Start nessus running against all in scope hosts
Check out-of-scope hosts and make sure they're not scanned!
Curtis Houghton curtishoughton
curtishoughton
/ Pentest-Redteam-Helpful-commands.md
Last active
January 9, 2025 21:52
curtishoughton
/ dementor.py
Created
November 15, 2023 23:18
— forked from 3xocyte/dementor.py
rough PoC to connect to spoolss to elicit machine account authentication
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python | |
| # abuse cases and better implementation from the original discoverer: https://github.com/leechristensen/SpoolSample | |
| # some code from https://www.exploit-db.com/exploits/2879/ | |
| import os | |
| import sys | |
| import argparse | |
| import binascii | |
| import ConfigParser |
curtishoughton
/ gist:928e2a85d6a7478969370d98cf2b88db
Created
June 10, 2023 20:19
— forked from kaimi-/gist:6b3c99538dce9e3d29ad647b325007c1
Possible IP Bypass HTTP Headers
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| CACHE_INFO: 127.0.0.1 | |
| CF_CONNECTING_IP: 127.0.0.1 | |
| CF-Connecting-IP: 127.0.0.1 | |
| CLIENT_IP: 127.0.0.1 | |
| Client-IP: 127.0.0.1 | |
| COMING_FROM: 127.0.0.1 | |
| CONNECT_VIA_IP: 127.0.0.1 | |
| FORWARD_FOR: 127.0.0.1 | |
| FORWARD-FOR: 127.0.0.1 | |
| FORWARDED_FOR_IP: 127.0.0.1 |
curtishoughton
/ krbrelay_privesc_howto.md
Created
May 26, 2022 21:33
— forked from tothi/krbrelay_privesc_howto.md
Privilege Escalation using KrbRelay and RBCD
Short HOWTO about one use case of the work from Cube0x0 (KrbRelay) and others.
No-Fix Local Privilege Escalation from low-priviliged domain user to local system on domain-joined computers.
Prerequisites:
- LDAP signing not required on Domain Controller (default!)
curtishoughton
/ PowerView-3.0-tricks.ps1
Created
May 26, 2022 21:02
— forked from HarmJ0y/PowerView-3.0-tricks.ps1
PowerView-3.0 tips and tricks
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # PowerView's last major overhaul is detailed here: http://www.harmj0y.net/blog/powershell/make-powerview-great-again/ | |
| # tricks for the 'old' PowerView are at https://gist.github.com/HarmJ0y/3328d954607d71362e3c | |
| # the most up-to-date version of PowerView will always be in the dev branch of PowerSploit: | |
| # https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1 | |
| # New function naming schema: | |
| # Verbs: | |
| # Get : retrieve full raw data sets | |
| # Find : ‘find’ specific data entries in a data set |
curtishoughton
/ fuck.js
Created
February 13, 2022 17:08
— forked from ujin5/fuck.js
WebKit RCE on ios 14.1
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function sleep( sleepDuration ){ | |
| var now = new Date().getTime(); | |
| while(new Date().getTime() < now + sleepDuration){ /* do nothing */ } | |
| } | |
| function gc() { | |
| for (let i = 0; i < 0x10; i++) { | |
| new ArrayBuffer(0x1000000); | |
| } | |
| } | |
| let data_view = new DataView(new ArrayBuffer(8)); |
curtishoughton
/ kernelcallback.cs
Created
December 30, 2021 23:23
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| using System; | |
| using System.Runtime.InteropServices; | |
| using System.Text; | |
| namespace SendMessageKernelCallback | |
| { | |
| /*References: | |
| * 1. https://t0rchwo0d.github.io/windows/Windows-Process-Injection-Technique-KernelCallbackTable/ | |
| * 2. https://modexp.wordpress.com/2019/05/25/windows-injection-finspy/ | |
| */ |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| using System; | |
| using System.Runtime.InteropServices; | |
| /* References | |
| * 1. https://www.ired.team/offensive-security/defense-evasion/detecting-hooked-syscall-functions | |
| * 2. https://github.com/Mr-Un1k0d3r/EDRs | |
| */ | |
| namespace SharpHookCheck | |
| { |
curtishoughton
/ FodhelperUACBypass.ps1
Created
October 20, 2021 19:38
— forked from netbiosX/FodhelperUACBypass.ps1
Bypass UAC via Fodhelper binary in Windows 10 systems
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <# | |
| .SYNOPSIS | |
| This script can bypass User Access Control (UAC) via fodhelper.exe | |
| It creates a new registry structure in: "HKCU:\Software\Classes\ms-settings\" to perform UAC bypass and starts | |
| an elevated command prompt. | |
| .NOTES | |
| Function : FodhelperUACBypass | |
| File Name : FodhelperUACBypass.ps1 |
curtishoughton
/ concat_exploit.js
Created
October 18, 2021 11:25
— forked from cd789/concat_exploit.js
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| class Helpers { | |
| constructor() { | |
| this.buf = new ArrayBuffer(8); | |
| this.f64 = new Float64Array(this.buf); | |
| this.f32 = new Float32Array(this.buf); | |
| this.u32 = new Uint32Array(this.buf); | |
| this.u64 = new BigUint64Array(this.buf); | |
| this.state = {}; | |
| } |
NewerOlder