EDRSandBlast is a tool written in C that weaponizes a vulnerable signed driver to bypass EDR detections
and LSASS protections. Multiple userland unhooking techniques are also implemented to evade userland monitoring.
https://github.com/wavestone-cdt/EDRSandblast/tree/DefCon30Release
#edr
#bypass
@NetPentesters
PrintNightmare exploit with the following features:
- Ability to target multiple hosts.
- Built-in SMB server for payload delivery, removing the need for open file shares.
- Exploit includes both MS-RPRN & MS-PAR protocols (defined in CMD args).
- Implements UNC bypass technique.
https://github.com/m8sec/CVE-2021-34527
@NetPentesters
A basic emulation of an "RPC Backdoor"
https://github.com/eladshamir/RPC-Backdoor
#rpc
#backdoor
@NetPentesters
dc-sonar
Analyzing AD domains for security risks related to user accounts
https://github.com/ST1LLY/dc-sonar
#ad
#redteam
@NetPentesters
Best Practices for Securing Active Directory
https://docs.microsoft.com/en-gb/windows-server/identity/ad-ds/plan/security-best-practices/best-practices-for-securing-active-directory
#ad
#blueteam
@NetPentesters
RPCRecon
Tool in Bash to carry out a basic enumeration and extract the most relevant information from an Active Directory via rpcclient.
This utility will allow us to obtain the following information from a Domain:
▫️ Domain Users
▫️ Domain Users with their description
▫️ Domain Admin Users
▫️ Domain Groups
▫️ Domains within the network
https://github.com/m4lal0/RPCrecon
#AD
@NetPentesters
SilentHound
Quietly enumerate an Active Directory Domain via LDAP parsing users, admins, groups, etc.
This will create an isolated virtual environment with dependencies needed for the project. To use the project you can either open a shell in the virtualenv with pipenv shell or run commands directly with pipenv run.
https://github.com/layer8secure/SilentHound
#ad
@NetPentesters
AzurePolicyTestFramework
A CLI tool to test Azure Policy relying on Terraform + Golang
https://github.com/microsoft/AzurePolicyTestFramework
#Azure
@NetPentesters
MSSQL Analysis Services - Coerced Authentication
A technique to coerce a Windows SQL Server to authenticate on an arbitrary machine.
https://github.com/p0dalirius/MSSQL-Analysis-Coerce
#mssql
#ntlm
@NetPentesters
DNS Reaper
Sub-domain takeover tool, but with an emphasis on accuracy, speed and the number of signatures in our arsenal!
We can scan around 50 subdomains per second, testing each one with over 50 takeover signatures. This means most organisations can scan their entire DNS estate in less than 10 seconds.
https://github.com/punk-security/dnsReaper
#tools
@NetPentesters
evilginx2
A man-in-the-middle attack framework used for phishing login credentials along with session cookies, which in turn allows to bypass 2-factor authentication protection.
This tool is a successor to Evilginx, released in 2017, which used a custom version of nginx HTTP server to provide man-in-the-middle functionality to act as a proxy between a browser and phished website. Present version is fully written in GO as a standalone application, which implements its own HTTP and DNS server, making it extremely easy to set up and use.
https://github.com/kgretzky/evilginx2
#MITM
@NetPentesters
ADenum
ADEnum.py is a pentesting tool that finds misconfigurations through the LDAP protocol and exploits some of those weaknesses with Kerberos.
LDAP:
▫️ Enum Domain Admin users
▫️ Enum Domain Controllers
▫️ Enum Domain users with Password Not Expire
▫️ Enum Domain users with old password
▫️ Enum Domain users with interesting description
▫️ Enum Domain users with not the default encryption
▫️ Enum Domain users with Protecting Privileged Domain Accounts
Kerberos:
▫️ AS-REP Roastable
▫️ Kerberoastable
▫️ Password cracking with john (krb5tgs and krb5asrep)
https://github.com/SecuProject/ADenum
#ad
#redteam
@NetPentesters
SilentHound
Quietly enumerate an Active Directory Domain via LDAP parsing users, admins, groups, etc.
https://github.com/layer8secure/SilentHound
#ad
#enum
@NetPentesters
BARK
BARK stands for BloodHound Attack Research Kit. It is a PowerShell script built to assist the BloodHound Enterprise team with researching and continuously validating abuse primitives. BARK currently focuses on Microsoft's Azure suite of products and services.
BARK requires no third-party dependencies. BARK's functions are designed to be as simple and maintainable as possible. Most functions are very simple wrappers for making requests to various REST API endpoints. BARK's basic functions do not even require each other: you can pull almost any BARK function out of BARK and it will work perfectly as a standalone function in your own scripts.
https://github.com/BloodHoundAD/BARK
#AD
@NetPentesters
Friends, if you have any questions about network penetration testing, contact us with the following bot:
@ChatNPTbot
Active Directory Certificate Services Abuse
https://rayrt.gitlab.io/posts/Active-Directory-Certificate-Services-Abuse/
#ad
#adcs
@NetPentesters
Autobloody
Automatically exploit Active Directory privilege escalation paths shown by BloodHound combining pathgen.py and autobloody.py.
Here is the list of the BloodHound edges currently supported for automatic exploitation:
MemberOf
ForceChangePassword
AddMembers
AddSelf
DCSync
GetChanges/GetChangesAll
GenericAll
WriteDacl
GenericWrite
WriteOwner
Owns
Contains
AllExtendedRights
https://github.com/CravateRouge/autobloody
#ad
#bloodhound
@NetPentesters
[ LDAP Nom Nom ]
Anonymously bruteforce Active Directory usernames from Domain Controllers by abusing LDAP Ping requests (cLDAP)
https://github.com/lkarlslund/ldapnomnom
#ldap
#ad
#enum
#bruteforce
@NetPentesters
PowerHuntShares
is designed to automatically inventory, analyze, and report excessive privileges assigned to SMB shares on Active Directory domain-joined computers.
It is intended to help IAM and other blue teams gain a better understanding of their SMB share attack surface, and provides data insights that naturally group related shares to streamline remediation efforts at scale.
https://github.com/NetSPI/PowerHuntShares
Attacking and Remediating Excessive Network Share Permissions in Active Directory Environments
https://www.netspi.com/blog/technical/network-penetration-testing/network-share-permissions-powerhuntshares
#ad
#SMB
@NetPentesters
JuicyPotatoNG
Another Windows Local Privilege Escalation from Service Account to System
LINK TO RESEARCH
https://github.com/antonioCoco/JuicyPotatoNG
#windows #LPE
@NetPentesters
Decoder's Blog
Giving JuicyPotato a second chance: JuicyPotatoNG
Well, it’s been a long time ago since our beloved JuicyPotato has been published. Meantime things changed and got fixed (backported also to Win10 1803/Server2016) leading to the glorious end …
linWinPwn
Bash script that automates a number of Active Directory enumeration and vulnerability checks
https://github.com/lefayjey/linWinPwn
#ad
#enum
@NetPentesters