Skip to content

Collection of random scripts that don't deserve their own repo

Notifications You must be signed in to change notification settings

deadjakk/script-pit

Repository files navigation

script-pit

Few quick and dirty scripts that I find extremely useful on engagments, frequently used. Will try and keep a short description of everything listed below.

parsemimi.py

Simple script that parses mimikatz output, can be used from CLI or as an import.
To clarify: this parses the sekurlsa::logonPasswords command's OUTPUT only. Nothing else. Primary use-case for this is when you're finding yourself with dozens or hunreds of mimikatz logonPasswords output files. This can parse the unique credentials so they can be placed in CSV for quick filtering/reading.

nmap-parser.py

Parses the .nmap file for hosts that have any information containing the provided substring.
There are a number of NMAP output parsers out there but they all seem to favor the XML format which I find lacks the output of some scripts.
example command: ./nmap-parser.py vuln-test.nmap <search string> example output:

$ ./nmap-parser.py vuln-test.nmap VULN
[INFO]Host: 192.168.1.28 Port: 445 --- |   VULNERABLE:
[INFO]Host: 192.168.1.28 Port: 445 --- |     State: VULNERABLE
[INFO]Host: host-0.test.local (192.168.1.29) Port: 445 --- |   VULNERABLE:
[INFO]Host: host-0.test.local (192.168.1.29) Port: 445 --- |     State: VULNERABLE

parse-ips.py

Outputs unique IP addresses from files or piped stdin, works great with nmap-parser.py script above.
Example use case using both:

# example of output from previous command to be piped in following command
└──╼ \>./nmap-parser.py test-nmap-scan.nmap 53 
[PORT]Host: 192.168.43.34 Port: 53/tcp open  domain
[PORT]Host: 192.168.43.199 Port: 53/tcp open  domain

# reading piped data
└──╼ \>./nmap-parser.py test-nmap-scan.nmap 53 | ./parseips.py 
192.168.43.34
192.168.43.199

# reading from file
./parseips.py test-nmap-scan.nmap 
192.168.43.0
192.168.43.34
192.168.43.198
192.168.43.199

ldd.py (fork of ldapdomaindump for custom queries)

A small fork of ldapdomaindump that allows for use of custom one-off queries using the --query and --props flags, as well as batch queries using the --batch flag directing it to a query.py file containing a dictionary with the query info.

output formatting is only raw right now, and has not yet been fixed.

$ cat queries.py
queries={
    1:{
    "name":"file servers",
    "filter":"(&(samAccountType=805306368)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(|(homedirectory=*)(scriptpath=*)(profilepath=*)))",
    "properties":"homedirectory,scriptpath,profilepath"
    },
    2:{
    "name":"all users, all properties",
    "filter":"(objectClass=user)",
    "properties":"*"
    }
}

$ python3 ldd.py -o ldap -u sprawl.local\\administrator -p Password1 sprawl.local --batch queries.py
[*] Connecting to host...
[*] Binding to host
[+] Bind OK
[*] Starting domain dump
available queries:
1 : file servers
2 : all users, all properties
enter index of desired queries, (comma delimited numbers are accepted as well)
example: 1,3,5
>1,2
[DN: CN=user2,CN=Users,DC=sprawl,DC=local - STATUS: Read - READ TIME: 2021-10-26T18:50:45.506744
    accountExpires: 1601-01-01 00:00:00+00:00
    badPasswordTime: 1601-01-01 00:00:00+00:00
    badPwdCount: 0
    cn: user2
    ...

passbackfinder.py (threaded)

Looks for xerox machines that you may be able to perform LDAP pass back attack against.

$ python3 passbackfinder.py printers 2
running with 2 threads against 2 host(s)
trying 10.20.101.50
started thread
trying 10.20.101.46
started thread
10.20.101.46 may be vulnerable -> https://10.20.101.46/properties/index.php
10.20.101.50 may be vulnerable -> https://10.20.101.50/properties/index.php
finished

adcsfinder.py (threaded)

Provided a list of ip addresses, will perform something like a banner grab to locate an active directory certificate authority server on the network. Useful when looking for the ADCS services for the petitpotam attack.

python3 adcs-finder.py adcs.lst
running with 1 threads against 1 host(s)
started thread
possible ca-> ADCS-1.sprawl.local
finished

hashmatcher.py

Provided the 'standard' hashcat format of the NTDS.dit (generated by secretsdump and similar tools), hashmatcher will generate output showing what users are sharing passwords by matching ntlm hashes. It also includes a redaction and search function to make the output screenshot-ready.

(x) host 06261557 ~
$ python ~/tools/script-pit/hashmatcher.py --help
usage: hashmatcher.py [-h] [-d] [-r REDACT] [-s SEARCH] [-l] [-t] [-j JACCARD] input

positional arguments:
  input                 the NTDS.dit dump output to parse

options:
  -h, --help            show this help message and exit
  -d, --debug           display debug output
  -r REDACT, --redact REDACT
                        redact the first N characters of the output
  -s SEARCH, --search SEARCH
                        return only matched hashes shared by users with provided substring
  -l, --limited         return only matched hashes shared by users with provided substring and only return the users associated with accounts containing that substring (requires -s arg)
  -t, --test-jaccard    runs and outputs the jaccard similarity for the limited search function
  -j JACCARD, --jaccard JACCARD
                        set the acceptable greater than or equal jaccard similary value to denote a matchfor the limited search function

# basic usage example
(x) host 06261558 ~
$ python ~/tools/script-pit/hashmatcher.py /tmp/fake.dit
the hash 8846f7eaee8fb117ad06bdd830b7586c is shared by ['fake.domain.com\\user.one', 'fake.domain.com\\user.one-admin']

# showing the output format:
(x) host 06261558 ~
$ cat /tmp/fake.dit
fake.domain.com\user.one:11111:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
fake.domain.com\user.one-admin:11111:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::

About

Collection of random scripts that don't deserve their own repo

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published