[ snovvcrash ]
[#HackStory] (1/4) Here's a generic case of reaching a locked-down PC from a firewalled segment in AD. The background is: 172.16.66.6 (the target) can talk to 192.168.1.11 (a PWNed server) but not vice versa, and to no one else in the foreseeable network.
#ad #pentest
[ snovvcrash ]
(2/4) Being a DA, an adversary can create an evil GPO that will coerce Immediate Scheduled Task execution on the target. The task downloads and executes a PS cradle pointing to the PWNed server. Sure, there're fancy (py|Sharp)GPOAbuse, etc… But when it's a pentest, who cares.
[ snovvcrash ]
(3/4) Meanwhile, some v4tov4 port proxies are configured on the pivot point by the adversary via netsh.
[ snovvcrash ]
(4/4) After 90 to 120 minutes the GPO gets applied and the adversary receives a reverse shell / C2 agent on his box, with a further ability to spawn a reverse SOCKS proxy.
[ snovvcrash ]
(5/4) Not the last to be mentioned: GPOs are not the only way to coerce job execution on a group of targets. There're also some lovely control centers that some commercial AV/EDR developers gently provide pentesters with.
[ mariuszbit, Mariusz Banach ]
Can't count in how many Active Directory audits this monstrous Cypher query helped me swiftly collect stats of a #BloodHound collection!
Simply Find & Replace "contoso.com" w/ your target domain aaaand you have it.
Helpful? Lemme know!
https://github.com/mgeeky/Penetration-Testing-Tools/blob/master/red-teaming/bloodhound/Handy-BloodHound-Cypher-Queries.md
[ 0xdf_, 0xdf ]
Undetected from @hackthebox_eu has me following in the steps of a previous attacker. There's an insecure PHP module, reversing a malicious kernel exploit and a backdoored sshd. Lots of Ghidra and understanding the attacker's steps and reusing them.
https://0xdf.gitlab.io/2022/07/02/htb-undetected.html
[ HuskyHacksMK, Matt | HuskyHacks ]
The user said it looked safe. New PMAT bonus binary sample is up!
Difficulty: med
Available here (the labs are free and always will be):
https://github.com/HuskyHacks/PMAT-labs/tree/main/labs/X-X.BonusBinaries/Dropper.installer.msi.malz
https://github.com/HuskyHacks/PMAT-labs
[ cry__pto, Ammar Amer ]
AMSI Unchained: Review of Known AMSI Bypass Techniques and Introducing a New One
https://www.blackhat.com/asia-22/briefings/schedule/#amsi-unchained-review-of-known-amsi-bypass-techniques-and-introducing-a-new-one-26120
[ _nwodtuhs, Charlie Bromberg (Shutdown) ]
So apparently Microsoft ninja-patched two things lately in KB5014692 (06/14/2022):
1. ShadowCoerce (auth coercion abusing MS-FSRVP)
2. Self-RBCD trick to bypass limitations of Kerberos Constrained Delegation without Protocol Transition
Identified this with @Geiseric4 and @mkolsek.
[ mpgn_x64, mpgn ]
CrackMapExec version 5.3.0 "OPERATION C01NS" is now public!
Lots of new features and fixed issues. All private features from the @porchetta_ind repo have been integrated into the public repository (rdp, audit mode, laps winrm etc).
https://github.com/Porchetta-Industries/CrackMapExec/releases/tag/v5.3.0
https://mpgn.gitbook.io/crackmapexec/news-2022/operation-c01ns
[ EricaZelic, malCOM ]
New UAC bypass credited to @filip_dragovic
https://github.com/Wh04m1001/IDiagnosticProfileUAC
[ ShitSecure, S3cur3Th1sSh1t ]
Just added the two new AMSI bypass PoCs via Provider Patching into my Amsi-Bypass-Powershell repo. Plus one PoC in Nim as a pull request for OffensiveNim:
https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell
https://github.com/byt3bl33d3r/OffensiveNim/pull/51
Tested both, works perfectly fine.
[ mrd0x, mr.d0x ]
Nothing too crazy in this blog post, but thought it may be useful for some people. Enjoy!
Social engineering your way into the network.
https://mrd0x.com/social-engineering-your-way-into-the-network/
[ ReconOne_, ReconOne ]
Easy trick: From Shodan to nuclei one-liner
Credits: @pdnuclei, @PhilippeDelteil
#recontips #AttackSurface #shodan #bugbountytips #nuclei #recon