😈 [ mpgn_x64, mpgn ]
Dumping LSASS is such a 2020 move, let me introduce a new CrackMapExec module called Masky developed by @_ZakSec 🎉
If you have admin privilege, the module will impersonate all users connected -> ask a certificate (ADCS) -> retrieve the NT hash using PKINIT 🚀
Crazy module 🪂
🐥 [ tweet ]
😈 [ BlackArrowSec, BlackArrow ]
💥One shell to HANDLE them all
New approach to escalate privileges from a web shell by abusing open token handles. #RedTeam /cc @_Kudaes_
➡ https://t.co/8KWQw4q5U5
🔗 https://www.tarlogic.com/blog/token-handles-abuse-one-shell-to-handle-them-all/
🐥 [ tweet ]
😈 [ _dirkjan, Dirk-jan ]
If you missed my Black Hat US talk about abusing External Identities in Azure AD, I will be giving the talk again as a BH webcast on Thursday November 10th!
You can register on the BH site: https://t.co/9QgT5Cd5Xk
I'll be joined by @kfosaaen sharing more Azure AD research 😀
🔗 https://www.blackhat.com/html/webcast/11102022-backdooring-and-hijacking-azure-ad-accounts.html
🐥 [ tweet ]
😈 [ _RastaMouse, Rasta Mouse ]
I finally got around to publishing release binaries for #SharpC2. They're self-contained, so no need to have a .NET runtime or SDK installed to use.
https://t.co/sGFr5XbAtf
🔗 https://github.com/rasta-mouse/SharpC2/releases/latest
🐥 [ tweet ]
Forwarded from 1N73LL1G3NC3
A PoC that combines AutodialDLL lateral movement technique and SSP to scrape NTLM hashes from LSASS process.
Description
Upload a DLL to the target machine. Then it enables remote registry to modify the AutodialDLL entry and start/restart the BITS service. Svchost would load our DLL, set AutodialDLL back to its default value and perform an RPC request to force LSASS to load the same DLL as a Security Support Provider. Once the DLL is loaded by LSASS, it would search inside the process memory to extract NTLM hashes and the key/IV.
😈 [ praetorianlabs, Praetorian ]
As CI/CD pipelines become more prevalent, their attack surface and abuse are being leveraged more and more by advanced red teams and real-world APTs
https://t.co/okEik1OrsK
🔗 http://ow.ly/erVT50LmSL7
🐥 [ tweet ]
😈 [ _RastaMouse, Rasta Mouse ]
[BLOG]
Short post on using the different methods for getting a Domain object in .NET and why you should care in your tools.
https://t.co/4l8jcx8ozN
🔗 https://rastamouse.me/getdomain-vs-getcomputerdomain-vs-getcurrentdomain/
🐥 [ tweet ]
😈 [ ShitSecure, S3cur3Th1sSh1t ]
Colleague of mine is currently on fire with blog posts and YouTube videos. 🔥Basic AV evasion stuff but also Pentest topics, and more. Worth checking out: @lsecqt
https://t.co/xMFoxckU9D
🔗 https://m.youtube.com/c/Lsecqt
🐥 [ tweet ]
😈 [ tiraniddo, James Forshaw ]
Finally got around to writing a blog about the Kerberos RC4-MD4 downgrade attack, how it works, and how you can exploit it. https://t.co/cBKoVtZKug
🔗 https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harmful.html
🐥 [ tweet ]
😈 [ ORCx41, ORCA ]
had some time, so i made this; does process injection, ppid spoofing stuff, and a few other neat things ;p
https://t.co/oMgC16MubJ
🔗 https://github.com/ORCx41/TerraLdr
🐥 [ tweet ]
😈 [ 424f424f, rvrsh3ll ]
Excellent demonstration of LPE via WebDAV to Shadow Credentials over C2 by @vendetce https://t.co/UWHAI4k51j
🔗 https://youtu.be/b0lLxLJKaRs?t=3549
🐥 [ tweet ]
😈 [ SkelSec, SkelSec ]
Managed to create the exploit for @tiraniddo 's latest Kerberos findings!
#feelsaccomplished
🐥 [ tweet ]
😈 [ sensepost, Orange Cyberdefense's SensePost Team ]
Read @defte_'s Windows authentication token manipulation deep dive to compromise Active Directory in this new blog post. Includes a new tool and a CrackMapExec module using it as a "token" of appreciation.
https://t.co/ML8FHoIi5f
🔗 https://sensepost.com/blog/2022/abusing-windows-tokens-to-compromise-active-directory-without-touching-lsass/
🐥 [ tweet ]
😈 [ mpgn_x64, mpgn ]
We worked together with @_zblurx to pull this new feature on CME! CrackMapExec can now authenticate using Kerberos with login/pass/nthash/aeskey without the need of a KRB5CCNAME ticket env 🚀
But wait there is more! by adding this feature we can now mimic kerbrute features 🔥🫡
🐥 [ tweet ]
😈 [ an0n_r0, an0n ]
here is a basic meterpreter protocol stager for PE stages using the libpeconv project by @hasherezade:
https://t.co/qsdb9XWvgj
no evasion included, using this only as a template. but already able to run it with a Sliver EXE beacon as a stage against Defender for Endpoint.
🔗 https://github.com/tothi/stager_libpeconv
🐥 [ tweet ]
🎃 [ vxunderground, vx-underground ]
From our headquarters underneath the Vatican, happy Halloween!
Today we release the first edition of our new publication Black Mass.
Special thanks to our Editor in Chief @h313n_0f_t0r for all of her hard work.
https://t.co/NbDen3RUOh
🔗 https://papers.vx-underground.org/papers/Other/VXUG%20Zines/Black%20Mass%20Halloween%202022.pdf
🐥 [ tweet ]
😈 [ SkelSec, SkelSec ]
The two exploits for
CVE-2022-33679
CVE-2022-33647
are now available for @porchetta_ind subscribers. It will be available on github for the wider public in a few weeks.
https://t.co/c30GqXjIcx
🔗 https://gitlab.porchetta.industries/Skelsec/minikerberos
🐥 [ tweet ]
😈 [ mpgn_x64, mpgn ]
Decided to check on this writeup from @0xdf_ when I read this sentence: "I wasn’t able to get crackmapexec to work either."
With the latest update on CrackMapExec let's go for a 'Scrambled vs CrackMapExec'! Getting root only using CME in 5 minutes 🚀✌️
https://t.co/hpz9JWnhzQ
🔗 https://gist.github.com/mpgn/9fc08b0f0fde55e8c322518bc1f9c317
🐥 [ tweet ][ quote ]