Chris Campbell obscuresec

## Get-AdDnsRecords
function Get-ADDNSRecords {
<#
update of dns-dump.ps1 by Michael B. Smith
michael at smithcons dot com
https://github.com/mmessano/PowerShell/blob/master/dns-dump.ps1
#>
Param(
	[string]$zone = "$env:USERDNSDOMAIN",
	[string]$dc = "$(($env:LOGONSERVER).trim('\'))"
)

## gist:d40270da694322bfee75
$DirEntry = New-Object DirectoryServices.DirectoryEntry('LDAP://dc=demo,dc=lab',$user,$pass)
$AdsiSearcher = New-Object DirectoryServices.DirectorySearcher($ADSI,"(objectCategory=User)")
$AdsiSearcher.findall()

## dirtywebserver.ps1
$Hso = New-Object Net.HttpListener
$Hso.Prefixes.Add("http://+:8000/")
$Hso.Start()
While ($Hso.IsListening) {
    $HC = $Hso.GetContext()
    $HRes = $HC.Response
    $HRes.Headers.Add("Content-Type","text/plain")
    $Buf = [Text.Encoding]::UTF8.GetBytes((GC (Join-Path $Pwd ($HC.Request).RawUrl)))
    $HRes.ContentLength64 = $Buf.Length
    $HRes.OutputStream.Write($Buf,0,$Buf.Length)

## gist:b6c97b423fedc4500c10
$LdapFilter = #Query Goes Here
([adsisearcher]"$LdapFilter").Findall()

## gist:d1bafa3013ced1b38f08
([adsisearcher]"objectCategory=User").Findall() | ForEach {$_.properties.cn}

## gist:bd30a8431ee4bc32f1cd
powershell.exe -com '([adsisearcher]'objectCategory=Computer').Findall() | ForEach {$_.properties.cn}'

## gist:bba41defe6db2aaf09bd
(cmd /c echo {([adsisearcher]'objectCategory=Computer').Findall() | ForEach {$_.properties.cn}}).split(' ')[1]

## gist:7faa11676c21ab84b888
powershell.exe -enc KABbAGEAZABzAGkAcwBlAGEAcgBjAGgAZQByAF0AJwBvAGIAagBlAGMAdABDAGEAdABlAGcAbwByAHkAPQBDAG8AbQBwAHUAdABlAHIAJwApAC4ARgBpAG4AZABhAGwAbAAoACkAIAB8ACAARgBvAHIARQBhAGMAaAAgAHsAJABfAC4AcAByAG8AcABlAHIAdABpAGUAcwAuAGMAbgB9AA==

## gist:7ee41139bada41b7c737
powershell.exe -com "((([adsisearcher]"objectCategory=User").Findall())[0].properties).PropertyNames"

## psproxy.ps1
#simple and dirty proxy
#usage: http://127.0.0.1:8000/?url=http://www.obscuresec.com
$Up = "http://+:8000/"
$Hso = New-Object Net.HttpListener
$Wco = New-Object Net.Webclient

#ignore self-signed/invalid ssl certs
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$True}

Foreach ($P in $Up) {$Hso.Prefixes.Add($P)}
	function Get-ADDNSRecords {
	<#
	update of dns-dump.ps1 by Michael B. Smith
	michael at smithcons dot com
	https://github.com/mmessano/PowerShell/blob/master/dns-dump.ps1
	#>
	Param(
	[string]$zone = "$env:USERDNSDOMAIN",
	[string]$dc = "$(($env:LOGONSERVER).trim('\'))"
	)
	$DirEntry = New-Object DirectoryServices.DirectoryEntry('LDAP://dc=demo,dc=lab',$user,$pass)
	$AdsiSearcher = New-Object DirectoryServices.DirectorySearcher($ADSI,"(objectCategory=User)")
	$AdsiSearcher.findall()
	$Hso = New-Object Net.HttpListener
	$Hso.Prefixes.Add("http://+:8000/")
	$Hso.Start()
	While ($Hso.IsListening) {
	$HC = $Hso.GetContext()
	$HRes = $HC.Response
	$HRes.Headers.Add("Content-Type","text/plain")
	$Buf = [Text.Encoding]::UTF8.GetBytes((GC (Join-Path $Pwd ($HC.Request).RawUrl)))
	$HRes.ContentLength64 = $Buf.Length
	$HRes.OutputStream.Write($Buf,0,$Buf.Length)
	$LdapFilter = #Query Goes Here
	([adsisearcher]"$LdapFilter").Findall()
	#simple and dirty proxy
	#usage: http://127.0.0.1:8000/?url=http://www.obscuresec.com
	$Up = "http://+:8000/"
	$Hso = New-Object Net.HttpListener
	$Wco = New-Object Net.Webclient

	#ignore self-signed/invalid ssl certs
	[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$True}

	Foreach ($P in $Up) {$Hso.Prefixes.Add($P)}