Added a couple of tools
parent e496a1c449
commit 305492a3ee
@ -5,6 +5,17 @@
- **`Contoso-AD-Structure`** - Simple script intended to create a sample AD structure filled out with users and groups.
- **`correlateCrackedHashes.py`** - Hashcat results correlation utility.
Takes two files on input. Tries to find every line of the second file within the first file and for every found match - extracts password value from the second file's line. Then prints these correlations.
In other words - having the following in FileA:
`some-user@example.com,68eacb97d86f0c4621fa2b0e17cabd8c`
and a line in FileB that would be a result of running hashcat:
`68eacb97d86f0c4621fa2b0e17cabd8c:Test123`
the script will print out:
`some-user@example.com,68eacb97d86f0c4621fa2b0e17cabd8c,Test123`
- **`encrypt.rb`** - Simple File Encryption utility (with support for Blowfish, GOST, IDEA, AES) capable of encrypting directories. ([gist](https://gist.github.com/mgeeky/751c01c4dac99871f4da))
- **`forticlientsslvpn-expect.sh`** - Forticlient SSL VPN Client launching script utilizing expect. Useful while working for clients exposing their local networks through a Fortinet SSL VPN. [gist](https://gist.githubusercontent.com/mgeeky/8afc0e32b8b97fd6f96fce6098615a93/raw/cf127be09d02e04c00eb578e4ef1219a773d21cf/forticlientsslvpn-expect.sh)
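Review bot: the README entry for `correlateCrackedHashes.py` omits the optional third argument that the script's own usage text documents (`[delimiter] - (optional) Delimiter to be prepended to the usernames file line containing password`, default comma); the sample output `some-user@example.com,68eacb97d86f0c4621fa2b0e17cabd8c,Test123` only holds for that default. Suggest adding one sentence, e.g. "An optional third argument sets the delimiter placed between the original line and the recovered password (default: comma)." The phrase "Tries to find every line of the second file within the first file" is also imprecise: the script looks for the hash portion of each cracked line (the text before its last colon) as a substring of each line of the first file, which is worth stating since it determines what counts as a match.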
@ -0,0 +1,65 @@
#!/usr/bin/python3
#
# Takes two files on input. Tries to find every line of the second file within the first file
# and for every found match - extracts password value from the second file's line. Then prints these correlations.
#
# In other words:
#
# FileA:
# some-user@example.com,68eacb97d86f0c4621fa2b0e17cabd8c
#
# FileB - result of running hashcat:
# 68eacb97d86f0c4621fa2b0e17cabd8c:Test123
#
# WILL RETURN:
# some-user@example.com,68eacb97d86f0c4621fa2b0e17cabd8c,Test123
#
# Mariusz B. / mgeeky
#
import sys, os
def main(argv):
if len(argv) < 3:
print('''
Usage: ./correlateCrackedHashes.py <fileWithUsernames> <crackedHashesFile> [delimiter]
<fileWithUsernames> - File containing usernames and their hashes (or just hashes)
<crackedHashesFile> - File being a result of running hashcat, in a form of hash:password
[delimiter] - (optional) Delimiter to be prepended to the usernames file line containing password
Default: comma
''')
return False
usernamesFile = argv[1]
crackedHashesFile = argv[2]
delimiter = ',' if len(argv) < 4 else argv[3]
if not os.path.isfile(usernamesFile):
print(f'[!] Usernames file does not exist: "{usernamesFile}')
return False
if not os.path.isfile(crackedHashesFile):
print(f'[!] Cracked passwords file does not exist: "{crackedHashesFile}')
return False
usernames = []
cracked = []
with open(usernamesFile) as f: usernames = [x.strip() for x in f.readlines()]
with open(crackedHashesFile) as f: cracked = [x.strip() for x in f.readlines()]
correlated = []
for crackedPass in cracked:
for user in usernames:
posOfLastColon = crackedPass.rfind(':')
hashValue = crackedPass[:posOfLastColon]
password = crackedPass[posOfLastColon+1:]
if hashValue in user:
print(delimiter.join([user, password]))
correlated.append(delimiter.join([user, password]))
if __name__ == "__main__":
main(sys.argv)
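Review bot: a line in the cracked-hashes file with no colon (a trailing blank line is the usual case) breaks the matching loop: `rfind(':')` returns -1, so `hashValue = crackedPass[:-1]` is the empty string for a blank line, `'' in user` is true for every user, and the script prints a bogus correlation with an empty password for every line of the usernames file. Guard with `if posOfLastColon == -1: continue` (and skip empty lines when reading). The split itself should also move out of the inner `for user in usernames` loop, since it only depends on `crackedPass`; a dict keyed by hash would then replace the O(n*m) substring scan, and comparing lowercased values avoids misses when one file has upper-case hex. Smaller points: because the split is at the last colon, a cracked plaintext that itself contains `:` is truncated; both "does not exist" f-strings open a double quote that is never closed (`"{usernamesFile}'`); `correlated` is filled but never used; and `main` returns False on error without any exit status reaching the shell (wrap the call as `sys.exit(0 if main(sys.argv) else 1)` or similar).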
@ -0,0 +1,79 @@
<#
This script enumerates privileged groups (Tier-) and counts their users.
By knowing how many privileged users are there in examined groups, we can
briefly estimate the configuration debt impact on the assessed Active Directory
or domain maintenance misconfiguration impact.
Usage:
PS> . .\Count-PrivilegedGroupMembers.ps1
PS> Count-PrivilegedGroupMembers
Mariusz B. / mgeeky
#>
# This script requires PowerView 3.0 dev branch
# Import-Module powerview.ps1 -ErrorAction SilentlyContinue
Function Count-PrivilegedGroupMembers
{
[CmdletBinding()] Param(
[Parameter(Mandatory=$false)]
[String]
$Domain,
[Parameter(Mandatory=$false)]
[Switch]
$Recurse,
[Parameter(Mandatory=$false)]
[String]
$AdditionalGroupsFile
)
$PrivilegedGroups = @(
"Enterprise Admins"
"Domain Admins"
"Schema Admin"
"Account Operators"
"Backup Operators"
"Print Operators"
"Server Operators"
"Domain Controllers"
"Read-only Domain Controllers"
"Group Policy Creator Owners"
"Cryptographic Operators"
"Distributed COM Users"
)
$AdditionalGroups = @()
if($AdditionalGroupsFile.length -gt 0) {
[string[]]$AdditionalGroups = Get-Content -Path $AdditionalGroupsFile
}
$groups = $PrivilegedGroups + $AdditionalGroups
$GroupsMembers = @{}
foreach ($group in $groups)
{
$command = "(Get-DomainGroupMember -Identity '$group'"
if ($Recurse)
{
$command += " -Recurse"
}
if($Domain)
{
$command += " -Domain $Domain"
}
$command += " ).Count"
Write-Verbose "Running '$command'..."
$members = (Invoke-Expression $command) -as [int]
$GroupsMembers.Add($group, $members)
Write-Verbose "Got $members members in $group."
}
return $GroupsMembers
}
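Review bot: assembling a command string from `$group` and `$Domain` and running it through `Invoke-Expression` is unnecessary and fragile: group names read from `$AdditionalGroupsFile` are spliced between single quotes without escaping, so a name containing `'` (or a `$Domain` value with spaces or special characters) either breaks the command or gets evaluated as code. Splatting gives identical behaviour with no string evaluation: `$params = @{ Identity = $group }; if ($Recurse) { $params.Recurse = $true }; if ($Domain) { $params.Domain = $Domain }` followed by `$members = @(Get-DomainGroupMember @params).Count` (the `@()` also makes `.Count` reliable for zero or one result). Three more things: `"Schema Admin"` is not the built-in group's name, which is `Schema Admins`, so that entry will never resolve and silently reports 0; `$GroupsMembers.Add($group, $members)` throws on a duplicate key, which happens as soon as the additional-groups file repeats one of the predefined names, so use `$GroupsMembers[$group] = $members` or deduplicate `$groups` first; and the header comment "privileged groups (Tier-)" reads as cut off and should be completed or the parenthetical dropped.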
@ -54,6 +54,8 @@ $s = New-Object IO.MemoryStream(, [Convert]::FromBase64String('H4sIAMkfcloC/3u/e
IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s, [IO.Compression.CompressionMode]::Decompress))).ReadToEnd();
```
- **`Count-PrivilegedGroupMembers.ps1`** - Counts number of members in predefined (or augumented from an input file) list of privileged, sensitive groups in Active Directory. Purely for statistics and overview purposes.
- **`delete-warning-div-macro.vbs`** - VBA Macro function to be used as a Social Engineering trick removing "Enable Content" warning message as the topmost floating text box with given name. ([gist](https://gist.github.com/mgeeky/9cb6acdec31c8a70cc037c84c77a359c))
- **`Disable-Amsi.ps1`** - Tries to evade AMSI by leveraging couple of publicly documented techniqus, but in an approach to avoid signatured or otherwise considered harmful keywords.
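Review bot: two typos in the new README entries: `augumented` should be `augmented` in the Count-PrivilegedGroupMembers.ps1 line and `techniqus` should be `techniques` in the Disable-Amsi.ps1 line. The Count-PrivilegedGroupMembers.ps1 entry is also the more accurate of the two descriptions (it says "members"), since the script's own header says it "counts their users" while its list includes "Domain Controllers" and "Read-only Domain Controllers", whose members are computer objects; the script comment should be aligned with the README wording.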
@ -1 +1 @@
Subproject commit d367e28c4928544793580a5a381d49699f0752e6
Subproject commit e9f2fa9f2601097d6247b6a47f285e29b1b982e0
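Review bot: the submodule pointer update in this hunk is not mentioned anywhere in the commit message ("Added couple of tools") or in the README changes, so a reader cannot tell which submodule moved or why. State it in the message, or land the bump as its own commit so it can be reviewed and reverted independently of the three new scripts.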