Offensive Xwitter – Telegram
Offensive Xwitter
~$ socat TWITTER-LISTEN:443,fork,reuseaddr TELEGRAM:1.3.3.7:31337

Disclaimer: https://news.1rj.ru/str/OffensiveTwitter/546
Forwarded from 1N73LL1G3NC3
A PoC that combines the AutodialDLL lateral movement technique and an SSP to scrape NTLM hashes from the LSASS process.

Description
Upload a DLL to the target machine. Then it enables remote registry to modify the AutodialDLL entry and start/restart the BITS service. Svchost would load our DLL, set AutodialDLL back to its default value and perform an RPC request to force LSASS to load the same DLL as a Security Support Provider. Once the DLL is loaded by LSASS, it would search inside the process memory to extract NTLM hashes and the key/IV.
😈 [ HackingLZ, Justin Elze ]

I just want to bump this excellent slide from @_wald0

🐥 [ tweet ]
😈 [ praetorianlabs, Praetorian ]

As CI/CD pipelines become more prevalent, their attack surface and abuse are being leveraged more and more by advanced red teams and real-world APTs

https://t.co/okEik1OrsK

🔗 http://ow.ly/erVT50LmSL7

🐥 [ tweet ]
😈 [ _RastaMouse, Rasta Mouse ]

[BLOG]
Short post on using the different methods for getting a Domain object in .NET and why you should care in your tools.

https://t.co/4l8jcx8ozN

🔗 https://rastamouse.me/getdomain-vs-getcomputerdomain-vs-getcurrentdomain/

🐥 [ tweet ]
😈 [ ShitSecure, S3cur3Th1sSh1t ]

Colleague of mine is currently on fire with blog posts and YouTube videos. 🔥 Basic AV evasion stuff but also pentest topics, and more. Worth checking out: @lsecqt

https://t.co/xMFoxckU9D

🔗 https://m.youtube.com/c/Lsecqt

🐥 [ tweet ]
😈 [ tiraniddo, James Forshaw ]

Finally got around to writing a blog about the Kerberos RC4-MD4 downgrade attack, how it works, and how you can exploit it. https://t.co/cBKoVtZKug

🔗 https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harmful.html

🐥 [ tweet ]
😈 [ ORCx41, ORCA ]

had some time, so i made this; does process injection, ppid spoofing stuff, and a few other neat things ;p
https://t.co/oMgC16MubJ

🔗 https://github.com/ORCx41/TerraLdr

🐥 [ tweet ]
😈 [ 424f424f, rvrsh3ll ]

Excellent demonstration of LPE via WebDAV to Shadow Credentials over C2 by @vendetce https://t.co/UWHAI4k51j

🔗 https://youtu.be/b0lLxLJKaRs?t=3549

🐥 [ tweet ]
😈 [ SkelSec, SkelSec ]

Managed to create the exploit for @tiraniddo 's latest Kerberos findings!
#feelsaccomplished

🐥 [ tweet ]
😈 [ sensepost, Orange Cyberdefense's SensePost Team ]

Read @defte_'s Windows authentication token manipulation deep dive to compromise Active Directory in this new blog post. Includes a new tool and a CrackMapExec module using it as a "token" of appreciation.

https://t.co/ML8FHoIi5f

🔗 https://sensepost.com/blog/2022/abusing-windows-tokens-to-compromise-active-directory-without-touching-lsass/

🐥 [ tweet ]
😈 [ mpgn_x64, mpgn ]

We worked together with @_zblurx to pull this new feature on CME! CrackMapExec can now authenticate using Kerberos with login/pass/nthash/aeskey without the need for a KRB5CCNAME ticket env 🚀

But wait there is more! by adding this feature we can now mimic kerbrute features 🔥🫡

🐥 [ tweet ]
😈 [ an0n_r0, an0n ]

here is a basic meterpreter protocol stager for PE stages using the libpeconv project by @hasherezade:

https://t.co/qsdb9XWvgj

no evasion included, using this only as a template. but already able to run it with a Sliver EXE beacon as a stage against Defender for Endpoint.

🔗 https://github.com/tothi/stager_libpeconv

🐥 [ tweet ]
😈 [ SkelSec, SkelSec ]

Since there seems to be a lot of interest, I implemented the exploit for the other CVE which uses a kerberos proxy for downgrade+session key recovery.

🐥 [ tweet ]

It's about to kick off, a couple more tweets and then the sources
🎃 [ vxunderground, vx-underground ]

From our headquarters underneath the Vatican, happy Halloween!

Today we release the first edition of our new publication Black Mass.

Special thanks to our Editor in Chief @h313n_0f_t0r for all of her hard work.

https://t.co/NbDen3RUOh

🔗 https://papers.vx-underground.org/papers/Other/VXUG%20Zines/Black%20Mass%20Halloween%202022.pdf

🐥 [ tweet ]
😈 [ SkelSec, SkelSec ]

The two exploits for
CVE-2022-33679
CVE-2022-33647
are now available for @porchetta_ind subscribers. It will be available on github for the wider public in a few weeks.

https://t.co/c30GqXjIcx

🔗 https://gitlab.porchetta.industries/Skelsec/minikerberos

🐥 [ tweet ]
😈 [ mpgn_x64, mpgn ]

Decided to check on this writeup from @0xdf_ when I read this sentence: "I wasn’t able to get crackmapexec to work either."

With the latest update on CrackMapExec let's go for a 'Scrambled vs Crackmapexec' ! Getting root only using CME in 5 minutes 🚀✌️

https://t.co/hpz9JWnhzQ

🔗 https://gist.github.com/mpgn/9fc08b0f0fde55e8c322518bc1f9c317

🐥 [ tweet ][ quote ]
Forwarded from APT
🔑 Abuse Kerberos RC4 (CVE-2022-33679)

This blog post goes into detail on how the Windows Kerberos Elevation of Privilege vulnerability works and how to force Kerberos to downgrade the encoding from the default AES encryption to the historical MD4-RC4. The vulnerability could allow an attacker to obtain an authenticated session on behalf of the victim and also lead to arbitrary code execution.

Research:
https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harmful.html

Exploit:
https://github.com/Bdenneu/CVE-2022-33679

#ad #kerberos #rc4 #exploit
😈 [ SEKTOR7net, SEKTOR7 Institute ]

How to avoid memory scanners?
@kyleavery_ brings the answer.

https://t.co/0azWrDcG2N

🔗 https://www.youtube.com/watch?v=edIMUcxCueA

🐥 [ tweet ]
😈 [ icyguider, icyguider ]

After years of using the default examples, I've finally started writing my own custom scripts using Impacket. Wanted to share a few examples that helped me during the learning process. Hope you enjoy! https://t.co/Ya5PAhHAZC

🔗 https://github.com/icyguider/MoreImpacketExamples

🐥 [ tweet ]