Skip to content

Instantly share code, notes, and snippets.

View jordanpotti's full-sized avatar
🏠
no

JP jordanpotti

🏠
no
218 followers · 10 following
View GitHub Profile
@gladiatx0r
gladiatx0r / Workstation-Takeover.md
Last active April 25, 2024 13:23
From RPC to RCE - Workstation Takeover via RBCD and MS-RPChoose-Your-Own-Adventure

Overview

In the default configuration of Active Directory, it is possible to remotely take over Workstations (Windows 7/10/11) and possibly servers (if Desktop Experience is installed) when their WebClient service is running. This is accomplished in short by;

  • Triggering machine authentication over HTTP via either MS-RPRN or MS-EFSRPC (as demonstrated by @tifkin_). This requires a set of credentials for the RPC call.
  • Relaying that machine authentication to LDAPS for configuring RBCD
  • RBCD takeover

The caveat to this is that the WebClient service does not automatically start at boot. However, if the WebClient service has been triggered to start on a workstation (for example, via some SharePoint interactions), you can remotely take over that system. In addition, there are several ways to coerce the WebClient service to start remotely which I cover in a section below.

@deltronzero
deltronzero / bh_split.py
Last active September 14, 2023 10:06
split one large bloodhound file into multiple smaller files to work around memory limitations
import json
file_name = "20210312152708_computers.json"
type = "computers"
object_limit = 10000
print(f"[*] loading {file_name}")
data = json.loads(open(file_name,'r').read().encode().decode('utf-8-sig'))
total_objects = data['meta']['count']
@Marshall-Hallenbeck
Marshall-Hallenbeck / install_sliver_service.sh
Last active March 8, 2022 07:32
install sliver-server as a systemd service
#!/bin/bash
FILE=/etc/systemd/system/sliver-server.service
if [ ! -f "$FILE" ];then
sudo echo "[Unit]
Description=Sliver Server
[Service]
Type=simple
ExecStart=/usr/local/bin/sliver-server" > $FILE
@marzavec
marzavec / run.js
Created August 8, 2019 16:43
Browser-based subdomain bruteforcing using DNS over HTTP(s) (DoH)
/*
Developer: Marzavec ( https://github.com/marzavec )
Description: A simple browser-based subdomain bruteforcing script, using DoH providers. Developed as a 5 minute hack, just to see it's preformance. Many improvements could be made, such as adding error handling or informing the user when the script is done.
Usage: Open the browsers dev console (usually F12), paste this script, change the `rootTld`, press enter to run. Ezpz.
*/
const rootTld = 'lyka.pro'; // change to your target's root tld
// url to newline seperated wordlist
const wordlistUrl = 'https://raw.githubusercontent.com/rbsec/dnscan/master/subdomains.txt';
@avuko
avuko / ldapsearch.py
Last active July 29, 2019 09:38
ldap search queries in python (with NTLM + SSL)
#!/usr/bin/env python3
import secrets
import sys
from ldap3 import Server, Connection, ALL, NTLM
try:
username = sys.argv[1]
except IndexError:
exit('please provide a username: {} <name>'.format(sys.argv[0]))
@jeffmcjunkin
jeffmcjunkin / gist:7b4a67bb7dd0cfbfbd83768f3aa6eb12
Last active November 12, 2023 16:35
Useful Cypher queries for BloodHound
MATCH (u:User)-[r:AdminTo|MemberOf*1..]->(c:Computer
RETURN u.name
That’ll return a list of users who have admin rights on at least one system either explicitly or through group membership
---------------
MATCH
(U:User)-[r:MemberOf|:AdminTo*1..]->(C:Computer)
WITH
U.name as n,
@HarmJ0y
HarmJ0y / cobaltstrike_sa.txt
Created September 28, 2018 22:22
Cobalt Strike Situational Awareness Commands
Windows version:
reg query x64 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion
Users who have authed to the system:
ls C:\Users\
System env variables:
reg query x64 HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment
Saved outbound RDP connections:
@curi0usJack
curi0usJack / Bash Prompt
Last active July 16, 2019 21:38
# Add to your .bashrc. May need to tweak the ifconfig output for your distro.
# Ubuntu
PROMPT_COMMAND='PS1="\[\033[01;34m\][\u.\h \[\033[0;33m\]`ifconfig eth0 2>/dev/null | sed -n 2,2p | cut -d":" -f 2| cut -d" " -f 1`: \[\033[32m\]\`if [[ `pwd|wc -c|tr -d " "` > 18 ]]; then echo "\\W"; else echo "\\w"; fi\`]\$\[\033[0m\] "'
# Kali
PROMPT_COMMAND='PS1="\[\033[01;34m\][\u.\h \[\033[0;33m\]`ifconfig eth1 2>/dev/null | sed -n 2,2p | awk {'"'"'print $2'"'"'}`: \[\033[32m\]\`if [[ `pwd|wc -c|tr -d " "` > 18 ]]; then echo "\\W"; else echo "\\w"; fi\`]\$\[\033[0m\] "'
# AWS EC2
PROMPT_COMMAND='PS1="\[\033[01;34m\][\u.\h \D{%F %T} \[\033[0;33m\]`curl http://169.254.169.254/latest/meta-data/public-ipv4 2>/dev/null`: \[\033[32m\]\`if [[ `pwd|wc -c|tr -d " "` > 18 ]]; then echo "\\W"; else echo "\\w"; fi\`]\n\$\[\033[0m\] "'
@mgeeky
mgeeky / sep-directory-exclusion.reg
Last active February 21, 2023 18:42
Symantec Endpoint Protection directory exclusion registry key. According to M-Trends 2018, one of techniques used to overcome active AV scanning is to create a directory for files drop and to add it into AV's exclusion via registry.
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Symantec\Symantec Endpoint Protection\AV\Exclusions\ScanningEngines\Directory\Client\1733004144]
"Owner"=dword:00000004
"ProtectionTechnology"=dword:00000001
"FirstAction"=dword:00000011
"SecondAction"=dword:00000011
"DirectoryName"="C:\\to\\be\\excluded\\"
"ThreatName"="C:\\to\\be\\excluded\\"
"ExcludeSubDirs"=dword:00000001
@glenndevenish
glenndevenish / FormToCalendar.gs
Created February 19, 2018 10:01
Google Forms to Google Calendar integration
/*
From the Google Form, go to script editor. Enter this code.
You will need:
Calendar ID
Form ID
License:
Share — copy and redistribute the material in any medium or format
Adapt — remix, transform, and build upon the material for any purpose, even commercially.