👹 [ snovvcrash, sn🥶vvcr💥sh ]
Being on a vacation I couldn’t resist from playing with a slightly modified example of internal credential phishing by @zux0x3a (which is not as complex as the CredentialPhisher from @foxit). Below is a quick demo of invoking a credential dialog with CME, DInjector and donut 🍩
🔗 https://github.com/0xsp-SRD/0xsp.com/tree/main/creds_hunt
🐥 [ tweet ]
Being on a vacation I couldn’t resist from playing with a slightly modified example of internal credential phishing by @zux0x3a (which is not as complex as the CredentialPhisher from @foxit). Below is a quick demo of invoking a credential dialog with CME, DInjector and donut 🍩
🔗 https://github.com/0xsp-SRD/0xsp.com/tree/main/creds_hunt
🐥 [ tweet ]
😈 [ 0xdf_, 0xdf ]
Streamio retires from @hackthebox_eu. A Windows box with MSSQL injection in a PHP site, local and remote file includes, and LAPS.
https://t.co/dE4dFy3n9F
🔗 https://0xdf.gitlab.io/2022/09/17/htb-streamio.html
🐥 [ tweet ]
Streamio retires from @hackthebox_eu. A Windows box with MSSQL injection in a PHP site, local and remote file includes, and LAPS.
https://t.co/dE4dFy3n9F
🔗 https://0xdf.gitlab.io/2022/09/17/htb-streamio.html
🐥 [ tweet ]
😈 [ ippsec, ippsec ]
#HackTheBox StreamIO video is live, this box has an excellent primer on manually enumerating MSSQL Databases after a successful inject. There’s a lot more to the box than that like active director and LAPS.
https://t.co/of1Puv1EBR
🔗 https://youtu.be/qKcUKlwoGw8
🐥 [ tweet ]
#HackTheBox StreamIO video is live, this box has an excellent primer on manually enumerating MSSQL Databases after a successful inject. There’s a lot more to the box than that like active director and LAPS.
https://t.co/of1Puv1EBR
🔗 https://youtu.be/qKcUKlwoGw8
🐥 [ tweet ]
🤯1
😈 [ theluemmel, S4U2LuemmelSec ]
Not sure if ADCS ESC 3 is abusable, because Certify and Certipy only give info on the 1st prerequisit "Certificate Request Agent"?
Use ldapfilter
(&(objectclass=pkicertificatetemplate)(msPKI-RA-Application-Policies=1.3.6.1.4.1.311.20.2.1)(pkiextendedkeyusage=1.3.6.1.5.5.7.3.2))'
🐥 [ tweet ]
Not sure if ADCS ESC 3 is abusable, because Certify and Certipy only give info on the 1st prerequisit "Certificate Request Agent"?
Use ldapfilter
(&(objectclass=pkicertificatetemplate)(msPKI-RA-Application-Policies=1.3.6.1.4.1.311.20.2.1)(pkiextendedkeyusage=1.3.6.1.5.5.7.3.2))'
🐥 [ tweet ]
😈 [ doc_guard, DOCGuard - Detect Maldocs in Seconds! ]
Strange PPT maldoc with low detection rates since 2022-02-02.
MD5: c0060c0741833af67121390922c44f91
PPT file>wnoscript.exe>powershell.exe>rundll32.exe
[+]Exec wnoscript when user moves mouse
[+]Wnoscript exec powershell
[+]PS download the XORed DLL.
[+]Exec it using rundll32.exe
🐥 [ tweet ]
Strange PPT maldoc with low detection rates since 2022-02-02.
MD5: c0060c0741833af67121390922c44f91
PPT file>wnoscript.exe>powershell.exe>rundll32.exe
[+]Exec wnoscript when user moves mouse
[+]Wnoscript exec powershell
[+]PS download the XORed DLL.
[+]Exec it using rundll32.exe
🐥 [ tweet ]
🔥3
😈 [ lkarlslund, Lars Karlslund ]
Stuck on a network with no credentials? No worry, you can anonymously bruteforce Active Directory controllers for usernames over LDAP Pings (cLDAP) using my new tool - with parallelization I get 10K usernames/sec
https://t.co/ETeKR4OVFP
🔗 https://github.com/lkarlslund/ldapnomnom
🐥 [ tweet ]
Stuck on a network with no credentials? No worry, you can anonymously bruteforce Active Directory controllers for usernames over LDAP Pings (cLDAP) using my new tool - with parallelization I get 10K usernames/sec
https://t.co/ETeKR4OVFP
🔗 https://github.com/lkarlslund/ldapnomnom
🐥 [ tweet ]
🔥1
😈 [ splinter_code, Antonio Cocomazzi ]
After more than 2 years, RunasCs got a big update! 🥳
Biggest changes:
- NetworkCleartext (8) default logon type
- UAC bypass (when admin pass is known)
Enjoy :D
https://t.co/WgAH4qpbZ6
🔗 https://github.com/antonioCoco/RunasCs/releases/tag/v1.4
🐥 [ tweet ]
After more than 2 years, RunasCs got a big update! 🥳
Biggest changes:
- NetworkCleartext (8) default logon type
- UAC bypass (when admin pass is known)
Enjoy :D
https://t.co/WgAH4qpbZ6
🔗 https://github.com/antonioCoco/RunasCs/releases/tag/v1.4
🐥 [ tweet ]
😈 [ mrd0x, mr.d0x ]
Stealing Access Tokens From Office Desktop Applications
https://t.co/12bMrugfe9
🔗 https://mrd0x.com/stealing-tokens-from-office-applications/
🐥 [ tweet ]
Stealing Access Tokens From Office Desktop Applications
https://t.co/12bMrugfe9
🔗 https://mrd0x.com/stealing-tokens-from-office-applications/
🐥 [ tweet ]
😈 [ cube0x0, Cube0x0 ]
A new blog post about relaying YubiKeys is up and tools have been uploaded to GitHub!
This would not have been possible without the previous work of @_EthicalChaos_ so big thanks to him
https://t.co/zfEV7RUAV5
🔗 https://cube0x0.github.io/Relaying-YubiKeys/
🐥 [ tweet ]
A new blog post about relaying YubiKeys is up and tools have been uploaded to GitHub!
This would not have been possible without the previous work of @_EthicalChaos_ so big thanks to him
https://t.co/zfEV7RUAV5
🔗 https://cube0x0.github.io/Relaying-YubiKeys/
🐥 [ tweet ]
😈 [ an0n_r0, an0n ]
Here is why NetNTLMv1 should be disabled in prod networks ASAP. Besides cracking the hash back to NTLM (and then forging Silver Tickets) is straightforward, there is also a lesser known but immediate relay attack path by removing the MIC and doing RBCD abuse. Demo in screenshots.
🐥 [ tweet ]
Here is why NetNTLMv1 should be disabled in prod networks ASAP. Besides cracking the hash back to NTLM (and then forging Silver Tickets) is straightforward, there is also a lesser known but immediate relay attack path by removing the MIC and doing RBCD abuse. Demo in screenshots.
🐥 [ tweet ]
😈 [ aniqfakhrul, Aniq Fakhrul ]
Thanks for the detailed poc! You can also do this without password by relaying ms-efsrpc to target computer, store the socks session and use it with printerbug
🐥 [ tweet ][ quote ]
Thanks for the detailed poc! You can also do this without password by relaying ms-efsrpc to target computer, store the socks session and use it with printerbug
🐥 [ tweet ][ quote ]
😈 [ alukatsky, Alexey Lukatsky ]
Последние нашумевшие взломы (Uber, Okta, Microsoft, LastPass, Cisco и т.п.) объединяет одно - обход MFA. Не пора ли выбросить ее на свалку или все-таки у этой защитной меры есть шанс на достойное существование и надо просто правильно ее использовать? https://t.co/IRNwbbj2lU
🔗 https://lukatsky.ru/technology/vzlom-uber-cisco-i-okta-ili-ne-pora-li-vykinut-mfa-na-pomoyku.html
🐥 [ tweet ]
Последние нашумевшие взломы (Uber, Okta, Microsoft, LastPass, Cisco и т.п.) объединяет одно - обход MFA. Не пора ли выбросить ее на свалку или все-таки у этой защитной меры есть шанс на достойное существование и надо просто правильно ее использовать? https://t.co/IRNwbbj2lU
🔗 https://lukatsky.ru/technology/vzlom-uber-cisco-i-okta-ili-ne-pora-li-vykinut-mfa-na-pomoyku.html
🐥 [ tweet ]
😈 [ gentilkiwi, 🥝🏳️🌈 Benjamin Delpy ]
Want to play with Djoin file ? Citrix SSO passwords?
A new #mimikatz 🥝release here for you!
> https://t.co/kG0WlIHOlQ
(no digital signature, OpenSource certificates are expensive😒)
🔗 https://github.com/gentilkiwi/mimikatz
🐥 [ tweet ]
Want to play with Djoin file ? Citrix SSO passwords?
A new #mimikatz 🥝release here for you!
> https://t.co/kG0WlIHOlQ
(no digital signature, OpenSource certificates are expensive😒)
🔗 https://github.com/gentilkiwi/mimikatz
🐥 [ tweet ]