With kerbrute.py:
python kerbrute.py -domain <domain_name> -users <users_file> -passwords <passwords_file> -outputfile <output_file>
With Rubeus version with brute module:
param ( [string]$SourceExe, [string]$DestinationPath, [string]$IconPath )
# Create a .lnk shortcut through the WScript.Shell COM object
$WshShell = New-Object -ComObject WScript.Shell
$Shortcut = $WshShell.CreateShortcut($DestinationPath)
$Shortcut.RelativePath = "..\..\..\..\..\..\..\..\..\$SourceExe"
$Shortcut.IconLocation = $IconPath
$Shortcut.TargetPath = $SourceExe
$Shortcut.Save()
<#
.SYNOPSIS
Generates a GUID from a given string value using MD5 hashing.
.PARAMETER Value
The string value to generate a GUID from.
.EXAMPLE
Get-Guid -Value "example string"
Returns a GUID generated from the string "example string".
#>
Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
using System.Security.Cryptography.X509Certificates;
// Device join state as reported by the dsreg (device registration) APIs
public enum DSREG_JOIN_TYPE {
    DSREG_UNKNOWN_JOIN = 0,
    DSREG_DEVICE_JOIN = 1,
    DSREG_WORKPLACE_JOIN = 2
}
'@
function Get-RdpLogonEvent
{
    [CmdletBinding()]
    param(
        [Int32] $Last = 10
    )
    # Read the most recent Security-log entries written by the auditing provider
    $RdpInteractiveLogons = Get-WinEvent -FilterHashtable @{
        LogName = 'Security'
        ProviderName = 'Microsoft-Windows-Security-Auditing'
    } -MaxEvents $Last
    $RdpInteractiveLogons
}
javascript: (function () {
    // Bookmarklet: copy the body of the nested iframe into a fresh window (relies on jQuery being loaded on the page)
    var new_window = window.open();
    new_window.document.body.innerHTML = $("iframe")
        .contents()
        .find("iframe")
        .contents()
        .find("body")
        .get(1).innerHTML;
    new_window.document.body.querySelector("#content-overlays").remove();
})();
### Original script and research by commial
### https://github.com/commial/experiments/tree/master/windows-defender
### Set LUADec_Path to the luadec binary
### https://github.com/viruscamp/luadec
import struct
import argparse
import sys
import os
import io
import subprocess
## Find dangerous API permissions as a user
$AzureTenantID = '<Your tenant ID>'
$AccountName = '<Username>@<Domain.com>'
$Password = ConvertTo-SecureString '<Your password>' -AsPlainText -Force
$Credential = New-Object System.Management.Automation.PSCredential($AccountName, $Password)
Connect-AzAccount -Credential $Credential -TenantId $AzureTenantID
function Get-AzureGraphToken
{
# To generate your dhparam.pem file, run in the terminal:
openssl dhparam -out /etc/nginx/ssl/dhparam.pem 2048
In the default configuration of Active Directory, it is possible to remotely take over workstations (Windows 7/10/11) and possibly servers (if Desktop Experience is installed) when their WebClient service is running. In short, this is accomplished by:
The caveat is that the WebClient service does not start automatically at boot. However, if the WebClient service has been triggered to start on a workstation (for example, through some SharePoint interaction), you can remotely take over that system. In addition, there are several ways to coerce the WebClient service to start remotely, which I cover in a section below.