w0rk3r's Windows Hacking Library
Simplifying Password Spraying https://www.trustwave.com/Resources/SpiderLabs-Blog/Simplifying-Password-Spraying/ @WindowsHackingLibrary
A Password Spraying tool for Active Directory Credentials
https://github.com/SpiderLabs/Spray
@WindowsHackingLibrary
GitHub - Greenwolf/Spray: A Password Spraying tool for Active Directory Credentials by Jacob Wilkin(Greenwolf)
Abusing SeLoadDriverPrivilege for privilege escalation
https://www.tarlogic.com/en/blog/abusing-seloaddriverprivilege-for-privilege-escalation/
@WindowsHackingLibrary
Analysis of the "Load and unload device drivers" policy (SeLoadDriverPrivilege), which specifies users allowed to load device drivers.
Exploring PowerShell AMSI and Logging Evasion
https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/
@WindowsHackingLibrary
Weaponizing .SettingContent-ms Extensions for Code Execution
https://www.trustedsec.com/2018/06/weaponizing-settingcontent
@WindowsHackingLibrary
WMImplant Post-Exploitation – An Introduction
https://www.fortynorthsecurity.com/wmimplant-post-exploitation-an-introduction
@WindowsHackingLibrary
Up to this point in time, I’ve explained in previous talks how WMImplant can be useful when attempting to operate on Device Guard protected systems. If the entire environment is Device Guard protected, you will first need to get code execution, but once you…
Pentester's Windows NTFS tricks collection
https://sec-consult.com/en/blog/2018/06/pentesters-windows-ntfs-tricks-collection/
@WindowsHackingLibrary
In this blog post René Freingruber (@ReneFreingruber) from the SEC Consult Vulnerability Lab shares different filesystem tricks which were collected over the last years from various blog posts or found by himself.
PowerShell: How to get a list of all installed Software on Remote Computers
https://sid-500.com/2018/04/02/powershell-how-to-get-a-list-of-all-installed-software-on-remote-computers
@WindowsHackingLibrary
Tokenvator: A Tool to Elevate Privilege using Windows Tokens
https://blog.netspi.com/tokenvator-a-tool-to-elevate-privilege-using-windows-tokens
@WindowsHackingLibrary
It works by impersonating or altering authentication tokens in processes over which the executing process holds the appropriate level of permissions.
Disabling AMSI in JScript with One Simple Trick
https://tyranidslair.blogspot.com/2018/06/disabling-amsi-in-jscript-with-one.html
@WindowsHackingLibrary
This blog contains a very quick and dirty way to disable AMSI in the context of Windows Scripting Host which doesn't require admin privilege...
Inveigh is a PowerShell LLMNR/mDNS/NBNS spoofer and man-in-the-middle tool designed to assist penetration testers/red teamers that find themselves limited to a Windows system.
https://github.com/Kevin-Robertson/Inveigh/blob/master/README.md
@WindowsHackingLibrary
.NET IPv4/IPv6 machine-in-the-middle tool for penetration testers.
A multithreaded tool designed to identify if credentials are valid, invalid, or local admin valid credentials within a network at-scale via SMB, plus now with a user hunter
https://github.com/Raikia/CredNinja
@WindowsHackingLibrary
PSScriptAnalyzer is a static code checker for Windows PowerShell modules and scripts. PSScriptAnalyzer checks the quality of Windows PowerShell code by running a set of rules. The rules are based on PowerShell best practices identified by PowerShell Team and the community. It generates DiagnosticResults (errors and warnings) to inform users about potential code defects and suggests possible solutions for improvements.
https://github.com/PowerShell/PSScriptAnalyzer
@WindowsHackingLibrary
Bypassing SQL Server Logon Trigger Restrictions
https://blog.netspi.com/bypass-sql-logon-triggers/
@WindowsHackingLibrary
This shows how to bypass SQL Server logon trigger restrictions by spoofing hostnames and application names using lesser known connection string properties.
Spoof SSDP replies to phish for NTLM hashes on a network. Creates a fake UPNP device, tricking users into visiting a malicious phishing page.
https://gitlab.com/initstring/evil-ssdp
@WindowsHackingLibrary
Spoof SSDP replies to phish for credentials and NetNTLM challenge/response. Creates a fake UPNP device, tricking users into visiting a malicious phishing page. Also detects and exploits XXE...
Incapacitating Windows Defender
http://www.offensiveops.io/tools/incapacitating-windows-defender/
@WindowsHackingLibrary
Red Team Tales 0x01: From MSSQL to RCE
https://www.tarlogic.com/en/blog/red-team-tales-0x01
@WindowsHackingLibrary
In a Red Team operation, a perimeter asset vulnerable to SQL Injection was identified. Through this vulnerability it was possible to execute commands on the server, requiring an unusual tactic to achieve the exfiltration of the output of the…
LethalHTA - A new lateral movement technique using DCOM and HTA
https://codewhitesec.blogspot.com/2018/07/lethalhta.html
@WindowsHackingLibrary
The following blog post introduces a new lateral movement technique that combines the power of DCOM and HTA. The research on this t...
What is it that Makes a Microsoft Executable a Microsoft Executable? An Attacker’s and a Defender’s Perspective
https://posts.specterops.io/what-is-it-that-makes-a-microsoft-executable-a-microsoft-executable-b43ac612195e
@WindowsHackingLibrary
@BlueTeamLibrary
What exactly is it that separates arbitrary code from code that originates from Microsoft? I would wager that the reaction of most people…
PowerShell script to enumerate executables with auto-elevation enabled, handy for privilege escalation purposes.
https://gist.github.com/Evilcry/71e03a969689b8fd1297a1803aa4d7cf
@WindowsHackingLibrary