glides

using System.Runtime.InteropServices;
using System;

/* 
 * Simple C# PoC to enable WebClient Service Programmatically
 * Based on the C++ version from @tirannido (James Forshaw)
 * Twitter: https://twitter.com/tiraniddo
 * URL: https://www.tiraniddo.dev/2015/03/starting-webclient-service.html
 * 
 * Compile with:

glides

using System;
using System.Linq;
using Org.BouncyCastle.Asn1.X9;
using Org.BouncyCastle.Crypto;
using Org.BouncyCastle.Crypto.Generators;
using Org.BouncyCastle.Crypto.Parameters;
using Org.BouncyCastle.Security;

namespace Program
{

glides

Kerberos cheatsheet

Bruteforcing

With kerbrute.py:

python kerbrute.py -domain <domain_name> -users <users_file> -passwords <passwords_file> -outputfile <output_file>

With Rubeus version with brute module:

glides

########## Connect to o365 ##########
## Change $username and $pass to match your environment
## See: https://blogs.technet.microsoft.com/robcost/2008/05/01/powershell-tip-storing-and-using-password-credentials/ for how to create a cred file.
$username = "[email protected]"
$pass = gc "F:\PSScripts\Office365-PowershellCreds.txt" | convertto-securestring
$creds = New-Object -typename System.Management.Automation.PSCredential `
            -argumentlist $username, $pass
$MESession = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $Creds -Authentication Basic -AllowRedirection
Import-PSSession $MESession -AllowClobber
Connect-MsolService -Credential $creds

glides

## There are oneliners that try to enable logging for all users but in a large environment you will run into a data cap for the session - that is why this is split up using a foreach loop

$mailboxes = Get-Mailbox -ResultSize Unlimited -Filter {RecipientTypeDetails -eq "UserMailbox" -or RecipientTypeDetails -eq "SharedMailbox" -or RecipientTypeDetails -eq "RoomMailbox" -or RecipientTypeDetails -eq "DiscoveryMailbox"} 

foreach($m in $mailboxes) {
Set-Mailbox $m.Identity.ToString() -AuditEnabled $true -AuditLogAgeLimit 180 -AuditOwner Create,HardDelete,MailboxLogin,Move,MoveToDeletedItems,SoftDelete,Update,UpdateFolderPermissions -AuditDelegate Create,HardDelete,Move,MoveToDeletedItems,SendAs,SendOnBehalf,SoftDelete,Update,UpdateFolderPermissions -AuditAdmin Copy,Create ,HardDelete ,Move,MoveToDeletedItems,SendAs,SendOnBehalf,SoftDelete,Update,UpdateFolderPermissions
Start-Sleep -Milliseconds 75
}

glides

# AES-256 with key decryption function Boo Lang

public static def decrypt(ciphertext as (byte), key as string) as (byte):
        using aesAlg = Aes.Create():
            salt = array(byte,[0x12,0x35,0x56,0x78,0x90,0xAB,0xAD,0xEF,0xDD,0x31])
            rfc = Rfc2898DeriveBytes(key,salt)
            aesAlg.Padding = PaddingMode.PKCS7
            aesAlg.KeySize = 256
            aesAlg.Key = rfc.GetBytes(32)
            aesAlg.IV = rfc.GetBytes(16)

glides

# AES-256 with key encryption function Boo Lang

public static def encrypt(cleartext as (byte), key as string) as (byte):
        using aesAlg = Aes.Create():
            salt = array(byte,[0x12,0x35,0x56,0x78,0x90,0xAB,0xAD,0xEF,0xDD,0x31])
            rfc = Rfc2898DeriveBytes(key,salt)
            aesAlg.Padding = PaddingMode.PKCS7
            aesAlg.KeySize = 256
            aesAlg.Key = rfc.GetBytes(32)
            aesAlg.IV = rfc.GetBytes(16)

glides

def all_interfaces():
    max_possible = 128
    bytes = max_possible * 32
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    names = array.array('B', '\0' * bytes)
    outbytes = struct.unpack('iL', fcntl.ioctl(s.fileno(), 0x8912, struct.pack('iL', bytes, names.buffer_info()[0])))[0]
    namestr = names.tostring()
    lst = []
    for i in range(0, outbytes, 40):
        name = namestr[i:i + 16].split('\0', 1)[0]