R41D3NN R41D3NN

## Get-WindowsProductKey.ps1
(Get-WmiObject -query ‘select * from SoftwareLicensingService’).OA3xOriginalProductKey

## Get-NetTCPConnectionAndProcessName.ps1
Get-NetTCPConnection | %{
    $obj = New-Object -TypeName psobject;
    $obj | Add-Member -MemberType NoteProperty -Name LocalAddress -Value $_.LocalAddress;
    $obj | Add-Member -MemberType NoteProperty -Name LocalPort -Value $_.LocalPort
    $obj | Add-Member -MemberType NoteProperty -Name RemoteAddress -Value $_.RemoteAddress;
    $obj | Add-Member -MemberType NoteProperty -Name RemotePort -Value $_.RemotePort;
    $obj | Add-Member -MemberType NoteProperty -Name State -Value $_.State;
    $obj | Add-Member -MemberType NoteProperty -Name ProcessName -Value (Get-Process -Id $_.OwningProcess).ProcessName;
    $obj } | Format-Table -AutoSize

## XXE-Connect-To-Host.xml
<!DOCTYPE r [
<!ELEMENT r ANY >
<!ENTITY sp SYSTEM "http://127.0.0.1:7777">
]>
<r>&sp;</r>

## Convert-Base64.psm1
Function Convert-ToBase64String
{
    Param(
        [String] $Text
    )

    $Local:Bytes = [System.Text.Encoding]::Unicode.GetBytes($Text)
    $Local:EncodedText = [Convert]::ToBase64String($Local:Bytes)
    Return $Local:EncodedText
}

## Get-SnkPublicKey.ps1
# Kudos Ivan G.: https://stackoverflow.com/a/43897217
function Get-SnkPublicKey([string]$FilePath)
{
    $bytes = [System.IO.File]::ReadAllBytes($FilePath)
    $pair = New-Object System.Reflection.StrongNameKeyPair -ArgumentList @(,$bytes)
    $publicKey = $pair.PublicKey

    #[System.Convert]::ToBase64String($publicKey)
    $hexes = [System.BitConverter]::ToString($publicKey);
    $hexes.Replace("-", "")

## Generate-RandomString.ps1
Function Get-RandomString {
    Param(
        [Int] $Length = 10,
        [Bool] $IncludeNumerical = $True,
        [Bool] $IncludeLowerCase = $True,
        [Bool] $IncludeUpperCase = $True
    )

    $Local:NumericalSet = (48..57)
    $Local:LowerCaseSet = (65..90)

## Secret-Server--Dependencies--AD-Account-Mapping.sql
SELECT
	[ou].[DistinguishedName] AS [OU DN],
	[c].[ComputerName],
	[sdt].[SecretDependencyTypeName],
	[cd].[DependencyName],
	CONCAT([d].[FriendlyName], '\', [cd].[AccountName]) AS [AccountName],
	CASE WHEN [ca].[AccountName] IS NULL
		THEN 'False'
		ELSE 'True'
	END AS [Account In AD Discovery]

## Secret-Server--Discovery-AD-Accounts--Total-Members-By-Group.sql
SELECT
	B.[Group],
	COUNT(B.[AccountName]) AS [Total Members]
FROM (
	SELECT
		Split.a.value('.', 'VARCHAR(1000)') AS [Group],
		A.[AccountName]
	FROM (
		SELECT
			[ca].[AccountName],

## Secret-Server--Discovery-AD-Accounts--Users-And-Groups-Filtered.sql
SELECT
	A.[OU DN],
	A.[AccountName],
	Split.a.value('.', 'VARCHAR(1000)') AS [Group]
FROM (
	SELECT
		[ou].[DistinguishedName] AS 'OU DN',
		[ca].[AccountName],
		CAST ('<M>' + REPLACE(REPLACE(REPLACE(REPLACE([ca].[SearchGroups], '&', '\u0026'), '<', '\u003C'), '>', '\u003E'), CHAR(59), '</M><M>') + '</M>' AS XML) AS [Group]
	FROM [tbComputerAccount] [ca]

## Secret-Server--Discovery-AD-Accounts--Users-And-Groups.sql
SELECT
	A.[OU DN],
	A.[AccountName],
	Split.a.value('.', 'VARCHAR(1000)') AS [Group]
FROM (
	SELECT
		[ou].[DistinguishedName] AS 'OU DN',
		[ca].[AccountName],
		CAST ('<M>' + REPLACE(REPLACE(REPLACE(REPLACE([ca].[SearchGroups], '&', '\u0026'), '<', '\u003C'), '>', '\u003E'), CHAR(59), '</M><M>') + '</M>' AS XML) AS [Group]
	FROM [tbComputerAccount] [ca]
	Get-NetTCPConnection \| %{
	$obj = New-Object -TypeName psobject;
	$obj \| Add-Member -MemberType NoteProperty -Name LocalAddress -Value $_.LocalAddress;
	$obj \| Add-Member -MemberType NoteProperty -Name LocalPort -Value $_.LocalPort
	$obj \| Add-Member -MemberType NoteProperty -Name RemoteAddress -Value $_.RemoteAddress;
	$obj \| Add-Member -MemberType NoteProperty -Name RemotePort -Value $_.RemotePort;
	$obj \| Add-Member -MemberType NoteProperty -Name State -Value $_.State;
	$obj \| Add-Member -MemberType NoteProperty -Name ProcessName -Value (Get-Process -Id $_.OwningProcess).ProcessName;
	$obj } \| Format-Table -AutoSize
	<!DOCTYPE r [
	<!ELEMENT r ANY >
	<!ENTITY sp SYSTEM "http://127.0.0.1:7777">
	]>
	<r>&sp;</r>
	Function Convert-ToBase64String
	{
	Param(
	[String] $Text
	)

	$Local:Bytes = [System.Text.Encoding]::Unicode.GetBytes($Text)
	$Local:EncodedText = [Convert]::ToBase64String($Local:Bytes)
	Return $Local:EncodedText
	}
	# Kudos Ivan G.: https://stackoverflow.com/a/43897217
	function Get-SnkPublicKey([string]$FilePath)
	{
	$bytes = [System.IO.File]::ReadAllBytes($FilePath)
	$pair = New-Object System.Reflection.StrongNameKeyPair -ArgumentList @(,$bytes)
	$publicKey = $pair.PublicKey

	#[System.Convert]::ToBase64String($publicKey)
	$hexes = [System.BitConverter]::ToString($publicKey);
	$hexes.Replace("-", "")
	Function Get-RandomString {
	Param(
	[Int] $Length = 10,
	[Bool] $IncludeNumerical = $True,
	[Bool] $IncludeLowerCase = $True,
	[Bool] $IncludeUpperCase = $True
	)

	$Local:NumericalSet = (48..57)
	$Local:LowerCaseSet = (65..90)
	SELECT
	[ou].[DistinguishedName] AS [OU DN],
	[c].[ComputerName],
	[sdt].[SecretDependencyTypeName],
	[cd].[DependencyName],
	CONCAT([d].[FriendlyName], '\', [cd].[AccountName]) AS [AccountName],
	CASE WHEN [ca].[AccountName] IS NULL
	THEN 'False'
	ELSE 'True'
	END AS [Account In AD Discovery]
	SELECT
	B.[Group],
	COUNT(B.[AccountName]) AS [Total Members]
	FROM (
	SELECT
	Split.a.value('.', 'VARCHAR(1000)') AS [Group],
	A.[AccountName]
	FROM (
	SELECT
	[ca].[AccountName],
	SELECT
	A.[OU DN],
	A.[AccountName],
	Split.a.value('.', 'VARCHAR(1000)') AS [Group]
	FROM (
	SELECT
	[ou].[DistinguishedName] AS 'OU DN',
	[ca].[AccountName],
	CAST ('<M>' + REPLACE(REPLACE(REPLACE(REPLACE([ca].[SearchGroups], '&', '\u0026'), '<', '\u003C'), '>', '\u003E'), CHAR(59), '</M><M>') + '</M>' AS XML) AS [Group]
	FROM [tbComputerAccount] [ca]