[ mikeloss, l0ss ]
Hey kids, you ever wanted to use Snaffler or Group3r via inlineExecuteAssembly or whatever, but couldn't because it used Environment.Exit() and that would kill your beacon? Well, I fixed that, so now it's not a problem any more. https://t.co/Ts8WFVojcY and https://t.co/QePyTfNcbm
http://github.com/SnaffCon/Snaffler
http://github.com/Group3r/Group3r
[ tweet ]
[ 0gtweet, Grzegorz Tworek ]
As a fan of non-obvious persistence mechanisms I had to try to collect (and categorize!) them all. It has just started, first 10 entries appeared, and more is coming each day.
I am happy to share it. Enjoy, contribute, use freely - https://t.co/PWb2ofSZjQ
https://persistence-info.github.io/
[ tweet ]
[ SkelSec, SkelSec ]
YOU DON'T NEED A REDTEAM
The security consultants identified that the domain controller XXX uses an outdated Apache server running as "NT/SYSTEM" which uses the default "cgi-bin" folder to host the application logic. This folder was found to be writable by any domain user.
[ tweet ]
[ podalirius_, Podalirius ]
Want to play around with @Microsoft #RPC? I'm releasing a few #tools that I use in my lab
Today I'm releasing a tool that lists all open #SMB #pipes remotely in live mode. With this you can easily see which pipes will open when starting services.
https://t.co/PWNQFkGDag
https://github.com/p0dalirius/microsoft-rpc-fuzzing-tools
[ tweet ]
[ mariuszbit, mgeeky | Mariusz Banach ]
- "... and then he said to sign my malware.exe with faked Microsoft cert to evade AVs/EDRs. Would you believe?"
(￣y▽￣)╭ Ohohoho.....
Sign-Artifact.ps1 - based on @mattifestation research & implementation shamelessly borrowed here:
https://t.co/6LAVgCrOVN
https://github.com/mgeeky/Penetration-Testing-Tools/tree/master/red-teaming/Self-Signed%20Threat
[ tweet ]
[ harmj0y, Will Schroeder ]
After an awesome back and forth with @cnotin and @SteveSyfuhs on the effects of "TokenLeakDetectDelaySecs" and "Protected Users" for mitigating token theft, I've updated the Koh README to reflect this (and updated the post to point to the README as well) https://t.co/AGViEV0stq
https://github.com/GhostPack/Koh/blob/main/README.md#mitigations
[ tweet ]
[ ptswarm, PT SWARM ]
New attack! Our researcher Arseniy Sharoglazov discovered a PHP Arbitrary Object Instantiation with no user-defined classes. It was turned into RCE!
Read the research: https://t.co/PJZHLRM8xq
https://swarm.ptsecurity.com/exploiting-arbitrary-object-instantiations/
[ tweet ]
[ 404death, sailay(valen) ]
I just recently found out the way
XSS <a> tag without user action
<a/autofocus/onfocus=alert(0) href>valen</a>
<a/href="#"/autofocus/onfocus=alert`valen`>you don't need user action on a tag</a>
Tested on:
https://t.co/RkGdfpNWli
https://t.co/bPvMeBlba1
https://xss-game.appspot.com/level1/frame
http://testphp.vulnweb.com/search.php?test=query
[ tweet ]
[ tiraniddo, James Forshaw ]
Final LSA bug from last month is now open. An interesting one which breaks common assumptions of impersonation security over the LSA's RPC interface. @monoxgas and I will describe a way of abusing the bug at BH next month to get SYSTEM privileges. https://t.co/v523Q1EXLD
https://bugs.chromium.org/p/project-zero/issues/detail?id=2278
[ tweet ]
[ aniqfakhrul, Aniq Fakhrul ]
Our version of PywerView is now publicly available. Python version of PowerView, remotely interacts with an LDAP server. Also included is a mini interactive console with auto-completion. Yeet! @h0j3n @imnirfn
https://t.co/c0cdk2fGPr
https://github.com/aniqfakhrul/PywerView
[ tweet ]
[ eric_capuano, Eric Capuano ⬑ ]
Interesting API details on how a process is launched in Windows
Specifically dig the part on Protected Processes
https://t.co/V5lWrEqKaT
https://fourcore.io/blogs/how-a-windows-process-is-created-part-1
[ tweet ]
[ aniqfakhrul, Aniq Fakhrul ]
TIL: if ldap/ldaps ports are blocked by a firewall but the gc port (3268) is accessible (in my case, kerberoasting with impacket couldn't be achieved), simply switch the ldap:// protocol to gc:// in impacket and win!
[ tweet ]
[ citronneur, Sylvain Peyrefitte ]
Disable SSL certificate verification using #eBPF:
https://t.co/UBsT4TU43H
https://github.com/citronneur/blindssl
[ tweet ]