Network Penetration Testing – Telegram
[ Network Penetration Testing & Cloud ]

Any misuse of this info will not be the responsibility of the author, educational purposes only.

@NetPentester
PatchThatAMSI

6 AMSI patches, both force the triggering of a conditional jump inside AmsiOpenSession() that closes the AMSI scanning session. The 1st patch does so by corrupting the AMSI context header and the 2nd patch by changing the string "AMSI" that will be compared to the AMSI context header to "D1RK". The other just

https://github.com/D1rkMtr/PatchThatAMSI
#amsi
#av
#bypass
@netpenteaters
Some useful Telegram channels

@OsintBlackBox
If you are interested in OSINT, the content here will be useful for you.
@Iranian_Osint
If you are interested in OSINT, the content here will be useful for you.
@PfkGit
If you are looking for penetration testing tools, find them here.
@pfk_git
If you are looking for penetration testing tools, find them here.
@Netpentesters (English)
If you want to become a penetration tester, join this channel.
@Netpentester (Iranian)
If you want to become a penetration tester, join this channel.
@library_Sec
The largest cyber security library in Telegram.
@BlueRedTeam
Red Team and BlueTeam specialized reference.
@Pfk_0day
Learn Cyber Security (Free)
RustHound
RustHound is a cross-platform BloodHound collector tool, written in Rust (Linux, Windows, macOS).
No anti-virus detection and cross-compiled.
RustHound generates users, groups, computers, OUs, GPOs, containers and domains JSON files to analyze them with the BloodHound application.

If you can use SharpHound.exe, use it. Rusthound is a backup solution if SharpHound.exe is detected by AV or if SharpHound.exe isn't executable from the system where you have access to.

+ additional custom queries

https://github.com/OPENCYBER-FR/RustHound

#bloodhound
#ad
@NetPentesters
#ad #ASREPRoast #kerberos

CVE-2022-33679 Windows Kerberos Elevation of Privilege

DOC

POC

@NetPentesters
We have been asked questions about what questions will be asked in the interview or what it will look like (although each company will ask questions according to their own needs or tell you what to do), so I decided to dedicate a post to "interview questions". If you have participated in interviews so far, you can contact us through the robot ID that I will provide for recruitment to complete this post, so that we can help these dear ones and have a comprehensive source of interview questions. If you work in network penetration testing or network security, you can contact us.

@ChatNPTbot
Determining AD domain name via NTLM Auth

If nmap (http-ntlm-info) is unable to determine the FQDN of an Active Directory domain via OWA, for example due to Citrix NetScaler or other SSO solutions, do it manually!

1. curl -I -k -X POST -H 'Authorization: NTLM TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAKANc6AAAADw==' -H 'Content-Length: 0' https://autodiscover.example.com/ews

2. echo 'TlRMTVNTUAACAAAADAAMAD...' | python2 ./ntlmdecoder.py

https://gist.github.com/aseering/829a2270b72345a1dc42

#ntlm #auth #sso
#tricks #pentest
@netpentesters
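The base64 blob returned in the WWW-Authenticate header after step 1 is an NTLM CHALLENGE_MESSAGE (type 2, MS-NLMP); the domain name sits in its TargetName field and in the TargetInfo AV_PAIR list. The following parser, added here as an example and not part of the post or of the linked ntlmdecoder.py gist, decodes those fields so you can check what an exposed OWA/EWS/autodiscover endpoint of your own discloses. The sample message, the domain corp.example and the host names in it are constructed for the demonstration; paste a real Type 2 blob into parse_ntlm_challenge() in place of the fixture.

```python
import base64
import struct

# AV_PAIR ids from the MS-NLMP TargetInfo field that carry names
AV_PAIR_NAMES = {
    1: "netbios_computer_name",
    2: "netbios_domain_name",
    3: "dns_computer_name",
    4: "dns_domain_name",
    5: "dns_tree_name",
}

NTLMSSP_NEGOTIATE_UNICODE = 0x00000001
NTLMSSP_NEGOTIATE_NTLM = 0x00000200
NTLMSSP_NEGOTIATE_TARGET_INFO = 0x00800000


def parse_ntlm_challenge(b64: str) -> dict:
    """Decode a base64 NTLM CHALLENGE_MESSAGE (type 2) and return the target
    name, the server challenge and the name AV_PAIRs that disclose the domain."""
    data = base64.b64decode(b64)
    if data[:8] != b"NTLMSSP\x00":
        raise ValueError("not an NTLMSSP message")
    msg_type = struct.unpack_from("<I", data, 8)[0]
    if msg_type != 2:
        raise ValueError(f"expected CHALLENGE_MESSAGE (type 2), got type {msg_type}")
    # Fixed header layout: TargetNameFields (Len, MaxLen, Offset) at byte 12,
    # NegotiateFlags at 20, ServerChallenge at 24, Reserved at 32,
    # TargetInfoFields at 40; the optional Version field would follow at 48.
    tn_len, _, tn_off = struct.unpack_from("<HHI", data, 12)
    flags = struct.unpack_from("<I", data, 20)[0]
    challenge = data[24:32]
    ti_len, _, ti_off = struct.unpack_from("<HHI", data, 40)
    encoding = "utf-16-le" if flags & NTLMSSP_NEGOTIATE_UNICODE else "latin-1"
    result = {
        "target_name": data[tn_off:tn_off + tn_len].decode(encoding),
        "server_challenge": challenge.hex(),
        "flags": flags,
        "av_pairs": {},
    }
    # TargetInfo is a list of AV_PAIRs: AvId(2) AvLen(2) Value(AvLen),
    # terminated by MsvAvEOL (id 0); name values are always UTF-16LE.
    pos, end = ti_off, ti_off + ti_len
    while pos + 4 <= end:
        av_id, av_len = struct.unpack_from("<HH", data, pos)
        pos += 4
        if av_id == 0:
            break
        value = data[pos:pos + av_len]
        pos += av_len
        if av_id in AV_PAIR_NAMES:
            result["av_pairs"][AV_PAIR_NAMES[av_id]] = value.decode("utf-16-le")
    return result


def domain_from_challenge(b64: str) -> str:
    """The FQDN of the AD domain, falling back to NetBIOS domain or target name."""
    parsed = parse_ntlm_challenge(b64)
    av = parsed["av_pairs"]
    return av.get("dns_domain_name") or av.get("netbios_domain_name") or parsed["target_name"]


def build_sample_challenge(target_name: str, av_pairs: dict) -> str:
    """Construct a CHALLENGE_MESSAGE carrying the given names. Test fixture only,
    not a real server response; no Version field, so the header is 48 bytes."""
    flags = NTLMSSP_NEGOTIATE_UNICODE | NTLMSSP_NEGOTIATE_NTLM | NTLMSSP_NEGOTIATE_TARGET_INFO
    tn = target_name.encode("utf-16-le")
    ti = b""
    for av_id, value in av_pairs.items():
        enc = value.encode("utf-16-le")
        ti += struct.pack("<HH", av_id, len(enc)) + enc
    ti += struct.pack("<HH", 0, 0)  # MsvAvEOL terminator
    tn_off = 48
    ti_off = tn_off + len(tn)
    msg = (
        b"NTLMSSP\x00"
        + struct.pack("<I", 2)
        + struct.pack("<HHI", len(tn), len(tn), tn_off)
        + struct.pack("<I", flags)
        + bytes(range(8))            # constructed 8-byte server challenge
        + b"\x00" * 8                # reserved
        + struct.pack("<HHI", len(ti), len(ti), ti_off)
        + tn
        + ti
    )
    return base64.b64encode(msg).decode("ascii")


if __name__ == "__main__":
    # Constructed sample for the hypothetical domain corp.example
    sample = build_sample_challenge("CORP", {
        1: "EXCH01", 2: "CORP",
        3: "exch01.corp.example", 4: "corp.example", 5: "corp.example",
    })
    print(parse_ntlm_challenge(sample))
    print("AD domain:", domain_from_challenge(sample))
```

The DNS domain name (AvId 4) is the field you normally want; the NetBIOS domain name (AvId 2) and the TargetName usually repeat it in short form. If an endpoint of yours returns these, the fix is on the gateway side (the post's NetScaler/SSO case is the exception, not the rule): disable NTLM on the externally published endpoint or pre-authenticate before any NTLM exchange is offered.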
#impacket

More examples using the Impacket library designed for learning purposes.

● dll_proxy_exec.py
● dump_ntds_creds.py
● remote_ssp_dump.py
● wmi_reg_exec.py

https://github.com/icyguider/MoreImpacketExamples
@Netpentesters
Negoexrelayx

Negoex relaying tool

Toolkit for abusing #Kerberos PKU2U and NegoEx. Requires impacket. It is recommended to install impacket from git directly to have the latest version available.

https://github.com/morRubin/NegoExRelay

@NetPentesters
🥳 Happy New Year 🥂 🍾 🍻 🍷
FarsightAD

A #PowerShell script that aims to help uncover (eventual) persistence mechanisms deployed by a threat actor following an Active Directory domain compromise.

The script produces CSV / JSON file exports of various objects and their attributes, enriched with timestamps from replication metadata. Additionally, if executed with replication privileges, the Directory Replication Service (DRS) protocol is leveraged to detect fully or partially hidden objects.

https://github.com/Qazeer/FarsightAD
#ad
@NetPentesters
ntlm_theft

A tool for generating multiple types of NTLMv2 hash theft files.
ntlm_theft is an open source Python3 tool that generates 21 different types of hash theft documents. These can be used for phishing when either the target allows SMB traffic outside their network, or if you are already inside the internal network.

https://github.com/Greenwolf/ntlm_theft
#NTLM
@Netpentesters
Sandman

Sandman is a backdoor that is meant to work on hardened networks during red team engagements.

Sandman works as a stager and leverages NTP (the protocol used to sync time & date) to download arbitrary shellcode from a predefined server.

NTP is a protocol that is overlooked by many defenders, resulting in wide network accessibility.

https://github.com/Idov31/Sandman
#redteam
@Netpentesters
⭐️ Privileger

Privileger allows you to work with privileges in Windows as easily as possible. There are three modes:

— Add privileges to an account;
— Start a process by adding a specific privilege to its token;
— Remove privilege from the user.

Thanks to:
@Michaelzhm

https://github.com/MzHmO/Privileger

#ad #windows #privilege #lsa
@netpentesters