[ M4yFly, Mayfly ]
GOAD v2 is out!
You can now test your AD commands and pentest skills on a multi-domain AD lab.
Have fun :)
https://t.co/Rpawi6FFl8
https://t.co/pKN8WwSDli
https://github.com/Orange-Cyberdefense/GOAD
https://mayfly277.github.io/posts/GOADv2/
[ tweet ]
[ _nwodtuhs, Charlie Bromberg (Shutdown) ]
Did you know the WriteOwner ACE doesn't allow changing an object's owner arbitrarily? If userA has that privilege against userB, he can set userB's owner to himself, userA. That's it.
You'd need SeRestorePrivilege to set the owner to any other user.
Thanks @BlWasp_ for the info!
https://github.com/SecureAuthCorp/impacket/pull/1323
[ tweet ]
[ tiraniddo, James Forshaw ]
Opened up one of my RCG bugs, you could use a Kerberos relay attack to authenticate as that user to an RDP server due to a lack of user checking in the ticket authentication process. https://t.co/MvGmjYa5sm
https://bugs.chromium.org/p/project-zero/issues/detail?id=2268
[ tweet ]
[ s4ntiago_p, S4ntiagoP ]
Ok, a few updates on nanodump:
1) implemented a cool new technique by @splinter_code where seclogon opens a handle to LSASS and then you duplicate it by winning a race condition using file locks
2) now you can call NtOpenProcess with a fake calling stack and produce fake telemetry, got it from @joehowwolf
https://t.co/nRVmSuZ9qP
https://github.com/helpsystems/nanodump/commit/c890da208511bacb09f91c68b935915821f4f0f0
[ tweet ]
[ mariuszbit, mgeeky | Mariusz Banach ]
A single slide from my Malware Development training @x33fcon.
Surprising how widespread VBA actually is.
Anyone fancy trying out VBA for:
- Terminal emulator serving critical systems,
- CAD projects of military equipment,
- SCADA consoles
https://t.co/8wRuj7ZGQc
https://www.x33fcon.com/#!t/maldev.md
[ tweet ]
[ citronneur, Sylvain Peyrefitte ]
Pamspy is a credential dumper for Linux that uses #eBPF to hook libpam! Enjoy!
https://t.co/PwsseTe4iJ
https://github.com/citronneur/pamspy
[ tweet ]
[ C5pider, 5pider ]
How I send over data to my server. Nothing big. Maybe someone finds this useful for something.
https://t.co/DGyT7Ws55J
https://gist.github.com/Cracked5pider/1857e292a9fec28cba88bed80d4e509d
[ tweet ]
[ NinjaParanoid, Paranoid Ninja (Brute Ratel C4) ]
A thoroughly detailed blog on Brute Ratel C4 by Palo Alto. Proper actions have been taken against the found licenses which were sold on the black market. As for existing customers, the #BRc4 v1.1 release will change every aspect of the IOCs found in the previous releases.
https://unit42.paloaltonetworks.com/brute-ratel-c4-tool/
[ tweet ][ quote ]
[ tiraniddo, James Forshaw ]
Finally I can release details about my most serious RCG bug. RCE/EoP in LSASS via CredSSP. Reachable through RDP or WinRM if configured correctly. Will try and put together a blog about it at some point. https://t.co/ujuMXRCxNT
https://bugs.chromium.org/p/project-zero/issues/detail?id=2271
[ tweet ]
[ SemperisTech, Semperis ]
You're familiar with the Golden Ticket attack, but what about the Diamond Ticket? Semperis Security Researcher Charlie Clark reveals the result of research into this potential #securityvulnerability. https://t.co/p7alMaSr4t
https://lnkd.in/gNYf2Gxz
[ tweet ]
[ ippsec, ippsec ]
Really enjoyed reading the APT-29 article from Unit 42. Decided to do a video talking about it and some light reversing of the malware. It's pretty sad that APT-29 has been doing the LNK-in-a-ZIP TTP for 5+ years and remained successful by swapping payloads. https://t.co/D15cwzATDn
https://www.youtube.com/watch?v=a7W6rhkpVSM
[ tweet ]
[ ShitSecure, S3cur3Th1sSh1t ]
The original work author @maorkor also released a 64-bit implementation for PowerShell now, worth checking out! The providers and number of providers are enumerated automatically here.
https://t.co/13mU1Zv6iA
https://github.com/deepinstinct/AMSI-Unchained/blob/main/ScanInterception_x64.ps1
[ tweet ][ quote ]
[ dani_ruiz24, daniruiz ]
Huge improvements to my custom BASH/ZSH reverse shell function.
If you have not seen it:
- Wrapper for nc (same syntax)
- Arrows, Ctrl+C...
- Loads the default bashrc config
- Color works
- Sets terminal size
- No need to `stty -echo raw; fg`
https://t.co/jkPGFMjpjJ
https://gist.github.com/daniruiz/c073f631d514bf38e516b62c48366efb#file-kali-shell-aliases-and-functions-sh-L59-L85
[ tweet ]
[ _mohemiv, Arseniy Sharoglazov ]
Cool PR to Impacket by @synacktiv: displaying timestamps for DCC/DCC2 hashes in secretsdump.
New format: CORP.LOCAL/user:$DCC2$10240#user#0123456789abcdef0123456789abcdef: (2022-07-05 20:09:09)
Should be helpful, DCC2 hashes are so slow!
https://t.co/EPBQAkyrBd
https://github.com/SecureAuthCorp/impacket/pull/1367
[ tweet ]
[ dottor_morte, Riccardo ]
For those who care, I uploaded the slides of my talk on lateral movement that I gave at TROOPERS this year:
https://t.co/wAoGPUv1Zj
https://github.com/RiccardoAncarani/talks/blob/master/F-Secure/unorthodox-lateral-movement.pdf
[ tweet ]
[ cnotin, Clément Notin ]
I did not expect a non-domain-joined Windows machine, using an identity provided with "runas /netonly", to silently manage to obtain a Kerberos TGT and then use it to access a service!
I thought it would fall back to NTLM immediately...
That's nice though.
[ tweet ]
[ podalirius_, Podalirius ]
Today in #AwesomeRCEs, I present a technique to achieve remote code execution on Apache #Tomcat by uploading an #app as admin.
In order to do this, I wrote a WAR application exposing a JSON API to execute code on the server and download files:
https://t.co/OJIr4V4R8D
https://github.com/p0dalirius/Tomcat-webshell-application
[ tweet ]
[ ORCA10K, ORCA ]
I released a tiny PoC on getting the syscalls from ntdll of a new suspended process:
https://t.co/wtCeeEpaJI
https://gitlab.com/ORCA000/suspendedntdllunhook
[ tweet ]
[ 0xBoku, Bobby Cooke ]
BokuLoader features update! Added Find-Beacon EggHunter, Stomp MZ Magic Bytes, PE Header Obfuscation, PE String Replacement, and Prepend ASM Instructions! Shoutouts to @passthehashbrwn & @anthemtotheego ;)
https://t.co/WnolPDNPuo
https://github.com/xforcered/BokuLoader
[ tweet ]