😈 [ NotMedic, Tim McGuffin ]
I don't know what to do with this knowledge, but today I learned that curl has a handler for LDAP URIs.
curl --user $CREDS "ldaps://ldap.foo.com/DC=ads,DC=foo,DC=com?memberOf?sub?(&(sAMAccountName=$USER)(memberOf=CN=$GROUP,OU=Distribution,OU=Groups,DC=ads,DC=foo,DC=com))"
🐥 [ tweet ]
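An added example, not part of the tweet above: the URL curl is given here follows RFC 4516 (`ldaps://host/baseDN?attributes?scope?filter`), and the tweet pastes `$USER` and `$GROUP` straight into the filter. If those values ever come from untrusted input, `*`, `(`, `)` and `\` change what the filter matches (LDAP filter injection), so the functions below escape them per RFC 4515 (`\2a \28 \29 \5c`) before assembling the URL. The host and DNs are the tweet's placeholders; `$CREDS` is assumed to hold `user:password` as in the tweet. Check `curl --version` lists `ldap`/`ldaps` under Protocols first, since not every curl build has LDAP support.

```shell
# Added example (not the tweet author's code). Builds an RFC 4516 LDAP URL for
# curl with RFC 4515 escaping of the values interpolated into the filter.

# Escape one filter value per RFC 4515. Backslash goes first so the escapes
# it produces are not re-escaped by the later substitutions.
ldap_filter_escape() {
  printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# Assemble ldaps://HOST/BASE?ATTRS?SCOPE?FILTER with escaped values.
# Usage: build_ldap_url HOST BASE_DN ATTRS SCOPE SAMACCOUNTNAME GROUP_DN
build_ldap_url() (
  host=$1 base=$2 attrs=$3 scope=$4
  user=$(ldap_filter_escape "$5")
  group=$(ldap_filter_escape "$6")
  printf 'ldaps://%s/%s?%s?%s?(&(sAMAccountName=%s)(memberOf=%s))\n' \
    "$host" "$base" "$attrs" "$scope" "$user" "$group"
)

# The membership check from the tweet, with the user and group escaped.
# Usage: ldap_member_check SAMACCOUNTNAME GROUP_CN
# An empty result means the user is not a direct member of that group.
# --user puts the credentials in the process list; --netrc avoids that.
ldap_member_check() {
  curl --silent --show-error --user "$CREDS" \
    "$(build_ldap_url ldap.foo.com 'DC=ads,DC=foo,DC=com' memberOf sub "$1" \
       "CN=$2,OU=Distribution,OU=Groups,DC=ads,DC=foo,DC=com")"
}

# Example of what escaping prevents: a "user" of '*)(objectClass=*' would
# otherwise turn the filter into a match-everything query; escaped it is
# the literal string \2a\29\28objectClass=\2a and matches nothing.
```

The scope field accepts `base`, `one` or `sub`; leaving the attribute list empty returns every attribute the bind account may read, which is usually far more than a membership check needs.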
😈 [ PortSwiggerRes, PortSwigger Research ]
Arbitrary cache poisoning on all Akamai websites via 'Connection: Content-Length' - $50k in bounties well-earned by @jacopotediosi
https://t.co/UmlKIGsgWR
https://t.co/OFHGMVA2gP
🔗 https://medium.com/@jacopotediosi/worldwide-server-side-cache-poisoning-on-all-akamai-edge-nodes-50k-bounty-earned-f97d80f3922b
🔗 https://blog.hacktivesecurity.com/index.php/2022/09/17/http/
🐥 [ tweet ]
😈 [ C5pider, 5pider ]
Have fun guys.
https://t.co/hjq5qTYgMc
https://t.co/Z2mAJIiAGQ
https://t.co/WehmmCVCsC
🔗 https://www.virustotal.com/gui/file/ec6896542e726997e4e01d11f4fce88cb97ec59243f291966fb3ce48308041d8
🔗 https://www.virustotal.com/gui/file/56d507046eaf1fcfbdaa5491679c4f7244c9ad5cc9da4a03332c6ccb2f69ee2d
🔗 https://www.virustotal.com/gui/file-analysis/ZGFhZGU5ZWIzNjcxNzA4ODhkNzdmZDljNjViODY4MzU6MTY2NDU0NTE2Mw==
🐥 [ tweet ]
Um, so where are the sources?? 🤔
😈 [ C5pider, 5pider ]
The Havoc Framework
https://t.co/eBpOaicsI6
🔗 https://github.com/HavocFramework/Havoc
🐥 [ tweet ]
OK, the sources have finally arrived 🔥
😈 [ codex_tf2, CodeX ]
PyHmmm - third party agent PoC for Havoc C2 - repo + blogpost
https://t.co/kolzUJHL0n
https://t.co/pzPAK77ftn
🔗 https://codex-7.gitbook.io/codexs-terminal-window/red-team/red-team-dev/extending-havoc-c2/third-party-agents
🔗 https://github.com/CodeXTF2/PyHmmm
🐥 [ tweet ]
😈 [ MrUn1k0d3r, Mr.Un1k0d3r ]
You want to use signed PowerShell scripts?
Have a look at all the signed PowerShell scripts located in C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\
Some of these can execute code and do all kinds of interesting stuff.
https://t.co/7uBzACJ4JP
#redteam
🔗 https://github.com/Mr-Un1k0d3r/ATP-PowerShell-Scripts
🐥 [ tweet ]
😈 [ theluemmel, ADCluemmelSec ]
UPDATES to ADCS blog.
@ly4k_ gave so much input I had to implement.
@n00py1 gave a really good hint for ESC5 with his question.
So here goes:
ESC2 - Update how it works
ESC4 - Automation via Certipy
ESC5 - Full attack path
Bonus - Bloodhound Integration
https://t.co/iWvY9gTIAM
🔗 https://luemmelsec.github.io/Skidaddle-Skideldi-I-just-pwnd-your-PKI/
🐥 [ tweet ]
On what to do when all you hold is a machine account's NT hash and you want to become local admin on that box 👇🏻
https://threadreaderapp.com/thread/1576176699300990976.html
Thread by @snovvcrash on Thread Reader App
@snovvcrash: [#HackTip ⚒️] (1/3) There’re a couple of ways to become a local admin on a box when you possess only the corresponding machine account NT hash. The first one being the well known Silver ticket...…
😈 [ 0xdf_, 0xdf ]
Scrambled from @hackthebox_eu disabled NTLM auth, breaking how I typically interact with a Windows host. .NET RE, Silver Tickets, Kerberoasting. I'll show attacking from both Windows and Linux. And JuicyPotatoNG in Beyond Root.
https://t.co/ER0RUaEApA
🔗 https://0xdf.gitlab.io/2022/10/01/htb-scrambled.html
🐥 [ tweet ]
😈 [ itm4n, Clément Labro ]
Some news about PrivescCheck! 📰
If you are a Metasploit user, please note that I finally solved a (stupid) issue that prevented the script from working properly with "powershell_execute". 🥳
More info on GitHub.
👉 https://t.co/OZfgHlAq8S
👉 https://t.co/UvD5hRwBey
🔗 https://github.com/itm4n/PrivescCheck#metasploit-timeout
🔗 https://github.com/itm4n/PrivescCheck/issues/27
🐥 [ tweet ]
😈 [ mrd0x, mr.d0x ]
Chromium's application mode can be used to easily build realistic phishing desktop applications. Enjoy.
https://t.co/rUolWjd5Ch
🔗 https://mrd0x.com/phishing-with-chromium-application-mode/
🐥 [ tweet ]
😈 [ _dirkjan, Dirk-jan ]
Fox-IT just open sourced their enterprise forensics tooling dissect. This is a big project that some of the smartest people I know have worked on. It supports many filesystems and file formats, all as Python libraries. Docs: https://t.co/M6YAygmW3E / code: https://t.co/HKT4eYIm1a
🔗 https://docs.dissect.tools
🔗 http://github.com/fox-it/dissect
🐥 [ tweet ]
😈 [ tiraniddo, James Forshaw ]
Here's a fork of Rubeus with the 'askrc4' command. https://t.co/g5IHpyaFfR it's not remotely suitable for a PR as I'm just using Rubeus as a surrogate Kerberos client. Knock yourselves out.
🔗 https://github.com/tyranid/Rubeus/commit/3092e1f11164bf379708b815a05061783653e834
🐥 [ tweet ][ quote ]
😈 [ Alh4zr3d, Alh4zr3d ]
Red Teamers, a few Linux tips today:
Disable history (do first) -
"export HISTFILE=/dev/null"
Hide a command by masking it as syslogd -
"(exec -a syslogd nmap -T0 10.0.2.1/24)"
Start a background hidden process as syslogd -
"exec -a syslogd nmap -T0 10.0.2.1/24 &>nmap.log &"
🐥 [ tweet ]
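An added example, not from the tweet above, showing what the `exec -a` trick does and does not hide. `exec -a syslogd nmap ...` only rewrites argv[0], which is what `ps` prints in its args column. The kernel sets `/proc/PID/comm` from the name of the file actually executed (truncated to 15 characters), and `/proc/PID/exe` still points at the real binary, so a defender can flag every process whose comm disagrees with the basename of its argv[0]. A Linux `/proc` is assumed; the function names are mine.

```shell
# Added example (not the tweet author's code): detect argv[0] masking by
# comparing /proc/PID/comm with the basename of argv[0] from /proc/PID/cmdline.

# is_argv0_masked COMM ARGV0: succeed when the two names disagree.
# comm holds at most 15 characters (TASK_COMM_LEN - 1), so argv[0] is cut
# to the same length before comparing.
is_argv0_masked() (
  comm=$1
  base=${2##*/}
  base=$(printf '%s' "$base" | cut -c1-15)
  [ "$base" != "$comm" ]
)

# Walk /proc and print pid, comm, argv[0] and the real executable for every
# mismatch. Kernel threads (empty cmdline) are skipped. Interpreter scripts
# are a known false positive: comm is the script's basename while argv[0] is
# the interpreter, so confirm with the exe link before acting on a hit.
scan_masked_processes() {
  for d in /proc/[0-9]*; do
    [ -r "$d/comm" ] || continue
    comm=$(cat "$d/comm" 2>/dev/null) || continue
    argv0=$(tr '\0' '\n' < "$d/cmdline" 2>/dev/null | head -n 1)
    [ -n "$argv0" ] || continue
    if is_argv0_masked "$comm" "$argv0"; then
      exe=$(readlink "$d/exe" 2>/dev/null || echo '?')
      printf '%s comm=%s argv0=%s exe=%s\n' "${d#/proc/}" "$comm" "$argv0" "$exe"
    fi
  done
}

# To reproduce the tweet's trick with a harmless binary and then find it
# (bash, since exec -a is a bash extension):
#   (exec -a syslogd sleep 300 &)
#   scan_masked_processes
# The masked sleep shows up as comm=sleep argv0=syslogd exe=/usr/bin/sleep
# (or wherever sleep lives on the host).
```

`export HISTFILE=/dev/null` has the same character: it stops bash writing its own history file but does nothing about auditd `execve` records, shell auditing via PROMPT_COMMAND, or an EDR reading `/proc`, so treat both tips as noise reduction rather than invisibility.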
😈 [ theluemmel, ADCluemmelSec ]
Added a minor flag to the OfficeMemScraper.ps1 from @424f424f so you can dump e.g. msedge.exe with several running processes. The tool would otherwise overwrite the results on each iteration.
Based on the research from @mrd0x
https://t.co/PenD7ywK7X
https://t.co/5D3PMU5skf
🔗 https://mrd0x.com/stealing-tokens-from-office-applications/
🔗 https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/master/OfficeMemScraper.ps1
🐥 [ tweet ]
😈 [ _RastaMouse, Rasta Mouse ]
I made an experimental fork of @_EthicalChaos_'s https://t.co/DxNcYHEY9r project. Basically, just replaced the use of P/Invoke with D/Invoke and Win32 APIs with Nt APIs.
There are lots of untested code paths, so YMMV.
https://t.co/dnmgRborgD
🔗 http://MinHook.NET
🔗 https://github.com/rasta-mouse/MinHook.NET
🐥 [ tweet ]