geeking out about Kerberos

Will HarmJ0y

@HarmJ0y
HarmJ0y / 44con_demo.ps1
Created Sep 17, 2016
Demo for the 44con "Trusts You Might Have Missed" presentation
View 44con_demo.ps1
# import PowerView and Invoke-Mimikatz
Import-Module .\powerview.ps1
Import-Module .\mimikatz.ps1
# map all reachable domain trusts
Invoke-MapDomainTrust
# enumerate groups containing 'foreign' (cross-trust) users, and convert the foreign principal SIDs to names
Find-ForeignGroup -Domain external.local
Find-ForeignGroup -Domain external.local | Select-Object -ExpandProperty UserName | Convert-SidToName
View EncryptedStoreTests.ps1
$RSA = New-RSAKeyPair
# local tests
$ComputerName = 'localhost'
$StorePath = 'C:\Temp\temp.bin'
Write-Host "`n[$ComputerName] AES Storepath : $StorePath"
".\secret.txt" | Write-EncryptedStore -StorePath $StorePath -Key 'Password123!'
Read-EncryptedStore -StorePath $StorePath -Key 'Password123!' -List
Get-EncryptedStoreData -StorePath $StorePath | Remove-EncryptedStore
@HarmJ0y
HarmJ0y / rotate.ps1
Last active Aug 6, 2018
PowerShell binary rotate right/left on individual bytes
View rotate.ps1
function Rotate-Byte {
<#
.SYNOPSIS
Performs left/right binary rotation on individual bytes.
Author: @harmj0y
.DESCRIPTION
Implements the logic to perform per-byte binary rotates right and left.
@HarmJ0y
HarmJ0y / KeeThief.markdown
Last active Mar 20, 2020
KeeThief clarification points
View KeeThief.markdown

A few clarification points for the "KeeThief – A Case Study in Attacking KeePass Part 2" post:

  1. KeeThief doesn't require local administrator rights, only rights to access the KeePass.exe process space you're targeting.

  2. KeeThief.ps1 is fully self-contained (no dependencies and no files dropped to disk) and PowerShell Version 2 compliant (so it will work on Windows 7+).

  3. Secure desktop doesn't matter/come into play as a keylogger isn't used or needed.

  4. This approach is different from KeeFarce - KeeThief recovers the plaintext master password and other key material from memory instead of calling internal methods to export the database contents.

@HarmJ0y
HarmJ0y / LNKBackdoor.ps1
Created Jul 4, 2016
Functions to 'backdoor' .LNK files with additional functionality and enumerate all 'backdoored' .LNKs on a system.
View LNKBackdoor.ps1
function Set-LNKBackdoor {
<#
.SYNOPSIS
Backdoors an existing .LNK shortcut to trigger the original binary and a payload specified by
-ScriptBlock or -Command.
Author: @harmj0y
License: BSD 3-Clause
Required Dependencies: None
@HarmJ0y
HarmJ0y / Find-KeePassconfig.ps1
Created Jul 4, 2016
Finds and parses any KeePass.config.xml (2.X) and KeePass.ini (1.X) files.
View Find-KeePassconfig.ps1
function Find-KeePassconfig {
<#
.SYNOPSIS
Finds and parses any KeePass.config.xml (2.X) and KeePass.ini (1.X) files.
Author: @harmj0y
License: BSD 3-Clause
Required Dependencies: None
Optional Dependencies: None
@HarmJ0y
HarmJ0y / Restore-UserDPAPI.ps1
Last active Jun 20, 2020
Restore a user's stolen DPAPI master key folder and optional KeePass DPAPI data blob.
View Restore-UserDPAPI.ps1
function Restore-UserDPAPI {
<#
.SYNOPSIS
Restores a user account's DPAPI master key on a new system.
Author: @harmj0y
License: BSD 3-Clause
Required Dependencies: None
Optional Dependencies: None
@HarmJ0y
HarmJ0y / keepass2john.py
Created Jun 30, 2016
Python port of John the Ripper's keepass2john - extracts a HashCat/john crackable hash from KeePass 1.x/2.X databases
View keepass2john.py
#!/usr/bin/python
# Python port of keepass2john from the John the Ripper suite (http://www.openwall.com/john/)
# ./keepass2john.c was written by Dhiru Kholia <dhiru.kholia at gmail.com> in March of 2012
# ./keepass2john.c was released under the GNU General Public License
# source keepass2john.c source code from: http://fossies.org/linux/john/src/keepass2john.c
#
# Python port by @harmj0y, GNU General Public License
#
@HarmJ0y
HarmJ0y / RC4.ps1
Last active Oct 28, 2020
PowerShell RC4 Implementation
View RC4.ps1
function ConvertTo-Rc4ByteStream {
<#
.SYNOPSIS
Converts an input byte array to a RC4 cipher stream using the specified key.
Author: @harmj0y
License: BSD 3-Clause
Required Dependencies: None
Optional Dependencies: None
@HarmJ0y
HarmJ0y / ADC2.ps1
Last active Jan 23, 2020
Command and Control channel through Active Directory Object Properties
View ADC2.ps1
#Requires -Version 2
function New-ADPayload {
<#
.SYNOPSIS
Stores PowerShell logic in the mSMQSignCertificates of the specified -TriggerAccount and generates
a one-line launcher.
Author: @harmj0y