@burnnotice
burnnotice / gcp_enum.sh
Created May 24, 2022 20:05 — forked from carnal0wnage/gcp_enum.sh
Use the gcloud utilities to enumerate as much access as possible from a GCP service account JSON file. See blog post: <to insert>
# gcloud auth activate-service-account --key-file=85.json
# gcloud projects list
project="my-project"
space=""
echo "gcloud auth list"
gcloud auth list
echo -e "$space"
burnnotice / namemash.py
Created October 7, 2021 19:25 — forked from superkojiman/namemash.py
Creating a username list for brute-force attacks.
#!/usr/bin/env python
import sys
import os.path

if __name__ == "__main__":
    # Expect exactly one argument: a file with one full name per line
    if len(sys.argv) != 2:
        print("usage: {} names.txt".format(sys.argv[0]))
        sys.exit(0)
    if not os.path.exists(sys.argv[1]):
        print("{}: file not found".format(sys.argv[1]))
        sys.exit(1)
burnnotice / Workstation-Takeover.md
Created August 12, 2021 15:24 — forked from gladiatx0r/Workstation-Takeover.md
From RPC to RCE - Workstation Takeover via RBCD and MS-RPChoose-Your-Own-Adventure

Overview

In the default configuration of Active Directory, it is possible to remotely take over workstations (Windows 7/10/11) and possibly servers (if the Desktop Experience feature is installed) while their WebClient service is running. In short, this is accomplished by:

  • Coercing the target machine to authenticate over HTTP via either MS-RPRN or MS-EFSRPC (as demonstrated by @tifkin_). This requires a set of credentials for the RPC call.
  • Relaying that machine authentication to LDAPS to configure RBCD on the target's computer object (its msDS-AllowedToActOnBehalfOfOtherIdentity attribute).
  • RBCD takeover: using S4U2Self/S4U2Proxy from the controlled principal to obtain a service ticket to the target as a privileged user.

The caveat is that the WebClient service does not start automatically at boot. However, if the WebClient service has already been triggered to start on a workstation (for example, by some SharePoint interaction), you can remotely take over that system. In addition, there are several ways to coerce the WebClient service to start remotely, which I cover in a section below.
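Added example (not part of the original write-up or of any of the forked gists): a PowerShell audit for the two preconditions the chain above depends on, plus the two hardening changes that break it. It assumes the RSAT ActiveDirectory module, read access to computer objects, CIM/WinRM access to the workstations, and a placeholder `$Targets` host list; all function names are this example's own.

```powershell
# Added audit helper; not from the original gist or the takeover write-up.
# Assumes the RSAT ActiveDirectory module, read access to computer objects and
# CIM/WinRM access to the hosts in $Targets (placeholder hostnames).
Import-Module ActiveDirectory

# The relay step writes msDS-AllowedToActOnBehalfOfOtherIdentity on the victim's
# computer object. Every principal listed there may impersonate users to that host,
# so an entry you did not create is the post-exploitation artifact to hunt for.
function Get-RbcdDelegations {
    $attr = 'msDS-AllowedToActOnBehalfOfOtherIdentity'
    Get-ADComputer -LDAPFilter "($attr=*)" -Properties $attr | ForEach-Object {
        $computer = $_
        # The AD module surfaces this attribute as an ActiveDirectorySecurity object
        foreach ($rule in $computer.$attr.Access) {
            [pscustomobject]@{
                Target               = $computer.Name
                AllowedToActOnBehalf = $rule.IdentityReference.Value
                Rights               = $rule.ActiveDirectoryRights
            }
        }
    }
}

# The coercion step only works while WebClient is running. Report state and start
# mode: a stopped service with StartMode 'Manual' can still be coerced to start,
# 'Disabled' cannot.
function Get-WebClientState {
    param([Parameter(Mandatory)] [string[]] $ComputerName)
    foreach ($c in $ComputerName) {
        $svc = Get-CimInstance -ComputerName $c -ClassName Win32_Service `
            -Filter "Name='WebClient'" -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Computer  = $c
            Present   = [bool] $svc
            State     = if ($svc) { $svc.State } else { 'n/a' }
            StartMode = if ($svc) { $svc.StartMode } else { 'n/a' }
        }
    }
}

# Remediation for the two links of the chain. Run against the workstations: stop and
# disable WebClient so the HTTP authentication cannot be coerced.
function Disable-WebClient {
    param([Parameter(Mandatory)] [string[]] $ComputerName)
    foreach ($c in $ComputerName) {
        Invoke-Command -ComputerName $c -ScriptBlock {
            Stop-Service WebClient -Force -ErrorAction SilentlyContinue
            Set-Service WebClient -StartupType Disabled
        }
    }
}

# Run on each domain controller. Requiring LDAP signing alone does not stop the
# relay because the attacker targets LDAPS; LdapEnforceChannelBinding=2 makes the DC
# reject LDAPS binds whose channel binding token is missing or wrong, which a relayed
# NTLM authentication from an HTTP client cannot supply.
function Enable-LdapChannelBinding {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    Set-ItemProperty -Path $key -Name LdapEnforceChannelBinding -Value 2 -Type DWord
    Set-ItemProperty -Path $key -Name LDAPServerIntegrity -Value 2 -Type DWord
}

$Targets = @('WS01', 'WS02')   # placeholder hostnames
Get-RbcdDelegations | Format-Table -AutoSize
Get-WebClientState -ComputerName $Targets | Format-Table -AutoSize
```

Run the two `Get-` functions first to see the current exposure; `Disable-WebClient` and `Enable-LdapChannelBinding` change production settings and should go through change control, since channel binding enforcement also rejects legitimate LDAPS clients that do not send a CBT.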

burnnotice / GPPDecrypt.ps1
Created August 9, 2021 19:20 — forked from andreafortuna/GPPDecrypt.ps1
Group Policy Preferences Decoder
param (
    [string]$cpassword
)
function Get-DecryptedCpassword {
    [CmdletBinding()]
    Param (
        [string] $Cpassword
    )
    # Restore the stripped base64 '=' padding, then AES-256-CBC decrypt with the public MS-GPPREF key and an all-zero IV; plaintext is UTF-16-LE with PKCS#7 padding
    $Bytes = [Convert]::FromBase64String($Cpassword + '=' * ((4 - $Cpassword.Length % 4) % 4))
    $Aes = [System.Security.Cryptography.Aes]::Create()
    $Aes.Key = [byte[]] (0..31 | ForEach-Object { [Convert]::ToByte('4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b'.Substring(2 * $_, 2), 16) })
    $Aes.IV = New-Object byte[] 16
    [System.Text.Encoding]::Unicode.GetString($Aes.CreateDecryptor().TransformFinalBlock($Bytes, 0, $Bytes.Length))
}
Get-DecryptedCpassword -Cpassword $cpassword
burnnotice / GPPDecrypt.py
Created August 9, 2021 19:19 — forked from andreafortuna/GPPDecrypt.py
Group Policy Preference Password Decoder
#!/usr/bin/env python3
import base64
import sys
from Crypto.Cipher import AES

def decrypt(encrypt_str):
    # cpassword values drop the trailing base64 '=' padding; restore it before decoding
    padding = "=" * (-len(encrypt_str) % 4)
    encrypt_str = base64.b64decode(encrypt_str + padding)
    # Public available AES key on https://msdn.microsoft.com/en-us/library/2c15cbf0-f086-4c74-8b70-1f2fa45dd4be.aspx?f=255&MSPPError=-2147217396
    key = bytes.fromhex("4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b")
    # AES-256-CBC with an all-zero IV; the plaintext is UTF-16-LE with PKCS#7 padding
    plaintext = AES.new(key, AES.MODE_CBC, b"\x00" * 16).decrypt(encrypt_str)
    return plaintext[:-plaintext[-1]].decode("utf-16-le")

if __name__ == "__main__":
    print(decrypt(sys.argv[1]))
burnnotice / oauthServer.go
Created July 28, 2021 14:24 — forked from invokethreatguy/oauthServer.go
A mini OAuth server for Azure
package main
import (
"crypto/tls"
"fmt"
"io/ioutil"
"net/http"
"net/url"
"strings"
)
burnnotice / tmux.conf
Created March 26, 2021 03:09 — forked from swtornio/tmux.conf
tmux config
#############################################
## DEFAULT GENERAL SETTINGS (tmux show -g) ##
#############################################
set-option -g activity-action other
set-option -g assume-paste-time 1
set-option -g base-index 0
set-option -g bell-action any
set-option -g default-command ""
set-option -g default-shell "/bin/bash"
burnnotice / MITRE_Attack_WindowsAppControl.csv
Created February 12, 2021 18:32 — forked from mgraeber-rc/MITRE_Attack_WindowsAppControl.csv
Windows-specific MITRE ATT&CK techniques application control prevention assessment. This is a first attempt to assess the extent to which application control solutions would mitigate/prevent attack techniques. Note: this highly subjective assessment assumes a system that enforces an application control solution that at a minimum allows all Windo…
ID,Name,MitigatedByAppControl,Notes
T1001,Data Obfuscation,Not Applicable,Relevant sub-techniques addressed below
T1001.001,Junk Data,No,Technique is not necessarily related to the execution of arbitrary code on an endpoint.
T1001.002,Steganography,Limited,"If custom attacker code were necessary to perform this technique, it would be prevented."
T1001.003,Protocol Impersonation,Limited,"If custom attacker code were necessary to perform this technique, it would be prevented."
T1003,OS Credential Dumping,Not Applicable,Relevant sub-techniques addressed below
T1003.001,LSASS Memory,Limited,Built-in utilities exist to perform this technique. They would have to be explicitly blocked.
T1003.002,Security Account Manager,Limited,Built-in utilities exist to perform this technique. They would have to be explicitly blocked.
T1003.003,NTDS,Limited,Built-in utilities exist to perform this technique. They would have to be explicitly blocked.
T1003.004,LSA Secrets,Limited,Built-in utilities exist to perform this technique.
using System;
using System.Diagnostics;
using System.Runtime.InteropServices;

namespace BlockDllTest
{
    class Program
    {
        static void Main(string[] args)
        {
        }
    }
}