[ tiraniddo, James Forshaw ]
Finally I can release details about my most serious RCG bug. RCE/EoP in LSASS via CredSSP. Reachable through RDP or WinRM if configured correctly. Will try and put together a blog about it at some point https://t.co/ujuMXRCxNT
https://bugs.chromium.org/p/project-zero/issues/detail?id=2271
[ tweet ]
[ SemperisTech, Semperis ]
You're familiar with the Golden Ticket attack, but what about the Diamond Ticket? Semperis Security Researcher Charlie Clark reveals the result of research into this potential #securityvulnerability. https://t.co/p7alMaSr4t
https://lnkd.in/gNYf2Gxz
[ tweet ]
[ ippsec, ippsec ]
Really enjoyed reading the APT-29 article from Unit 42. Decided to do a video talking about it and some light reversing of the malware. It's pretty sad that APT-29 has been doing the LNK-in-a-ZIP TTP for 5+ years and remained successful by swapping payloads https://t.co/D15cwzATDn
https://www.youtube.com/watch?v=a7W6rhkpVSM
[ tweet ]
[ ShitSecure, S3cur3Th1sSh1t ]
The original work's author @maorkor also released a 64-bit implementation for PowerShell now, worth checking out! The providers and the number of providers are enumerated automatically here.
https://t.co/13mU1Zv6iA
https://github.com/deepinstinct/AMSI-Unchained/blob/main/ScanInterception_x64.ps1
[ tweet ][ quote ]
[ dani_ruiz24, daniruiz ]
Huge improvements to my custom BASH/ZSH reverse shell function.
If you have not seen it:
- Wrapper for nc (same syntax)
- Arrows, Ctrl+C...
- Loads the default bashrc config
- Color works
- Sets terminal size
- No need to `stty -echo raw; fg`
https://t.co/jkPGFMjpjJ
https://gist.github.com/daniruiz/c073f631d514bf38e516b62c48366efb#file-kali-shell-aliases-and-functions-sh-L59-L85
[ tweet ]
[ _mohemiv, Arseniy Sharoglazov ]
⚡️ Cool PR to Impacket by @synacktiv: displaying timestamps for DCC/DCC2 hashes in secretsdump
New format: CORP.LOCAL/user:$DCC2$10240#user#0123456789abcdef0123456789abcdef: (2022-07-05 20:09:09)
Should be helpful, DCC2 hashes are so slow!
https://t.co/EPBQAkyrBd
https://github.com/SecureAuthCorp/impacket/pull/1367
[ tweet ]
[ dottor_morte, Riccardo ]
For those who care, I uploaded the slides of my talk on lateral movement that I gave at TROOPERS this year:
https://t.co/wAoGPUv1Zj
https://github.com/RiccardoAncarani/talks/blob/master/F-Secure/unorthodox-lateral-movement.pdf
[ tweet ]
[ cnotin, Clément Notin ]
I did not expect a non-domain-joined Windows machine, using an identity provided with "runas /netonly", to silently manage to obtain a Kerberos TGT and then use it to access a service!
I thought it would fall back to NTLM immediately...
That's nice though
[ tweet ]
[ podalirius_, Podalirius ]
Today in #AwesomeRCEs, I present a technique to achieve remote code execution on Apache #Tomcat by uploading an #app as admin.
In order to do this, I wrote a WAR application exposing a JSON API to execute code on the server and download files:
https://t.co/OJIr4V4R8D
https://github.com/p0dalirius/Tomcat-webshell-application
[ tweet ]
[ ORCA10K, ORCA ]
I released a tiny PoC on getting the syscalls from ntdll of a new suspended process:
https://t.co/wtCeeEpaJI
https://gitlab.com/ORCA000/suspendedntdllunhook
[ tweet ]
[ 0xBoku, Bobby Cooke ]
BokuLoader features update! Added Find-Beacon EggHunter, Stomp MZ Magic Bytes, PE Header Obfuscation, PE String Replacement, and Prepend ASM Instructions! Shoutouts to @passthehashbrwn & @anthemtotheego ;)
https://t.co/WnolPDNPuo
https://github.com/xforcered/BokuLoader
[ tweet ]
[ tiraniddo, James Forshaw ]
Another of my recent Kerberos bugs has been opened, this time _another_ way of bypassing the AppContainer enterprise authentication capability, by using LsaCallAuthenticationPackage https://t.co/axda3g2XDm
https://bugs.chromium.org/p/project-zero/issues/detail?id=2273
[ tweet ]
[ harmj0y, Will Schroeder ]
Very cool Kerberoasting implementation using LsaCallAuthenticationPackage, all through a macro https://t.co/BswTJvqzHg
https://github.com/Adepts-Of-0xCC/VBA-macro-experiments/blob/main/kerberoast.vba
[ tweet ]
[ 0xdf_, 0xdf ]
What Happens In a "Shell Upgrade" video released:
https://t.co/ql6kIj6RK5
I love this one because I learned so much making it. Hopefully that knowledge transfers to you as well.
https://youtu.be/DqE6DxqJg8Q
[ tweet ][ quote ]
[ 0xBoku, Bobby Cooke ]
Dannnggggg.. @CaptMeelo has some great blog posts. Thanks @FuzzySec for directing me back there :)
https://t.co/0gbd1VHqRl
https://captmeelo.com/category/maldev
[ tweet ]
[ podalirius_, Podalirius ]
Heard of #Printerbug, #PetitPotam, #ShadowCoerce and #DFSCoerce? These are only the tip of the iceberg and there are probably many more to find.
Want to find a new call? Here are 242 probable #RPC calls with Python PoCs ready to be triaged!
https://t.co/WjmEzuSOcz
https://github.com/p0dalirius/windows-coerced-authentication-methods
[ tweet ]
[ podalirius_, Podalirius ]
Ever wanted to trigger an #NTLM authentication to a machine using every possible RPC call? You can do this using #Coercer
This tool automatically detects available pipes and protocols and calls every possible function to trigger an #authentication.
https://t.co/6aVELSP4NC
https://github.com/p0dalirius/Coercer
[ tweet ]
[ harmj0y, Will Schroeder ]
Hey, do you like tokens? Have you always wanted to "harvest" tokens for offensive purposes? If so check out my new post https://t.co/5Tr9UxYuh1 where I show I can (finally) write a technical post without memes, and then check out the Koh toolset at https://t.co/l77vlPDQrj
https://posts.specterops.io/koh-the-token-stealer-41ca07a40ed6
https://github.com/GhostPack/Koh
[ tweet ]
[ theluemmel, S4U2LuemmelSec ]
Created a pull request (https://t.co/P40XZVrCrC) for @porchetta_ind's CrackMapExec to query for LDAP Signing and Channel Binding. Big thanks to @zyn3rgy for his awesome work: https://t.co/8bfwJiSl4E which I just ported.
Thx @byt3bl33d3r and @mpgn_x64 for this awesome tool.
https://github.com/Porchetta-Industries/CrackMapExec/pull/606
https://github.com/zyn3rgy/LdapRelayScan
[ tweet ]