Forwarded from Ralf Hacker Channel (Ralf Hacker)
CVE-2024-21413: Microsoft Outlook Leak Hash
https://github.com/duy-31/CVE-2024-21413
#exploit #pentest #redteam #ad
https://github.com/duy-31/CVE-2024-21413
#exploit #pentest #redteam #ad
GitHub
GitHub - duy-31/CVE-2024-21413: Microsoft Outlook Information Disclosure Vulnerability (leak password hash) - Expect Script POC
Microsoft Outlook Information Disclosure Vulnerability (leak password hash) - Expect Script POC - duy-31/CVE-2024-21413
🔥5❤2👍1
🔐 Spray Passwords, Avoid Lockouts
In this blog post, learn how to effectively use password spraying in Active Directory environments without triggering account lockouts. Dive into authentication mechanisms, password policies, GPO and PSOs.
Research
🔗 https://en.hackndo.com/password-spraying-lockout/
Tool
🔗 https://github.com/login-securite/conpass
#ad #spraying #passpol
In this blog post, learn how to effectively use password spraying in Active Directory environments without triggering account lockouts. Dive into authentication mechanisms, password policies, GPO and PSOs.
Research
🔗 https://en.hackndo.com/password-spraying-lockout/
Tool
🔗 https://github.com/login-securite/conpass
#ad #spraying #passpol
🔥11👍7❤2
Tool for monitor Active Directory changes in real time without getting all objects. Instead of this it use replication metadata and Update Sequence Number (USN) to filter current properties of objects.
🔗 Research:
https://habr.com/ru/companies/angarasecurity/articles/697938/
🔗 Source:
https://github.com/DrunkF0x/ADSpider
———
Наконец-то появилась на свет,
#ad #windows #monitoring #tools
Please open Telegram to view this post
VIEW IN TELEGRAM
Хабр
Паук в Active Directory так лапками тыдык тыдык
В чем соль: у нас уже есть достаточно известные утилиты , чтобы «отслеживать» изменения в Active Directory. Почему в кавычках? Потому что все подобные утилиты (ну, практически) используют...
🔥10❤4👍4👎1
🔑 Three-Headed Potato Dog: NTLM and Kerberos Coercion
New research demonstrates how DCOM can coerce Windows systems to authenticate remotely, allowing attackers to relay NTLM or Kerberos authentication to AD CS over HTTP. This enables remote and cross-session authentication relay attacks, targeting both machine and user accounts.
🔗 Research:
https://blog.compass-security.com/2024/09/three-headed-potato-dog/
🔗 Source:
https://github.com/sploutchy/impacket/blob/potato/examples/potato.py
#ad #windows #dcom #relay #potato
New research demonstrates how DCOM can coerce Windows systems to authenticate remotely, allowing attackers to relay NTLM or Kerberos authentication to AD CS over HTTP. This enables remote and cross-session authentication relay attacks, targeting both machine and user accounts.
🔗 Research:
https://blog.compass-security.com/2024/09/three-headed-potato-dog/
🔗 Source:
https://github.com/sploutchy/impacket/blob/potato/examples/potato.py
#ad #windows #dcom #relay #potato
❤13👍3
📜 DGPOEdit
Disconnected GPO Editor - A Group Policy Manager launcher to allow editing of domain GPOs from non-domain joined machines
🔗 Source:
https://github.com/CCob/DGPOEdit
#ad #windows #gpo #policy
Disconnected GPO Editor - A Group Policy Manager launcher to allow editing of domain GPOs from non-domain joined machines
🔗 Source:
https://github.com/CCob/DGPOEdit
#ad #windows #gpo #policy
GitHub
GitHub - CCob/DRSAT: Disconnected RSAT - A method of running Group Policy Manager, Certificate Authority and Certificate Templates…
Disconnected RSAT - A method of running Group Policy Manager, Certificate Authority and Certificate Templates MMC snap-ins from non-domain joined machies - CCob/DRSAT
🔥6👍2
🔔Call and Register — Relay Attack on WinReg RPC Client
A critical vulnerability (CVE-2024-43532) has been identified in Microsoft’s Remote Registry client. This flaw allows attackers to exploit insecure fallback mechanisms in the WinReg client, enabling them to relay authentication details and make unauthorized certificate requests through Active Directory Certificate Services (ADCS).
🔗 Research:
https://www.akamai.com/blog/security-research/winreg-relay-vulnerability
🔗 RPC Visibility Tool:
https://github.com/akamai/akamai-security-research/tree/main/rpc_toolkit/rpc_visibility
🔗 PoC:
https://github.com/akamai/akamai-security-research/tree/main/PoCs/cve-2024-43532
#ad #adcs #rpc #ntlm #relay #etw #advapi
A critical vulnerability (CVE-2024-43532) has been identified in Microsoft’s Remote Registry client. This flaw allows attackers to exploit insecure fallback mechanisms in the WinReg client, enabling them to relay authentication details and make unauthorized certificate requests through Active Directory Certificate Services (ADCS).
🔗 Research:
https://www.akamai.com/blog/security-research/winreg-relay-vulnerability
🔗 RPC Visibility Tool:
https://github.com/akamai/akamai-security-research/tree/main/rpc_toolkit/rpc_visibility
🔗 PoC:
https://github.com/akamai/akamai-security-research/tree/main/PoCs/cve-2024-43532
#ad #adcs #rpc #ntlm #relay #etw #advapi
1🔥9👍6❤2
📜 ADCS Attack Techniques Cheatsheet
This is a handy table outlining the various methods of attack against Active Directory Certificate Services (ADCS)
🔗 Source:
https://docs.google.com/spreadsheets/d/1E5SDC5cwXWz36rPP_TXhhAvTvqz2RGnMYXieu4ZHx64/edit?gid=0#gid=0
#ad #adcs #esc #cheatsheet
This is a handy table outlining the various methods of attack against Active Directory Certificate Services (ADCS)
🔗 Source:
https://docs.google.com/spreadsheets/d/1E5SDC5cwXWz36rPP_TXhhAvTvqz2RGnMYXieu4ZHx64/edit?gid=0#gid=0
#ad #adcs #esc #cheatsheet
Google Docs
ADCS Attack Techniques Cheatsheet
👍17🔥3
Forwarded from Ralf Hacker Channel (Ralf Hacker)
CVE-2024-43468: ConfigMgr/SCCM 2403 Unauth SQLi to RCE
PATCHED: Oct 8, 2024
Exploit: https://github.com/synacktiv/CVE-2024-43468
Blog: https://www.synacktiv.com/advisories/microsoft-configuration-manager-configmgr-2403-unauthenticated-sql-injections
#git #exploit #ad #rce #sccm #pentest #redteam
PATCHED: Oct 8, 2024
Exploit: https://github.com/synacktiv/CVE-2024-43468
Blog: https://www.synacktiv.com/advisories/microsoft-configuration-manager-configmgr-2403-unauthenticated-sql-injections
#git #exploit #ad #rce #sccm #pentest #redteam
GitHub
GitHub - synacktiv/CVE-2024-43468
Contribute to synacktiv/CVE-2024-43468 development by creating an account on GitHub.
🔥5👍2❤1
🔍 Exploring WinRM plugins for lateral movement
In this blog, the process of leveraging WinRM plugins to perform lateral movement to other systems is explored. Additionally, the use of the
🔗 Research:
https://falconforce.nl/exploring-winrm-plugins-for-lateral-movement/
🔗 Source:
https://github.com/FalconForceTeam/bof-winrm-plugin-jump
#ad #winrm #cobaltstrike #bof #redteam
In this blog, the process of leveraging WinRM plugins to perform lateral movement to other systems is explored. Additionally, the use of the
CIM_LogicFile WMI class to bypass certain tricky detections by Microsoft Defender is examined. Finally, all the logic is incorporated into a Cobalt Strike BOF.🔗 Research:
https://falconforce.nl/exploring-winrm-plugins-for-lateral-movement/
🔗 Source:
https://github.com/FalconForceTeam/bof-winrm-plugin-jump
#ad #winrm #cobaltstrike #bof #redteam
FalconForce
Exploring WinRM plugins for lateral movement - FalconForce
We explore how to leverage WinRM plugins to perform lateral movement to other systems and put all the logic in a Cobalt Strike BOF.
🔥6❤3👍3🤔1
This article discusses a vulnerability in Active Directory (CVE-2025-21293) related to the Network Configuration Operators group, which has excessive permissions to create subkeys in the registry for DnsCache and NetBT. This allows attackers to leverage Performance Counters to execute code with NT\SYSTEM privileges, potentially leading to privilege escalation.
🔗 Source:
https://birkep.github.io/posts/Windows-LPE/
#ad #network #group #lpe #cve
Please open Telegram to view this post
VIEW IN TELEGRAM
🔥13❤2👍1🤔1
🛠 PsExeSVC - Remote Execution via Python
PsExeSVC is a Python-based tool that interacts with the PsExec service to execute remote commands without relying on Windows binaries. It enables privilege escalation, remote shell access, and user authentication via primary tokens, mimicking legitimate PsExec.exe behavior while bypassing security controls like EDR detection.
🔗 Research:
https://sensepost.com/blog/2025/psexecing-the-right-way-and-why-zero-trust-is-mandatory/
🔗 Source:
https://github.com/sensepost/susinternals
#windows #ad #psexec #edr #bypass
PsExeSVC is a Python-based tool that interacts with the PsExec service to execute remote commands without relying on Windows binaries. It enables privilege escalation, remote shell access, and user authentication via primary tokens, mimicking legitimate PsExec.exe behavior while bypassing security controls like EDR detection.
🔗 Research:
https://sensepost.com/blog/2025/psexecing-the-right-way-and-why-zero-trust-is-mandatory/
🔗 Source:
https://github.com/sensepost/susinternals
#windows #ad #psexec #edr #bypass
👍7🔥4❤2
🔍 Exploring NTDS.dit
This blog post examines the structure of the NTDS.dit file, which stores data for Active Directory. It also introduces DIT Explorer, a new open-source tool designed for analyzing NTDS.dit, demonstrating how it interprets the database to provide a structured view of the directory.
🔗 Research:
https://trustedsec.com/blog/exploring-ntds-dit-part-1-cracking-the-surface-with-dit-explorer
🔗 Source:
https://github.com/trustedsec/DitExplorer
#ad #windows #ntds #dnt
This blog post examines the structure of the NTDS.dit file, which stores data for Active Directory. It also introduces DIT Explorer, a new open-source tool designed for analyzing NTDS.dit, demonstrating how it interprets the database to provide a structured view of the directory.
🔗 Research:
https://trustedsec.com/blog/exploring-ntds-dit-part-1-cracking-the-surface-with-dit-explorer
🔗 Source:
https://github.com/trustedsec/DitExplorer
#ad #windows #ntds #dnt
1👍12🔥7👏2
A cross-platforms tool to find and decrypt Group Policy Preferences passwords from the SYSVOL share using low-privileged domain accounts.
🚀 Features:
— Only requires a low privileges domain user account.
— Automatically gets the list of all domain controllers from the LDAP.
— Finds all the Group Policy Preferences Passwords present in SYSVOL share on each domain controller.
— Decrypts the passwords and prints them in cleartext.
— Outputs to a Excel file.
🔗 Source:
https://github.com/p0dalirius/FindGPPPasswords
#ad #windows #gpo #credentials
Please open Telegram to view this post
VIEW IN TELEGRAM
1🔥15👍5❤4🤔1
Forwarded from Ralf Hacker Channel (Ralf Hacker)
NTLM релей в WinRMS, не ждали? А вот...
Blog: https://sensepost.com/blog/2025/is-tls-more-secure-the-winrms-case./
Soft: https://github.com/fortra/impacket/pull/1947
#pentest #redteam #relay #ad #lateralmovement
Blog: https://sensepost.com/blog/2025/is-tls-more-secure-the-winrms-case./
Soft: https://github.com/fortra/impacket/pull/1947
#pentest #redteam #relay #ad #lateralmovement
🔥11❤3👍3😁1
Forwarded from Ralf Hacker Channel (Ralf Hacker)
CVE-2025-33073: Reflective Kerberos Relay (LPE)
Blog: https://blog.redteam-pentesting.de/2025/reflective-kerberos-relay-attack/
Patched: June 10, 2025
Интересная LPE с релеем на себя... Даже CVE есть)
#lpe #ad #relay #pentest #redteam
Blog: https://blog.redteam-pentesting.de/2025/reflective-kerberos-relay-attack/
Patched: June 10, 2025
Интересная LPE с релеем на себя... Даже CVE есть)
#lpe #ad #relay #pentest #redteam
RedTeam Pentesting - Blog
A Look in the Mirror - The Reflective Kerberos Relay Attack
It is a sad truth in IT security that some vulnerabilities never quite want to die and time and time again, vulnerabilities that have long been fixed get revived and come right back at you. While researching relay attacks, the bane of Active …
❤8🔥4👍2
🔍 NauthNRPC
A Python tool that introduces a new method for gathering domain information, including the enumeration of domain users. The tool leverages auth-level = 1 (No authentication) against the MS-NRPC (Netlogon) interface on domain controllers. All that's required is the domain controller's IP address, and the entire process can be completed without providing any credentials.
🔗 Research:
https://securelist.com/no-auth-domain-information-enumeration/112629/
🔗 Source:
https://github.com/sud0Ru/NauthNRPC
#ad #enum #netlogon #rpc
A Python tool that introduces a new method for gathering domain information, including the enumeration of domain users. The tool leverages auth-level = 1 (No authentication) against the MS-NRPC (Netlogon) interface on domain controllers. All that's required is the domain controller's IP address, and the entire process can be completed without providing any credentials.
🔗 Research:
https://securelist.com/no-auth-domain-information-enumeration/112629/
🔗 Source:
https://github.com/sud0Ru/NauthNRPC
#ad #enum #netlogon #rpc
4🔥26👍6❤1
This is a tool for red and blue teams that transforms BloodHound data into a fully functional, Active Directory replica environment via the Ludus framework for controlled testing. This tool can be used to replicate most AD objects and permissions or can be used to replicate a specific Attack Path.
🔗 Research:
https://specterops.io/blog/2025/07/14/ludushound-raising-bloodhound-attack-paths-to-life/
🔗 Source:
https://gitlab.com/badsectorlabs/ludus
#ad #bloodhound #ludus #replica
Please open Telegram to view this post
VIEW IN TELEGRAM
1❤7👍4🔥3👎2
🔑 Golden DMSA
Critical vulnerability in Windows Server 2025 allows attackers with KDS root key access to generate passwords for all dMSA/gMSA accounts forest-wide. New research reveals design flaw in ManagedPasswordId structure - only 1,024 possible combinations makes brute-force trivial.
🔗 Research:
https://www.semperis.com/blog/golden-dmsa-what-is-dmsa-authentication-bypass/
🔗 Source:
https://github.com/Semperis/GoldenDMSA
#ad #windows #dmsa #kerberos #persistence
Critical vulnerability in Windows Server 2025 allows attackers with KDS root key access to generate passwords for all dMSA/gMSA accounts forest-wide. New research reveals design flaw in ManagedPasswordId structure - only 1,024 possible combinations makes brute-force trivial.
🔗 Research:
https://www.semperis.com/blog/golden-dmsa-what-is-dmsa-authentication-bypass/
🔗 Source:
https://github.com/Semperis/GoldenDMSA
#ad #windows #dmsa #kerberos #persistence
❤14🔥11👍4👎3🤔3
Critical deserialization of untrusted data vulnerability in Microsoft SharePoint allows unauthenticated remote code execution over the network. The exploit uses POST requests to
/_layouts/15/ToolPane.aspx with HTTP Referer header /_layouts/SignOut.aspx to bypass authentication, then extracts MachineKey configuration to generate valid __VIEWSTATE payloads for arbitrary code execution via a single HTTP request.🔗 Research:
https://research.eye.security/sharepoint-under-siege/
🔗 PoC:
https://gist.github.com/gboddin/6374c04f84b58cef050f5f4ecf43d501
🔗 Exploit:
https://github.com/soltanali0/CVE-2025-53770-Exploit
#ad #sharepoint #deserialization #toolshell #rce
Please open Telegram to view this post
VIEW IN TELEGRAM
❤14🔥13👍4
🎯 SpearSpray
Advanced password spraying tool for Active Directory environments. Combines LDAP user enumeration with intelligent pattern-based password generation. Uses Kerberos pre-authentication and leverages user-specific data (pwdLastSet, displayName) to create personalized passwords per user.
🔗 Source:
https://github.com/sikumy/spearspray
#ad #password #spraying #kerberos #bloodhound
Advanced password spraying tool for Active Directory environments. Combines LDAP user enumeration with intelligent pattern-based password generation. Uses Kerberos pre-authentication and leverages user-specific data (pwdLastSet, displayName) to create personalized passwords per user.
🔗 Source:
https://github.com/sikumy/spearspray
#ad #password #spraying #kerberos #bloodhound
2🔥14👍6