#lpe #linux #cve
LPE exploit for CVE-2022-34918.
This exploit has been written for the kernel Linux ubuntu 5.15.0-39-generic
article: https://randorisec.fr/crack-linux-firewall/
https://github.com/randorisec/CVE-2022-34918-LPE-PoC
@NetPentesters
LPE exploit for CVE-2022-34918.
This exploit has been written for the kernel Linux ubuntu 5.15.0-39-generic
article: https://randorisec.fr/crack-linux-firewall/
https://github.com/randorisec/CVE-2022-34918-LPE-PoC
@NetPentesters
#ldap #gc #impacket
If ldap/ldaps ports are blocked by firewall but gc port (3268) is accessible. In my case, kerberoasting with impacket can't be achieved. Simply switch ldap:// protocol to gc:// in impacket and win!
@NetPentesters
If ldap/ldaps ports are blocked by firewall but gc port (3268) is accessible. In my case, kerberoasting with impacket can't be achieved. Simply switch ldap:// protocol to gc:// in impacket and win!
@NetPentesters
#av #evasion
A PoC implementation for an evasion technique to terminate the current
thread and restore it before resuming execution, while implementing page
protection changes during no execution.
https://github.com/janoglezcampos/DeathSleep
@NetPentesters
A PoC implementation for an evasion technique to terminate the current
thread and restore it before resuming execution, while implementing page
protection changes during no execution.
https://github.com/janoglezcampos/DeathSleep
@NetPentesters
GitHub
GitHub - janoglezcampos/DeathSleep: A PoC implementation for an evasion technique to terminate the current thread and restore it…
A PoC implementation for an evasion technique to terminate the current thread and restore it before resuming execution, while implementing page protection changes during no execution. - janoglezcam...
#windows #impersonate #lpe
[ DiagTrackEoP ]
Just another way to abuse SeImpersonate privilege
https://github.com/Wh04m1001/DiagTrackEoP
@NetPentesters
[ DiagTrackEoP ]
Just another way to abuse SeImpersonate privilege
https://github.com/Wh04m1001/DiagTrackEoP
@NetPentesters
GitHub
GitHub - Wh04m1001/DiagTrackEoP
Contribute to Wh04m1001/DiagTrackEoP development by creating an account on GitHub.
[ Running Exploit As Protected Process Light From Userland ]
Run any code as the highest level of protection, meaning that the exploit will have full access over any other Protected Process Light and anti-malware services won’t be able to monitor it(Since they run with the lower protection of AntiMalware)
https://tastypepperoni.medium.com/running-exploit-as-protected-process-ligh-from-userland-f4c7dfe63387
+POC: https://github.com/tastypepperoni/RunAsWinTcb
#exploit
@NetPentesters
Run any code as the highest level of protection, meaning that the exploit will have full access over any other Protected Process Light and anti-malware services won’t be able to monitor it(Since they run with the lower protection of AntiMalware)
https://tastypepperoni.medium.com/running-exploit-as-protected-process-ligh-from-userland-f4c7dfe63387
+POC: https://github.com/tastypepperoni/RunAsWinTcb
#exploit
@NetPentesters
Medium
Running Exploit As Protected Process Light From Userland
Overview
#pid #lsass
Fourteen Ways to Read the PID for the Local Security Authority Subsystem Service (LSASS)
https://www.mdsec.co.uk/2022/08/fourteen-ways-to-read-the-pid-for-the-local-security-authority-subsystem-service-lsass/
@NetPentesters
Fourteen Ways to Read the PID for the Local Security Authority Subsystem Service (LSASS)
https://www.mdsec.co.uk/2022/08/fourteen-ways-to-read-the-pid-for-the-local-security-authority-subsystem-service-lsass/
@NetPentesters
MDSec
Fourteen Ways to Read the PID for the Local Security Authority Subsystem Service (LSASS) - MDSec
Introduction Process enumeration is necessary prior to injecting shellcode or dumping memory. Threat actors tend to favour using CreateToolhelp32Snapshot with Process32First and Process32Next to gather a list of running processes....
#sandbox #detect
Such a tiny code snippet that can help you bypass some automatic sandbox detections
@NetPentesters
Such a tiny code snippet that can help you bypass some automatic sandbox detections
@NetPentesters
Deny internet access and sniff your local network by performing arp spoofing attacks.
https://github.com/avan-pra/arpmess
@NetPentesters
https://github.com/avan-pra/arpmess
@NetPentesters
GitHub
GitHub - avan-pra/arpmess: Perform arp spoofing attack in C
Perform arp spoofing attack in C. Contribute to avan-pra/arpmess development by creating an account on GitHub.
[ Know Your AD Vulnerability: CVE-2022-26923 ]
An article with a detailed analysis of the CVE-2022-26923 vulnerability
https://www.semperis.com/blog/ad-vulnerability-cve-2022-26923/
#CVE
#AD
@NetPentesters
An article with a detailed analysis of the CVE-2022-26923 vulnerability
https://www.semperis.com/blog/ad-vulnerability-cve-2022-26923/
#CVE
#AD
@NetPentesters
Semperis
Know Your AD Vulnerability: CVE-2022-26923
Understanding Active Directory vulnerabilities like CVE-2022-26923 is crucial to protecting your organization. Learn about AD vulnerabilities at Semperis.
A VMWare Workspace ONE Access Remote Code Execution Exploit
https://github.com/sourceincite/hekate
#vmware
#one
#cve
#poc
@NetPentesters
https://github.com/sourceincite/hekate
#vmware
#one
#cve
#poc
@NetPentesters
GitHub
GitHub - sourceincite/hekate
Contribute to sourceincite/hekate development by creating an account on GitHub.
[ Concealed code execution: Techniques and detection ]
https://www.huntandhackett.com/blog/concealed-code-execution-techniques-and-detection
@NetPentesters
https://www.huntandhackett.com/blog/concealed-code-execution-techniques-and-detection
@NetPentesters
Huntandhackett
Concealed code execution: Techniques and detection
After months of dedicated research we cover a wide range of concealed code execution techniques and investigate their mechanisms and how to detect them.
EDRSandBlast is a tool written in C that weaponize a vulnerable signed driver to bypass EDR detections
and LSASS protections. Multiple userland unhooking techniques are also implemented to evade userland monitoring.
https://github.com/wavestone-cdt/EDRSandblast/tree/DefCon30Release
#edr
#bypass
@NetPentesters
and LSASS protections. Multiple userland unhooking techniques are also implemented to evade userland monitoring.
https://github.com/wavestone-cdt/EDRSandblast/tree/DefCon30Release
#edr
#bypass
@NetPentesters
GitHub
GitHub - wavestone-cdt/EDRSandblast at DefCon30Release
Contribute to wavestone-cdt/EDRSandblast development by creating an account on GitHub.
PrintNightmare exploit With the following features:
- Ability to target multiple hosts.
- Built-in SMB server for payload delivery, removing the need for open file shares.
- Exploit includes both MS-RPRN & MS-PAR protocols (define in CMD args).
- Implements UNC bypass technique.
https://github.com/m8sec/CVE-2021-34527
@NetPentesters
- Ability to target multiple hosts.
- Built-in SMB server for payload delivery, removing the need for open file shares.
- Exploit includes both MS-RPRN & MS-PAR protocols (define in CMD args).
- Implements UNC bypass technique.
https://github.com/m8sec/CVE-2021-34527
@NetPentesters
GitHub
GitHub - m8sec/CVE-2021-34527: PrintNightmare (CVE-2021-34527) PoC Exploit
PrintNightmare (CVE-2021-34527) PoC Exploit. Contribute to m8sec/CVE-2021-34527 development by creating an account on GitHub.
A basic emulation of an "RPC Backdoor"
https://github.com/eladshamir/RPC-Backdoor
#rpc
#backdoor
@NetPentesters
https://github.com/eladshamir/RPC-Backdoor
#rpc
#backdoor
@NetPentesters
GitHub
GitHub - eladshamir/RPC-Backdoor: A basic emulation of an "RPC Backdoor"
A basic emulation of an "RPC Backdoor". Contribute to eladshamir/RPC-Backdoor development by creating an account on GitHub.
dc-sonar
Analyzing AD domains for security risks related to user accounts
https://github.com/ST1LLY/dc-sonar
#ad
#redteam
@NetPentesters
Analyzing AD domains for security risks related to user accounts
https://github.com/ST1LLY/dc-sonar
#ad
#redteam
@NetPentesters
Best Practices for Securing Active Directory
https://docs.microsoft.com/en-gb/windows-server/identity/ad-ds/plan/security-best-practices/best-practices-for-securing-active-directory
#ad
#blueteam
@NetPentesters
https://docs.microsoft.com/en-gb/windows-server/identity/ad-ds/plan/security-best-practices/best-practices-for-securing-active-directory
#ad
#blueteam
@NetPentesters
Docs
Best practices for securing Active Directory
Learn more about best practices for securing Active Directory.
RPCRecon
Tool in Bash to carry out a basic enumeration and extract the most relevant information from an Active Directory via rpcclient.
This utility will allow us to obtain the following information from a Domain:
▫️ Domain Users
▫️ Domain Users with their denoscription
▫️ Domain Admin Users
▫️ Domain Groups
▫️ Domains within the network
https://github.com/m4lal0/RPCrecon
#AD
@NetPentesters
Tool in Bash to carry out a basic enumeration and extract the most relevant information from an Active Directory via rpcclient.
This utility will allow us to obtain the following information from a Domain:
▫️ Domain Users
▫️ Domain Users with their denoscription
▫️ Domain Admin Users
▫️ Domain Groups
▫️ Domains within the network
https://github.com/m4lal0/RPCrecon
#AD
@NetPentesters
GitHub
GitHub - m4lal0/RPCrecon: Herramienta en Bash para efectuar una enumeración básica y extraer la información más relevante de un…
Herramienta en Bash para efectuar una enumeración básica y extraer la información más relevante de un Directorio Activo vía rpcclient. - m4lal0/RPCrecon
SilentHound
Quietly enumerate an Active Directory Domain via LDAP parsing users, admins, groups, etc.
This will create an isolated virtual environment with dependencies needed for the project. To use the project you can either open a shell in the virtualenv with pipenv shell or run commands directly with pipenv run.
https://github.com/layer8secure/SilentHound
#ad
@NetPentesters
Quietly enumerate an Active Directory Domain via LDAP parsing users, admins, groups, etc.
This will create an isolated virtual environment with dependencies needed for the project. To use the project you can either open a shell in the virtualenv with pipenv shell or run commands directly with pipenv run.
https://github.com/layer8secure/SilentHound
#ad
@NetPentesters