Not too long ago I worked up an SMB credential spraying script using rpcclient. I haven’t really been using this much as I tend to favor byt3bl33d3r’s CrackMapExec when attacking SMB. On a recent engagement, I accidentally locked out a good number of Windows domain accounts during…
Credential spraying SMB servers with rpcclient
I’ve been wanting an efficient way to credential spray SMB servers. I typically use byt3bl33d3r’s CrackMapExec when poking SMB servers but wanted a way to rotate single users over multiple passwords and then force the process to sleep for a while (for the sake of account lock-out).…
Cooking up shells with a compromised Chef server
I was able to compromise a Chef server on one of my recent engagements. Owning a Chef server means having the keys to the castle. I wasn’t quite sure how to go about using this tool. I’m familiar with Puppet as I’ve spent the majority of my…
Encrypting project directories with ecryptfs-utils
I worked up a way to store engagement/project data in an encrypted directory. I had originally wanted to dd a blob to the current file-system and then format & encrypt it. I found an easier way to go about this using the ecryptfs-utils suite. I worked up…
Recursive gobuster script
I was working on some automated tasks to include in my workflow and realized I wanted to use gobuster for launching dictionary-based enumeration on targets. I had been using dirb for this, but gobuster seems to be the faster tool to use. I fell behind on my…
Pulling web hosts from Nessus output
I hacked a python script together to parse out web hosts (and their corresponding URLs) from nessus XML output. I’m using this as part of my pentesting workflow to feed to other web-based tools like EyeWitness, Nikto, dirb, gobuster, etc. Feed it a single argument that points…
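As an added example (not the author's script), here is one way to do that parse with the standard library. A `.nessus` (v2) export is XML: each `ReportHost` carries `HostProperties` tags such as `host-ip` and `host-fqdn`, and each `ReportItem` carries the port, `svc_name` and `pluginID`. The rules for "this port speaks HTTP" and "this port speaks TLS" (the service-name set, plugin 22964's "web server ... through SSL" wording, plugin 10107) are heuristics I am assuming here, and the embedded report is constructed for the demo. The script emits one URL per IP and, when Nessus recorded an FQDN, a second one by name, since virtual hosting often serves different content depending on the Host header.

```python
"""Pull web hosts and URLs out of a .nessus (XML v2) export.

Added example, not the post's script.  The service names and plugin IDs used
to decide that a port speaks HTTP/TLS are assumed heuristics, and the embedded
report below is constructed for the demo.
"""
import ipaddress
import sys
import xml.etree.ElementTree as ET
from typing import List, Set, Tuple

# svc_name values Nessus commonly assigns to HTTP listeners (assumed starting
# set; extend it as your own scans show other names).
WEB_SVC_NAMES = {"www", "http", "https", "http-alt", "https-alt", "http-proxy"}
SERVICE_DETECTION = "22964"   # "Service Detection": "A web server is running on this port[ through SSL]."
HTTP_SERVER_TYPE = "10107"    # "HTTP Server Type and Version"


def is_web_service(svc_name: str, plugin_id: str, output: str) -> bool:
    text = output.lower()
    return (svc_name in WEB_SVC_NAMES
            or plugin_id == HTTP_SERVER_TYPE
            or (plugin_id == SERVICE_DETECTION and "web server" in text))


def is_tls(svc_name: str, port: int, output: str) -> bool:
    text = output.lower()
    return ("through ssl" in text or "through tls" in text
            or "https" in svc_name or port == 443)


def make_url(host: str, port: int, tls: bool) -> str:
    """Build the URL, dropping the port when it is the scheme default."""
    scheme, default = ("https", 443) if tls else ("http", 80)
    return f"{scheme}://{host}/" if port == default else f"{scheme}://{host}:{port}/"


def _ip_key(ip: str):
    try:
        return (0, int(ipaddress.ip_address(ip)))
    except ValueError:            # not an address: sort after the real IPs
        return (1, ip)


def web_targets(xml_text: str) -> List[str]:
    """Return unique URLs (by IP, and by FQDN when Nessus recorded one),
    ordered by host IP then port, ready to feed to EyeWitness/Nikto/gobuster."""
    root = ET.fromstring(xml_text)
    seen: Set[Tuple[str, int, str]] = set()
    for host in root.iter("ReportHost"):
        props = {}
        hp = host.find("HostProperties")
        if hp is not None:
            props = {t.get("name"): (t.text or "").strip() for t in hp.findall("tag")}
        ip = props.get("host-ip") or host.get("name", "")
        names = [ip]
        fqdn = props.get("host-fqdn")
        if fqdn and fqdn != ip:
            names.append(fqdn)    # a vhost may answer differently by name
        for item in host.findall("ReportItem"):
            if item.get("protocol", "tcp") != "tcp":
                continue
            port = int(item.get("port", "0"))
            if port == 0:         # port 0 carries host-level findings, not a service
                continue
            svc = item.get("svc_name", "")
            pid = item.get("pluginID", "")
            out = item.findtext("plugin_output") or ""
            if not is_web_service(svc, pid, out):
                continue
            tls = is_tls(svc, port, out)
            for name in names:
                seen.add((ip, port, make_url(name, port, tls)))
    return [url for _, _, url in sorted(seen, key=lambda t: (_ip_key(t[0]), t[1], t[2]))]


# Constructed sample report (not real scan output): two hosts, four services.
SAMPLE_NESSUS = """<?xml version="1.0" ?>
<NessusClientData_v2>
<Report name="constructed demo">
<ReportHost name="10.0.0.5">
<HostProperties>
<tag name="host-ip">10.0.0.5</tag>
<tag name="host-fqdn">intranet.corp.local</tag>
</HostProperties>
<ReportItem port="80" svc_name="www" protocol="tcp" severity="0" pluginID="22964" pluginName="Service Detection">
<plugin_output>A web server is running on this port.</plugin_output>
</ReportItem>
<ReportItem port="443" svc_name="www" protocol="tcp" severity="0" pluginID="22964" pluginName="Service Detection">
<plugin_output>A web server is running on this port through SSL.</plugin_output>
</ReportItem>
<ReportItem port="445" svc_name="cifs" protocol="tcp" severity="0" pluginID="11011" pluginName="Microsoft Windows SMB Service Detection">
<plugin_output>A CIFS server is running on this port.</plugin_output>
</ReportItem>
<ReportItem port="0" svc_name="general" protocol="tcp" severity="0" pluginID="19506" pluginName="Nessus Scan Information"/>
</ReportHost>
<ReportHost name="10.0.0.9">
<HostProperties><tag name="host-ip">10.0.0.9</tag></HostProperties>
<ReportItem port="8443" svc_name="pcsync-https" protocol="tcp" severity="0" pluginID="22964" pluginName="Service Detection">
<plugin_output>A web server is running on this port through SSL.</plugin_output>
</ReportItem>
<ReportItem port="8080" svc_name="http-alt" protocol="tcp" severity="0" pluginID="10107" pluginName="HTTP Server Type and Version">
<plugin_output>The remote web server type is : Apache</plugin_output>
</ReportItem>
</ReportHost>
</Report>
</NessusClientData_v2>
"""


def main(argv: List[str]) -> int:
    """Usage: script.py scan.nessus  (falls back to the constructed sample)."""
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            xml_text = fh.read()
    else:
        xml_text = SAMPLE_NESSUS
    print("\n".join(web_targets(xml_text)))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The per-port decision is the part worth tuning: a listener that only plugin 10107 touched on a non-443 port will come out as `http://`, so if your scans include SSL detection plugins with a different wording, add their text to `is_tls` rather than trusting the port number.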
Enumerating hosts with nmap
This is a script I use to enumerate hosts with the nmap scanning tool. Feed it a host/IP and a base directory (under which another directory will be created to store enumeration data). Something like: You can also find this in my Gists on GitHub at https://gist.github.com/ryan-wendel/2266751e23641ed0ff38fb7a2c3502cf The…