Aruba produces two different software loads for their Access Point hardware. The first is called ArubaOS and the second is called Aruba Instant. With ArubaOS, the AP requires a Mobility Controller (hardware) to be installed in the network. With the Aruba Instant it is possible to run AP’s independently (standalone mode) or in a cluster, with no Mobility Controller in the network.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#!/usr/bin/python | |
from scapy.all import * | |
import time, sys | |
pkts = rdpcap(sys.argv[1]) | |
clk = pkts[0].time | |
for p in pkts: | |
time.sleep(p.time - clk) | |
clk = p.time | |
sendp(p) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#!/usr/bin/env python3 | |
''' | |
NameMash by superkojiman | |
Generate a list of possible usernames from a person's first and last name. | |
https://blog.techorganic.com/2011/07/17/creating-a-user-name-list-for-brute-force-attacks/ | |
''' |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
##TCP FLAGS## | |
Unskilled Attackers Pester Real Security Folks | |
============================================== | |
TCPDUMP FLAGS | |
Unskilled = URG = (Not Displayed in Flag Field, Displayed elsewhere) | |
Attackers = ACK = (Not Displayed in Flag Field, Displayed elsewhere) | |
Pester = PSH = [P] (Push Data) | |
Real = RST = [R] (Reset Connection) | |
Security = SYN = [S] (Start Connection) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#!/usr/bin/python | |
""" | |
Simple tool to extract local users and passwords from most Huawei routers/firewalls config files. | |
Will extract plain-text passwords and crypted credentials. Huawei config files use DES encryption with | |
a known key. Using this information, the script will decrypt credentials found in the config file. | |
Author: Etienne Stalmans (etienne@sensepost.com) | |
Version: 1.0 (12/01/2014) | |
""" | |
from Crypto.Cipher import DES |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
wget -c --no-cookies --no-check-certificate --header "Cookie: oraclelicense=accept-securebackup-cookie" https://download.oracle.com/otn-pub/java/jdk/12.0.2+10/e482c34c86bd4bf8b56c0b35558996b9/jdk-12.0.2_linux-x64_bin.tar.gz |
In the default configuration of Active Directory, it is possible to remotely take over Workstations (Windows 7/10/11) and possibly servers (if Desktop Experience is installed) when their WebClient service is running. This is accomplished in short by;
- Triggering machine authentication over HTTP via either MS-RPRN or MS-EFSRPC (as demonstrated by @tifkin_). This requires a set of credentials for the RPC call.
- Relaying that machine authentication to LDAPS for configuring RBCD
- RBCD takeover
The caveat to this is that the WebClient service does not automatically start at boot. However, if the WebClient service has been triggered to start on a workstation (for example, via some SharePoint interactions), you can remotely take over that system. In addition, there are several ways to coerce the WebClient service to start remotely which I cover in a section below.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
{ | |
"queries": [{ | |
"name": "List all owned users", | |
"queryList": [{ | |
"final": true, | |
"query": "MATCH (m:User) WHERE m.owned=TRUE RETURN m" | |
}] | |
}, | |
{ | |
"name": "List all owned computers", |
- NetBIOS name should match your forest FQDN. So if
FQDN=adlunches.net
, NetBIOS name isADLUNCHES
- Every AD forest has a server which indexes all the objects in the forest. This is known as the Global Catalog server.
- Each domain needs at least 1 GC server, can have more for redundancy. This is so it can find objects in other domains.
- Any DC can be GC.
- By default all DCs will be GCs. GCs take up disk space and bandwidth, but both are plentiful.
- Microsoft Exchange requires GC server to run.
- Allow logins via UPN eg. user@highcosttraining.com, which may be on same domain.
- GC servers should be deployed at sites with poor WAN links or filtered connections.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
:: plink from here: http://the.earth.li/~sgtatham/putty/latest/x86/plink.exe | |
:: Guide available here: http://blog.buttewifi.com/2010/01/dynamic-ssh-tunneling-with-putty-to-secure-web-traffic/ | |
:: Connects to 192.168.1.2 on port 5900. Sets up a SOCKS proxy that listens on 127.0.0.1 port 9876 and forwards all connections through the connection to 192.168.1.2. | |
:: You then need to configure your system to use 127.0.0.1:9876 as a SOCKS proxy. | |
putty\PLINK.EXE 192.168.1.2 -P 5900 -D 127.0.0.1:9876 -N | |
:: Gotcha: In Windows, you need to specifically enable it as a SOCKS proxy, and disable all other proxies. |