Credit: Sergey Bliznyuk from PT Swarm
Original post: The Guest Who Could: Exploiting LPE in VMWare Tools
Credit: Sergey Bliznyuk from PT Swarm
Original post: The Guest Who Could: Exploiting LPE in VMWare Tools
| import argparse | |
| import datetime | |
| import logging | |
| import os | |
| import random | |
| import struct | |
| import sys | |
| from binascii import hexlify, unhexlify | |
| from six import ensure_binary | 
| import argparse | |
| import datetime | |
| import logging | |
| import os | |
| import random | |
| import struct | |
| import sys | |
| from binascii import hexlify, unhexlify | |
| from six import ensure_binary | 
| from impacket.dcerpc.v5 import epm, rpcrt, transport, nrpc, samr | |
| from impacket.uuid import bin_to_uuidtup | |
| from impacket.crypto import SamDecryptNTLMHash | |
| from impacket.nt_errors import STATUS_MORE_ENTRIES | |
| from impacket.dcerpc.v5.rpcrt import DCERPCException | |
| from binascii import unhexlify, hexlify | |
| from random import randbytes | |
| import sys | |
| import argparse | 
| from impacket.dcerpc.v5 import epm, lsad, rpcrt, transport, lsat, ndr, nrpc | |
| from impacket.uuid import bin_to_uuidtup | |
| from binascii import unhexlify | |
| from random import randbytes | |
| import sys | |
| # Perform an LsarLookupSids3 call with a trust account; it uses Netlogon as the SSP (see [MS-NRPC] 3.3) | |
| # Pure TCP RPC is used (ncacn_ip_tcp option) | |
| # AES is used, so you need impacket PR #1848 (https://github.com/fortra/impacket/pull/1848) | |
| # Tested with impacket 0.12.0 on GOAD | 
| from impacket.dcerpc.v5 import epm, lsad, rpcrt, transport, lsat, ndr, nrpc | |
| from impacket.uuid import bin_to_uuidtup | |
| from binascii import unhexlify, hexlify | |
| from struct import pack, unpack | |
| from random import randbytes | |
| import sys | |
| # Perform a NetrLogonSamLogonWithFlags call with a server account; it uses Netlogon as the SSP (see [MS-NRPC] 3.3) | |
| # Pure TCP RPC is used (ncacn_ip_tcp option) | |
| # RC4 is used here because using AES requires a patched impacket | 
| #!/usr/bin/env python | |
| # Impacket - Collection of Python classes for working with network protocols. | |
| # | |
| # Copyright Fortra, LLC and its affiliated companies | |
| # | |
| # All rights reserved. | |
| # | |
| # This software is provided under a slightly modified version | |
| # of the Apache Software License. See the accompanying LICENSE file | |
| # for more information. | 
| from impacket.dcerpc.v5 import epm, lsad, rpcrt, transport, lsat, ndr, nrpc | |
| from impacket.uuid import bin_to_uuidtup | |
| from binascii import unhexlify | |
| from random import randbytes | |
| import sys | |
| # Perform an LsarLookupSids3 call with a trust account; it uses Netlogon as the SSP (see [MS-NRPC] 3.3) | |
| # Pure TCP RPC is used (ncacn_ip_tcp option) | |
| # RC4 is used here because using AES requires a patched impacket | |
| # Tested with impacket 0.12.0 on GOAD |