eversinc33
@3xocyte
3xocyte / rbcd_relay.py
Last active March 15, 2024 05:31
PoC resource-based constrained delegation relay attack tool
#!/usr/bin/env python
# for more info: https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html
# this is a *very* rough PoC
import SimpleHTTPServer  # Python 2 stdlib module (http.server in Python 3)
import SocketServer      # Python 2 stdlib module (socketserver in Python 3)
import base64
import random
import struct
@jmassardo
jmassardo / Invoke-WebRequest_Ignore_SSL.ps1
Created February 26, 2019 15:19
PowerShell hack to ignore ssl certificates when using Invoke-WebRequest
# Registers a certificate policy that accepts every server certificate; this
# turns off TLS certificate validation for the whole PowerShell session.
add-type @"
using System.Net;
using System.Security.Cryptography.X509Certificates;
public class TrustAllCertsPolicy : ICertificatePolicy {
    public bool CheckValidationResult(
        ServicePoint srvPoint, X509Certificate certificate,
        WebRequest request, int certificateProblem) {
        return true;
    }
}
"@
[System.Net.ServicePointManager]::CertificatePolicy = New-Object TrustAllCertsPolicy
@llimllib
llimllib / mssql_to_csv.bash
Last active April 15, 2024 16:00
This is a script to convert every table in a Microsoft SQL Server database backup (.bak file) to a .csv file
#!/usr/bin/env bash
# import an MS SQL .bak backup file to an MS SQL database, then export all
# tables to csv. run this script as `import.sh <filename>`. It expects to be
# run in the same directory as the backup file.
# this is only tested on my mac (OS X Catalina). I tried to stick to posix, but
# it will probably require some tweaking for you. I hope it gives a general
# sense of what you need to do at the very least.
@N4kedTurtle
N4kedTurtle / CredGuard_PoC
Created August 25, 2020 14:17
PoC for enabling wdigest to bypass credential guard
#define _CRT_SECURE_NO_WARNINGS
#include <Windows.h>
#include <Psapi.h>
#include <TlHelp32.h>
#include <iostream>
DWORD GetLsassPid() {
    PROCESSENTRY32 entry;
    entry.dwSize = sizeof(PROCESSENTRY32);
@kaimi-
kaimi- / gist:6b3c99538dce9e3d29ad647b325007c1
Last active July 5, 2024 14:59
Possible IP Bypass HTTP Headers
CACHE_INFO: 127.0.0.1
CF_CONNECTING_IP: 127.0.0.1
CF-Connecting-IP: 127.0.0.1
CLIENT_IP: 127.0.0.1
Client-IP: 127.0.0.1
COMING_FROM: 127.0.0.1
CONNECT_VIA_IP: 127.0.0.1
FORWARD_FOR: 127.0.0.1
FORWARD-FOR: 127.0.0.1
FORWARDED_FOR_IP: 127.0.0.1
@S3cur3Th1sSh1t
S3cur3Th1sSh1t / Workstation-Takeover.md
Created July 27, 2021 07:44 — forked from gladiatx0r/Workstation-Takeover.md
From RPC to RCE - Workstation Takeover via RBCD and MS-RPChoose-Your-Own-Adventure

Overview

In the default configuration of Active Directory, it is possible to remotely take over workstations (Windows 7/10/11) and possibly servers (if Desktop Experience is installed) when their WebClient service is running. In short, this is accomplished by:

  • Triggering machine authentication over HTTP via either MS-RPRN or MS-EFSRPC (as demonstrated by @tifkin_). This requires a set of credentials for the RPC call.
  • Relaying that machine authentication to LDAPS for configuring RBCD
  • RBCD takeover

The caveat to this is that the WebClient service does not automatically start at boot. However, if the WebClient service has been triggered to start on a workstation (for example, via some SharePoint interactions), you can remotely take over that system. In addition, there are several ways to coerce the WebClient service to start remotely which I cover in a section below.

@EvanMcBroom
EvanMcBroom / no_strings.hpp
Last active July 20, 2024 08:43
Encrypt Strings at Compile Time
// Copyright (C) 2022 Evan McBroom
//
// Permission is hereby granted, free of charge, to any person obtaining a copy
// of this software and associated documentation files (the "Software"), to deal
// in the Software without restriction, including without limitation the rights
// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
// copies of the Software, and to permit persons to whom the Software is
// furnished to do so, subject to the following conditions:
//
// The above copyright notice and this permission notice shall be included in
@zimnyaa
zimnyaa / iocpipe.py
Created February 17, 2022 11:10
Check whether an SMB pipe name for pivoting is a known IoC
import re, sys
def rule_startswith(ioc_string):
    # Build a matcher that flags pipe names beginning with a known IoC prefix
    def __match(pipename):
        if pipename.startswith(ioc_string):
            print("\tMATCH startswith({})".format(ioc_string))
            return True
        return False
    return __match
"""
Transform a binary file into a C header file.
The binary file is split into 16-char strings and rebuilt at execution time.
The function buildsc() must be called in your main to rebuild the binary file into the sc C variable.
The length is set in the sc_length variable.
Be careful, try to avoid compiler code optimization as it will remove all these modifications in the final binary.
"""
@LuemmelSec
LuemmelSec / GBC.ps1
Created December 9, 2022 07:43
Give Back Control over Windows functions script
$elevated = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
function Show-Menu {
    Clear-Host
    Write-Host "======================================================"
    Write-Host "================ Give Back Control ================"
    Write-Host "======================================================"
    if($elevated -eq $true){
        Write-Host "Local Admin: " -ForegroundColor white -NoNewline; Write-Host $elevated -ForegroundColor Green
        Write-Host "We have superpowers. Ready to continue."