Skip to content

Instantly share code, notes, and snippets.

View nullbind's full-sized avatar

Scott Sutherland nullbind

570 followers · 50 following
View GitHub Profile
@nullbind
nullbind / Get-DASPNs.ps1
Created January 29, 2020 16:16
Get-DASPNs.ps1
# Get All User SPNs
$UserSPNs = Get-ADObject -LDAPFilter "(&(objectClass=user)(ServicePrincipalName=*))" -Properties samaccountname,description,serviceprincipalname
# Get All Domain Admins
$DomainAdmins = Get-ADGroupMember -Recursive -Identity "Domain Admins“ | select SamAccountName –expandproperty SamAccountName
# Get Domain Admins with SPNs
$DomainAdmins |
ForEach-Object {
$DA = $_;
@nullbind
nullbind / Import-ADandGPO.ps1
Last active July 11, 2020 12:12
This is an example of how to import the Active Directory and GPO command PowerShell modules on the fly.
This file has been truncated, but you can view the full file.
# ---------------------------------------------------
# Load the Active Directory PowerShell module
# ---------------------------------------------------
# $ADModuleBytes = [System.IO.File]::ReadAllBytes("C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.ActiveDirectory.Management\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.ActiveDirectory.Management.dll")
# $ADModuleString = [System.Convert]::ToBase64String($ADModuleBytes)
# Set the string
$ADModuleString = "TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDAHYH/eAAAAAAAAAAAOAAIiALATAAAOgRAAAIAAAAAAAAxtQRAAAgAAAAIBIAAAAAEAAgAAAAAgAABAAAAAAAAAAEAAAAAAAAAABgEgAAAgAA9F8SAAMAYIUAABAAABAAAAAAEAAAEAAAAAAAABAAAAAAAAAAAAAAAHPUEQBPAAAAACASACQFAAAAAAAAAAAAAAAAAAAAAAAAAEASAAwAAADA0xEAOAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAACAAAAAAAAAAAAAAACCAAAEgAAAAAAAAAAAAAAC50ZXh0AAAA5OcRAAAgAAAA6BEAAAIAAAAAAAAAAAAAAAAAACAAAGAucnNy
@nullbind
nullbind / Get-DHCPResponse.ps1
Created October 1, 2019 21:54
Get-DHCPResponse.ps1
# https://gist.githubusercontent.com/oscitancy/387e7d0d73af03eb8ba56139efdfac85/raw/58d9c6bac40dabe559d6d9e2c92876677243680f/Get-DHCPResponse.ps1
<#
.SYNOPSIS
Sends out a DHCP Discover packet to see who responds.
.DESCRIPTION
Creates a DHCP Discover Packet then broadcasts it on Port 67 then waits for
responses sent back on Port 68. Does a basic parsing of the bytes recieved so
that you can diagnose problems manually.
@nullbind
nullbind / Get-WmiProviderInfo.ps1
Last active July 22, 2020 16:53
Get-WmiProviderInfo.ps1
function Get-Providers
{
Get-WmiObject -NameSpace $ns -Class __Win32Provider | select Name,__PATH, __NAMESPACE, CLSID, AssemblyPath, ImpersonationLevel |
ForEach-Object {
# Check for registery provider
$Check = Get-PSProvider | where name -like registry | where drives -like "*hkcr*"
if($Check -eq ""){
New-PSDrive -PSProvider registry -Root HKEY_CLASSES_ROOT -Name HKCR
}
@nullbind
nullbind / Get-WmiNamespaceDacl.ps1
Last active August 27, 2019 15:08
Get-WmiNamespaceDacl.ps1
<# Questions / todo
#check for namespace privs
#check for reg key privs
#check for dll hijacking due to missing quotes
#check for dll file privs
#check for impersonation - named pipe, token duplication, scheduled task,other?
#identify managed vs unmanaged; native vs custom
# what else?
References
@nullbind
nullbind / portable-adps.ps1
Created August 23, 2019 21:38
portable-adps.ps1
This file has been truncated, but you can view the full file.
# DLL bytes as a string
$ADModuleString = "TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDAHYH/eAAAAAAAAAAAOAAIiALATAAAOgRAAAIAAAAAAAAxtQRAAAgAAAAIBIAAAAAEAAgAAAAAgAABAAAAAAAAAAEAAAAAAAAAABgEgAAAgAA9F8SAAMAYIUAABAAABAAAAAAEAAAEAAAAAAAABAAAAAAAAAAAAAAAHPUEQBPAAAAACASACQFAAAAAAAAAAAAAAAAAAAAAAAAAEASAAwAAADA0xEAOAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAACAAAAAAAAAAAAAAACCAAAEgAAAAAAAAAAAAAAC50ZXh0AAAA5OcRAAAgAAAA6BEAAAIAAAAAAAAAAAAAAAAAACAAAGAucnNyYwAAACQFAAAAIBIAAAYAAADqEQAAAAAAAAAAAAAAAABAAABALnJlbG9jAAAMAAAAAEASAAACAAAA8BEAAAAAAAAAAAAAAAAAQAAAQgAAAAAAAAAAAAAAAAAAAACn1BEAAAAAAEgAAAACAAUAfHkFAEyGCwAJAAAAAAAAAMj/EAB40wAAQNMRAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4CKFAAAAoqkgIoUAAACgIDfQEAAAQCBH0CAAAEAgV9AwAABAIOBH0EAAAEKh4CKFAAAAoqOgIoUAAACgIDfQUAAAQqHgIoUAAACiqyAihQAAAKAgN9BgAABAIEfQcAAAQCBX0IAAAEAg4EfQkAAAQCDgV9CgAABCoeAihQAAAKKjoCKFAAAAoCA
@nullbind
nullbind / test.ps1
Created June 5, 2019 21:08
test.ps1
This file has been truncated, but you can view the full file.
function Invoke-DCSync
{
<#
.SYNOPSIS
Uses dcsync from mimikatz to collect NTLM hashes from the domain.
Author: @monoxgas
Improved by: @harmj0y
@nullbind
nullbind / poc.png
Created May 22, 2019 20:56
MSBuild - Property functions -
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003" >
<Target Name="Hello" >
<!-- Call ANY .NET API -->
<!--
Author: Casey Smith, Twitter: @subTee
License: BSD 3-Clause
@nullbind
nullbind / TellMeYourSecrets.ps1
Created May 2, 2019 17:19
TellMeYourSecrets.ps1
# PowerShellery
# Source: https://github.com/0xbadjuju/TellMeYourSecrets
# Note: This was hacked together for the sake of portability.
# Note: To refresh TellMeYourSecrets.dll do the following:
# $Bytes = [System.IO.File]::ReadAllBytes("C:\temp\TellMeYourSecrets.dll")
# $MyString = [System.Convert]::ToBase64String($Bytes)
# or
# $Bytes = [System.IO.File]::ReadAllBytes("C:\users\istest1\Desktop\TellMeYourSecrets.dll")
# [System.Reflection.Assembly]::Load($Bytes)
# [TellMeYourSecrets.LSA]::DumpLsa()
@nullbind
nullbind / Get-DomainComputerWSMAN.ps1
Created May 1, 2019 17:36
Get-DomainComputerWSMAN.ps1
# This script uses the ActiveDirectory module to enumerate live Windows system on the domain that support WMI/PS Remoting,
# and filters out win7 and 2k3
# Run on domain system or via 'runas /netonly /user:domain\user powershell.exe'
# Initial DC
$InitialDc = '10.4.222.205'
# Create connection to initial dc
Import-Module ActiveDirectory