With kerbrute.py:
python kerbrute.py -domain <domain_name> -users <users_file> -passwords <passwords_file> -outputfile <output_file>
With Rubeus version with brute module:
////////////////////////////////////////////////////////////////////////////////////////////////////////
/// Print to kernel debugger from user mode
///
/// Usage:
///
/// ULONG getKdPrintPointers(void);
/// int isKdPrintAvailable(void);
///
/// ULONG KdPrintEx((ULONG ComponentId, ULONG Level, PCHAR Format, ...));
/// ULONG KdPrintExWithPrefix((PCHAR prefix, ULONG ComponentId, ULONG Level, PCHAR Format, ...));
TL;DR: Using symbolic execution to recover driver IOCTL codes that are computed at runtime.
The goal here is to find valid IOCTL codes for the HackSysExtremeVulnerableDriver by analyzing the binary. The control flow differs between the binary and the source because of compiler optimizations. As a result, only a few IOCTL codes appear in the assembly as constants; the rest are computed at runtime.
The code in hevd_ioctl.py is an approximation of the control flow of the compiled IrpDeviceIoCtlHandler function. The effects of the compiler optimization are more pronounced when comparing this code to the original C function. To comply with requirements of the PyExZ3 module, the target function is named after the script's filename, and the `ex
#
# TO-DO: set |DESTINATIONURL| below to be whatever you want e.g. www.google.com. Do not include "http(s)://" as a prefix. All matching requests will be sent to that url. Thanks @Meatballs__!
#
# Note this version requires Apache 2.4+
#
# Save this file into something like /etc/apache2/redirect.rules.
# Then in your site's apache conf file (in /etc/apache2/sites-available/), put this statement somewhere near the bottom
#
# Include /etc/apache2/redirect.rules
#
'''
A simple demonstration of obtaining, modifying and executing code objects in python without relying
on commonly blocked keywords such as exec, compile, etc...
-Patrick Biernat.
'''
import __builtin__
mydict = {}
# This software released into the public domain. Anyone is free to copy,
# modify, publish, use, compile, sell, or distribute this software,
# either in source code form or as a compiled binary, for any purpose,
# commercial or non-commercial, and by any means.
import socket
import ctypes
class sockaddr(ctypes.Structure):
    _fields_ = [("sa_family", ctypes.c_short),
cribbed from http://pastebin.com/xgzeAmBn
Templates to remind you of the options and formatting for the different types of objects you might want to document using YARD.
import sys
from gi.repository import Gtk, Gdk, WebKit
class BrowserTab(Gtk.VBox):
    def __init__(self, *args, **kwargs):
        super(BrowserTab, self).__init__(*args, **kwargs)
        go_button = Gtk.Button("go to...")
        go_button.connect("clicked", self._load_url)
        self.url_bar = Gtk.Entry()