```powershell
function Get-KerberosAESKey
{
<#
.SYNOPSIS
Generate Kerberos AES 128/256 keys from a known username/hostname, password, and kerberos realm. The
results have been verified against the test values in RFC3962, MS-KILE, and my own test lab.
https://tools.ietf.org/html/rfc3962
https://msdn.microsoft.com/library/cc233855.aspx
```
This is a variation of the technique originally discovered by subtee and described here.

TL;DR: it essentially allows you to turn any .NET application into a lolbin by providing a configuration file whose <appDomainManagerAssembly> element points to a specially crafted .NET assembly, which executes when the application loads.

This variation allows you to load the AppDomainManager assembly from a UNC path or HTTP(S) server. It also disables ETW thanks to the <etwEnable> element :)
1. Working directory: C:\Test. Let's use aspnet_compiler.exe as an example.
2. test.cs compiled to test.dll with a signed strong name; this is required to load an assembly outside of a .NET application's base directory.
3. test.dll hosted on a remote SMB or HTTP(S) server.
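From the defender's side, the three config elements named above are what to look for in any app.exe.config dropped next to a .NET binary. The following scanner is an added example written for this page, not code from the gist: it flags a custom AppDomainManager, a disabled <etwEnable>, and any runtime attribute whose value points at a UNC path or HTTP(S) URL (such as a codeBase href). The sample config, assembly name, public key token and file server are constructed placeholders.

```python
import re
import xml.etree.ElementTree as ET

# A UNC path (\\server\share) or an http(s) URL at the start of an attribute value.
REMOTE_RE = re.compile(r"^(\\\\|https?://)", re.IGNORECASE)

# Constructed sample of an application configuration file (app.exe.config) that
# carries the elements the write-up describes; the assembly name, token and
# server are placeholders, not real values.
SAMPLE_CONFIG = """<configuration>
  <runtime>
    <appDomainManagerAssembly value="test, Version=0.0.0.0, Culture=neutral, PublicKeyToken=PLACEHOLDER" />
    <appDomainManagerType value="MyAppDomainManager" />
    <etwEnable enabled="false" />
    <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
      <dependentAssembly>
        <assemblyIdentity name="test" publicKeyToken="PLACEHOLDER" />
        <codeBase version="0.0.0.0" href="\\\\fileserver\\share\\test.dll" />
      </dependentAssembly>
    </assemblyBinding>
  </runtime>
</configuration>
"""

def local_name(tag):
    """Strip an XML namespace prefix such as {urn:...} from an element tag."""
    return tag.rsplit("}", 1)[-1]

def scan_config(xml_text):
    """Return a list of findings for one .NET config file's XML text."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        name = local_name(elem.tag)
        if name in ("appDomainManagerAssembly", "appDomainManagerType"):
            # A custom AppDomainManager is rare outside of developer tooling.
            findings.append(f"{name} set to {elem.get('value')!r}")
        elif name == "etwEnable" and (elem.get("enabled") or "").lower() == "false":
            findings.append("etwEnable disabled: CLR ETW telemetry is turned off")
        for attr, val in elem.attrib.items():
            if REMOTE_RE.match(val):
                # e.g. a codeBase href that pulls the assembly over SMB or HTTP
                findings.append(f"remote reference in <{name} {attr}>: {val}")
    return findings

if __name__ == "__main__":
    for finding in scan_config(SAMPLE_CONFIG):
        print(finding)
```

Run it over every *.exe.config and *.dll.config on a host; a benign config yields an empty list, while the sample above yields four findings.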