Added a couple of tools

This commit is contained in:
mgeeky 2020-03-04 16:51:29 +01:00
parent e496a1c449
commit 305492a3ee
5 changed files with 158 additions and 1 deletions

View File

@ -5,6 +5,17 @@
- **`Contoso-AD-Structure`** - Simple script intended to create a sample AD structure filled out with users and groups.
- **`correlateCrackedHashes.py`** - Hashcat results correlation utility.
Takes two files on input. Tries to find every line of the second file within the first file and for every found match - extracts password value from the second file's line. Then prints these correlations.
In other words - having the following in FileA:
`some-user@example.com,68eacb97d86f0c4621fa2b0e17cabd8c`
and a line in FileB that would be a result of running hashcat:
`68eacb97d86f0c4621fa2b0e17cabd8c:Test123`
the script will print out:
`some-user@example.com,68eacb97d86f0c4621fa2b0e17cabd8c,Test123`
- **`encrypt.rb`** - Simple File Encryption utility (with support for Blowfish, GOST, IDEA, AES) capable of encrypting directories. ([gist](https://gist.github.com/mgeeky/751c01c4dac99871f4da))
- **`forticlientsslvpn-expect.sh`** - Forticlient SSL VPN Client launching script utilizing expect. Useful while working for clients exposing their local networks through a Fortinet SSL VPN. [gist](https://gist.githubusercontent.com/mgeeky/8afc0e32b8b97fd6f96fce6098615a93/raw/cf127be09d02e04c00eb578e4ef1219a773d21cf/forticlientsslvpn-expect.sh)
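Review bot: the `forticlientsslvpn-expect.sh` entry links a bare raw-gist URL pinned to one gist revision, while every other entry in this list uses the `([gist](https://gist.github.com/...))` form pointing at the gist page; use the same form here and link the gist page rather than a pinned raw revision, so the link keeps pointing at the current script. The `correlateCrackedHashes.py` entry also mirrors the script's own header almost word for word; a single sentence plus the FileA/FileB example is enough in the README, and it should say that the match is a substring test of the cracked hash against each whole line of the first file, since that is what determines how the usernames file has to be formatted.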

View File

@ -0,0 +1,65 @@
#!/usr/bin/python3
#
# Takes two files on input. Tries to find every line of the second file within the first file
# and for every found match - extracts password value from the second file's line. Then prints these correlations.
#
# In other words:
#
# FileA:
# some-user@example.com,68eacb97d86f0c4621fa2b0e17cabd8c
#
# FileB - result of running hashcat:
# 68eacb97d86f0c4621fa2b0e17cabd8c:Test123
#
# WILL RETURN:
# some-user@example.com,68eacb97d86f0c4621fa2b0e17cabd8c,Test123
#
# Mariusz B. / mgeeky
#
import sys, os
def main(argv):
if len(argv) < 3:
print('''
Usage: ./correlateCrackedHashes.py <fileWithUsernames> <crackedHashesFile> [delimiter]
<fileWithUsernames> - File containing usernames and their hashes (or just hashes)
<crackedHashesFile> - File being a result of running hashcat, in a form of hash:password
[delimiter] - (optional) Delimiter to be prepended to the usernames file line containing password
Default: comma
''')
return False
usernamesFile = argv[1]
crackedHashesFile = argv[2]
delimiter = ',' if len(argv) < 4 else argv[3]
if not os.path.isfile(usernamesFile):
print(f'[!] Usernames file does not exist: "{usernamesFile}')
return False
if not os.path.isfile(crackedHashesFile):
print(f'[!] Cracked passwords file does not exist: "{crackedHashesFile}')
return False
usernames = []
cracked = []
with open(usernamesFile) as f: usernames = [x.strip() for x in f.readlines()]
with open(crackedHashesFile) as f: cracked = [x.strip() for x in f.readlines()]
correlated = []
for crackedPass in cracked:
for user in usernames:
posOfLastColon = crackedPass.rfind(':')
hashValue = crackedPass[:posOfLastColon]
password = crackedPass[posOfLastColon+1:]
if hashValue in user:
print(delimiter.join([user, password]))
correlated.append(delimiter.join([user, password]))
if __name__ == "__main__":
main(sys.argv)
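Review bot: an empty line in `<crackedHashesFile>` (a trailing newline is common in hashcat output, and `[x.strip() for x in f.readlines()]` keeps it as `''`) makes `hashValue` the empty string, and `'' in user` is true for every user, so every username line is printed with an empty password; skip lines that are empty or contain no `:` before matching. In the same loop, `rfind(':')` and the two slices depend only on `crackedPass` but are recomputed for every `user`, so hoist them above `for user in usernames:`; the `correlated` list is filled but never used; and both error messages lack the closing quote, e.g. `print(f'[!] Usernames file does not exist: "{usernamesFile}')` should end in `"{usernamesFile}"')`. Splitting at the last colon assumes the password contains no `:`, whereas splitting at the first assumes the hash contains none; the usage text should state which layout the script expects (hashcat's default `hash:plain`). The substring check is also case-sensitive, so if the two files differ in hex case nothing matches; comparing `.lower()` of both sides avoids that. Finally, `return False` on bad arguments still exits with status 0; use `sys.exit(1)` so a calling pipeline sees the failure.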

View File

@ -0,0 +1,79 @@
<#
This script enumerates privileged groups (Tier-) and counts their users.
By knowing how many privileged users are there in examined groups, we can
briefly estimate the configuration debt impact on the assessed Active Directory
or domain maintenance misconfiguration impact.
Usage:
PS> . .\Count-PrivilegedGroupMembers.ps1
PS> Count-PrivilegedGroupMembers
Mariusz B. / mgeeky
#>
# This script requires PowerView 3.0 dev branch
# Import-Module powerview.ps1 -ErrorAction SilentlyContinue
Function Count-PrivilegedGroupMembers
{
[CmdletBinding()] Param(
[Parameter(Mandatory=$false)]
[String]
$Domain,
[Parameter(Mandatory=$false)]
[Switch]
$Recurse,
[Parameter(Mandatory=$false)]
[String]
$AdditionalGroupsFile
)
$PrivilegedGroups = @(
"Enterprise Admins"
"Domain Admins"
"Schema Admin"
"Account Operators"
"Backup Operators"
"Print Operators"
"Server Operators"
"Domain Controllers"
"Read-only Domain Controllers"
"Group Policy Creator Owners"
"Cryptographic Operators"
"Distributed COM Users"
)
$AdditionalGroups = @()
if($AdditionalGroupsFile.length -gt 0) {
[string[]]$AdditionalGroups = Get-Content -Path $AdditionalGroupsFile
}
$groups = $PrivilegedGroups + $AdditionalGroups
$GroupsMembers = @{}
foreach ($group in $groups)
{
$command = "(Get-DomainGroupMember -Identity '$group'"
if ($Recurse)
{
$command += " -Recurse"
}
if($Domain)
{
$command += " -Domain $Domain"
}
$command += " ).Count"
Write-Verbose "Running '$command'..."
$members = (Invoke-Expression $command) -as [int]
$GroupsMembers.Add($group, $members)
Write-Verbose "Got $members members in $group."
}
return $GroupsMembers
}
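Review bot: `$command` is assembled by string interpolation and run through `Invoke-Expression`, so a line in `-AdditionalGroupsFile` containing a single quote, or a `$Domain` value containing a space or `;`, terminates the quoted `-Identity` argument and the remainder is evaluated as PowerShell; build the arguments with splatting instead, e.g. `$gmParams = @{ Identity = $group }; if ($Recurse) { $gmParams.Recurse = $true }; if ($Domain) { $gmParams.Domain = $Domain }; $members = (Get-DomainGroupMember @gmParams).Count`, which needs no expression evaluation and no manual quoting. Two smaller points: `"Schema Admin"` in `$PrivilegedGroups` should be `"Schema Admins"` (the built-in group name), so that entry currently always counts zero; and `$GroupsMembers.Add($group, $members)` throws on a duplicate key, so a group listed both in `$PrivilegedGroups` and in the additional file aborts the whole run, whereas `$GroupsMembers[$group] = $members` (or deduplicating `$groups` with `Select-Object -Unique`) would not. The header's `(Tier-)` also reads as cut off.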

View File

@ -54,6 +54,8 @@ $s = New-Object IO.MemoryStream(, [Convert]::FromBase64String('H4sIAMkfcloC/3u/e
IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s, [IO.Compression.CompressionMode]::Decompress))).ReadToEnd();
```
- **`Count-PrivilegedGroupMembers.ps1`** - Counts number of members in predefined (or augumented from an input file) list of privileged, sensitive groups in Active Directory. Purely for statistics and overview purposes.
- **`delete-warning-div-macro.vbs`** - VBA Macro function to be used as a Social Engineering trick removing "Enable Content" warning message as the topmost floating text box with given name. ([gist](https://gist.github.com/mgeeky/9cb6acdec31c8a70cc037c84c77a359c))
- **`Disable-Amsi.ps1`** - Tries to evade AMSI by leveraging couple of publicly documented techniqus, but in an approach to avoid signatured or otherwise considered harmful keywords.
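Review bot: two typos in the new entries: `augumented` should be `augmented` and `techniqus` should be `techniques`; `Counts number of members` also reads better as `Counts the number of members`. The `Count-PrivilegedGroupMembers.ps1` entry should mention that the script depends on PowerView's `Get-DomainGroupMember` (the script header says so), so readers do not run it without PowerView loaded and wonder why every count is empty.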

@ -1 +1 @@
Subproject commit d367e28c4928544793580a5a381d49699f0752e6
Subproject commit e9f2fa9f2601097d6247b6a47f285e29b1b982e0
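Review bot: this hunk moves a submodule pointer from `d367e28` to `e9f2fa9`, but neither the commit message (`Added a couple of tools`) nor the README changes mention a submodule update, and the submodule's path is not visible here; state which submodule moved and why in the commit message, or split the bump into its own commit so the tool additions can be reviewed and reverted independently of the submodule change.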