CVSSv3: 7.5

CVE-2021-42278

Published: 10/11/2021 Updated: 28/12/2023
CVSS v2 Base Score: 6.5 | Impact Score: 6.4 | Exploitability Score: 8
CVSS v3 Base Score: 7.5 | Impact Score: 5.9 | Exploitability Score: 1.6
VMScore: 590
Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P

Vulnerability Summary

Active Directory Domain Services Elevation of Privilege Vulnerability

Vulnerable Products

microsoft windows server 2008 r2

microsoft windows server 2012 r2

microsoft windows server 2016

microsoft windows server 2008

microsoft windows server 2012

microsoft windows server 2019

microsoft windows server 2016 2004

microsoft windows server 2016 20h2

microsoft windows server 2022

Github Repositories

noPac: CVE-2021-42287/CVE-2021-42278 Scanner & Exploiter. Yet another low effort domain user to domain admin exploit. If a Domain Controller is vulnerable it will return a TGT without a PAC, all eyes on small size tickets. Mitigation: Patch your Domain Controllers! Credits: Charlie Clark for his Rubeus fork and Kevin Robertson for SharpMad

Exploiting CVE-2021-42278 and CVE-2021-42287 to impersonate DA from standard domain user. Known issues: it will not work outside Kali, I will update it later on :) Check out CVE-2021-42287/CVE-2021-42278 Weaponisation sAMAccountName spoofing

Exploiting CVE-2021-42278 and CVE-2021-42287

noPac: Exploiting CVE-2021-42278 and CVE-2021-42287. The original noPac project may have an implementation issue that kept it from working in my local environment, so it was modified with reference to the sam-the-admin project. Usage: pip3 install -r requirements.txt # GetShell python3 exp.py "domain/Username:Passw0rd" -dc-ip 192.168.0.254 -shell # DumpHash python3 exp.py "domain/Username:Passw0rd" -dc-ip 192

Detection script for CVE-2021-42278 and CVE-2021-42287

About: Detection script for CVE-2021-42278 and CVE-2021-42287. Usage: The detection script uses the domain account credentials to determine the possibility of the vulnerabilities. usage: noPac-detection.py [-h] [-debug] -dc-ip <IP address> -targetUser <Target Username> credentials optional arguments: -h, --help show this help message and

Exploiting CVE-2021-42278 and CVE-2021-42287 to impersonate DA from standard domain user

About: Exploiting CVE-2021-42278 and CVE-2021-42287 to impersonate DA from standard domain user. Changed from sam-the-admin. Usage: SAM THE ADMIN CVE-2021-42278 + CVE-2021-42287 chain positional arguments: [domain/]username[:password] Account used to authenticate to DC options: -h, --help show this help message and exit --impersonate IMP

.Net Assembly loader for the [CVE-2021-42287 - CVE-2021-42278] Scanner & Exploit noPac

Invoke-noPac: The .Net assembly is based on my fork github.com/ricardojba/noPac that has a few code changes to improve upon the original. PowerSharpPack style .Net Assembly loader for the [CVE-2021-42287 - CVE-2021-42278] Scanner & Exploit noPac. Usage: Set-PSReadlineOption -HistorySaveStyle SaveNothing <Insert-Your-AMSI-Bypass-From-AMSIFAIL-Here>

CVE-2021-42287/CVE-2021-42278 Exploiter

noPac: This project grew out of studying how noPac works. It makes some changes on top of cube0x0's project: added my own explanatory comments to the source; removed the Scan function, which I found of little use; added a check of the MachineAccountQuota value, exiting the program if it is 0; improved the checks performed when adding a computer account; added output of the TGT. Vulnerability

Python implementation for CVE-2021-42278 (Active Directory Privilege Escalation)

Pachine: Python implementation for CVE-2021-42278 (Active Directory Privilege Escalation). Installation: $ pip3 install impacket Usage: Impacket v0.9.23 - Copyright 2021 SecureAuth Corporation usage: pachine.py [-h] [-scan] [-spn SPN] [-impersonate IMPERSONATE] [-domain-netbios NETBIOSNAME] [-computer-name NEW-COMPUTER-NAME$] [-computer-pass

Introduction: LDAP Firewall is an open-source tool for Windows servers that lets you audit and restrict incoming LDAP requests. Its primary use-cases are to protect Domain Controllers, block LDAP-based attacks and tightly control access to the Active Directory schema (e.g. enforcing read-only access for users). The tool is written in C++ and makes use of the Microsoft Detours and

noPac: This fork now supports more encryption schemes (default is now AES256) for better OPSEC and improved usage in cases where the target domain disabled RC4 support. CVE-2021-42287/CVE-2021-42278 Scanner & Exploiter. Yet another low effort domain user to domain admin exploit. If a Domain Controller is vulnerable it will return a TGT without a PAC, so keep an eye on sma

Windows Privilege Escalation Cheatsheet: This cheatsheet is aimed at OSCP aspirants to help them understand the various methods of escalating privilege on Windows-based machines and CTFs with examples. There are multiple ways to perform the same task. We have performed and compiled this list based on our experience. Please share this with your connections and direct queries and

Enumeration of methods for obtaining Domain Controller privileges

Several approaches to obtaining Domain Controller privileges. For an intruder, once inside an enterprise, the target is usually the domain controller, in order to obtain the highest privileges. Below, for different domain controller environments, several different attack techniques are listed. 1. Through domain-controller-related vulnerabilities. This approach mainly targets domain controllers that are not fully patched, which allows direct exploitation of a domain privilege escalation vulnerability. It usually appears in some

Exploiting CVE-2021-42278 and CVE-2021-42287 to impersonate DA from standard domain user. usage: $ python3 sam_the_admin.py "jas502n/hr:Admin@12" -dc-ip 172.16.242.135 -shell or $ python3 sam_the_admin.py "jas502n/John:Admin@123" -dc-ip 172.16.242.135 -dump. Known issues: it will not work outside Kali, I will update it later on :) Check out CVE-2021-42287/C

A checklist to follow when assessing a client's internal infrastructure for security & compliance testing. It is advised to focus more on the Active Directory section to get maximum information out of it for further attacks and enumeration.

External Recon & Testing: One should gather the probable email addresses of the employees working at XYZ company using the methods given below. It is possible to craft the email address by finding out the domain name and the email format of the company. Reconnaissance using the tools given below: phonebook.cz, theHarvester, hunter.io (Paid), linkedin.com (gistgit

hAcKtive Directory Forensics. Compiled by 1nTh35h311 (#yossi_sassi). Page last updated on September 18th 2023 (tools in links may update routinely). Comments and improvements are welcome. Talks, slides & videos: 'HackCon' 2023 talk: Hacktive Directory Forensics - a toolkit for understanding who|what|when in your domain. Slides - Presentation slides. 'Hack In

CVE-2021-42287/CVE-2021-42278 exploits in powershell

Invoke-sAMSpoofing: CVE-2021-42287/CVE-2021-42278 exploits in PowerShell. Table of contents: Overview, Menu, Screenshots, References. Overview: A simple script to attack AD with CVE-2021-42287/CVE-2021-42278 exploits automatically. Menu: Invoke-sAMSpooofing, Invoke-GoldenTicket, Invoke-GoldenTips, RemoveMachineAccount, Invoke-Rubeus, ADSIHound, Invoke-DCSync. Screenshots: Invoke-sAMSpooofi

samAccountName Spoofing (CVE-2021–42278) & Domain Controller Impersonation (CVE-2021–42287)

sAMAccountName-Spoofing: samAccountName Spoofing (CVE-2021-42278) & Domain Controller Impersonation (CVE-2021-42287). Make sure to unzip the tools to the Downloads folder before running the script as an unelevated domain user from Desktop.

This work includes testing and improvement tools for CVE-2021-44228 (log4j).

This work includes testing and improvement tools for CVE-2021-44228 (log4j). The purpose of this study is to list useful tools that the blue and red team can use against the Log4j vulnerability. Github links (bypass tools, scanning, detection mechanisms, etc.) can be used for scanning or POC. 🔴 Title: log4j-shell-poc 🔴 Description: A Proof-Of-Concept for the recently found CV

NoPacScan is a CVE-2021-42287/CVE-2021-42278 scanner; it scans more domain controllers than other scripts.

NoPacScan: NoPacScan is a CVE-2021-42287/CVE-2021-42278 scanner; it scans more domain controllers than the original script, and is more accurate than it. It scans DCs with a DNS search of _msdcs.aaa.com, which is better than LDAP and SAMR, and it will automatically scan all DCs we find. If you use LDAP or SAMR, you may miss some DCs that were removed from the Primary DC. For more accuracy, it

A record of learning intranet penetration (mark)

A record of my learning (placeholder). It involves a lot of documentation, which at first seems abstract and hard to grasp the key points of, so you can first search for articles on a search engine to see what the content covers and what the key points are, learn some basics, and then read the official documentation. 0x00 Kerberos protocol 0x01 NTLM protocol 0x02 Looking at two projects 0x03 Pipes 0x04 SMB protocol 0x05 Windows access control 0x06 Token theft 0x0

Record of articles read online

2021-Read-article. If you are interested, take a look at my cloud penetration course: www.yuque.com/u8047536/supvqp/ri4ft0. Penetration: github.com/ihebski/DefaultCreds-cheat-sheet, default passwords of network devices. JumpServer: vulnerability analysis from information disclosure to remote code execution. The title's description has a problem: the machine's user_id and so on are leaked, a token is obtained via websocket, and the token is then used through the relevant API to execute

Set of EVTX samples (>270) mapped to MITRE Att@k tactic and techniques to measure your SIEM coverage or developed new use cases.

EVTX to MITRE Att@ck. Project purpose: EVTX to MITRE Att@ck is a Security Information Management System orientated project. It provides >270 Windows IOC indicators classified per Tactic and Technique in order to address different security scenarios with your SIEM: measure your security coverage, enhance your detection capacities, identify security gaps or uncovered threats

Static standalone binaries for Linux and Windows (x64) of Python offensive tools. Compiled using PyInstaller, Docker for Windows, WSL2, and Make.

OffensivePythonPipeline: This repository contains the following static standalone binaries of Python offensive tools. Tool | Operating System(s) | Binary output(s): Certipy | Linux / Windows x64 | certipy_linux, certipy_windows.exe; CrackMapExec | Linux / Windows x64 | crackmapexec_linux, crackmapexec_windows.exe; dirkjanm's CVE-2020-1472 (ZeroLogon) | Linux / Windows x64 | cve-202

Set of SIGMA rules (>320) mapped to MITRE Att@k tactic and techniques

SIGMA detection rules. Project purpose: SIGMA detection rules provides a free set of >320 advanced correlation rules to be used for suspicious hunting activities. How to use the rules: The SIGMA rules can be used in different ways together with your SIEM: using the native SIGMA converter: github.com/SigmaHQ/sigma; using SOC Prime online SIGMA converter: un

INTRODUCTION TO ACTIVE DIRECTORY xfreerdp /v:10.129.202.146 /u:htb-student_adm /p:Academy_student_DA! For this module we will carry out tasks that someone who administers an Active Directory would do. First: xfreerdp /v:10.129.202.146 /u:htb-student_adm /p:Academy_student_DA! Structure: The basic structure of Active Directory is the FOREST (which

Basic Tools. Command | Description. General: sudo openvpn user.ovpn - Connect to VPN; ifconfig/ip a - Show our IP address; netstat -rn - Show networks accessible via the VPN; ssh user@10.10.10.10 - SSH to a remote server; ftp 10.129.42.253 - FTP to a remote server. tmux: tmux - Start tmux; ctrl+b - tmux: default prefix; prefix c - tmux: new window; prefix 1 - tmux: switch to windo

Active directory Attacks and Scripts

Bloodhound: Bloodhound, Sharphound. Cred dump: AS-REP Roasting, crackmapexec ntds, Impacket secretsdump, Kerberoasting, Lazagne, Mimikatz dcsync, Mimikatz logonpasswords, Mimikatz minidump, Pwdump, read NTDS.dit file with Shadow Copy. USEFUL Enumeration: Active Directory enumeration, bruteforce, check SMB version and server info, enum local users, enum shares, rpcclient. Lateral Movement: Checking