Scott Sutherland nullbind
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Get All User SPNs | |
| $UserSPNs = Get-ADObject -LDAPFilter "(&(objectClass=user)(ServicePrincipalName=*))" -Properties samaccountname,description,serviceprincipalname | |
| # Get All Domain Admins | |
| $DomainAdmins = Get-ADGroupMember -Recursive -Identity "Domain Admins“ | select SamAccountName –expandproperty SamAccountName | |
| # Get Domain Admins with SPNs | |
| $DomainAdmins | | |
| ForEach-Object { | |
| $DA = $_; |
nullbind
/ Import-ADandGPO.ps1
Last active
July 11, 2020 12:12
This is an example of how to import the Active Directory and GPO command PowerShell modules on the fly.
This file has been truncated, but you can view the full file.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # --------------------------------------------------- | |
| # Load the Active Directory PowerShell module | |
| # --------------------------------------------------- | |
| # $ADModuleBytes = [System.IO.File]::ReadAllBytes("C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.ActiveDirectory.Management\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.ActiveDirectory.Management.dll") | |
| # $ADModuleString = [System.Convert]::ToBase64String($ADModuleBytes) | |
| # Set the string | |
| $ADModuleString = "TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDAHYH/eAAAAAAAAAAAOAAIiALATAAAOgRAAAIAAAAAAAAxtQRAAAgAAAAIBIAAAAAEAAgAAAAAgAABAAAAAAAAAAEAAAAAAAAAABgEgAAAgAA9F8SAAMAYIUAABAAABAAAAAAEAAAEAAAAAAAABAAAAAAAAAAAAAAAHPUEQBPAAAAACASACQFAAAAAAAAAAAAAAAAAAAAAAAAAEASAAwAAADA0xEAOAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAACAAAAAAAAAAAAAAACCAAAEgAAAAAAAAAAAAAAC50ZXh0AAAA5OcRAAAgAAAA6BEAAAIAAAAAAAAAAAAAAAAAACAAAGAucnNy |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # https://gist.githubusercontent.com/oscitancy/387e7d0d73af03eb8ba56139efdfac85/raw/58d9c6bac40dabe559d6d9e2c92876677243680f/Get-DHCPResponse.ps1 | |
| <# | |
| .SYNOPSIS | |
| Sends out a DHCP Discover packet to see who responds. | |
| .DESCRIPTION | |
| Creates a DHCP Discover Packet then broadcasts it on Port 67 then waits for | |
| responses sent back on Port 68. Does a basic parsing of the bytes recieved so | |
| that you can diagnose problems manually. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function Get-Providers | |
| { | |
| Get-WmiObject -NameSpace $ns -Class __Win32Provider | select Name,__PATH, __NAMESPACE, CLSID, AssemblyPath, ImpersonationLevel | | |
| ForEach-Object { | |
| # Check for registery provider | |
| $Check = Get-PSProvider | where name -like registry | where drives -like "*hkcr*" | |
| if($Check -eq ""){ | |
| New-PSDrive -PSProvider registry -Root HKEY_CLASSES_ROOT -Name HKCR | |
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <# Questions / todo | |
| #check for namespace privs | |
| #check for reg key privs | |
| #check for dll hijacking due to missing quotes | |
| #check for dll file privs | |
| #check for impersonation - named pipe, token duplication, scheduled task,other? | |
| #identify managed vs unmanaged; native vs custom | |
| # what else? | |
| References |
This file has been truncated, but you can view the full file.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # DLL bytes as a string | |
| $ADModuleString = "TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDAHYH/eAAAAAAAAAAAOAAIiALATAAAOgRAAAIAAAAAAAAxtQRAAAgAAAAIBIAAAAAEAAgAAAAAgAABAAAAAAAAAAEAAAAAAAAAABgEgAAAgAA9F8SAAMAYIUAABAAABAAAAAAEAAAEAAAAAAAABAAAAAAAAAAAAAAAHPUEQBPAAAAACASACQFAAAAAAAAAAAAAAAAAAAAAAAAAEASAAwAAADA0xEAOAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAACAAAAAAAAAAAAAAACCAAAEgAAAAAAAAAAAAAAC50ZXh0AAAA5OcRAAAgAAAA6BEAAAIAAAAAAAAAAAAAAAAAACAAAGAucnNyYwAAACQFAAAAIBIAAAYAAADqEQAAAAAAAAAAAAAAAABAAABALnJlbG9jAAAMAAAAAEASAAACAAAA8BEAAAAAAAAAAAAAAAAAQAAAQgAAAAAAAAAAAAAAAAAAAACn1BEAAAAAAEgAAAACAAUAfHkFAEyGCwAJAAAAAAAAAMj/EAB40wAAQNMRAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4CKFAAAAoqkgIoUAAACgIDfQEAAAQCBH0CAAAEAgV9AwAABAIOBH0EAAAEKh4CKFAAAAoqOgIoUAAACgIDfQUAAAQqHgIoUAAACiqyAihQAAAKAgN9BgAABAIEfQcAAAQCBX0IAAAEAg4EfQkAAAQCDgV9CgAABCoeAihQAAAKKjoCKFAAAAoCA |
This file has been truncated, but you can view the full file.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function Invoke-DCSync | |
| { | |
| <# | |
| .SYNOPSIS | |
| Uses dcsync from mimikatz to collect NTLM hashes from the domain. | |
| Author: @monoxgas | |
| Improved by: @harmj0y |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003" > | |
| <Target Name="Hello" > | |
| <!-- Call ANY .NET API --> | |
| <!-- | |
| Author: Casey Smith, Twitter: @subTee | |
| License: BSD 3-Clause | |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # PowerShellery | |
| # Source: https://github.com/0xbadjuju/TellMeYourSecrets | |
| # Note: This was hacked together for the sake of portability. | |
| # Note: To refresh TellMeYourSecrets.dll do the following: | |
| # $Bytes = [System.IO.File]::ReadAllBytes("C:\temp\TellMeYourSecrets.dll") | |
| # $MyString = [System.Convert]::ToBase64String($Bytes) | |
| # or | |
| # $Bytes = [System.IO.File]::ReadAllBytes("C:\users\istest1\Desktop\TellMeYourSecrets.dll") | |
| # [System.Reflection.Assembly]::Load($Bytes) | |
| # [TellMeYourSecrets.LSA]::DumpLsa() |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # This script uses the ActiveDirectory module to enumerate live Windows system on the domain that support WMI/PS Remoting, | |
| # and filters out win7 and 2k3 | |
| # Run on domain system or via 'runas /netonly /user:domain\user powershell.exe' | |
| # Initial DC | |
| $InitialDc = '10.4.222.205' | |
| # Create connection to initial dc | |
| Import-Module ActiveDirectory |