Skip to content

Instantly share code, notes, and snippets.

@jordanpotti
jordanpotti / CallTreeToJSON.py
Created October 28, 2021 16:00 — forked from matterpreter/CallTreeToJSON.py
Convert Ghidra Call Trees to JSON for Neo4j Ingestion
View CallTreeToJSON.py
#@author matterpreter
#@category
#@keybinding
#@menupath
#@toolbar
###
# To import to Neo4j:
# CREATE CONSTRAINT function_name ON (n:Function) ASSERT n.name IS UNIQUE
#
@jordanpotti
jordanpotti / Workstation-Takeover.md
Created July 26, 2021 13:42 — forked from gladiatx0r/Workstation-Takeover.md
From RPC to RCE - Workstation Takeover via RBCD and MS-RPChoose-Your-Own-Adventure
View Workstation-Takeover.md

Overview

In the default configuration of Active Directory, it is possible to remotely take over Workstations (Windows 7/10/11) and possibly servers (if Desktop Experience is installed) when their WebClient service is running. This is accomplished in short by;

  • Triggering machine authentication over HTTP via either MS-RPRN or MS-EFSRPC (as demonstrated by @tifkin_). This requires a set of credentials for the RPC call.
  • Relaying that machine authentication to LDAPS for configuring RBCD
  • RBCD takeover

The caveat to this is that the WebClient service does not automatically start at boot. However, if the WebClient service has been triggered to start on a workstation (for example, via some SharePoint interactions), you can remotely take over that system. In addition, there are several ways to coerce the WebClient service to start remotely which I cover in a section below.

@jordanpotti
jordanpotti / help.md
Created January 25, 2021 15:09 — forked from Neo23x0/help.md
Offensive Research Guide to Help Defense Improve Detection
View help.md

Whenever you research a certain vulnerability ask yourself these questions and please answer them for us

Logging

Does the exploited service write a log?
(check ls -lrt /var/log or lsof +D /var/log/ or lsof | grep servicename)

Does a system service write a log?
(e.g. check with tail -f /var/log/messages)

View UACBypass.ps1
function Invoke-UACBypass {
<#
.SYNOPSIS
Bypasses UAC on Windows 10 by abusing the SilentCleanup task to win a race condition, allowing for a DLL hijack without a privileged file copy.
Author: Matthew Graeber (@mattifestation), Matt Nelson (@enigma0x3)
License: BSD 3-Clause
Required Dependencies: None
Optional Dependencies: None
@jordanpotti
jordanpotti / kerberos_attacks_cheatsheet.md
Created July 23, 2020 13:42 — forked from TarlogicSecurity/kerberos_attacks_cheatsheet.md
A cheatsheet with commands that can be used to perform kerberos attacks
View kerberos_attacks_cheatsheet.md

Kerberos cheatsheet

Bruteforcing

With kerbrute.py:

python kerbrute.py -domain <domain_name> -users <users_file> -passwords <passwords_file> -outputfile <output_file>

With Rubeus version with brute module:

View CommonWebPorts
`-p80,81,280,443,591,593,832,981,1311,2480,4444–4445,4567,5000,5104,5800,7000-7002,8008,8042,8080,8088,8222,8243,8280,8281,8333,8530-8531,8887-8888,8000,8443,9080,9443,9981,11371,12043,12046,12443,16080,18091-18092` (edited)
@jordanpotti
jordanpotti / jenkins-decrypt.groovy
Created March 15, 2019 13:46 — forked from tuxfight3r/jenkins-decrypt.groovy
Decrypting Jenkins Password
View jenkins-decrypt.groovy
#To Decrypt Jenkins Password from credentials.xml
#<username>jenkins</username>
#<passphrase>your-sercret-hash-S0SKVKUuFfUfrY3UhhUC3J</passphrase>
#go to the jenkins url
http://jenkins-host/script
#In the console paste the script
hashed_pw='your-sercret-hash-S0SKVKUuFfUfrY3UhhUC3J'
@jordanpotti
jordanpotti / setup.sh
Created January 3, 2018 15:50
setup script for ElastAlertGrouper
View setup.sh
git clone https://github.com/jordanpotti/ElastAlertGrouper.git
cp ElastAlertGrouper/py-alert.py /bin/
chmod 755 /bin/py-alert.py
cp ElastAlertGrouper/alert_rules/* /etc/elastalert/alert_rules/
service elastalert restart
View excerpt-sysmonconfig-export.xml
<!-- Mimikatz Detection -->
<ImageLoaded condition="is">C:\Windows\System32\WinSCard.dll</ImageLoaded> <!--MimiKatz Detection Credit: @Cyb3rWard0g: https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for.html -->
<ImageLoaded condition="is">C:\Windows\System32\cryptdll.dll</ImageLoaded> <!--MimiKatz Detection Credit: @Cyb3rWard0g: https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for.html -->
<ImageLoaded condition="is">C:\Windows\System32\hid.dll</ImageLoaded> <!--MimiKatz Detection Credit: @Cyb3rWard0g: https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for.html -->
<ImageLoaded condition="is">C:\Windows\System32\samlib.dll</ImageLoaded> <!--MimiKatz Detection Credit: @Cyb3rWard0g: https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for.html -->
<ImageLoaded condition="is">C:\Windows\System32\vaultcli.dll</ImageLoaded> <!--MimiKatz Detection Credit: @Cyb3rWard0g: https://cyberwardog.blogspot.com/2017/03/ch
View config.yml
client:
hosts:
- 127.0.0.1
port: 9200
url_prefix:
use_ssl: False
certificate:
client_cert:
client_key:
ssl_no_validate: False