
@gladiatx0r
gladiatx0r / Workstation-Takeover.md
Last active April 25, 2024 13:23
From RPC to RCE - Workstation Takeover via RBCD and MS-RPChoose-Your-Own-Adventure

Overview

In the default configuration of Active Directory, it is possible to remotely take over Workstations (Windows 7/10/11) and possibly servers (if Desktop Experience is installed) when their WebClient service is running. This is accomplished, in short, by:

  • Triggering machine authentication over HTTP via either MS-RPRN or MS-EFSRPC (as demonstrated by @tifkin_). This requires a set of credentials for the RPC call.
  • Relaying that machine authentication to LDAPS for configuring RBCD
  • RBCD takeover

The caveat to this is that the WebClient service does not automatically start at boot. However, if the WebClient service has been triggered to start on a workstation (for example, via some SharePoint interactions), you can remotely take over that system. In addition, there are several ways to coerce the WebClient service to start remotely which I cover in a section below.

@TarlogicSecurity
TarlogicSecurity / kerberos_attacks_cheatsheet.md
Created May 14, 2019 13:33
A cheatsheet with commands that can be used to perform kerberos attacks

Kerberos cheatsheet

Bruteforcing

With kerbrute.py:

python kerbrute.py -domain <domain_name> -users <users_file> -passwords <passwords_file> -outputfile <output_file>

With Rubeus version with brute module:

@seajaysec
seajaysec / customqueries.json
Last active May 1, 2024 15:59
bloodhound custom queries
{
  "queries": [{
    "name": "List all owned users",
    "queryList": [{
      "final": true,
      "query": "MATCH (m:User) WHERE m.owned=TRUE RETURN m"
    }]
  },
  {
    "name": "List all owned computers",
@mccabe615
mccabe615 / phpdangerousfuncs.md
Last active April 21, 2024 17:04
Dangerous PHP Functions

Command Execution

exec           - Returns last line of the command's output
passthru       - Passes the command's output directly to the browser
system         - Passes the command's output directly to the browser and returns last line
shell_exec     - Returns the command's output
`` (backticks) - Same as shell_exec()
popen          - Opens read or write pipe to process of a command
proc_open      - Similar to popen() but greater degree of control
pcntl_exec     - Executes a program
@dylanmckay
dylanmckay / facebook-contact-info-summary.rb
Last active March 12, 2024 22:46
A Ruby script for collecting phone record statistics from a Facebook user data dump
#! /usr/bin/env ruby
# NOTE: Requires Ruby 2.1 or greater.
# This script can be used to parse and dump the information from
# the 'html/contact_info.htm' file in a Facebook user data ZIP download.
#
# It prints all cell phone call + SMS message + MMS records, plus a summary of each.
#
# It also dumps all of the records into CSV files inside a 'CSV' folder, that is created
@youkergav
youkergav / import.py
Last active August 29, 2022 22:55
Python script to import BreachCompilation to PostgreSQL database.
# Define imports.
from time import time, strftime
from datetime import datetime
from glob import iglob
from os import path, system
from sys import exc_info
from subprocess import Popen, PIPE
from curses import initscr, noecho, cbreak, echo, nocbreak, endwin
from psycopg2 import connect
@nlitsme
nlitsme / breachquery.sh
Created December 14, 2017 08:10
query.sh for older bash versions - from magnet:?xt=urn:btih:7ffbcd8cee06aba2ce6561688cf68ce2addca0a3
#!/bin/bash
# query.sh from BreachCompilation - magnet:?xt=urn:btih:7ffbcd8cee06aba2ce6561688cf68ce2addca0a3
# works with older bash versions.
# patch by Willem <itsme@xs4all.nl>
dir=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )
if [ "$1" != "" ]; then
word1=$(echo $1 | tr A-Z a-z)
letter1=$(echo $word1|cut -b1)
if [[ $letter1 == [a-zA-Z0-9] ]]; then
@xbb
xbb / README
Last active April 17, 2024 20:21
IDRAC6 Virtual Console Launcher
Use this as an example on how to start the virtual console without the need of Java Web Start or accessing it from the web interface.
You can use the user and password that you use for the web interface.
You need an old JRE... I used 1.7.0_80 from the Server JRE package; I have also tested 1.7.0_79 successfully on MacOS.
You don't need to install it, just extract it or copy the files in "jre" folder.
Open the viewer.jnlp file that you get by launching the virtual console from the web interface with a text editor.
Note the urls to the jar files. Download the main jar file avctKVM.jar and the libs for your operating system and architecture.
Extract the dlls (.so Linux, .jnilib MacOS) from the jar libs.
@glamrock
glamrock / data_brokers.txt
Created December 5, 2016 20:40
A simply complicated guide to removing your info from data brokers
I've compiled a list of data aggregators, data brokers, direct marketing firms, and others who trade personal data. Many of these are very quickly dealt with via web forms, but others require a letter and a copy of a photo ID. Many of the data brokers came from my notes, but others have come from Reddit threads and stopdatamining.me. All sources were fairly out of date, so I've gone through and listed the current contact info and process for each. Feel free to pass it along and let me know if there are any errors or omissions. ^_^

How to pass the OSCP

  1. Recon
  2. Find vuln
  3. Exploit
  4. Document it

Recon

Unicornscan in the CLI, nmap in msfconsole to help store loot in the database.