NTLMv1 Multitool
This tool modifies NTLMv1/NTLMv1-ESS/MSCHAPv2 hashes so they can be cracked with DES Mode 14000 in hashcat
https://github.com/evilmog/ntlmv1-multi/
@WindowsHackingLibrary
This tool modifies NTLMv1/NTLMv1-ESS/MSCHAPv2 hashes so they can be cracked with DES Mode 14000 in hashcat
https://github.com/evilmog/ntlmv1-multi/
@WindowsHackingLibrary
GitHub
GitHub - evilmog/ntlmv1-multi: NTLMv1 Multitool
NTLMv1 Multitool. Contribute to evilmog/ntlmv1-multi development by creating an account on GitHub.
Invoke-Phant0m
This noscript walks thread stacks of Event Log Service process (spesific svchost.exe) and identify Event Log Threads to kill Event Log Service Threads. So the system will not be able to collect logs and at the same time the Event Log Service will appear to be running.
https://artofpwn.com/phant0m-killing-windows-event-log.html
https://github.com/hlldz/Invoke-Phant0m
@WindowsHackingLibrary
This noscript walks thread stacks of Event Log Service process (spesific svchost.exe) and identify Event Log Threads to kill Event Log Service Threads. So the system will not be able to collect logs and at the same time the Event Log Service will appear to be running.
https://artofpwn.com/phant0m-killing-windows-event-log.html
https://github.com/hlldz/Invoke-Phant0m
@WindowsHackingLibrary
Dumping Active Directory Domain Info – with PowerUpSQL!
https://blog.netspi.com/dumping-active-directory-domain-info-with-powerupsql/
@WindowsHackingLibrary
https://blog.netspi.com/dumping-active-directory-domain-info-with-powerupsql/
@WindowsHackingLibrary
NetSPI Blog
Dumping Active Directory Domain Info - with PowerUpSQL!
This blog walks through some new Active Directory recon functions in PowerUpSQL. The PowerUpSQL functions use the OLE DB ADSI provider to query Active Directory for domain users, computers, and other configuration information through SQL Server queries.
15 Ways to Bypass the PowerShell Execution Policy
https://blog.netspi.com/15-ways-to-bypass-the-powershell-execution-policy/
@WindowsHackingLibrary
https://blog.netspi.com/15-ways-to-bypass-the-powershell-execution-policy/
@WindowsHackingLibrary
NetSPI
15 Ways to Bypass the PowerShell Execution Policy
NetSPI security expert Scott Sutherland covers 15 ways to bypass the PowerShell execution policy without having local administrator rights on the system.
Elevate, UAC bypass, persistence, privilege escalation, dll hijack techniques
https://github.com/rootm0s/WinPwnage
@WindowsHackingLibrary
https://github.com/rootm0s/WinPwnage
@WindowsHackingLibrary
GitHub
GitHub - rootm0s/WinPwnage: UAC bypass, Elevate, Persistence methods
UAC bypass, Elevate, Persistence methods. Contribute to rootm0s/WinPwnage development by creating an account on GitHub.
Abusing DCOM For Yet Another Lateral Movement Technique
https://bohops.com/2018/04/28/abusing-dcom-for-yet-another-lateral-movement-technique
@WindowsHackingLibrary
https://bohops.com/2018/04/28/abusing-dcom-for-yet-another-lateral-movement-technique
@WindowsHackingLibrary
bohops
Abusing DCOM For Yet Another Lateral Movement Technique
TL;DR This post discusses an alternate DCOM lateral movement discovery and payload execution method. The primary gist is to locate DCOM registry key/values that point to the path of a binary on th…
Invoke-WMILM
This is a PoC noscript for various methods to acheive authenticated remote code execution via WMI, without (at least directly) using the Win32_Process class. The type of technique is determined by the "Type" parameter.
https://github.com/Cybereason/Invoke-WMILM/blob/master/README.md
@WindowsHackingLibrary
This is a PoC noscript for various methods to acheive authenticated remote code execution via WMI, without (at least directly) using the Win32_Process class. The type of technique is determined by the "Type" parameter.
https://github.com/Cybereason/Invoke-WMILM/blob/master/README.md
@WindowsHackingLibrary
GitHub
Cybereason/Invoke-WMILM
Contribute to Cybereason/Invoke-WMILM development by creating an account on GitHub.
[Kernel Exploitation] 7: Arbitrary Overwrite (Win7 x86)
https://www.abatchy.com/2018/01/kernel-exploitation-7
@WindowsHackingLibrary
https://www.abatchy.com/2018/01/kernel-exploitation-7
@WindowsHackingLibrary
Abatchy
[Kernel Exploitation] 7: Arbitrary Overwrite (Win7 x86)
This post discusses what an arbitrary overwrite (or write-what-where) vulnerability is and how it can be exploited.
Active Directory as a C2 (Command & Control)
https://akijosberryblog.wordpress.com/2018/03/17/active-directory-as-a-c2-command-control
@WindowsHackingLibrary
https://akijosberryblog.wordpress.com/2018/03/17/active-directory-as-a-c2-command-control
@WindowsHackingLibrary
Akijosberry
Active Directory as a C2 (Command & Control)
Active Directory as a C2 Really ? I was amazed when i read a blog post on AD as a C2 on @Harmj0y’s blog. Curiosity grew into me and wanted to explore it in my lab setup. Why AD as a C2? Activ…
Bypassing Device Guard with .NET Assembly Compilation Methods
http://www.exploit-monday.com/2017/07/bypassing-device-guard-with-dotnet-methods.html
@WindowsHackingLibrary
http://www.exploit-monday.com/2017/07/bypassing-device-guard-with-dotnet-methods.html
@WindowsHackingLibrary
Exploit-Monday
Bypassing Device Guard with .NET Assembly Compilation Methods
Tl;dr This post will describe a Device Guard user mode code integrity (UMCI) bypass (or any other application whitelisting solution ...
DiskShadow: The Return of VSS Evasion, Persistence, and Active Directory Database Extraction
https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/
@WindowsHackingLibrary
https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/
@WindowsHackingLibrary
bohops
DiskShadow: The Return of VSS Evasion, Persistence, and Active Directory Database Extraction
[Source: blog.microsoft.com] Introduction Not long ago, I blogged about Vshadow: Abusing the Volume Shadow Service for Evasion, Persistence, and Active Directory Database Extraction. This tool was…
Jumping Network Segregation with RDP
https://rastamouse.me/2017/08/jumping-network-segregation-with-rdp/
@WindowsHackingLibrary
https://rastamouse.me/2017/08/jumping-network-segregation-with-rdp/
@WindowsHackingLibrary
PowerShell Shellcode Injection on Win 10 (v1803)
https://blog.cobaltstrike.com/2018/05/24/powershell-shellcode-injection-on-win-10-v1803/
@WindowsHackingLibrary
https://blog.cobaltstrike.com/2018/05/24/powershell-shellcode-injection-on-win-10-v1803/
@WindowsHackingLibrary
Empire Web v2 Launched, A Web Interface to Powershell empire.
https://github.com/interference-security/empire-web
@WindowsHackingLibrary
https://github.com/interference-security/empire-web
@WindowsHackingLibrary
GitHub
GitHub - interference-security/empire-web: PowerShell Empire Web Interface
PowerShell Empire Web Interface. Contribute to interference-security/empire-web development by creating an account on GitHub.
Hidden Administrative Accounts: BloodHound to the Rescue
https://www.crowdstrike.com/blog/hidden-administrative-accounts-bloodhound-to-the-rescue/
@WindowsHackingLibrary
https://www.crowdstrike.com/blog/hidden-administrative-accounts-bloodhound-to-the-rescue/
@WindowsHackingLibrary
crowdstrike.com
Hidden Administrative Accounts: BloodHound to the Rescue
Learn how cybercriminals use hidden administrative accounts to access your data and why BloodHound is the tool red teams use to find them.
Extracting Service Account Passwords with Kerberoasting
https://blog.stealthbits.com/extracting-service-account-passwords-with-kerberoasting/
@WindowsHackingLibrary
https://blog.stealthbits.com/extracting-service-account-passwords-with-kerberoasting/
@WindowsHackingLibrary
Netwrix
Extracting Service Account Passwords with Kerberoasting
In our LDAP reconnaissance post, we explored how an attacker can perform reconnaissance to discover service accounts to target in a Windows Active Directory (AD) domain. Now let's explore one way an attacker can use to compromise those accounts and exploit…
MSDAT (Microsoft SQL Database Attacking Tool) is an open source penetration testing tool that tests the security of Microsoft SQL Databases remotely.
https://github.com/quentinhardy/msdat
@WindowsHackingLibrary
https://github.com/quentinhardy/msdat
@WindowsHackingLibrary
GitHub
GitHub - quentinhardy/msdat: MSDAT: Microsoft SQL Database Attacking Tool
MSDAT: Microsoft SQL Database Attacking Tool. Contribute to quentinhardy/msdat development by creating an account on GitHub.
Powercat
Netcat: The powershell version.
https://github.com/besimorhino/powercat
@WindowsHackingLibrary
Netcat: The powershell version.
https://github.com/besimorhino/powercat
@WindowsHackingLibrary
GitHub
GitHub - besimorhino/powercat: netshell features all in version 2 powershell
netshell features all in version 2 powershell. Contribute to besimorhino/powercat development by creating an account on GitHub.
Windows Privilege Escalation Methods for Pentesters
https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/
@WindowsHackingLibrary
https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/
@WindowsHackingLibrary
Getting Domain Admin with Kerberos Unconstrained Delegation
http://www.labofapenetrationtester.com/2016/02/getting-domain-admin-with-kerberos-unconstrained-delegation.html
@WindowsHackingLibrary
http://www.labofapenetrationtester.com/2016/02/getting-domain-admin-with-kerberos-unconstrained-delegation.html
@WindowsHackingLibrary
Labofapenetrationtester
Getting Domain Admin with Kerberos Unconstrained Delegation
Home of Nikhil SamratAshok Mittal. Posts about Red Teaming, Offensive PowerShell, Active Directory and Pen Testing.