😈 [ MDSecLabs, MDSec ]
We've just published a quick write up on CVE-2023-23397, which allows a remote adversary to leak NetNTLMv2 hashes: https://t.co/xDxGwJfY2e by @domchell
🔗 https://www.mdsec.co.uk/2023/03/exploiting-cve-2023-23397-microsoft-outlook-elevation-of-privilege-vulnerability/
🐥 [ tweet ]
Thread by @domchell on Thread Reader App
@domchell: As auth coercion is blowing up due to #cve-2023-23397, I've put together a quick thread about how we at @MDSecLabs have been leveraging these techniques in our red team engagements for quite some time. It…
👹 [ snovvcrash, sn🥶vvcr💥sh ]
Have been playing around with Domain Fronting via Fastly and discovered that you actually do not need to confirm the domain name ownership (by adding a CNAME) for the traffic to flow towards your IP. A bug or feature? 🤔
🐥 [ tweet ]
Was playing around with domain fronting with @Acrono here and we found this interesting feature
😈 [ 0xBoku, Bobby Cooke ] We've just released the first post in the Cobalt Strike reflective loader blog series! 🥷This one took allot of effort and I am excited to share it with you! The better it does, the better i'll make the next ones 😉 https://t.co/ZA2eoIwy5t…
😈 [ gregdarwin, Greg Darwin ]
New Cobalt Strike blog post - this one is the first in a series on UDRL development and accompanies a new addition to the Arsenal Kit: The UDRL-VS. We're aiming to lower the barrier to entry for developing UDRLs with this series.
https://t.co/4EfCfuLT9G
🔗 https://www.cobaltstrike.com/blog/revisiting-the-udrl-part-1-simplifying-development/
🐥 [ tweet ]
Continuing to learn how to write UDRLs for Cobalt
😈 [ TrustedSec, TrustedSec ] In our newest #blog post, TAC Practice Lead @4ndr3w6S and co-author @exploitph lead us through the examination of #Kerberos ticket times and #checksums to demonstrate their importance and how they can better serve both offensive…
Haven't checked it myself, but it looks legit ⤵️
🔗 https://github.com/sqrtZeroKnowledge/CVE-2023-23397_EXPLOIT_0DAY
UPD. And one more PoC in PowerShell ⤵️
🔗 https://github.com/api0cradle/CVE-2023-23397-POC-Powershell
~$ git clone https://github.com/worawit/MS17-010.git && cd MS17-010
~$ git checkout -b smb_get_file 83b3745
~$ wget https://gist.github.com/snovvcrash/e910523a366844448e3a2b40685969e7/raw/e00b7b04aa5c96b0e5f21eae305448cf3c2fd4fa/zzz_smb_get_file.patch
~$ git apply zzz_smb_get_file.patch
Forwarded from Great
Hi, could you upload zzz_exploit to a gist?
https://twitter.com/snovvcrash/status/1636406137510666242
😈 [ nodauf, nodauf ]
New PPL Bypass with the poc by @itm4n :
https://t.co/6uHwTaE59y
https://t.co/NQOO2BsxPP
🔗 https://blog.scrt.ch/2023/03/17/bypassing-ppl-in-userland-again/
🔗 https://github.com/itm4n/PPLmedic
🐥 [ tweet ]
😈 [ ZeroMemoryEx, V2 ]
a kernel mode driver that can replace a process token with the system token for elevating Process privileges, check it out.
https://t.co/XFbHcTc1JX
🔗 https://github.com/ZeroMemoryEx/Tokenizer
🐥 [ tweet ]
APT
🔥 NimPlant C2 This is a new light-weight, first-stage C2 implant written in Nim, with a supporting Python server and Next.JS web GUI. https://github.com/chvancooten/NimPlant #c2 #nim #python #redteam
😈 [ AnubisOnSec, anubis ]
Ayy, we did the thing. Here's a small blog on how we worked with @chvancooten to help provide some detections before the release of NimPlant 💪
https://t.co/0ToKqp58bj
🔗 https://developer.nvidia.com/blog/detecting-malware-with-purple-team-collaboration/
🐥 [ tweet ]
⚠️ So, word is, servers are going down from DCSync via secretsdump (2012R2, 2016, 2019). When you have the option, don't blindly replicate the whole NTDS, LSASS can't take it.
https://github.com/fortra/impacket/issues/1436#issuecomment-1476996085
Has secretsdump ever crashed a domain controller? · Issue #1436 · fortra/impacket
😈 [ passthehashbrwn, Josh ]
Here's a short blog on using Frida to write and bypass detections for your TTPs. We can use good ol' userland hooking + JavaScript bindings to avoid writing complex kernel code, which lets us quickly develop test cases and improve our techniques.
https://t.co/IxixfRmG67
🔗 https://passthehashbrowns.github.io/using-frida-for-rapid-detection-testing
🐥 [ tweet ]
😈 [ _EthicalChaos_, CCob🏴 ]
@mpgn_x64 @twosevenzero I've just had a look at the WinDbg crash log. LSASS is crashing with 0xC0000005 access violation with an invalid read. Doesn't really matter how impacket has implemented MS-DRSR, this is a CVE. At minimum a DoS but potentially RCE under the right conditions.
🐥 [ tweet ]
hehe
😈 [ _0pr_, ChaofanXU ]
Reading @0xTriboulet's blog https://t.co/FTGXcJD4e3 is like an addiction. Teaches you how to become a good "shellcode smuggler". And, Sektor7 is a must go too.
🔗 https://steve-s.gitbook.io/0xtriboulet/
🐥 [ tweet ]
😈 [ an0n_r0, an0n ]
Played with Outlook CVE-2023-23397. Made a simple PoC email builder & sender featuring malicious reminder (just a Msg, no need to use a Task or Cal. Ev.).
Critical 0-click account takeover on internal networks even after MS patch, no need to open the message on the victim side.
🐥 [ tweet ]
😈 [ mpgn_x64, mpgn ]
I've just tested a new feature developed by @MJHallenbeck and I must say that even myself I was not ready for this ... 🫣
You will soon be able to chain multiple modules on CrackMapExec and gain so much time 🔥💪
Coming in a few days for sponsors on @porchetta_ind 🪂
🐥 [ tweet ]