## clr_via_native.c
#include "stdafx.h"

int main()
{
	ICLRMetaHost *metaHost = NULL;
	IEnumUnknown *runtime = NULL;
	ICLRRuntimeInfo *runtimeInfo = NULL;
	ICLRRuntimeHost *runtimeHost = NULL;
	IUnknown *enumRuntime = NULL;
	LPWSTR frameworkName = NULL;

## EnumCLR.c
#include <string.h>
#include <stdio.h>
#include <windows.h>
#include <psapi.h>
#include "beacon.h"


DECLSPEC_IMPORT BOOL WINAPI KERNEL32$K32EnumProcesses(DWORD *, DWORD, LPDWORD);
DECLSPEC_IMPORT WINBASEAPI HANDLE WINAPI KERNEL32$OpenProcess(DWORD, BOOL, DWORD);
DECLSPEC_IMPORT BOOL WINAPI KERNEL32$K32EnumProcessModulesEx(HANDLE, HMODULE*, DWORD, LPDWORD, DWORD);

## divide_and_conquer.c
/*
This is a POC for a generic technique I called internally on our red team assessment "Divide and Conquer", which can be used to bypass behavioral based NextGen AV detection. It works by splitting malicious actions and API calls into distinct processes.
*/

#include <stdio.h>
#include <tchar.h>

#include <windows.h>
#include "Commctrl.h"
#include <string>

## Resource.rc
#define APSTUDIO_READONLY_SYMBOLS
#include "winres.h"

VS_VERSION_INFO VERSIONINFO
 FILEVERSION 1,3,3,4
 PRODUCTVERSION 1,3,3,1
 FILEFLAGSMASK 0x3fL
#ifdef _DEBUG
 FILEFLAGS 0x1L
#else

## create-resource.bat
@echo off

:: This batch script should be run from a VS developer prompt.

:: rc will create a binary .res file
rc Resource.rc

:: cvtres will convert the .res file to a COFF object file
cvtres /MACHINE:x64 /OUT:Resource.o Resource.res

## create-resource.sh
#!/bin/bash

# This script needs mingw installed

# Convert a .rc resource script input file to a .res binary resource output file
x86_64-w64-mingw32-windres -J rc -i Resource.rc -O res -o Resource.res

# Convert a .res binary resource input file to a COFF object output file
x86_64-w64-mingw32-windres -J res -i Resource.res -O coff -o Resource.o

## TestAssembly.cs
/*

================================ Compile as a .Net DLL ==============================
	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /target:library /out:TestAssembly.dll TestAssembly.cs

*/

using System.Windows.Forms;

namespace TestNamespace

## apisetlookup.c
#include <windows.h>
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>
#include <sal.h>
#include <assert.h>

#ifdef _X86_
#error "This snippet only build in 64-bit due to heavy use of uintptr arithmetics."
#endif
	#include <windows.h>
	#include <stdio.h>
	#include <dsgetdc.h>
	#include <psapi.h>

	extern "C" {
	#include "beacon.h"
	};

	// Compile as C++ (/TP) for decltype
	#include "stdafx.h"

	int main()
	{
	ICLRMetaHost *metaHost = NULL;
	IEnumUnknown *runtime = NULL;
	ICLRRuntimeInfo *runtimeInfo = NULL;
	ICLRRuntimeHost *runtimeHost = NULL;
	IUnknown *enumRuntime = NULL;
	LPWSTR frameworkName = NULL;
	#include <string.h>
	#include <stdio.h>
	#include <windows.h>
	#include <psapi.h>
	#include "beacon.h"


	DECLSPEC_IMPORT BOOL WINAPI KERNEL32$K32EnumProcesses(DWORD *, DWORD, LPDWORD);
	DECLSPEC_IMPORT WINBASEAPI HANDLE WINAPI KERNEL32$OpenProcess(DWORD, BOOL, DWORD);
	DECLSPEC_IMPORT BOOL WINAPI KERNEL32$K32EnumProcessModulesEx(HANDLE, HMODULE*, DWORD, LPDWORD, DWORD);
	/*
	This is a POC for a generic technique I called internally on our red team assessment "Divide and Conquer", which can be used to bypass behavioral based NextGen AV detection. It works by splitting malicious actions and API calls into distinct processes.
	*/

	#include <stdio.h>
	#include <tchar.h>

	#include <windows.h>
	#include "Commctrl.h"
	#include <string>
	#define APSTUDIO_READONLY_SYMBOLS
	#include "winres.h"

	VS_VERSION_INFO VERSIONINFO
	FILEVERSION 1,3,3,4
	PRODUCTVERSION 1,3,3,1
	FILEFLAGSMASK 0x3fL
	#ifdef _DEBUG
	FILEFLAGS 0x1L
	#else
	@echo off

	:: This batch script should be run from a VS developer prompt.

	:: rc will create a binary .res file
	rc Resource.rc

	:: cvtres will convert the .res file to a COFF object file
	cvtres /MACHINE:x64 /OUT:Resource.o Resource.res
	#!/bin/bash

	# This script needs mingw installed

	# Convert a .rc resource script input file to a .res binary resource output file
	x86_64-w64-mingw32-windres -J rc -i Resource.rc -O res -o Resource.res

	# Convert a .res binary resource input file to a COFF object output file
	x86_64-w64-mingw32-windres -J res -i Resource.res -O coff -o Resource.o
	/*

	================================ Compile as a .Net DLL ==============================
	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /target:library /out:TestAssembly.dll TestAssembly.cs

	*/

	using System.Windows.Forms;

	namespace TestNamespace
	#include <windows.h>
	#include <stdint.h>
	#include <stdbool.h>
	#include <stdio.h>
	#include <sal.h>
	#include <assert.h>

	#ifdef _X86_
	#error "This snippet only build in 64-bit due to heavy use of uintptr arithmetics."
	#endif