Exchange TabShell RCE PoC (CVE-2022-41076)
+ Microsoft #Exchange: OWASSRF + TabShell (CVE-2022-41076)
The TabShell vulnerability is a form of #Privilege Escalation that allows breaking out of the restricted #Powershell #Sandbox after you have successfully gained access through OWASSRF.
https://gist.github.com/testanull/518871a2e2057caa2bc9c6ae6634103e
Details:
https://blog.viettelcybersecurity.com/tabshell-owassrf/
#Exchange
#ssrf
#tabshell
#poc
@NetPentesters
WP_Timeroasting_v3.pdf
#Whitepaper
"Timeroasting, Trustroasting and Computer Spraying: Taking advantage of weak computer and trust account passwords in Active Directory".
-> Timeroasting scripts:
https://github.com/SecuraBV/Timeroast
#AD
@NetPentesters
[CVE49] Microsoft Windows LNK Remote Code Execution Vulnerability - CVE-2020-1299
File Explorer, previously known as Windows Explorer, is a file manager application that has been included with releases of the Microsoft Windows operating system from Windows 95 onwards. It provides a graphical user interface for accessing the file systems. It is also the component of the operating system that presents many user interface items on the screen, such as the taskbar and desktop.
Explorer has a lot of features, and Microsoft has upgraded it in each version of the operating system. Here I discovered that Explorer will automatically parse an LNK file if the LNK file appears in the context that Explorer is accessing. For example, if we are on the desktop, Explorer will parse the LNK files that appear on the desktop and maybe in some secondary directory (about the depth of the folders that Explorer can access, I don't know).
https://blog.vincss.net/2020/06/cve49-microsoft-windows-lnk-remote-code-execution-vuln-cve-2020-1299-eng.html?m=1
@NetPentesters
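The post above is about Explorer parsing LNK files on its own as soon as they appear in a listed folder. As an added example (not the vincss PoC, and it does not reproduce CVE-2020-1299), this parses the fixed 76-byte ShellLinkHeader and the optional LinkTargetIDList that follows it, with the bounds checks a parser of attacker-supplied shortcuts needs, and runs on a header constructed in memory rather than on a real .lnk file. The item ID bytes and flag values in the sample are assumptions.

```python
import struct
import uuid

LNK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046")
HEADER_SIZE = 0x4C
LINK_FLAGS = {
    0: "HasLinkTargetIDList", 1: "HasLinkInfo", 2: "HasName",
    3: "HasRelativePath", 4: "HasWorkingDir", 5: "HasArguments",
    6: "HasIconLocation", 7: "IsUnicode",
}


def parse_shell_link(blob: bytes) -> dict:
    """Parse ShellLinkHeader [+ LinkTargetIDList]; raise ValueError on malformed input."""
    if len(blob) < HEADER_SIZE:
        raise ValueError("file shorter than ShellLinkHeader")
    size, clsid_le, flags, attrs = struct.unpack_from("<I16sII", blob, 0)
    if size != HEADER_SIZE or uuid.UUID(bytes_le=clsid_le) != LNK_CLSID:
        raise ValueError("not a Shell Link: bad HeaderSize or LinkCLSID")
    show_cmd, = struct.unpack_from("<I", blob, 60)
    info = {
        "flags": [name for bit, name in LINK_FLAGS.items() if flags >> bit & 1],
        "file_attributes": attrs,
        "show_command": show_cmd,
        "item_ids": [],
    }
    offset = HEADER_SIZE
    if flags & 1:  # HasLinkTargetIDList: u16 IDListSize, then ItemIDs, then 0x0000
        if offset + 2 > len(blob):
            raise ValueError("truncated IDListSize")
        idlist_size, = struct.unpack_from("<H", blob, offset)
        offset += 2
        end = offset + idlist_size
        if end > len(blob):
            raise ValueError("IDListSize runs past end of file")
        while True:
            if offset + 2 > end:
                raise ValueError("IDList missing TerminalID")
            item_size, = struct.unpack_from("<H", blob, offset)   # includes the 2 size bytes
            if item_size == 0:
                offset += 2
                break
            if item_size < 2 or offset + item_size > end:
                raise ValueError("ItemIDSize out of bounds")
            info["item_ids"].append(blob[offset + 2:offset + item_size])
            offset += item_size
        if offset != end:
            raise ValueError("IDListSize disagrees with item sizes")
    info["next_offset"] = offset   # where LinkInfo / StringData would start
    return info


def is_well_formed(blob: bytes) -> bool:
    try:
        parse_shell_link(blob)
        return True
    except ValueError:
        return False


def build_sample_lnk(item_ids=(b"\x1f\x50",), flags=0x81) -> bytes:
    """Constructed test input: minimal header plus an IDList (not a real shortcut)."""
    header = struct.pack("<I16sIIqqqIIIHHII", HEADER_SIZE, LNK_CLSID.bytes_le, flags,
                         0x20, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    idlist = b"".join(struct.pack("<H", len(d) + 2) + d for d in item_ids) + b"\x00\x00"
    return header + struct.pack("<H", len(idlist)) + idlist


if __name__ == "__main__":
    print(parse_shell_link(build_sample_lnk()))
```

Any of the size fields in the header or IDList is attacker-controlled the moment the file lands in a folder the user opens, which is why each one is checked against the remaining length before it is used.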
pfSense as an OpenVPN client for specific devices
One of the most powerful features of pfSense is its ability to direct your data requests through different end-points using NAT rules. pfSense is amazing as an OpenVPN client because it can selectively route any device on the network through the VPN service (i.e., my tablets and TV go through US servers, while my smartphone, VoIP and computers go through my local ISP).
This setup becomes extremely handy for use with applications which are not aware of the OpenVPN protocol, e.g. download managers, torrent clients, etc. Expecting privacy, you should be positive that traffic won't go through your ISP's gateway in case of a failure on the VPN provider's side. And obviously the OpenVPN client should automatically reconnect as soon as the service goes live again.
https://gist.github.com/InQuize/59e7c458c510ae779743
#Pfsense
@Netpentesters
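As an added example of the setup described above (not the linked gist's configuration), these are pf rules of the kind the pfSense GUI generates for policy-routing a few hosts through the OpenVPN client interface while the rest of the LAN keeps the ISP gateway, with a kill switch for the "VPN is down" case. The host addresses, the `ovpnc1` interface name, the `10.8.0.1` tunnel gateway, the `VPN_ONLY` tag and the `$LAN`/`$WAN` macros are assumptions.

```conf
# Hosts that must only ever talk through the VPN (Firewall > Aliases in the GUI)
table <vpn_clients> { 192.168.1.20, 192.168.1.21 }

# Outbound NAT on the tunnel interface (Firewall > NAT > Outbound, hybrid/manual mode).
# Without it packets leave ovpnc1 with a LAN source address and replies never come back.
nat on ovpnc1 inet from <vpn_clients> to any -> (ovpnc1)

# Policy route: LAN pass rule with the VPN gateway selected (rule > Advanced > Gateway).
# 'quick' so it wins over the generic LAN rule below; the tag travels with the state.
pass in quick on $LAN route-to ( ovpnc1 10.8.0.1 ) inet from <vpn_clients> to any tag VPN_ONLY keep state

# Kill switch, part 1: with System > Advanced > Miscellaneous > "Skip rules when gateway
# is down" enabled, pfSense omits the rule above while the tunnel is down instead of
# letting it fall back to the default route, so these hosts hit this block rule instead.
block in quick on $LAN inet from <vpn_clients> to any

# Kill switch, part 2 (floating rule): nothing tagged at LAN may leave via the ISP uplink.
block out quick on $WAN tagged VPN_ONLY

# Everyone else on the LAN keeps using the ISP gateway (the default LAN allow rule).
pass in on $LAN inet from 192.168.1.0/24 to any keep state
```

Two settings on the OpenVPN client itself matter as much as the rules: tick "Don't pull routes" (OpenVPN's `route-nopull`) so the provider's `redirect-gateway` push cannot replace the firewall's default route for the whole LAN, and leave the reconnect options pfSense writes into the client config (`persist-key`, `persist-tun`, `resolv-retry infinite`; verify them in the generated file under `/var/etc/openvpn/`) so the tunnel comes back by itself and the policy-routed hosts resume without the block rules ever being disabled.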
This tool extracts Credit card numbers, NTLM(DCE-RPC, HTTP, SQL, LDAP, etc), Kerberos (AS-REQ Pre-Auth etype 23), HTTP Basic, SNMP, POP, SMTP, FTP, IMAP, etc from a pcap file or from a live interface.
https://github.com/lgandx/PCredz
#pcap
#credential
#sniffer
@Netpentesters
Have you ever wanted to transfer files over DNS A records? No? Well too bad lol, I've updated @domchell's PowerDNS to do that along with some other things. Could be useful for pentests with no standard outbound access... which yes I get quite a bit of.
https://github.com/icyguider/NewPowerDNS
#DNS
@NetPentesters
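The post above is about moving files over DNS A records; as an added example that is neither NewPowerDNS's code nor its wire format, this shows the framing such a transfer needs. An A answer carries exactly 4 bytes, so the payload is chunked into dotted quads, each chunk gets its own query name (unique names also keep a recursive resolver from answering from cache), and a length record lets the receiver strip the padding of the final chunk. The `tunnel.example` zone, the label layout and the sample payload are assumptions; the answers dictionary stands in for what the client would collect by querying a resolver that forwards to the attacker's authoritative server.

```python
import ipaddress
import math

ZONE = "tunnel.example"


def chunk_name(session: str, index: int) -> str:
    """Query name for one chunk: <index>.<session>.<zone>."""
    return f"{index}.{session}.{ZONE}"


def encode_transfer(data: bytes, session: str) -> dict[str, str]:
    """Server side: map every query name to the dotted quad its A record returns.
    Record 0 carries the payload length; records 1..n carry 4 bytes each."""
    if len(data) > 0xFFFFFFFF:
        raise ValueError("length record is 32 bits")
    records = {chunk_name(session, 0): str(ipaddress.IPv4Address(len(data)))}
    for i in range(0, len(data), 4):
        quad = data[i:i + 4].ljust(4, b"\x00")          # pad the last chunk
        records[chunk_name(session, i // 4 + 1)] = str(ipaddress.IPv4Address(quad))
    return records


def decode_transfer(answers: dict[str, str], session: str) -> bytes:
    """Client side: reassemble the payload from the A answers of one session."""
    try:
        length = int(ipaddress.IPv4Address(answers[chunk_name(session, 0)]))
    except KeyError:
        raise ValueError("length record missing") from None
    n_chunks = math.ceil(length / 4)
    out = bytearray()
    for idx in range(1, n_chunks + 1):
        name = chunk_name(session, idx)
        if name not in answers:
            # Lost answers are normal over DNS; the caller re-queries that name.
            raise ValueError(f"chunk {idx} of {n_chunks} missing; re-query {name}")
        out += ipaddress.IPv4Address(answers[name]).packed
    return bytes(out[:length])


def transfer_complete(answers: dict[str, str], session: str) -> bool:
    try:
        decode_transfer(answers, session)
        return True
    except ValueError:
        return False


# Constructed payload standing in for a file pulled off a host.
SAMPLE = b"id=uid(1001) gid=1001 groups=1001\n"

if __name__ == "__main__":
    answers = encode_transfer(SAMPLE, "s1")
    for name, quad in list(answers.items())[:3]:
        print(f"{name}  IN A  {quad}")            # e.g. 0.s1.tunnel.example IN A 0.0.0.34
    print(decode_transfer(answers, "s1") == SAMPLE)
```

The 4 bytes per round trip is the reason this is a last resort for hosts with no other egress; the same framing carries over to TXT or NULL records, which just change the chunk size. Defensively, the telltale is the query pattern rather than any one answer: many unique subdomains of one zone, each asked once.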
Microsoft Activation Scripts (MAS)
A Windows and Office activator using HWID / KMS38 / Online KMS activation methods, with a focus on open-source code and fewer antivirus detections.
https://github.com/massgravel/Microsoft-Activation-Scripts
#Microsoft
@Netpentesters
CVE-2022-24644
ZZ Inc. KeyMouse 3.08 (#Windows) Unauthenticated Update Remote Code Execution Vulnerability
https://github.com/gerr-re/cve-2022-24644
#cve
#Vulnerability
@Netpentesters
acltoolkit
ACL Toolkit is an ACL abuse swiss-knife.
https://github.com/zblurx/acltoolkit
#acl
@Netpentesters
PowerShell tool to check for partially encrypted files with various techniques and sandbox them for analysis.
https://github.com/shadowdevnotreal/anti_Royal
#Powershell
@NetPentesters
We tried to put together all known MITM attacks and methods of protection against these attacks. It also contains tools for carrying out MITM attacks, some interesting attack cases and some tricks associated with them.
https://github.com/Sab0tag3d/MITM-cheatsheet
#MITM
@NetPentesters
Ruler is a tool that allows you to interact with Exchange servers remotely, through either the MAPI/HTTP or RPC/HTTP protocol. The main aim is to abuse the client-side Outlook features and gain a shell remotely.
https://github.com/sensepost/ruler
#exchange
@Netpentesters
A cheat sheet that contains common enumeration and attack methods for Windows Active Directory.
https://github.com/Integration-IT/Active-Directory-Exploitation-Cheat-Sheet
#ad #cheatsheet
@NetPentesters
PowerShell-Deobfuscation-Exercise
An exercise to practice deobfuscating PowerShell Scripts.
https://github.com/trevormiller6/PowerShell-Deobfuscation-Exercise
#PowerShell #Deobfuscation
@NetPentesters
Somnium
Script to test network prevention and detection capabilities.
https://github.com/asluppiter/Somnium
About Cloud Scout
Cloud Scout is a plugin which works on top of BloodHound, leveraging its visualization capabilities in order to visualize cross platform attack paths.
https://github.com/SygniaLabs/security-cloud-scout
#BloodHound
@NetPentesters
Quick Network Scanner Library
Rust library for scanning network hosts asynchronously.
https://github.com/0xor0ne/qscan
ADReplStatus
Active Directory Replication Status Tool, aka ADREPLSTATUS.
https://github.com/ryanries/ADReplStatus
#AD
@NetPentesters
Popeye
A Kubernetes Cluster Sanitizer
Popeye is a utility that scans live Kubernetes cluster and reports potential issues with deployed resources and configurations. It sanitizes your cluster based on what's deployed and not what's sitting on disk. By scanning your cluster, it detects misconfigurations and helps you to ensure that best practices are in place, thus preventing future headaches.
https://github.com/derailed/popeye
#Kubernetes
@NetPentesters