Pivoting Over Challenge Based Enterprise WiFi Network
https://tbhaxor.com/pivoting-over-peap-mschapv2-wifi-network
@NetPentesters
https://tbhaxor.com/pivoting-over-peap-mschapv2-wifi-network
@NetPentesters
tbhaxor's Blog
Pivoting Over Challenge Based Enterprise WiFi Network
You will discover how to connect to the organization's access point using PEAP-MSCHAPv2 authentication and relay the response to the authenticator challenge This will allow you to read the private emails on a LAN-hosted POP3 server.
🀄 Privilege Escalation Enumeration Script for Windows
https://github.com/itm4n/PrivescCheck
#windows
#privesc
#enumeration
#enum
#powershell
@NetPentesters
This noscript aims to enumerate common Windows security misconfigurations that can be leveraged for privilege escalation. It also gathers various information that might be useful for exploitation and/or post-exploitation
https://github.com/itm4n/PrivescCheck
#windows
#privesc
#enumeration
#enum
#powershell
@NetPentesters
GitHub
GitHub - itm4n/PrivescCheck: Privilege Escalation Enumeration Script for Windows
Privilege Escalation Enumeration Script for Windows - itm4n/PrivescCheck
Roast in the Middle
Python implementation of the man-in-the-middle attack
● Performs ARP spoofing between your target(s) and the gateway to obtain a man-in-the-middle position
● Sniffs traffic for an AS-REQ containing PA-ENC-TIMESTAMP data
● Replays the sniffed AS-REQ to a DC after changing the SPN to usernames/SPNs provided via a file
● Outputs any roasted account hashes
https://github.com/Tw1sm/RITM
#ad
#mitm
#kerberos
@NetPentesters
Python implementation of the man-in-the-middle attack
● Performs ARP spoofing between your target(s) and the gateway to obtain a man-in-the-middle position
● Sniffs traffic for an AS-REQ containing PA-ENC-TIMESTAMP data
● Replays the sniffed AS-REQ to a DC after changing the SPN to usernames/SPNs provided via a file
● Outputs any roasted account hashes
https://github.com/Tw1sm/RITM
#ad
#mitm
#kerberos
@NetPentesters
GitHub
GitHub - Tw1sm/RITM: Roast in the Middle
Roast in the Middle. Contribute to Tw1sm/RITM development by creating an account on GitHub.
[ Living-Off-the-Blindspot - Operating into EDRs’ blindspot ]
#edr
#bypass
#python
@NetPentesters
EDR bypass with python
https://www.naksyn.com/edr%20evasion/2022/09/01/operating-into-EDRs-blindspot.html#edr
#bypass
#python
@NetPentesters
BadBlood
BadBlood by Secframe fills a Microsoft Active Directory Domain with a structure and thousands of objects. The output of the tool is a domain similar to a domain in the real world.
After BadBlood is ran on a domain, security analysts and engineers can practice using tools to gain an understanding and prescribe to securing Active Directory. Each time this tool runs, it produces different results. The domain, users, groups, computers and permissions are different. Every. Single. Time.
https://github.com/davidprowe/BadBlood
#ad
@NetPenteaters
BadBlood by Secframe fills a Microsoft Active Directory Domain with a structure and thousands of objects. The output of the tool is a domain similar to a domain in the real world.
After BadBlood is ran on a domain, security analysts and engineers can practice using tools to gain an understanding and prescribe to securing Active Directory. Each time this tool runs, it produces different results. The domain, users, groups, computers and permissions are different. Every. Single. Time.
https://github.com/davidprowe/BadBlood
#ad
@NetPenteaters
I need an admin to train users
have the following conditions:
Have at least 1 year of network penetration testing experience or network penetration testing skills.
Training should be in Eve-NG or GNS3 environment.
Contact the following address:
@ChatNPTbot
have the following conditions:
Have at least 1 year of network penetration testing experience or network penetration testing skills.
Training should be in Eve-NG or GNS3 environment.
Contact the following address:
@ChatNPTbot
Azure AD Exporter
The Azure AD Exporter is a PowerShell module that allows you to export your Azure AD and Azure AD B2C configuration settings to local .json files.
This module can be run as a nightly scheduled task or a DevOps component (Azure DevOps, GitHub, Jenkins) and the exported files can be version controlled in Git or SharePoint.
This will provide tenant administrators with a historical view of all the settings in the tenant including the change history over the years.
https://github.com/microsoft/azureadexporter
#AD
#Azure
@NetPentesters
The Azure AD Exporter is a PowerShell module that allows you to export your Azure AD and Azure AD B2C configuration settings to local .json files.
This module can be run as a nightly scheduled task or a DevOps component (Azure DevOps, GitHub, Jenkins) and the exported files can be version controlled in Git or SharePoint.
This will provide tenant administrators with a historical view of all the settings in the tenant including the change history over the years.
https://github.com/microsoft/azureadexporter
#AD
#Azure
@NetPentesters
ShadowSpray
A tool to spray Shadow Credentials across an entire domain in hopes of abusing long forgotten GenericWrite/GenericAll DACLs over other objects in the domain.
https://github.com/Dec0ne/ShadowSpray/
#ad
#spray
@NetPentesters
A tool to spray Shadow Credentials across an entire domain in hopes of abusing long forgotten GenericWrite/GenericAll DACLs over other objects in the domain.
https://github.com/Dec0ne/ShadowSpray/
#ad
#spray
@NetPentesters
SpecterOps
The Renaissance of NTLM Relay Attacks: Everything You Need to Know - SpecterOps
NTLM relay attacks have been around for a long time. While many security practitioners think NTLM relay is a solved problem, or at least a not-so-severe one, it is, in fact, alive and kicking and arguably worse than ever before. Relay attacks are the easiest…
Microsoft Office Online Server Remote Code Execution
https://www.mdsec.co.uk/2022/10/microsoft-office-online-server-remote-code-execution/
#ssrf
#ntlm
@NetPentesters
https://www.mdsec.co.uk/2022/10/microsoft-office-online-server-remote-code-execution/
#ssrf
#ntlm
@NetPentesters
MDSec
Microsoft Office Online Server Remote Code Execution - MDSec
Microsoft’s Office Online Server is the next generation of Office Web Apps Server; it provides a browser based viewer/editor for Word, PowerPoint, Excel and OneNote documents. The product can be...
This media is not supported in your browser
VIEW IN TELEGRAM
QueenSono
A Golang Package for Data Exfiltration with ICMP protocol.
QueenSono tool only relies on the fact that ICMP protocol isn't monitored. It is quite common.
It could also been used within a system with basic ICMP inspection (ie. frequency and content length watcher) or to bypass authentication step with captive portal (used by many public Wi-Fi to authenticate users after connecting to the Wi-Fi e.g Airport Wi-Fi).
Try to imitate PyExfil (and others) with the idea that the target machine does not necessary have python installed (so provide a binary could be useful)
https://github.com/ariary/QueenSono
@Netpentesters
A Golang Package for Data Exfiltration with ICMP protocol.
QueenSono tool only relies on the fact that ICMP protocol isn't monitored. It is quite common.
It could also been used within a system with basic ICMP inspection (ie. frequency and content length watcher) or to bypass authentication step with captive portal (used by many public Wi-Fi to authenticate users after connecting to the Wi-Fi e.g Airport Wi-Fi).
Try to imitate PyExfil (and others) with the idea that the target machine does not necessary have python installed (so provide a binary could be useful)
https://github.com/ariary/QueenSono
@Netpentesters
PatchThatAMSI
6 AMSI patches , both force the triggering of a conditional jump inside AmsiOpenSession() that close the Amsi scanning session. The 1st patch by corrupting the Amsi context header and the 2nd patch by changing the string "AMSI" that will be compared to the Amsi context header to "D1RK". The other just
https://github.com/D1rkMtr/PatchThatAMSI
#amsi
#av
#bypass
@netpenteaters
6 AMSI patches , both force the triggering of a conditional jump inside AmsiOpenSession() that close the Amsi scanning session. The 1st patch by corrupting the Amsi context header and the 2nd patch by changing the string "AMSI" that will be compared to the Amsi context header to "D1RK". The other just
https://github.com/D1rkMtr/PatchThatAMSI
#amsi
#av
#bypass
@netpenteaters
Some useful Telegram channels
@OsintBlackBox
If you are interested in OSINT, the content here will be useful for you.
@Iranian_Osint
If you are interested in OSINT, the content here will be useful for you.
@PfkGit
If you are looking for penetration testing tools, find them here.
@pfk_git
If you are looking for penetration testing tools, find them here.
@Netpentesters ( English )
If you want to become a Pinterester, join this channel.
@Netpentester (Iranian)
If you want to become a Pinterester, join this channel.
@library_Sec
The largest cyber security library in Telegram.
@BlueRedTeam
Red Team and BlueTeam specialized reference.
@Pfk_0day
Learn Cyber Security ( Free )
@OsintBlackBox
If you are interested in OSINT, the content here will be useful for you.
@Iranian_Osint
If you are interested in OSINT, the content here will be useful for you.
@PfkGit
If you are looking for penetration testing tools, find them here.
@pfk_git
If you are looking for penetration testing tools, find them here.
@Netpentesters ( English )
If you want to become a Pinterester, join this channel.
@Netpentester (Iranian)
If you want to become a Pinterester, join this channel.
@library_Sec
The largest cyber security library in Telegram.
@BlueRedTeam
Red Team and BlueTeam specialized reference.
@Pfk_0day
Learn Cyber Security ( Free )
RustHound
https://github.com/OPENCYBER-FR/RustHound
#bloodhound
#ad
@NetPentesters
RustHound is a cross-platform BloodHound collector tool, written in Rust. (Linux,Windows,MacOS)
No anti-virus detection and cross-compiled.
RustHound generate users,groups,computers,ous,gpos,containers,domains json files to analyze it with BloodHound application.
If you can use SharpHound.exe, use it. Rusthound is a backup solution if SharpHound.exe is detected by AV or if SharpHound.exe isn't executable from the system where you have access to.
+ additional custom querieshttps://github.com/OPENCYBER-FR/RustHound
#bloodhound
#ad
@NetPentesters
#ad #ASREPRoast #kerberos
CVE-2022-33679 Windows Kerberos Elevation of Privilege
DOC
POC
@NetPentesters
CVE-2022-33679 Windows Kerberos Elevation of Privilege
DOC
POC
@NetPentesters
We have been asked questions about what questions will be asked in the interview or what it will look like, (although each company will ask questions according to their own needs or tell you what to do) I decided to dedicate a post to "interview questions". If you have participated in the interviews so far, you can contact us through the robot ID that I will provide for recruitment to complete this post, so that we can help these dear ones and have a comprehensive source of interview questions. If you network Penetration testing or network security, you can contact us.
@ChatNPTbot
@ChatNPTbot
Determining AD domain name via NTLM Auth
If you have nmap (http-ntlm-info) unable to determine the FQND of an Active Directory domain via OWA, for example due to Citrix NetScaler or other SSO solutions, do it manually!
1. curl -I -k -X POST -H 'Authorization: NTLM TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAKANc6AAAADw==' -H 'Content-Length: 0' https://autodiscover.exmaple.com/ews
2. echo 'TlRMTVNTUAACAAAADAAMAD...' | python2 ./ntlmdecoder.py
https://gist.github.com/aseering/829a2270b72345a1dc42
#ntlm #auth #sso
#tricks #pentest
@netpentesters
If you have nmap (http-ntlm-info) unable to determine the FQND of an Active Directory domain via OWA, for example due to Citrix NetScaler or other SSO solutions, do it manually!
1. curl -I -k -X POST -H 'Authorization: NTLM TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAKANc6AAAADw==' -H 'Content-Length: 0' https://autodiscover.exmaple.com/ews
2. echo 'TlRMTVNTUAACAAAADAAMAD...' | python2 ./ntlmdecoder.py
https://gist.github.com/aseering/829a2270b72345a1dc42
#ntlm #auth #sso
#tricks #pentest
@netpentesters
Gist
NTLM auth-string decoder
NTLM auth-string decoder. GitHub Gist: instantly share code, notes, and snippets.
#impacket
More examples using the Impacket library designed for learning purposes.
● dll_proxy_exec.py
● dump_ntds_creds.py
● remote_ssp_dump.py
● wmi_reg_exec.py
https://github.com/icyguider/MoreImpacketExamples
@Netpentesters
More examples using the Impacket library designed for learning purposes.
● dll_proxy_exec.py
● dump_ntds_creds.py
● remote_ssp_dump.py
● wmi_reg_exec.py
https://github.com/icyguider/MoreImpacketExamples
@Netpentesters
#ad #enum
[ SilentHound ]
@NetPenTesters
[ SilentHound ]
Quietly enumerate an Active Directory Domain via LDAP parsing users, admins, groups, etc.
https://github.com/layer8secure/SilentHound@NetPenTesters
GitHub
GitHub - layer8secure/SilentHound: Quietly enumerate an Active Directory Domain via LDAP parsing users, admins, groups, etc.
Quietly enumerate an Active Directory Domain via LDAP parsing users, admins, groups, etc. - layer8secure/SilentHound
Negoexrelayx
Negoex relaying tool
Toolkit for abusing #Kerberos PKU2U and NegoEx. Requires impacket It is recommended to install impacket from git directly to have the latest version available.
https://github.com/morRubin/NegoExRelay
@NetPentesters
Negoex relaying tool
Toolkit for abusing #Kerberos PKU2U and NegoEx. Requires impacket It is recommended to install impacket from git directly to have the latest version available.
https://github.com/morRubin/NegoExRelay
@NetPentesters
GitHub
GitHub - morRubin/NegoExRelay
Contribute to morRubin/NegoExRelay development by creating an account on GitHub.
👍1