Lee Chagolla-Christensen leechristensen
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;
namespace UltraVNCPasswordDecoder
{
class Program
{
public static string ByteArrayToHex(byte[] bytes)
<#
Author: Lee Christensen (@tifkin_)
License: BSD 3-Clause
Required Dependencies: None
Usage Example:
1. On a Linux or OS X machine with ldapsearch installed, run the following, replacing "DC=domain,DC=local" with the DN of the organization's domain:
ldapsearch -o ldif-wrap=no -h dc.domain.local -p 389 -D 'username@domain.local' -w P@ssw0rd -E 'pr=1000/noprompt' -E '!1.2.840.113556.1.4.801=::MAMCAQc=' -b 'CN=Public Key Services,CN=Services,CN=Configuration,DC=domain,DC=local' > ldap_dump.txt
@leechristensen
leechristensen / Get-DriversWithCallbacks.ps1
Last active November 15, 2024 19:11
Enumerates loaded Kernel drivers that import callback APIs
# Find loaded kernel drivers that register callbacks
# Requirements: NtObjectManager (https://github.com/googleprojectzero/sandbox-attacksurface-analysis-tools/tree/master/NtObjectManager)
function Get-DriversWithCallbacks {
[CmdletBinding()]
Param()
Get-NtKernelModule | ForEach-Object {
$ModulePath = $_.FullPathName
$FilePath = $null
# load up the slightly-stripped BouncyCastle library, adapted from https://github.com/bcgit/bc-csharp
# Copyright (c) 2000 - 2015 The Legion of the Bouncy Castle Inc. (http://www.bouncycastle.org)
# see LICENSE_Bouncy_Castles for license information
try {
$null = [Org.BouncyCastle.Asn1.Asn1InputStream]
} catch {
$EncodedCompressedFile = '
@leechristensen
leechristensen / cmd_spoolss.c
Created September 17, 2017 20:27
addprinternotification
/*
Unix SMB/CIFS implementation.
RPC pipe client
Copyright (C) Gerald Carter 2001-2005
Copyright (C) Tim Potter 2000
Copyright (C) Andrew Tridgell 1992-1999
Copyright (C) Luke Kenneth Casson Leighton 1996-1999
Copyright (C) Guenther Deschner 2009
@leechristensen
leechristensen / ParseRpcServer.md
Created November 8, 2024 21:22
Example of using NtObjectManager to parse RPC server method

These commands demonstrate how you can extract RPC server information from a Windows binary. This data is embedded inside any Windows RPC server binary and includes general information about the RPC server and the methods it exposes (including parameter counts and type/struct info).

Run all these commands in a PowerShell window.

Install NtObjectManager

In a PowerShell window, install NtObjectManager:

Install-Module NtObjectManager -Scope CurrentUser
Install-Module NtObjectManager
Import-Module NtObjectManager
$Servers = Get-RpcServer -Path C:\Windows\system32\efssvc.dll `
-DbgHelpPath 'C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\dbghelp.dll'
$EfsInterface = $Servers | Where-Object { $_.InterfaceId -eq 'df1941c5-fe89-4e79-bf10-463657acf44d' }
$client = Get-RpcClient -Server $EfsInterface
$client.Connect()
function Test-NtlmVersion {
[CmdletBinding()]
Param(
[Parameter(Position = 0, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True, Mandatory = $True)]
[ValidateNotNullOrEmpty()]
[String]
$IpAddress,
[Parameter(Position = 1, Mandatory = $True)]
[ValidateNotNullOrEmpty()]
@leechristensen
leechristensen / CES.py
Last active August 26, 2024 02:28
Crude example of how to build a CSR and issue an HTTP request for a certificate via AD CS's Certificate Enrollment Web Service's SOAP endpoint
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography import x509
from cryptography.x509.extensions import ExtensionType
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.x509.general_name import GeneralName, IPAddress, OtherName
import base64
import pyasn1
@leechristensen
leechristensen / BorlandCPPDemangler.cpp
Created July 30, 2024 17:39
A script for Ghidra to demangle function names and apply types to functions. Note: Ghidra supports only adding C types to functions. If a C++ type is detected by the demangler, the function will receive a type substituted with "undefined4" instead. Original source from https://github.com/egorolegovichyakovlev/BorlandCPPDemangler
/*
* This is free and unencumbered software released into the public domain.
*
* Anyone is free to copy, modify, publish, use, compile, sell, or
* distribute this software, either in source code form or as a compiled
* binary, for any purpose, commercial or non-commercial, and by any
* means.
*
* In jurisdictions that recognize copyright laws, the author or authors
* of this software dedicate any and all copyright interest in the