Enumerating remote access policies through GPO
https://labs.mwrinfosecurity.com/blog/enumerating-remote-access-policies-through-gpo/
@WindowsHackingLibrary
MailSniper
MailSniper is a penetration testing tool for searching through email in a Microsoft Exchange environment for specific terms (passwords, insider intel, network architecture information, etc.). It can be used as a non-administrative user to search their own email, or by an administrator to search the mailboxes of every user in a domain.
https://github.com/dafthack/MailSniper
@WindowsHackingLibrary
DomainPasswordSpray
DomainPasswordSpray is a tool written in PowerShell to perform a password spray attack against users of a domain. By default it will automatically generate the userlist from the domain.
https://github.com/dafthack/DomainPasswordSpray
@WindowsHackingLibrary
5 Ways to Find Systems Running Domain Admin Processes
https://blog.netspi.com/5-ways-to-find-systems-running-domain-admin-processes/
@WindowsHackingLibrary
How to bypass GPO Policy restriction for Powershell usage
PowerShdll: run PowerShell with rundll32 to bypass software restrictions.
https://github.com/p3nt4/PowerShdll
@WindowsHackingLibrary
ADAPE - Active Directory Assessment and Privilege Escalation Script
https://github.com/hausec/ADAPE-Script
@WindowsHackingLibrary
Kerberoasting, exploiting unpatched systems – a day in the life of a Red Teamer
http://niiconsulting.com/checkmate/2018/05/kerberoasting-exploiting-unpatched-systems-a-day-in-the-life-of-a-red-teamer/
@WindowsHackingLibrary
Understanding and Evading Get-InjectedThread
https://blog.xpnsec.com/undersanding-and-evading-get-injectedthread/
@WindowsHackingLibrary
PowerLessShell relies on MSBuild.exe to remotely execute PowerShell scripts and commands without spawning powershell.exe. You can also execute raw shellcode using the same approach.
https://github.com/Mr-Un1k0d3r/PowerLessShell
@WindowsHackingLibrary
Dumping Clear-Text Credentials
https://pentestlab.blog/2018/04/04/dumping-clear-text-credentials/
@WindowsHackingLibrary
Office365 ActiveSync Username Enumeration
https://www.sec-1.com/blog/2017/office365-activesync-username-enumeration
@WindowsHackingLibrary
This script will attempt to list and get TGTs for those users that have the property
'Do not require Kerberos preauthentication' set (UF_DONT_REQUIRE_PREAUTH).
For those users with such configuration, a John The Ripper output will be generated so
you can send it for cracking.
https://github.com/CoreSecurity/impacket/commit/bada8a719f8ed7be4633514eea94bc768dbaf019
@WindowsHackingLibrary
NTLMv1 Multitool
This tool modifies NTLMv1/NTLMv1-ESS/MSCHAPv2 hashes so they can be cracked with DES Mode 14000 in hashcat
https://github.com/evilmog/ntlmv1-multi/
@WindowsHackingLibrary
Invoke-Phant0m
This script walks the thread stacks of the Event Log Service process (a specific svchost.exe), identifies the Event Log threads and kills them. The system will then no longer collect logs, while the Event Log Service still appears to be running.
https://artofpwn.com/phant0m-killing-windows-event-log.html
https://github.com/hlldz/Invoke-Phant0m
@WindowsHackingLibrary
Dumping Active Directory Domain Info – with PowerUpSQL!
https://blog.netspi.com/dumping-active-directory-domain-info-with-powerupsql/
@WindowsHackingLibrary
15 Ways to Bypass the PowerShell Execution Policy
https://blog.netspi.com/15-ways-to-bypass-the-powershell-execution-policy/
@WindowsHackingLibrary
Elevate, UAC bypass, persistence, privilege escalation, dll hijack techniques
https://github.com/rootm0s/WinPwnage
@WindowsHackingLibrary
Abusing DCOM For Yet Another Lateral Movement Technique
https://bohops.com/2018/04/28/abusing-dcom-for-yet-another-lateral-movement-technique
@WindowsHackingLibrary
Invoke-WMILM
This is a PoC script for various methods to achieve authenticated remote code execution via WMI, without (at least directly) using the Win32_Process class. The technique used is selected by the "Type" parameter.
https://github.com/Cybereason/Invoke-WMILM/blob/master/README.md
@WindowsHackingLibrary