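├── .gitignore └── .gitignore ├── C# ├── CS-A1.cs ├── CS_A1.exe └── README.md ├── bash ├── dcFinder.sh └── screenLogging │ ├── termLog.sh │ └── todayLog.sh ├── ldap └── ldapsearch │ └── README.md └── python └── user_parser.py
/.gitignore/.gitignore:
--------------------------------------------------------------------------------
payload.exe
--------------------------------------------------------------------------------
/C#/CS-A1.cs:
--------------------------------------------------------------------------------
using System;
using System.Net;
using System.Linq;
using System.Diagnostics;
using System.Management;
using System.Net.NetworkInformation;
using ConsoleTables;
using System.DirectoryServices;
using System.Collections;
using System.DirectoryServices.ActiveDirectory;
using System.DirectoryServices.AccountManagement;

// CS-A1
//
// Author:
//      @bigb0ss
//
// Usage:
//      CS> execute-assembly CS-A1.exe
//
// Enumeration:
//      (1) Computer Name
//      (2) User Info
//      (3) Local Admin Enum
//      (4) Domain Enum
//      (5) DC Enum
//      (6) Network Interface Info
//      (7) TCP Connections
//      (8) Process List

namespace csA1
{
    class Program
    {
        // Entry point: runs each enumeration step in a fixed order, printing a
        // blank line between sections. Any step that throws aborts the run.
        static void Main(string[] args)
        {
            banner();
            HostName();
            UserInfo();

            Console.Out.WriteLine("");
            localAdmins();

            Console.Out.WriteLine("");
            EnumerateDomains();

            Console.Out.WriteLine("");
            EnumerateDCs();

            Console.Out.WriteLine("");
            NetworkInfo();
            //DefaltGateway();

            Console.Out.WriteLine("");
            Console.Out.WriteLine("[+] Netstat");
            netstat();

            Console.Out.WriteLine("");
            Console.Out.WriteLine("[*] Querying Process list...");
            GetProcessInfo();

            Console.Out.WriteLine("");
            Console.Out.WriteLine("[+] Completed!");
            Console.ReadKey();
        }

        // Banner
        // Prints the ASCII-art name and version of the tool.
        static void banner()
        {
            string banner = @"

  _____  _____              __
 / ____|/ ____|      /\    /_ |
| |    | (___  ______ / \    | |
| |    \___ \|______/ /\ \   | |
| |____ ____) |    / ____ \  | |
 \_____|_____/    /_/    \_\_|_|
                       [bigb0ss]

                         v 1.0.0
";
            Console.Out.WriteLine(banner);
        }

        // Hostname
        // Prints the local host name as reported by the DNS resolver.
        static void HostName()
        {
            string hostName = Dns.GetHostName();
            Console.Out.WriteLine("[+] Hostname : {0}",
                hostName);
            //Console.Out.WriteLine("    [+] Hostname: {0}", Environment.MachineName);
        }

        // Network Information
        // Lists every non-loopback interface with its unicast addresses and masks.
        static void NetworkInfo()
        {
            Console.Out.WriteLine("[+] Network Information: ");
            NetworkInterface[] interfaces = NetworkInterface.GetAllNetworkInterfaces();
            foreach (NetworkInterface nic in interfaces)
            {
                // Loopback is skipped; everything else is printed regardless of its operational state.
                if (nic.NetworkInterfaceType == NetworkInterfaceType.Loopback) continue;
                Console.WriteLine("- Interface: {0}", nic.Description);
                UnicastIPAddressInformationCollection unicastAddresses = nic.GetIPProperties().UnicastAddresses;
                foreach (UnicastIPAddressInformation unicast in unicastAddresses)
                {
                    Console.WriteLine("\t[+] IP Address : {0}", unicast.Address);
                    Console.WriteLine("\t[+] Subnet Mask: {0}", unicast.IPv4Mask);
                }
            }
        }

        /*
        static void DefaltGateway()
        {
            var defaultGateway =
                from nics in NetworkInterface.GetAllNetworkInterfaces()
                from props in nics.GetIPProperties().GatewayAddresses
                where nics.OperationalStatus == OperationalStatus.Up
                select props.Address.ToString();

            Console.WriteLine("- Default Gateway: {0}", defaultGateway.First());
        }
        */

        // User Info
        // Prints DOMAIN\user for the account running the process.
        static void UserInfo()
        {
            Console.Out.WriteLine("[+] User_Info : {0}\\{1}",
                Environment.UserDomainName,
                Environment.UserName);
        }

        // Local Admin Enumeration
        // Reads the local "administrators" group through the WinNT:// ADSI
        // provider and prints each member's name. DirectoryEntry is IDisposable,
        // so every instance created here is disposed once it has been used.
        static void localAdmins()
        {
            using (DirectoryEntry localMachine = new DirectoryEntry("WinNT://" + Environment.MachineName + ",Computer"))
            using (DirectoryEntry admGroup = localMachine.Children.Find("administrators", "group"))
            {
                // "members" is an ADSI method invoked by name; it returns an enumerable of member objects.
                object members = admGroup.Invoke("members", null);

                Console.WriteLine("[+] Local Administrators: ");
                foreach (object groupMember in (IEnumerable)members)
                {
                    using (DirectoryEntry member = new DirectoryEntry(groupMember))
                    {
                        Console.WriteLine("\t{0}", member.Name);
                    }
                }
            }
        }

        // Domain Enumerations
        // Prints the current forest and the name of every domain in it.
        // Forest is IDisposable and is released after the list is printed.
        public static void EnumerateDomains()
        {
            using (Forest currentForest = Forest.GetCurrentForest())
            {
                // Note: the label says "Domain" but the value printed is the Forest object itself.
                Console.Out.WriteLine("[+] Current Domain: {0}", currentForest);
                Console.Out.WriteLine("[+] All Forest Domains: ");

                // Querying Forest Domains
                DomainCollection myDomains = currentForest.Domains;
                foreach (Domain objDomain in myDomains)
                {
                    Console.Out.WriteLine("\t{0}", objDomain.Name);
                }
            }
        }

        // DC Enumerations
        // Prints the name of every domain controller of the current domain.
        // Domain is IDisposable and is released after the list is printed.
        public static void EnumerateDCs()
        {
            using (Domain domain = Domain.GetCurrentDomain())
            {
                Console.Out.WriteLine("[+] Domain Controllers: ");

                foreach (DomainController dc in domain.DomainControllers)
                {
                    Console.Out.WriteLine("\t{0}", dc.Name);
                }
            }
        }

        // Netstat Information
        // Tabulates the active TCP connections that are in the Established state.
        static void netstat()
        {
            IPGlobalProperties ipProperties = IPGlobalProperties.GetIPGlobalProperties();
            TcpConnectionInformation[] tcpConnections = ipProperties.GetActiveTcpConnections();

            var table = new ConsoleTable("Local Address", "Foreign Address", "State");

            foreach (TcpConnectionInformation info in tcpConnections)
            {
                string local = info.LocalEndPoint.Address.ToString() + ":" + info.LocalEndPoint.Port.ToString();
                string remote = info.RemoteEndPoint.Address.ToString() + ":" + info.RemoteEndPoint.Port.ToString();
                string state = info.State.ToString();
                // Only Established Connections (compare the enum rather than its string form)
                if (info.State == TcpState.Established)
                {
                    table.AddRow(local, remote, state);
                }
                // For Every Connection
                //table.AddRow(local, remote, state);
            }
            table.Write(Format.Alternative);
        }

        // Get Process Info
        // Tabulates every running process with its PID and owner.
        static void GetProcessInfo()
        {
            var table = new ConsoleTable("Process", "PID", "Owner");

            foreach (var process in Process.GetProcesses())
            {
                // Process is IDisposable; release each one as soon as its row is recorded.
                using (process)
                {
                    string name = process.ProcessName;
                    int processId = process.Id;
                    string owner = GetProcessOwner(processId);
                    table.AddRow(name, processId, owner);
                }
            }
            table.Write(Format.Alternative);
        }

        // Get Process Owner
        // Returns the user name reported by Win32_Process.GetOwner for the given
        // PID, or "Null" when no matching process is found or GetOwner returns a
        // non-zero status code.
        static string GetProcessOwner(int processId)
        {
            // processId is an int, so concatenating it into the WQL text cannot
            // introduce a query-injection problem.
            string query = "Select * From Win32_Process Where ProcessID = " + processId;
            using (ManagementObjectSearcher moSearcher = new ManagementObjectSearcher(query))
            using (ManagementObjectCollection moCollection = moSearcher.Get())
            {
                foreach (ManagementObject mo in moCollection)
                {
                    using (mo)
                    {
                        // GetOwner writes the user name into args[0]; a return value of 0 means success.
                        string[] args = new string[] { string.Empty };
                        int returnVal = Convert.ToInt32(mo.InvokeMethod("GetOwner", args));
                        if (returnVal == 0)
                            return args[0];
                    }
                }
            }
            return "Null";
        }
    }
}
--------------------------------------------------------------------------------
/C#/CS_A1.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/bigb0sss/Offensive-Scripts/d929c0a260641c9eeb540ba7cd0debb89b266876/C#/CS_A1.exe
--------------------------------------------------------------------------------
/C#/README.md:
--------------------------------------------------------------------------------
# C# Tools

C# code repository for Cobalt Strike `execute-assembly`

| Name | Ver.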
| Description | Command |
| :--- | :---: | :--- | :--- |
| CS-A1 | v1.0.0 | REALLY Basic enum to lick the surface | `execute-assembly CS-A1.exe` |

### Additional References (Package Manager)
* ConsoleTable
```
PM> Install-Package ConsoleTables -Version 2.4.1
```
--------------------------------------------------------------------------------
/bash/dcFinder.sh:
--------------------------------------------------------------------------------
#!/usr/bin/env bash
#
# Version       : 1.0
# Created date  : 10/29/2020
# Last update   : 10/29/2020
# Author        : bigb0ss
# Description   : Initial Domain Controller Enumeration > Potential Target Range Generation
# Note          :
#
# h, d and f are globals shared between the functions below and are expanded
# unquoted on purpose: cut keeps whatever whitespace follows the ':' in
# nslookup's "Server:" line, and the unquoted expansion is what strips it.
# Quoting these expansions would likely change the output. Output files are
# written to the current directory.

#usage() {
#    exit(0)
#}

# Sets h to the local host name.
hostnameLookup() {
    h=$(hostname)
    echo "[INFO] Hostname:" $h
}

# Sets d to the DNS server nslookup reports for the host name in h.
dnsServerLookup() {
    d=$(nslookup $h | grep "Server" | cut -d ":" -f 2)
    echo "[INFO] DNS Server:" $d
}

# Sets f to the 2nd and 3rd labels of the DNS server's reverse name
# (the commented line keeps one more label for deeper domains).
fqdn() {
    f=$(host $d | awk '{print $5}' | cut -d "." -f 2-3)
    #f=$(host $d | awk '{print $5}' | cut -d "." -f 2-4)
    echo "[INFO] FQDN:" $f
}

# Resolves the _ldap._tcp.dc._msdcs SRV record for f via d and writes
# dc_hostname.txt, dc_ip.txt and dc_ip_range.txt. The '&&' chain stops at the
# first failing step, so later files are left unwritten on error.
dcLookup() {
    echo "[INFO] Generating dc_hostname.txt..." &&
    dc=$(nslookup -type=srv _ldap._tcp.dc._msdcs.$f $d)
    # One token per line, keep lines naming f, drop the _msdcs records, then drop
    # the last character of each line (presumably the trailing dot of the SRV target).
    echo $dc | sed 's/ /\n/g' | grep $f | grep -v msdcs | sed 's/.$//' > dc_hostname.txt &&

    dcCount=$(wc -l dc_hostname.txt | awk '{print $1}')
    echo "[INFO]" $dcCount "DC Found!" &&

    # 'tmp' is a scratch file in the current directory; '>>' appends, so a
    # leftover from an earlier aborted run is included, and it is removed only
    # when every step before 'rm tmp' succeeds.
    echo "[INFO] Generating dc_ip.txt..." &&
    while read i; do host $i; done < dc_hostname.txt >> tmp && cat tmp | cut -d " " -f 4 | sort -u > dc_ip.txt && rm tmp &&

    # NOTE: the message says dc_range.txt but the file written is dc_ip_range.txt.
    # Each DC address is widened to a /24; the commented lines are the wider alternatives.
    echo "[INFO] Generating dc_range.txt..." &&
    awk '{print $0"/24"}' dc_ip.txt > dc_ip_range.txt
    #awk '{print $0"/22"}' dc_ip.txt > dc_ip_range.txt
    #awk '{print $0"/19"}' dc_ip.txt > dc_ip_range.txt
    echo "[INFO] Done!"
}

hostnameLookup
dnsServerLookup
fqdn
dcLookup
--------------------------------------------------------------------------------
/bash/screenLogging/termLog.sh:
--------------------------------------------------------------------------------
#!/bin/bash
#
# Records an interactive shell session with script(1) into a timestamped file
# under /root/terminal_log. Everything shown in the session -- including any
# secret that gets echoed to the terminal -- ends up in that file, so the
# directory should stay readable by root only.
#
# Terminal_log Directory Check
if [ -d "/root/terminal_log" ]
then
    echo "[+] Directory /root/terminal_log Already Exists."
else
    echo "[*] Creating /root/terminal_log Directory."
    mkdir -p /root/terminal_log
fi

# Logging Begins
# todayDate is the human-readable banner; todayFile is the same moment
# formatted for the file name.
todayDate=$(date)
todayFile=$(date +"%m_%d_%Y_%H_%M_%S")
filename="/root/terminal_log/termLog_$todayFile.log"

echo "[*] Terminal Logging Starts for $todayDate"
echo "[*] Log File Created: $filename"
echo "[*] You are currently in the terminal log session."
echo "    Type \"exit\" to terminate the session."
echo ""
# Blocks here until the recorded shell exits.
script -q $filename

# Logging Terminated
echo "[*] Terminal Logging is ending..."
sleep 0.3
echo "[*] Log File Location: $filename"
echo ""
--------------------------------------------------------------------------------
/bash/screenLogging/todayLog.sh:
--------------------------------------------------------------------------------
#!/bin/bash
#
# Prints a header (date, host name, interface dump) for the start of a
# terminal log. ifconfig provides the interface dump; where it is missing
# the command substitution yields an empty IP section.
#
today=$(date)
host=$(hostname)
ip=$(ifconfig)

# Display
echo ""
echo "[*] Terminal Log Begins..."
echo "--------------------------------------------------------------------------"
echo "Date: $today Host:$host"
echo ""
echo "IP:"
echo "$ip"
echo "--------------------------------------------------------------------------"
echo ""
--------------------------------------------------------------------------------
/ldap/ldapsearch/README.md:
--------------------------------------------------------------------------------
# Ldapsearch Commands

### User Search
```bash
ldapsearch -LLL -x -H ldap://ldap.domain.com -D "admin@domain.com" -w Password123 -b dc=domain,dc=com sAMAccountName=danmin memberOf
```

### User Search (Nested Lookup using OID)
```bash
ldapsearch -LLL -x -H ldap://ldap.domain.com -D "admin@domain.com" -w Password123 -b dc=domain,dc=com "(&(objectClass=user)(memberOf:1.2.840.113556.1.4.1941:=cn=Domain Admins,cn=users,dc=domainm,dc=com))" sAMAccountName | grep sAMAccountName | cut -d: -f 2
```

### Admin-Count
```bash
ldapsearch -LLL -x -H ldap://ldap.domain.com -D "admin@domain.com" -w Password123 -b dc=domain,dc=com "adminCount=1" dn
```

### User Object Search with SPN (Kerberoasting)
```bash
ldapsearch -LLL -x -H ldap://ldap.domain.com -D "admin@domain.com" -w Password123 -b dc=domain,dc=com "(&(&(servicePrincipalName=*)(UserAccountControl:1.2.84011356.1.4.803:=512))(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))"
```

### User and Computer Search with Unconstratined Delegation
```bash
ldapsearch -LLL -x -H ldap://ldap.domain.com -D "admin@domain.com" -w Password123 -b dc=domain,dc=com "(&(&(objectCategory=person)(objectClass=user))(userAccountControl:1.2.840.113556.1.4.803:=524288))"

ldapsearch -LLL -x -H ldap://ldap.domain.com -D "admin@domain.com" -w Password123 -b dc=domain,dc=com "(&(objectCategory=computer)(objectClass=computer)(userAccountControl:1.2.840.113556.1.4.803:=524288))"

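```
--------------------------------------------------------------------------------
/python/user_parser.py:
--------------------------------------------------------------------------------
#!/usr/bin/python3
# When I want to convert a username from first.last to flast

import sys


def _to_flast(name):
    """Return ``name`` ("first.last") as "flast", or None when it has no dot.

    The first character is kept and joined to the text after the last dot, so
    "first.middle.last" becomes "flast". Case is preserved as given.
    """
    if "." not in name:
        return None
    last = name.rsplit(".", 1)[1]
    return name[0] + last


def userParser():
    """Rewrite the usernames listed in the file named by ``sys.argv[1]``.

    One name per input line; each is printed as ``flast`` on its own line.
    Blank lines are skipped and lines without a dot are reported on stderr
    instead of aborting the run. Exits with status 1 when no file is given.
    """
    if len(sys.argv) < 2:
        print("usage: user_parser.py <userlist>", file=sys.stderr)
        sys.exit(1)

    userList = sys.argv[1]

    # "with" closes the file even if a later print fails.
    with open(userList, "r") as fh:
        for line in fh:
            name = line.strip()
            if not name:
                continue
            converted = _to_flast(name)
            if converted is None:
                print(f"[!] skipping '{name}': no '.' found", file=sys.stderr)
                continue
            print(converted)


if __name__ == '__main__':
    userParser()
--------------------------------------------------------------------------------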