​​AADInternals

AADInternals toolkit - PowerShell module containing tools for administering and hacking Azure AD / Office 365

https://github.com/Gerenios/AADInternals

Research:
http://o365blog.com/aadinternals

#ad #powershell #Azure
@NetPentesters

​​SharpWSUS

Today, we’re releasing a new tool called SharpWSUS. This is a continuation of existing WSUS attack tooling such as WSUSPendu and Thunder_Woosus. It brings their complete functionality to .NET, in a way that can be reliably and flexibly used through command and control (C2) channels, including through PoshC2.

https://github.com/nettitude/SharpWSUS

Research:
https://labs.nettitude.com/blog/introducing-sharpwsus/

#wsus
@NetPentesters

Active Directory Penetration Testing Checklist

https://gbhackers.com/active-directory-penetration-testing-checklist/

#AD
#checklist
#pentest
@NetPentesters

​​pinecone

WLAN networks auditing tool, suitable for red team usage. It is extensible via modules, and it is designed to be run in Debian-based operating systems. Pinecone is specially oriented to be used with a Raspberry Pi, as a portable wireless auditing box.

https://github.com/pinecone-wifi/pinecone

#wlan
#tools
@NetPentesters

​​Rubeus

Rubeus is a C# toolkit for Kerberos interaction and abuses. Kerberos, as we all know, is a ticket-based network authentication protocol and is used in Active Directories.

Unfortunately, due to human error, oftentimes AD is not configured properly keeping security in mind. Rubeus can exploit vulnerabilities arising out of these misconfigurations and perform functions such as crafting keys and granting access using forged certificates. The article serves as a guide on using Rubeus in various scenarios.

https://github.com/GhostPack/Rubeus

Research:
https://www.hackingarticles.in/a-detailed-guide-on-rubeus/

@NetPentesters

Diamond ticket

https://www.trustedsec.com/blog/a-diamond-in-the-ruff/

@NetPentesters

This tool uses LDAP to check a domain for known abusable Kerberos delegation settings. Currently, it supports RBCD, Constrained, Constrained w/Protocol Transition, and Unconstrained Delegation checks.

https://github.com/IcebreakerSecurity/DelegationBOF

#LDAP
@NetPentesters

The first step in a targeted attack – or a penetration test or red team activity – is gathering intelligence on the target. While there are ways and means to do this covertly, intelligence gathering usually starts with scraping information from public sources, collectively known as open source intelligence or OSINT. There is such a wealth of legally collectible OSINT available now thanks to social media and the prevalence of online activities that this may be all that is required to give an attacker everything they need to successfully profile an organization or individual.

In this Channel , we’ll get you up to speed on what OSINT is all about and how you can learn to use OSINT tools to better understand your own digital footprint.

Join : @OsintBlackBox

​​Access Checking Active Directory

https://www.tiraniddo.dev/2022/07/access-checking-active-directory.html

#ad
@NetPentesters

​​BOF - RDPHijack

Cobalt Strike Beacon Object File (BOF) that uses WinStationConnect API to perform local/remote RDP session hijacking. With a valid access token / kerberos ticket (e.g., golden ticket) of the session owner, you will be able to hijack the session remotely without dropping any beacon/tool on the target server.

To enumerate sessions locally/remotely, you could use Quser-BOF.

https://github.com/netero1010/RDPHijack-BOF
@NetPentesters

A python wrapper to run a command on against all users/computers/DCs of a Windows Domain

https://github.com/p0dalirius/TargetAllDomainObjects
#DC
@NetPentesters

​​PcapXray

A Network Forensics Tool - To visualize a Packet Capture offline as a Network Diagram including device identification, highlight important communication and file extraction

https://github.com/Srinivas11789/PcapXray
#Forensic
#tools
@NetPentesters

​​AD denoscription password finder

The purpose of this tool is to check if passwords are stored in clear text in the denoscription of Active Directory accounts.

https://github.com/AssuranceMaladieSec/AD-denoscription-password-finder

#ad
@NetPentesters

Find vulnerabilities in AD Group Policy, but do it better than Grouper2 did.

https://github.com/Group3r/Group3r

#AD
@NetPentesters

Previously, Microsoft announced macros will be disabled in Office products by default to improve user security.

Today, Microsoft announced they have decided to undo this decision. Macros will now be enabled by default again.

@NetPentesters

[ Kerberoast implemented in VBA Macro ]
Retrieve SPNs via #LDAP queries, then ask a TGS Ticket with RC4 Etype for each one.
The ticket is exported in KiRBi format (like mimikatz does)

tool:
https://github.com/Adepts-Of-0xCC/VBA-macro-experiments/blob/main/kerberoast.vba

article:
https://adepts.of0x.cc/kerberoast-vba-macro/
#vba #kerberoast
@NetPentesters

​​Code Signing Certificate Cloning Attack

A Powershell noscript that signs input Executable file with fake Microsoft code-signing certificate to demonstrate risks of cloned-certificate sign attacks.

https://github.com/mgeeky/Penetration-Testing-Tools/tree/master/red-teaming/Self-Signed%20Threat

Research:
https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec

@NetPentesters

​​PywerView

Remotely interacts with ldap server. Also included with mini interactive console with auto completion.

Alternative for the awesome original PowerView noscript. Most of the modules used in PowerView are available in this project ( some of the flags are changed ).

Interesting Features:
▫️ Embeded user session
▫️ Mini PywerView console to make you feel like home when using PowerView in Powershell
▫️ Auto-completer, so no more memorizing commands
▫️ Cross-Domain interactions (might or might not work) Maybe more?

https://github.com/aniqfakhrul/PywerView

#ad
@NetPentesters

LDAP shell

https://github.com/PShlyundin/ldap_shell

#LDAP
@NetPentesters

#sysmon #evasion

[ SysmonQuiet Reflective DLL ]
Automatically locate sysmon process and patch its EtwEventWrite API,
causing sysmon malfunctioning while the process and its threads are still running.
(requires SeDebugPrivilege privilege)

https://github.com/ScriptIdiot/SysmonQuiet

@NetPentesters

​​vsctool

Implements Powershell functions which allow you to interact with volume shadow copies. Available functions are explained below in more detail.

https://github.com/cfalta/vsctool

#ad
@NetPentesters