@edermi
edermi / bloodhoundce_import.py
Created January 31, 2024 15:33 — forked from aconite33/bloodhoundce_import.py
Import large files into BloodHound CE Edition
import requests
import json
import time
import argparse
import getpass
import os
import sys
def main():
@edermi
edermi / kerberoast_pws.xz
Last active January 22, 2024 12:40
edermi Kerberoast PW list (XZ format)
@edermi
edermi / CIPolicyParser.ps1
Created April 18, 2023 08:31 — forked from mattifestation/CIPolicyParser.ps1
Functions to recover information from binary Windows Defender Application Control (WDAC) Code Integrity policies.
# Ensure System.Security assembly is loaded.
Add-Type -AssemblyName System.Security
function ConvertTo-CIPolicy {
<#
.SYNOPSIS
Converts a binary file that contains a Code Integrity policy into XML format.
Author: Matthew Graeber (@mattifestation)
@edermi
edermi / unbound.conf
Created December 23, 2017 11:50
My unbound config
server:
# log verbosity
verbosity: 1
use-syslog: yes
interface: 127.0.0.1
interface: ::1
do-ip6: yes
import sys

def main():
    with open(sys.argv[1], 'rb') as f:
        shellcode = f.read()
    hexlified = ['0x{:02X}'.format(b) for b in shellcode]
    with open(sys.argv[2], 'w') as f:
        f.write(','.join(hexlified))
    sys.stderr.write("Shellcode length: {}".format(len(shellcode)))
@edermi
edermi / SharpApprover.cs
Created September 22, 2021 18:25 — forked from dmchell/SharpApprover.cs
Reset the mspki-enrollment-flag attribute when you possess a write ACE on a vulnerable certificate template
using System;
using System.DirectoryServices;
namespace SharpApprover
{
class Program
{
public static void SetAdInfo(string objectFilter,
int objectValue, string LdapDomain)
@edermi
edermi / Workstation-Takeover.md
Created September 19, 2021 18:52 — forked from gladiatx0r/Workstation-Takeover.md
From RPC to RCE - Workstation Takeover via RBCD and MS-RPChoose-Your-Own-Adventure

Overview

In the default configuration of Active Directory, it is possible to remotely take over workstations (Windows 7/10/11) and possibly servers (if Desktop Experience is installed) when their WebClient service is running. In short, this is accomplished by:

  • Triggering machine authentication over HTTP via either MS-RPRN or MS-EFSRPC (as demonstrated by @tifkin_). This requires a set of credentials for the RPC call.
  • Relaying that machine authentication to LDAPS for configuring RBCD
  • RBCD takeover

The caveat to this is that the WebClient service does not automatically start at boot. However, if the WebClient service has been triggered to start on a workstation (for example, via some SharePoint interactions), you can remotely take over that system. In addition, there are several ways to coerce the WebClient service to start remotely which I cover in a section below.

@edermi
edermi / go-sharp-loader.go
Created April 4, 2021 09:23 — forked from ropnop/go-sharp-loader.go
Example Go file embedding multiple .NET executables
package main
/*
Example Go program with multiple .NET Binaries embedded
This requires packr (https://github.com/gobuffalo/packr) and the utility. Install with:
$ go get -u github.com/gobuffalo/packr/packr
Place all your EXEs in a "binaries" folder
@edermi
edermi / shell.php
Created December 8, 2020 22:53 — forked from mrpapercut/shell.php
Interactive PHP webshell
<?php
function escapetext($text) {
return str_replace("\n", "<br>", htmlentities($text));
}
function exec_command($cmd, $internal = false) {
try {
$shell_exec = shell_exec($cmd);
} catch (Exception $e) {
@edermi
edermi / pydefendercheck.py
Created September 30, 2020 09:45 — forked from daddycocoaman/pydefendercheck.py
PyDefenderCheck
##################################################
## PyDefenderCheck - Python implementation of DefenderCheck
##################################################
## Author: daddycocoaman
## Based on: https://github.com/matterpreter/DefenderCheck
##################################################
import argparse
import enum