firefalc0n
@firefalc0n
firefalc0n / powerset_creds.ps1
Created September 10, 2017 12:50
"creds.ps1" will wait for user to open iexplore.exe. Upon the execution of iexplore.exe, the script will stop it and pop up a window telling the user to "Input his/her username and password to use it".
########################################################################################################################
#creds.ps1
#Used to socially steal a user's credentials
#Script by: LogoiLab
#
#synopsis:
#
#When run: "creds.ps1" will wait for the user to open iexplore.exe (Internet Explorer). Upon the execution of iexplore.exe
#the script will stop iexplore.exe and pop up a window telling the user to "Input his/her username and password to use
#Internet Explorer". It will then check the creds against the SAM module; if they don't match the current user's, it will
function Invoke-ExcelMacroPivot{
<#
.AUTHOR
Matt Nelson (@enigma0x3)
.SYNOPSIS
Pivots to a remote host by using an Excel macro and Excel's COM object
.PARAMETER Target
Remote host to pivot to
.PARAMETER RemoteDocumentPath
Local path on the remote host where the payload resides
function Invoke-UACBypass {
<#
.SYNOPSIS
Bypasses UAC on Windows 10 by abusing the SilentCleanup task to win a race condition, allowing for a DLL hijack without a privileged file copy.
Author: Matthew Graeber (@mattifestation), Matt Nelson (@enigma0x3)
License: BSD 3-Clause
Required Dependencies: None
Optional Dependencies: None
firefalc0n / ExcelXLL.md
Created September 23, 2017 00:51 — forked from ryhanson/ExcelXLL.md
Execute a DLL via .xll files and the Excel.Application object's RegisterXLL() method

DLL Execution via Excel.Application RegisterXLL() method

A DLL can be loaded and executed via Excel by initializing the Excel.Application COM object and passing a DLL to the RegisterXLL method. The DLL path does not need to be local, it can also be a UNC path that points to a remote WebDAV server.

When delivering via WebDAV, it should be noted that the DLL is still written to disk, but the dropped file is not the one loaded into the process. This is the case for any file downloaded via WebDAV; such files are stored at: C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\TfsStore\Tfs_DAV\.

The RegisterXLL function expects an XLL add-in, which is essentially a specially crafted DLL with specific exports. More info on XLLs can be found on MSDN.

The XLL can also be executed by double-clicking the .xll file; however, there is a security warning. @rxwx has more notes on this here inc

<#
File: PowerSkype.ps1
Author: Karl Fosaaen (@kfosaaen), NetSPI - 2016
Description: PowerShell functions for enumerating and attacking federated Skype for Business instances.
Thanks: @nyxgeek for the http-ntlm authentication endpoints
#>
# To Do:
# Add proper error handling on all inputs/functions
# Add attachment functionality to send files w/messages
function UAC-TokenMagic {
<#
.SYNOPSIS
Based on James Forshaw's three part post on UAC, linked below, and possibly a technique
used by the CIA!
Essentially we duplicate the token of an elevated process, lower its mandatory
integrity level, use it to create a new restricted token, impersonate it and
use the Secondary Logon service to spawn a new process with High IL. Like
playing hide-and-go-seek with tokens! ;))
firefalc0n / Invoke-Kerberoast.ps1
Created September 27, 2017 14:40
Invoke-Kerberoast.ps1
<#
Invoke-Kerberoast.ps1
Author: Will Schroeder (@harmj0y), @machosec
License: BSD 3-Clause
Required Dependencies: None
Credit to Tim Medin (@TimMedin) for the Kerberoasting concept and original toolset implementation (https://github.com/nidem/kerberoast).
Note: the primary method of use will be Invoke-Kerberoast with various targeting options.
firefalc0n / RC4.ps1
Created September 27, 2017 15:10 — forked from HarmJ0y/RC4.ps1
PowerShell RC4 Implementation
function ConvertTo-Rc4ByteStream {
<#
.SYNOPSIS
Converts an input byte array to a RC4 cipher stream using the specified key.
Author: @harmj0y
License: BSD 3-Clause
Required Dependencies: None
Optional Dependencies: None
# Gives a list of all Microsoft Updates sorted by KB number/HotfixID
# By Tom Arbuthnot. Lyncdup.com
$wu = New-Object -ComObject "Microsoft.Update.Searcher"
$totalupdates = $wu.GetTotalHistoryCount()
#requires -RunAsAdministrator
<#-----------------------------------------------------------------------------
Ashley McGlone, Microsoft Premier Field Engineer
http://aka.ms/goateepfe
February 2016
Install-ADModule
For Windows 10 performs the following tasks:
- Downloads and installs Windows 10 RSAT for the appropriate system architecture
- Enables the RSAT AD PowerShell feature