Skip to content

Instantly share code, notes, and snippets.

Avatar

Joshua Small technion

View GitHub Profile
@technion
technion / Scan-Netlogon-Secure.ps1
Last active Aug 16, 2020
Search domain controllers for events relating to Netlogon vulnerability
View Scan-Netlogon-Secure.ps1
# More information: https://support.microsoft.com/en-au/help/4557222/how-to-manage-the-changes-in-netlogon-secure-channel-connections-assoc
Set-StrictMode -Version 2
# Fetch all Domain Controllers. Use this pattern to fetch from all sites.
$addomain = Get-ADDomain
$controllers = Get-ADComputer -filter * -SearchBase "OU=Domain Controllers,$($addomain.DistinguishedName)"
foreach ($dc in $controllers) {
# Errors are ignored so as not to throw an exception if there are no such logs found
Get-WinEvent -FilterHashtable @{logname='system'; id=5827,5828,5829,5830,5831} -ComputerName $dc.Name -ErrorAction Ignore
@technion
technion / phishing.js
Last active Aug 12, 2020
blog of phishing code
View phishing.js
'use strict';
/** @type {!Array} */
var _0xd60a = ["call", "unknown BTYPE: ", "innerHTML", "lazy", "invalid code length: ", "subarray", "createElement", "invalid compression type", "decompress", "input buffer is broken", "POSITIVE_INFINITY", "index", "verify", "charCodeAt", "bufferSize", "invalid uncompressed block header: LEN", "var ", "compile", "fromCodePoint", "finish", "bufferType", "shift", "compressionType", "input", "Zlib.Inflate.prototype.decompress", "invalid inflate mode", "slice", "NONE", "appendChild", "length", "string",
"Zlib.Inflate", "textContent", "prototype", "Zlib.Deflate.compress", "resize", "number", "invalid index", "documentElement", "buffer", "undefined", "trim", "unsupported compression type", "keys", "constructor", "Inflate", "unsupported compression method", "a9ae92d3-ee4f-4bc1-a8c5-7cff21373a99", "split", 'return /" + this + "/', "invalid adler-32 checksum", "getParent", "close", "invalid length: ", "push", "fromCharCode", "invalid code: ", "Zlib.Deflate.CompressionType", "write"
@technion
technion / Hyper-V VM Use Report.ps1
Created Jul 14, 2020
Report on whole VM cluster in csv format
View Hyper-V VM Use Report.ps1
$nodelist = Get-Clusternode -Cluster cls
$vmdata = @()
foreach ($node in $nodelist) {
$vmList = Get-VM -ComputerName $node.Name | where { $_.name -notlike '*_replica' }
foreach ($vm in $vmList) {
$UtilSummaryObj = New-Object System.Object
View User duplicate provisioning.ps1
Set-StrictMode -Version 2
Add-Type -AssemblyName 'System.Web'
$adusers = Get-ADGroupMember "Team"
foreach ($user in $adusers) {
$newname = "$($user.Samaccountname).delegate"
$password = [System.Web.Security.Membership]::GeneratePassword(12, 0)
$secPw = ConvertTo-SecureString -String $password -AsPlainText -Force
@technion
technion / AzureGroups.ps1
Created Apr 30, 2020
Adds all AzureAD users with a certain license to a group
View AzureGroups.ps1
$skus = Get-AzureADSubscribedSku
# Exchange Online E1
$skue1 = ( $skus | where { $_.skupartnumber -eq 'EXCHANGESTANDARD' } ).SkuID
$members = Get-AzureADUser -All $true
foreach($member in $members) {
if ($member.ImmutableId -eq $null) {
# Cloud user - skip
@technion
technion / Check-CVE-2020-0688.ps1
Created Apr 7, 2020
Scan Exchange server for CVE-2020-0688 vulnerability
View Check-CVE-2020-0688.ps1
Set-Strictmode -Version 2
$path = Get-WebApplication ecp
$ecppath = $path | where { $_.PhysicalPath -match 'Client' }
$found = Select-String validationKey -Path "$($ecppath.PhysicalPath)\web.config"
if ($found) {
Write-host "Server is vulnerable" -ForegroundColor Yellow
} else {
write-host "Server is not vulnerable"
}
View dlimportexport.ps1
# Export
$allGroups = Get-DistributionGroup | select Name, primarysmtpaddress
$exportlist = @()
foreach($group in $allGroups) {
$obj = New-Object -TypeName psobject
$obj | Add-Member -MemberType NoteProperty -Name Name -Value $group.Name
$obj | Add-Member -MemberType NoteProperty -Name Email -Value $group.PrimarySMTPAddress
@technion
technion / otxhashget.ps1
Created Jul 26, 2019
Alien Vault OTX file hash IOC download Powershell
View otxhashget.ps1
# Script to create current IOC hash file from Alien Vault Open Threat Exchange
$apikey = "KEY"
$feedurl = "https://otx.alienvault.com/api/v1/pulses/subscribed/?limit=10&page=1"
Start-Transcript -Path E:\custom-hash-iocs.txt
function fetchOTX($url) {
$indicators = Invoke-RestMethod -Uri $url -Headers @{"X-OTX-API-KEY"="$apikey"}
foreach($ioc in $indicators.results.indicators) {
if ($ioc.type -like "FileHash-*") {
View phishget.rb
#!/usr/bin/env ruby
require 'httparty'
FILELIST = [
'/dropbox.zip',
'/robots.txt', # Not from the original list - this serves as a sanity check as it usually exists
'/css/business-frontpage.css',
'/newphase.zip',
'/Doc.zip',
'/wp-content.zip',
@technion
technion / assertions.c
Created Apr 27, 2019
Assertion testing
View assertions.c
$ cat assertion.c
#include <stdio.h>
#include <assert.h>
int main()
{
int i = 7;
assert(i > 10);
printf("Just printing something\n");
return 0;
You can’t perform that action at this time.