With kerbrute.py:
python kerbrute.py -domain <domain_name> -users <users_file> -passwords <passwords_file> -outputfile <output_file>
With Rubeus version with brute module:
| (?i)((access_key|access_token|admin_pass|admin_user|algolia_admin_key|algolia_api_key|alias_pass|alicloud_access_key|amazon_secret_access_key|amazonaws|ansible_vault_password|aos_key|api_key|api_key_secret|api_key_sid|api_secret|api.googlemaps AIza|apidocs|apikey|apiSecret|app_debug|app_id|app_key|app_log_level|app_secret|appkey|appkeysecret|application_key|appsecret|appspot|auth_token|authorizationToken|authsecret|aws_access|aws_access_key_id|aws_bucket|aws_key|aws_secret|aws_secret_key|aws_token|AWSSecretKey|b2_app_key|bashrc password|bintray_apikey|bintray_gpg_password|bintray_key|bintraykey|bluemix_api_key|bluemix_pass|browserstack_access_key|bucket_password|bucketeer_aws_access_key_id|bucketeer_aws_secret_access_key|built_branch_deploy_key|bx_password|cache_driver|cache_s3_secret_key|cattle_access_key|cattle_secret_key|certificate_password|ci_deploy_password|client_secret|client_zpk_secret_key|clojars_password|cloud_api_key|cloud_watch_aws_access_key|cloudant_password|cloudflare_api_key|cloudflare_auth_k |
| Apple M1 Ultra, 20 Core CPU, 48 Core GPU, 64GB of RAM, 1TB SSD | |
| Thanks to @fhlipZero(https://twitter.com/fhlipZero) for running the benchmark on his hardware and allowing me to publish it. | |
| A copy of both a short benchmark and the following full run can be found at https://gist.github.com/fhlip0 | |
| hashcat (v6.2.5-340-g98b89e43d) starting in benchmark mode | |
| Benchmarking uses hand-optimized kernel code by default. |
| (async function(){ | |
| // https://stackoverflow.com/questions/8735792/how-to-parse-link-header-from-github-api | |
| const linkParser = (linkHeader)=>{ | |
| let re = /,[\s]*<(.*?)>;[\s]*rel="next"/g; | |
| let result = re.exec(linkHeader); | |
| if (result == null) { | |
| return null; | |
| } | |
| return result[1]; |
| Java.perform(function() { | |
| console.log('\n[.] Cert Pinning Bypass'); | |
| // Create a TrustManager that trusts everything | |
| console.log('[+] Creating a TrustyTrustManager that trusts everything...'); | |
| var X509TrustManager = Java.use('javax.net.ssl.X509TrustManager'); | |
| var TrustyTrustManager = Java.registerClass({ | |
| name: 'com.example.TrustyTrustManager', | |
| implements: [X509TrustManager], | |
| methods: { |
| apt update | |
| apt -y install wget gnupg dirmngr | |
| wget -q -O - https://archive.kali.org/archive-key.asc | gpg --import | |
| gpg --keyserver hkp://keys.gnupg.net --recv-key 44C6513A8E4FB3D30875F758ED444FF07D8D0BF6 | |
| echo "deb http://http.kali.org/kali kali-rolling main non-free contrib" >> /etc/apt/sources.list | |
| gpg -a --export ED444FF07D8D0BF6 | sudo apt-key add - | |
| apt update | |
| apt -y upgrade | |
| apt -y dist-upgrade | |
| apt -y autoremove --purge |
| (function (context, trackingId, options) { | |
| const history = context.history; | |
| const doc = document; | |
| const nav = navigator || {}; | |
| const storage = localStorage; | |
| const encode = encodeURIComponent; | |
| const pushState = history.pushState; | |
| const typeException = 'exception'; | |
| const generateId = () => Math.random().toString(36); | |
| const getId = () => { |
| javascript: (function () { | |
| var linkNode = document.createElement('link'); | |
| linkNode.rel = 'stylesheet'; | |
| linkNode.href = 'http://www.website.com/stylesheets/style.css'; | |
| document.getElementsByTagName('head')[0].appendChild(linkNode); | |
| })(); |
| #!/bin/bash | |
| # Written by Frans Rosén (twitter.com/fransrosen) | |
| _debug="$2" #turn on debug | |
| _timeout="20" | |
| # you need a valid key, since the errors happen after it validates that the key exists. We do not need the secret key, only the access key | |
| _aws_key="AKIA..." | |
| H_ACCEPT="accept-language: en-US,en;q=0.9,sv;q=0.8,zh-TW;q=0.7,zh;q=0.6,fi;q=0.5,it;q=0.4,de;q=0.3" | |
| H_AGENT="user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.146 Safari/537.36" |