BrokenSMTP
Small Python script to look for common #vulnerabilities on an #SMTP server.
Supported vulnerabilities:
▫️ Spoofing - The ability to send an email by impersonating another user.
▫️ User Enumeration - Looking for the possibility to enumerate users with the SMTP VRFY command.
https://github.com/mrlew1s/BrokenSMTP
@NetPentesters
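What both checks actually look like on the wire, as an added example that is not BrokenSMTP's own code: a probe that runs VRFY against a list of candidate names (plus a random control name, so a server that answers 250 to everything is not misreported as enumerable) and a spoofing check that stops after RCPT TO so nothing is delivered. The fake SMTP server, the domain example.test and the user list are constructed here so the script runs offline; point SmtpProbe at a real host and port to use it for real.

```python
import os
import socket
import threading

# --- Constructed fake SMTP server so the probe runs offline (added example, not BrokenSMTP's code) ---
FAKE_DOMAIN = "example.test"          # assumption: made-up target domain
FAKE_USERS = {"admin", "postmaster"}  # assumption: accounts the fake server admits to

def _fake_smtp_handler(conn):
    """Minimal responder: VRFY leaks account existence, MAIL FROM/RCPT TO accept anything."""
    conn.sendall(f"220 mail.{FAKE_DOMAIN} ESMTP constructed-fake\r\n".encode())
    buf = b""
    while True:
        data = conn.recv(1024)
        if not data:
            return
        buf += data
        while b"\r\n" in buf:
            line, buf = buf.split(b"\r\n", 1)
            verb, _, arg = line.decode(errors="replace").partition(" ")
            verb = verb.upper()
            if verb in ("HELO", "EHLO"):
                conn.sendall(f"250 mail.{FAKE_DOMAIN}\r\n".encode())
            elif verb == "VRFY":
                user = arg.strip().strip("<>").split("@")[0].lower()
                if user in FAKE_USERS:
                    conn.sendall(f"250 <{user}@{FAKE_DOMAIN}>\r\n".encode())
                else:
                    conn.sendall(b"550 5.1.1 User unknown\r\n")
            elif verb in ("MAIL", "RCPT", "RSET"):
                conn.sendall(b"250 OK\r\n")   # no sender validation: a spoofed MAIL FROM is accepted
            elif verb == "QUIT":
                conn.sendall(b"221 Bye\r\n")
                conn.close()
                return
            else:
                conn.sendall(b"502 5.5.1 Command not implemented\r\n")

def start_fake_server():
    """Bind the fake server on an ephemeral localhost port and return that port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            threading.Thread(target=_fake_smtp_handler, args=(conn,), daemon=True).start()
    threading.Thread(target=accept_loop, daemon=True).start()
    return srv.getsockname()[1]

# --- The probe: what a VRFY-enumeration / spoofing check has to do on the wire ---
class SmtpProbe:
    def __init__(self, host, port, timeout=5.0):
        self.sock = socket.create_connection((host, port), timeout=timeout)
        self.buf = b""
        self.banner = self._reply()
        self.ehlo = self.cmd("EHLO probe.local")

    def _reply(self):
        """Read one SMTP reply, including multi-line '250-...' continuations; return (code, text)."""
        lines = []
        while True:
            while b"\r\n" not in self.buf:
                chunk = self.sock.recv(4096)
                if not chunk:
                    raise ConnectionError("server closed the connection")
                self.buf += chunk
            line, self.buf = self.buf.split(b"\r\n", 1)
            line = line.decode(errors="replace")
            lines.append(line)
            if len(line) < 4 or line[3] != "-":   # final line of a reply is "<code><space>..."
                return int(line[:3]), "\n".join(lines)

    def cmd(self, line):
        self.sock.sendall(line.encode() + b"\r\n")
        return self._reply()

    def vrfy_enum(self, candidates):
        """RFC 5321 VRFY: 250/251 = known address, 550/551/553 = no such user, 252 = refuses to say."""
        control = "vrfyctl" + os.urandom(4).hex()   # cannot exist; catches servers that say 250 to everything
        codes = {u: self.cmd(f"VRFY {u}")[0] for u in list(candidates) + [control]}
        ctl = codes.pop(control)
        found = [u for u, c in codes.items() if c in (250, 251)]
        unknown = [u for u, c in codes.items() if c in (550, 551, 553)]
        # Only a server that confirms real names while rejecting the random control leaks users;
        # 252 or 502 across the board means VRFY is neutered and this check proves nothing.
        enumerable = bool(found) and ctl not in (250, 251)
        return {"found": found, "unknown": unknown, "control_code": ctl, "enumerable": enumerable}

    def spoof_check(self, spoofed_sender, recipient):
        """True if the MTA accepts an envelope sender we do not own; DATA is never sent, so nothing is delivered.
        Caveat: this shows missing sender validation only; inbox delivery still depends on SPF/DKIM/DMARC."""
        code_from, _ = self.cmd(f"MAIL FROM:<{spoofed_sender}>")
        code_rcpt = self.cmd(f"RCPT TO:<{recipient}>")[0] if code_from == 250 else None
        self.cmd("RSET")
        return code_from == 250 and code_rcpt == 250

def run_against_fake():
    """Drive the probe against the constructed fake server; returns (enumeration result, spoof accepted?)."""
    port = start_fake_server()
    probe = SmtpProbe("127.0.0.1", port)
    enum = probe.vrfy_enum(["admin", "root", "postmaster"])
    spoof = probe.spoof_check(f"ceo@{FAKE_DOMAIN}", f"staff@{FAKE_DOMAIN}")
    probe.cmd("QUIT")
    return enum, spoof

if __name__ == "__main__":
    print(run_against_fake())
```

The control name matters more than it looks: plenty of MTAs answer "252 Cannot VRFY user" or "250" for every address, and a wordlist run against them produces a long list of false "hits". Treat a positive spoof_check as evidence that the server itself does not validate the sender, not as proof that a spoofed mail will reach the target's inbox.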
scan4all - vulnerability scanning: 15000+ PoCs; 20 kinds of application password cracking; 7000+ web fingerprints; port scanning with 146 protocols and 90000+ rules; fuzzing, HW, awesome BugBounty...
https://github.com/hktalent/scan4all
@NetPentesters
RIPPL
RIPPL is a tool that abuses a usermode-only exploit to manipulate PPL (Protected Process Light) processes on Windows.
https://github.com/last-byte/RIPPL
#ad
#ppl
#lsass
#tools
@NetPentesters
Azure_Workshop
#Azure #RedTeam Attack and Detect Workshop
This is a vulnerable-by-design Azure lab containing two attack paths built from common misconfigurations. If you would like to see which alerts your attack-path vectors trigger, sign up for a Microsoft E5 trial, which includes Microsoft Defender for Cloud as well as the Azure AD Premium P2 plan. Links for signing up for an Azure developer account can be found in the resources.txt file.
Each kill chain has in its folder the Terraform scripts (and the other prerequisite files needed for deployment) as well as the solutions to the challenges.
https://github.com/mandiant/Azure_Workshop
@NetPentesters
Certipy 4.0: ESC9 & ESC10, BloodHound GUI, New Authentication and Request Methods — and more!
https://research.ifcr.dk/certipy-4-0-esc9-esc10-bloodhound-gui-new-authentication-and-request-methods-and-more-7237d88061f7
#BloodHound
@NetPentesters
BloodHound-Tools
A collection of tools that integrate to BloodHound.
BloodHound is the de facto standard that both blue and red teams use to find lateral movement and privilege escalation paths that could be exploited inside an enterprise environment. A typical environment can yield millions of paths, representing almost endless opportunities for red teams to attack and a seemingly insurmountable number of attack vectors for blue teams to tackle.
However, a critical dimension that BloodHound ignores, namely network access, could hold the key to shutting down excessive lateral movement: an edge in the graph is only exploitable if the attacker can actually reach the target host on the wire. This repository contains tools that integrate with BloodHound's database in order to reflect network access, for the benefit of both red and blue teams.
https://github.com/zeronetworks/BloodHound-Tools
Research:
https://zeronetworks.com/blog/adversary-resilience-via-least-privilege-networking-part-1/
#Bloodhound
@NetPentesters
Pingtunnel is a tool that sends TCP/UDP traffic over ICMP (echo request/reply), useful where a firewall lets ping through but blocks everything else.
https://github.com/esrrhs/pingtunnel
@NetPentesters
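How an ICMP tunnel frames TCP/UDP data, as an added example that is not pingtunnel's code and does not use its wire format: each chunk of the inner stream is carried as the data of an ICMP echo message with a small header (a constructed "TUN1" magic, protocol number, session id, sequence number, length), protected by the standard RFC 1071 checksum, and reassembled in sequence order on the far end because ICMP itself gives no ordering or delivery guarantee. The HTTP request and the plain ping in demo() are constructed input; a real tunnel would write these packets to a raw socket.

```python
import struct

ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY = 8, 0
MAGIC = b"TUN1"      # assumption: marker for this example's own framing, not pingtunnel's wire format
INNER_HDR = "!BHIH"  # proto(1) session(2) seq(4) length(2), placed right after the 4-byte magic
INNER_LEN = 4 + struct.calcsize(INNER_HDR)  # 13 bytes

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words, as used for ICMP header+data."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def encapsulate(payload: bytes, session_id: int, seq: int, proto: int, reply: bool = False) -> bytes:
    """Wrap one chunk of TCP (proto 6) or UDP (proto 17) data in an ICMP echo message.
    The client sends echo requests and the server answers with echo replies, so a stateful
    firewall that only permits ping sees a legitimate-looking request/reply pair."""
    inner = MAGIC + struct.pack(INNER_HDR, proto, session_id, seq, len(payload)) + payload
    icmp_type = ICMP_ECHO_REPLY if reply else ICMP_ECHO_REQUEST
    # ICMP identifier/sequence fields double as session id and the low 16 bits of our sequence number
    hdr = struct.pack("!BBHHH", icmp_type, 0, 0, session_id, seq & 0xFFFF)
    csum = icmp_checksum(hdr + inner)
    return struct.pack("!BBHHH", icmp_type, 0, csum, session_id, seq & 0xFFFF) + inner

def decapsulate(packet: bytes):
    """Return the tunnel frame carried by an ICMP message, or None for a corrupt packet or an ordinary ping."""
    if len(packet) < 8 + INNER_LEN:
        return None
    icmp_type, code, _, _, _ = struct.unpack("!BBHHH", packet[:8])
    if icmp_type not in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY) or code != 0:
        return None
    if icmp_checksum(packet) != 0:        # a message with a valid checksum sums to zero as a whole
        return None
    data = packet[8:]
    if data[:4] != MAGIC:                 # a real ping: belongs to the OS, not to the tunnel
        return None
    proto, session_id, seq, length = struct.unpack(INNER_HDR, data[4:INNER_LEN])
    payload = data[INNER_LEN:INNER_LEN + length]
    if len(payload) != length:
        return None
    return {"proto": proto, "session": session_id, "seq": seq,
            "payload": payload, "reply": icmp_type == ICMP_ECHO_REPLY}

def reassemble(packets):
    """Group frames by session and rebuild each byte stream in sequence order.
    The tunnel needs its own sequencing because ICMP may reorder or drop packets;
    a real implementation would also retransmit gaps and window the sender."""
    streams = {}
    for pkt in packets:
        frame = decapsulate(pkt)
        if frame is not None:
            streams.setdefault(frame["session"], {})[frame["seq"]] = frame["payload"]
    return {sid: b"".join(chunks[s] for s in sorted(chunks)) for sid, chunks in streams.items()}

def demo():
    """Constructed input: an HTTP request split into 8-byte chunks, delivered out of order next to a plain ping."""
    stream = b"GET /secret HTTP/1.0\r\nHost: inside.corp\r\n\r\n"
    chunks = [stream[i:i + 8] for i in range(0, len(stream), 8)]
    pkts = [encapsulate(c, 0xBEEF, i, 6) for i, c in enumerate(chunks)]
    pkts.reverse()   # deliberately out of order
    plain = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, 0x0001, 1) + b"abcdefghijklmnop"
    plain = plain[:2] + struct.pack("!H", icmp_checksum(plain)) + plain[4:]
    return reassemble(pkts + [plain])

if __name__ == "__main__":
    print(demo())
```

From the defender's side the same framing is what gives the tunnel away: echo payloads that are not the OS's fixed pattern, unusual sizes, and a request/reply rate far above what ping produces. Blocking or rate-limiting ICMP echo payload size on the perimeter is the cheap mitigation.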
LDAP Monitor
Monitor creation, deletion and changes to LDAP objects live during your pentest or system administration!
With this tool you can quickly see if your attack worked and if it changed LDAP attributes of the target object.
https://github.com/p0dalirius/LDAPmonitor
#LDAP
@NetPentesters
CVE-2022-30216:
Server Service Authentication Coerce Vulnerability (Windows 11 / Server 2022)
https://github.com/akamai/akamai-security-research/tree/main/cve-2022-30216
#Vulnerability
#Exploit
@NetPentesters
CrackMapExec (dotnetassembly branch): a Swiss army knife for pentesting networks
https://github.com/snovvcrash/CrackMapExec/tree/dotnetassembly
@NetPentesters
#uac #bypass
[ UAC BYPASS]
iscsicpl autoelevate DLL Search Order hijacking UAC Bypass 0day
https://github.com/hackerhouse-opensource/iscsicpl_bypassUAC
@NetPentesters
#ipv6 #scan
[ An interesting article about solving the IPv6 scanning problem. ]
https://www.shadowserver.org/news/hello-ipv6-scanning-world/
@NetPentesters
[ hoaxshell ]
hoaxshell is an unconventional Windows reverse shell, currently undetected by Microsoft Defender and other AV solutions, as it is solely based on http(s) traffic.
Thanks to: Ruslan
https://github.com/t3l3machus/hoaxshell
@NetPentesters
#lpe #linux #cve
LPE exploit for CVE-2022-34918.
This exploit was written for the Ubuntu Linux kernel 5.15.0-39-generic; other kernel builds need their offsets adjusted.
article: https://randorisec.fr/crack-linux-firewall/
https://github.com/randorisec/CVE-2022-34918-LPE-PoC
@NetPentesters
#ldap #gc #impacket
If the ldap/ldaps ports are blocked by a firewall but the GC port (3268) is accessible (in my case, kerberoasting with impacket couldn't be achieved), simply switch the ldap:// protocol to gc:// in impacket and win!
@NetPentesters
#av #evasion
A PoC implementation of an evasion technique that terminates the current thread and restores it before resuming execution, changing the page protection of the implant's memory while it is not executing.
https://github.com/janoglezcampos/DeathSleep
@NetPentesters
#windows #impersonate #lpe
[ DiagTrackEoP ]
Just another way to abuse SeImpersonate privilege
https://github.com/Wh04m1001/DiagTrackEoP
@NetPentesters
[ Running Exploit As Protected Process Light From Userland ]
Run any code at the highest protection level (WinTcb), meaning that the exploit will have full access to any other Protected Process Light, and anti-malware services won't be able to monitor it (since they run at the lower AntiMalware protection level).
https://tastypepperoni.medium.com/running-exploit-as-protected-process-ligh-from-userland-f4c7dfe63387
+POC: https://github.com/tastypepperoni/RunAsWinTcb
#exploit
@NetPentesters
#pid #lsass
Fourteen Ways to Read the PID for the Local Security Authority Subsystem Service (LSASS)
https://www.mdsec.co.uk/2022/08/fourteen-ways-to-read-the-pid-for-the-local-security-authority-subsystem-service-lsass/
@NetPentesters