mirror of
https://github.com/mgeeky/Penetration-Testing-Tools.git
synced 2024-12-22 09:05:06 +01:00
Added couple of tools
This commit is contained in:
parent
e496a1c449
commit
305492a3ee
@ -5,6 +5,17 @@
|
||||
|
||||
- **`Contoso-AD-Structure`** - Simple script intended to create a sample AD structure filled out with users and groups.
|
||||
|
||||
- **`correlateCrackedHashes.py`** - Hashcat results correlation utility.
|
||||
Takes two files on input. Tries to find every line of the second file within the first file and for every found match - extracts password value from the second file's line. Then prints these correlations.
|
||||
In other words - having the following in FileA:
|
||||
`some-user@example.com,68eacb97d86f0c4621fa2b0e17cabd8c`
|
||||
|
||||
and a line in FileB that would be a result of running hashcat:
|
||||
`68eacb97d86f0c4621fa2b0e17cabd8c:Test123`
|
||||
|
||||
the script will print out:
|
||||
`some-user@example.com,68eacb97d86f0c4621fa2b0e17cabd8c,Test123`
|
||||
|
||||
- **`encrypt.rb`** - Simple File Encryption utility (with support for Blowfish, GOST, IDEA, AES) capable of encrypting directories. ([gist](https://gist.github.com/mgeeky/751c01c4dac99871f4da))
|
||||
|
||||
- **`forticlientsslvpn-expect.sh`** - Forticlient SSL VPN Client launching script utilizing expect. Useful while working for clients exposing their local networks through a Fortinet SSL VPN. [gist](https://gist.githubusercontent.com/mgeeky/8afc0e32b8b97fd6f96fce6098615a93/raw/cf127be09d02e04c00eb578e4ef1219a773d21cf/forticlientsslvpn-expect.sh)
|
||||
|
65
others/correlateCrackedHashes.py
Executable file
65
others/correlateCrackedHashes.py
Executable file
@ -0,0 +1,65 @@
|
||||
#!/usr/bin/python3
|
||||
#
|
||||
# Takes two files on input. Tries to find every line of the second file within the first file
|
||||
# and for every found match - extracts password value from the second file's line. Then prints these correlations.
|
||||
#
|
||||
# In other words:
|
||||
#
|
||||
# FileA:
|
||||
# some-user@example.com,68eacb97d86f0c4621fa2b0e17cabd8c
|
||||
#
|
||||
# FileB - result of running hashcat:
|
||||
# 68eacb97d86f0c4621fa2b0e17cabd8c:Test123
|
||||
#
|
||||
# WILL RETURN:
|
||||
# some-user@example.com,68eacb97d86f0c4621fa2b0e17cabd8c,Test123
|
||||
#
|
||||
# Mariusz B. / mgeeky
|
||||
#
|
||||
|
||||
import sys, os
|
||||
|
||||
def main(argv):
|
||||
if len(argv) < 3:
|
||||
print('''
|
||||
Usage: ./correlateCrackedHashes.py <fileWithUsernames> <crackedHashesFile> [delimiter]
|
||||
|
||||
<fileWithUsernames> - File containing usernames and their hashes (or just hashes)
|
||||
<crackedHashesFile> - File being a result of running hashcat, in a form of hash:password
|
||||
[delimiter] - (optional) Delimiter to be prepended to the usernames file line containing password
|
||||
Default: comma
|
||||
''')
|
||||
return False
|
||||
|
||||
usernamesFile = argv[1]
|
||||
crackedHashesFile = argv[2]
|
||||
delimiter = ',' if len(argv) < 4 else argv[3]
|
||||
|
||||
if not os.path.isfile(usernamesFile):
|
||||
print(f'[!] Usernames file does not exist: "{usernamesFile}')
|
||||
return False
|
||||
|
||||
if not os.path.isfile(crackedHashesFile):
|
||||
print(f'[!] Cracked passwords file does not exist: "{crackedHashesFile}')
|
||||
return False
|
||||
|
||||
usernames = []
|
||||
cracked = []
|
||||
|
||||
with open(usernamesFile) as f: usernames = [x.strip() for x in f.readlines()]
|
||||
with open(crackedHashesFile) as f: cracked = [x.strip() for x in f.readlines()]
|
||||
|
||||
correlated = []
|
||||
|
||||
for crackedPass in cracked:
|
||||
for user in usernames:
|
||||
posOfLastColon = crackedPass.rfind(':')
|
||||
hashValue = crackedPass[:posOfLastColon]
|
||||
password = crackedPass[posOfLastColon+1:]
|
||||
|
||||
if hashValue in user:
|
||||
print(delimiter.join([user, password]))
|
||||
correlated.append(delimiter.join([user, password]))
|
||||
|
||||
if __name__ == "__main__":
|
||||
main(sys.argv)
|
79
red-teaming/Count-PrivilegedGroupMembers.ps1
Normal file
79
red-teaming/Count-PrivilegedGroupMembers.ps1
Normal file
@ -0,0 +1,79 @@
|
||||
<#
|
||||
This script enumerates privileged groups (Tier-) and counts their users.
|
||||
By knowing how many privileged users are there in examined groups, we can
|
||||
briefly estimate the configuration debt impact on the assessed Active Directory
|
||||
or domain maintenance misconfiguration impact.
|
||||
|
||||
Usage:
|
||||
PS> . .\Count-PrivilegedGroupMembers.ps1
|
||||
PS> Count-PrivilegedGroupMembers
|
||||
|
||||
Mariusz B. / mgeeky
|
||||
#>
|
||||
|
||||
# This script requires PowerView 3.0 dev branch
|
||||
# Import-Module powerview.ps1 -ErrorAction SilentlyContinue
|
||||
|
||||
Function Count-PrivilegedGroupMembers
|
||||
{
|
||||
[CmdletBinding()] Param(
|
||||
[Parameter(Mandatory=$false)]
|
||||
[String]
|
||||
$Domain,
|
||||
|
||||
[Parameter(Mandatory=$false)]
|
||||
[Switch]
|
||||
$Recurse,
|
||||
|
||||
[Parameter(Mandatory=$false)]
|
||||
[String]
|
||||
$AdditionalGroupsFile
|
||||
)
|
||||
|
||||
$PrivilegedGroups = @(
|
||||
"Enterprise Admins"
|
||||
"Domain Admins"
|
||||
"Schema Admin"
|
||||
"Account Operators"
|
||||
"Backup Operators"
|
||||
"Print Operators"
|
||||
"Server Operators"
|
||||
"Domain Controllers"
|
||||
"Read-only Domain Controllers"
|
||||
"Group Policy Creator Owners"
|
||||
"Cryptographic Operators"
|
||||
"Distributed COM Users"
|
||||
)
|
||||
|
||||
$AdditionalGroups = @()
|
||||
|
||||
if($AdditionalGroupsFile.length -gt 0) {
|
||||
[string[]]$AdditionalGroups = Get-Content -Path $AdditionalGroupsFile
|
||||
}
|
||||
|
||||
$groups = $PrivilegedGroups + $AdditionalGroups
|
||||
|
||||
$GroupsMembers = @{}
|
||||
foreach ($group in $groups)
|
||||
{
|
||||
$command = "(Get-DomainGroupMember -Identity '$group'"
|
||||
if ($Recurse)
|
||||
{
|
||||
$command += " -Recurse"
|
||||
}
|
||||
|
||||
if($Domain)
|
||||
{
|
||||
$command += " -Domain $Domain"
|
||||
}
|
||||
|
||||
$command += " ).Count"
|
||||
Write-Verbose "Running '$command'..."
|
||||
$members = (Invoke-Expression $command) -as [int]
|
||||
$GroupsMembers.Add($group, $members)
|
||||
|
||||
Write-Verbose "Got $members members in $group."
|
||||
}
|
||||
|
||||
return $GroupsMembers
|
||||
}
|
@ -54,6 +54,8 @@ $s = New-Object IO.MemoryStream(, [Convert]::FromBase64String('H4sIAMkfcloC/3u/e
|
||||
IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s, [IO.Compression.CompressionMode]::Decompress))).ReadToEnd();
|
||||
```
|
||||
|
||||
- **`Count-PrivilegedGroupMembers.ps1`** - Counts number of members in predefined (or augumented from an input file) list of privileged, sensitive groups in Active Directory. Purely for statistics and overview purposes.
|
||||
|
||||
- **`delete-warning-div-macro.vbs`** - VBA Macro function to be used as a Social Engineering trick removing "Enable Content" warning message as the topmost floating text box with given name. ([gist](https://gist.github.com/mgeeky/9cb6acdec31c8a70cc037c84c77a359c))
|
||||
|
||||
- **`Disable-Amsi.ps1`** - Tries to evade AMSI by leveraging couple of publicly documented techniqus, but in an approach to avoid signatured or otherwise considered harmful keywords.
|
||||
|
@ -1 +1 @@
|
||||
Subproject commit d367e28c4928544793580a5a381d49699f0752e6
|
||||
Subproject commit e9f2fa9f2601097d6247b6a47f285e29b1b982e0
|
Loading…
Reference in New Issue
Block a user