Microsoft stores the Active Directory data in tables in a proprietary ESE database format. The database is contained in the NTDS.dit file (%SystemRoot%\ntds\NTDS.dit).
This file is encrypted to prevent straightforward data extraction, so we first need to acquire the key before we can extract the target data.
The required Password Encryption Key is stored in the NTDS.dit file itself, but it is in turn encrypted with the BOOTKEY.
To obtain this BOOTKEY, we need a copy of the SYSTEM registry hive (%SystemRoot%\System32\config\System) from the same Domain Controller the NTDS.dit file was taken from.
Extract NTDS/SYSTEM from a domain controller:
net start vss
vssadmin create shadow /for=c:
vssadmin list shadows
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\windows\ntds\ntds.dit C:\temp

When Microsoft chooses to release security updates for OSes that are way out of support, security specialists grab a cup of coffee and start reading. BlueKeep (also known as CVE-2019-0708) is a flaw in Microsoft's Remote Desktop Services that allows an attacker to gain full control over an affected system.

The vulnerability occurs during pre-authorization and has the potential to run arbitrary malicious code in the "NT Authority\SYSTEM" user security context, which means that you don't need to know any credentials to exploit the flaw and that you get to execute code as a privileged user.

Oh, and Microsoft says that it's potentially wormable like WannaCry, meaning that someone could write code that makes this self-replicating, making it possible to spread throughout a network (or the internet) without intervention.

The vulnerable systems are Windows Server 2003, Windows XP, Windows Vista, Windo

@7MinSec
7MinSec / WindowsCommandLineShortcutsAndTips.md
Created April 25, 2019 00:09
Windows command line shortcuts and tips

As heard on 7MS #357

Windows command line shortcuts and tips:

Creative ways to play with cmd

Basically, you can do Windows Key + R then type cmd and Enter for quick access to command line.

But let's do some more fun stuff. Wanna open a command window from the desktop and launch a command in one swoop? Try this:

# This is almost the same as '05 SQL Server and client, domain joined.ps1' but installs an Exchange 2013 server instead
# of a SQL Server.
#
# IMPORTANT NOTE: Make sure you have installed at least the CU KB3206632 before installing Exchange 2016; this is a requirement.
# Refer to the introduction script '11 ISO Offline Patching.ps1' for creating a new ISO that contains patches.
#
# You will need to download 5 files before starting this script
# 1. AutomatedLab latest https://github.com/AutomatedLab/AutomatedLab/releases
# Download the msi and just install it in whatever folder you like (C:\LabSources for example)

Pentest lab GPOs

Note: this set of GPOs accompanies a YouTube video all about building your own pentest lab

Personally, when I set up an internal/test/pentest Active Directory environment I like to leave some settings the way most client environments are set up - both for ease of management and easier attacks, so that includes spinning up the following GPOs:

Enable RDP on desktops

Create a new GPO and link it to whatever OU your workstations are in, then go to Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Connections and set Allow users to connect remotely using Remote Desktop Services to Enable

Then, create a security group in AD, called RDP-peeps for example, that you want to allow to RDP into all workstations.

@7MinSec
7MinSec / Active_Directory_dump_n_crack.md
Last active April 15, 2021 16:17
Active Directory hash dump n' crack methodology

Creating AD backup dump of user accounts and hashes

Upgrade to latest version of PowerShell

Check your version with:

$Psversiontable.psversion

If you are below Major 5, Minor 1, head to Microsoft's download site to get the latest.

@alexeygrigorev
alexeygrigorev / get-winners.py
Last active June 4, 2021 15:12
Running giveaway campaigns on twitter
from glob import glob
from random import shuffle
import requests

# Coupon codes handed out to giveaway winners (the list is truncated in this preview)
coupon_codes = [
    'mlbookcamp-1',
    'mlbookcamp-2',
    'mlbookcamp-3',
    'mlbookcamp-4',
]
@7MinSec
7MinSec / lowhanging.md
Last active June 9, 2022 13:15
Low-hanging hacker fruit (and how to remove it)

Low Hanging Hacker Fruit

This gist focuses on (relatively) free and (relatively) easy things organizations can do to better protect their networks without buying yet another black box with blinking lights.

Got some ideas of your own that should be on this list? Please leave a comment below!

Implementing a stronger AD password policy

Microsoft has a great paper on the topic that gives some nice high-level recommendations:

  • Use a unique password per site
  • Enable complexity
@0xatul
0xatul / foxyproxyBB.json
Created June 25, 2020 09:46
firefox foxy proxy settings for BB stuff
{
"84kr3q1592995213323": {
"type": 1,
"color": "#cc883a",
"title": "Burp",
"active": true,
"address": "127.0.0.1",
"port": 8080,
"proxyDNS": false,
"username": "",
@jgamblin
jgamblin / antiautosploit.py
Last active June 1, 2023 01:57
Blocks Shodan IPs From Scanning Your Servers.
#!/usr/bin/python3
import subprocess

# Known Shodan scanner source addresses, as published in this gist
shodan = ["104.131.0.69", "104.236.198.48", "155.94.222.12","155.94.254.133", "155.94.254.143", "162.159.244.38", "185.181.102.18", "188.138.9.50", "198.20.69.74", "198.20.69.98", "198.20.70.114", "198.20.87.98", "198.20.99.130", "208.180.20.97", "209.126.110.38", "216.117.2.180", "66.240.192.138", "66.240.219.146", "66.240.236.119", "71.6.135.131", "71.6.146.185", "71.6.158.166", "71.6.165.200", "71.6.167.142", "82.221.105.6", "82.221.105.7", "85.25.103.50", "85.25.43.94", "93.120.27.62", "98.143.148.107", "98.143.148.135"]

# Append a DROP rule to the INPUT chain for each scanner address.
# Must run as root; arguments are passed as a list so no shell is involved.
for ip in shodan:
    subprocess.run(["iptables", "-A", "INPUT", "-s", ip, "-j", "DROP"], check=True)