Иногда бывают ситуации, когда нет возможности изменить время на рабочей машине с *NIX-ами (например, отключить синхронизацию часов ВМ с хостом в VBox можно только предварительно потушив виртуалку), а помучить Керберос нада здесь и сейчас.
Для таких случаев сподручно пользоваться faketime (ставится через
Для таких случаев сподручно пользоваться faketime (ставится через
apt) – утилитой для изменения времени ОС в контексте одной команды. Сие работает перехватом системных вызовов и подменой истинного значения времени на то, что нужно пользователю для того или иного действия:~$ ntpdate -q $DC
~$ ntpdate -q $DC | awk -F. '{print $1}'
~$ faketime "`ntpdate -q $DC | awk -F. '{print $1}'`" /bin/date
🔥10🤔1
😈 [ DragoQcc, DragoQCC ]
https://t.co/Ebn0PQMyru Today, I am releasing HardHat C2 on GitHub. HardHat is a multiplayer, cross-platform C2 developed in C# for adversary emulation and red teaming. I would like to give some thanks to my coworkers @SpecterOps and to @_RastaMouse for all their help.
🔗 https://github.com/DragoQCC/HardHatC2
🐥 [ tweet ]
https://t.co/Ebn0PQMyru Today, I am releasing HardHat C2 on GitHub. HardHat is a multiplayer, cross-platform C2 developed in C# for adversary emulation and red teaming. I would like to give some thanks to my coworkers @SpecterOps and to @_RastaMouse for all their help.
🔗 https://github.com/DragoQCC/HardHatC2
🐥 [ tweet ]
😈 [ icyguider, icyguider ]
Have you ever wanted to transfer files over DNS A records? No? Well too bad lol, I've updated @domchell's PowerDNS to do that along with some other things. Could be useful for pentests with no standard outbound access... which yes I get quite a bit of. 😭 https://t.co/r8a31fuadM
🔗 https://github.com/icyguider/NewPowerDNS
🐥 [ tweet ]
Have you ever wanted to transfer files over DNS A records? No? Well too bad lol, I've updated @domchell's PowerDNS to do that along with some other things. Could be useful for pentests with no standard outbound access... which yes I get quite a bit of. 😭 https://t.co/r8a31fuadM
🔗 https://github.com/icyguider/NewPowerDNS
🐥 [ tweet ]
😈 [ sensepost, Orange Cyberdefense's SensePost Team ]
The RID500 Admin account doesn't benefit from Protected User Group restrictions. This is a MS WONTFIX & means you can authenticate as Admin using RC4 KRB or perform any KRB delegation attack if you impersonate the RID500 Admin. The latest find by @Defte_
https://t.co/27D3QWnQBD
🔗 https://sensepost.com/blog/2023/protected-users-you-thought-you-were-safe-uh/
🐥 [ tweet ]
The RID500 Admin account doesn't benefit from Protected User Group restrictions. This is a MS WONTFIX & means you can authenticate as Admin using RC4 KRB or perform any KRB delegation attack if you impersonate the RID500 Admin. The latest find by @Defte_
https://t.co/27D3QWnQBD
🔗 https://sensepost.com/blog/2023/protected-users-you-thought-you-were-safe-uh/
🐥 [ tweet ]
😈 [ 0xcc00, Bilal ]
Happy to share my new tool "yetAnotherObfuscator".
A C# obfuscator tool that can bypass Windows Defender antivirus. I made this tool mainly as an excuse to learn more about C# and how obfuscators work.
https://t.co/ZjyyDOyWra
This is an alpha release, so expect some nice bugs.
🔗 https://github.com/0xb11a1/yetAnotherObfuscator
🐥 [ tweet ]
Happy to share my new tool "yetAnotherObfuscator".
A C# obfuscator tool that can bypass Windows Defender antivirus. I made this tool mainly as an excuse to learn more about C# and how obfuscators work.
https://t.co/ZjyyDOyWra
This is an alpha release, so expect some nice bugs.
🔗 https://github.com/0xb11a1/yetAnotherObfuscator
🐥 [ tweet ]
Forwarded from Path Secure (CuriV)
Подъехали записи выступлений с BlackHat22!
Куча разных докладов про внешку, внутрянку, реверс, криптографию.
Из интересного в плейлисте:
- Уязвимости в Matrix;
- Атаки на AFDS
- Атаки на электрокары;
- Атаки на керберос RC4;
- Обход EDR;
- Атаки на смартконтракты;
- Обход WAF:
- Атаки на канальном уровне.
Куча разных докладов про внешку, внутрянку, реверс, криптографию.
Из интересного в плейлисте:
- Уязвимости в Matrix;
- Атаки на AFDS
- Атаки на электрокары;
- Атаки на керберос RC4;
- Обход EDR;
- Атаки на смартконтракты;
- Обход WAF:
- Атаки на канальном уровне.
🔥5
😈 [ elkement, elkement ]
Hi Active Directory / ADCS hackers, I've published something! You can add the new SID extension manually if certificate templates allow for custom names: https://t.co/SndcHH3Kz7
🔗 https://elkement.blog/2023/03/30/lord-of-the-sid-how-to-add-the-objectsid-attribute-to-a-certificate-manually/
🐥 [ tweet ]
Hi Active Directory / ADCS hackers, I've published something! You can add the new SID extension manually if certificate templates allow for custom names: https://t.co/SndcHH3Kz7
🔗 https://elkement.blog/2023/03/30/lord-of-the-sid-how-to-add-the-objectsid-attribute-to-a-certificate-manually/
🐥 [ tweet ]
😈 [ naksyn, Diego Capriotti ]
Triggered by an idea of @Octoberfest73, just discovered that you can alter the dll search path of a process you're about to create.
Just call SetDllDirectoryA before CreateProcessA.
For your sideloading pleasurezz :)
🐥 [ tweet ]
Triggered by an idea of @Octoberfest73, just discovered that you can alter the dll search path of a process you're about to create.
Just call SetDllDirectoryA before CreateProcessA.
For your sideloading pleasurezz :)
🐥 [ tweet ]
Forwarded from APT
🕳 Ngrok: SSH Reverse Tunnel Agent
Did you know that you can run ngrok without even installing ngrok? You can start tunnels via SSH without downloading an ngrok agent by running an SSH reverse tunnel command:
https://ngrok.com/docs/secure-tunnels/tunnels/ssh-reverse-tunnel-agent/
#ngrok #ssh #reverse #tunnel
Did you know that you can run ngrok without even installing ngrok? You can start tunnels via SSH without downloading an ngrok agent by running an SSH reverse tunnel command:
ssh -i ~/.ssh/id_ed25519 -R 80:localhost:80 v2@tunnel.us.ngrok.com http
Source:https://ngrok.com/docs/secure-tunnels/tunnels/ssh-reverse-tunnel-agent/
#ngrok #ssh #reverse #tunnel
🔥3
😈 [ zimnyaatishina, zimnyaa ]
A new article about replacing memfd_create with a custom libfuse FS for in-memory ELF execution: https://t.co/AU5ZPJXHaf
The PoC code also tries to disallow others from reading the executable file.
🔗 https://tishina.in/execution/replacing-memfd-with-fuse
🐥 [ tweet ]
A new article about replacing memfd_create with a custom libfuse FS for in-memory ELF execution: https://t.co/AU5ZPJXHaf
The PoC code also tries to disallow others from reading the executable file.
🔗 https://tishina.in/execution/replacing-memfd-with-fuse
🐥 [ tweet ]
🔥1
😈 [ _RastaMouse, Rasta Mouse ]
I'm starting a blog series on using #SharpC2. The first post is demonstrates using HTTPS with a redirector.
https://t.co/TV3DrRvYqn
🔗 https://rastamouse.me/sharpc2-https-with-redirector/
🐥 [ tweet ]
I'm starting a blog series on using #SharpC2. The first post is demonstrates using HTTPS with a redirector.
https://t.co/TV3DrRvYqn
🔗 https://rastamouse.me/sharpc2-https-with-redirector/
🐥 [ tweet ]
🔥1
😈 [ M_haggis, The Haag™ ]
Introducing the Living Off The Land Drivers (LOLDrivers) project, a crucial resource that consolidates vulnerable and malicious drivers in one place to streamline research and analysis.
🔗 http://loldrivers.io
LOLDrivers enhances awareness of driver-related security risks and empowers organizations to mitigate these risks, improving their overall cybersecurity posture. By fostering collaboration and knowledge sharing within the cybersecurity community, LOLDrivers, along with sister projects like LOLBAS and GTFOBins, paves the way for a safer and more secure digital landscape.
Read our release blog to learn all about the project and how to contribute
🔗 https://haggis-m.medium.com/living-off-the-land-drivers-a5d74d45e77a
🐥 [ tweet ]
Introducing the Living Off The Land Drivers (LOLDrivers) project, a crucial resource that consolidates vulnerable and malicious drivers in one place to streamline research and analysis.
🔗 http://loldrivers.io
LOLDrivers enhances awareness of driver-related security risks and empowers organizations to mitigate these risks, improving their overall cybersecurity posture. By fostering collaboration and knowledge sharing within the cybersecurity community, LOLDrivers, along with sister projects like LOLBAS and GTFOBins, paves the way for a safer and more secure digital landscape.
Read our release blog to learn all about the project and how to contribute
🔗 https://haggis-m.medium.com/living-off-the-land-drivers-a5d74d45e77a
🐥 [ tweet ]
X (formerly Twitter)
The Haag™ (@M_haggis) on X
Threat Researcher | Co-Host of Atomics on a Friday | LOLDrivers & Atomic Red Team Maintainer | I'm Everywhere and Nowhere - BSG.
😈 [ NinjaParanoid, Chetan Nayak (Brute Ratel C4 Author) ]
Found a new windows API for executing shellcode - RtlRunOnceExecuteOnce. Haven't see anyone using this technique yet. Theres a lot more you can do apart from the generic shellcode execution as you can also pass a CONTEXT and parameter, but I will let the creativity of the users to figure it out. (something..something for Dllmain loaderlock 😉)
🔗 https://gist.github.com/paranoidninja/b929963db2e1922adee5d8bf3cac61cf
🐥 [ tweet ]
Found a new windows API for executing shellcode - RtlRunOnceExecuteOnce. Haven't see anyone using this technique yet. Theres a lot more you can do apart from the generic shellcode execution as you can also pass a CONTEXT and parameter, but I will let the creativity of the users to figure it out. (something..something for Dllmain loaderlock 😉)
🔗 https://gist.github.com/paranoidninja/b929963db2e1922adee5d8bf3cac61cf
🐥 [ tweet ]
🔥3
😈 [ 4ndr3w6S, Andrew ]
This is cool @redcanary: https://t.co/RrCtb40Nhu. Really loving the clean and user-friendly layout 🤩
🔗 https://atomicredteam.io/atomics/
🐥 [ tweet ]
This is cool @redcanary: https://t.co/RrCtb40Nhu. Really loving the clean and user-friendly layout 🤩
🔗 https://atomicredteam.io/atomics/
🐥 [ tweet ]
Дебажил я тут ASN.1 спеки для MIT-имплементации Кербероса, и вот вам маленький лайфхак для раскуривания масштабных кодовых баз на Python: встроенные интерактивные интерпретатор и дебаггер – ваши друзья на век.
Запиховываете единственный ванлайнер в то место в коде, где потенцивально ожидаетпиздец раскрутка стека исключением, и спокойно изучаете себе окружение:
UPD. @Riocool поделился похожим подходом с помощью "интерпретатора на стероидах" IPython (ставится через PyPI):
Запиховываете единственный ванлайнер в то место в коде, где потенцивально ожидает
import code,sys; code.interact(local=locals()); sys.exit(-1)
import pdb; pdb.set_trace()
Вставлять print("I'm here1"), конечно, романтичнее, но очень скоро утомляет.UPD. @Riocool поделился похожим подходом с помощью "интерпретатора на стероидах" IPython (ставится через PyPI):
from IPython import embed; embed()#python #debug
🔥2🤔2
😈 [ naksyn, Diego Capriotti ]
Just pushed an update to Pyramid.
check it out here: https://t.co/8gj8rCY8yE
Small thread on added features👇
🔗 https://github.com/naksyn/Pyramid
Cradle and server have been updated so that delivered files and part of the URL can now be encrypted/decrypted with chacha or xor. Pass is hardcoded in cradle and server.
Useful to avoid network signatures triggered upon downloading of some python dependencies (i.e. bh, Lazagne)
In modules config section you can now specify the extraction directory of some dependencies that require loading pyds (i.e. Cryptodome).
Useful to load pyds from a network share or a folder where you have write permissions to keep the main Python folder clean.
Pyramid Server configuration can now be automatically copied on modules and cradle files based on the passed command line parameters.
This reduces error probability during setup and saves you some time.
🐥 [ tweet ]
Just pushed an update to Pyramid.
check it out here: https://t.co/8gj8rCY8yE
Small thread on added features👇
🔗 https://github.com/naksyn/Pyramid
Cradle and server have been updated so that delivered files and part of the URL can now be encrypted/decrypted with chacha or xor. Pass is hardcoded in cradle and server.
Useful to avoid network signatures triggered upon downloading of some python dependencies (i.e. bh, Lazagne)
In modules config section you can now specify the extraction directory of some dependencies that require loading pyds (i.e. Cryptodome).
Useful to load pyds from a network share or a folder where you have write permissions to keep the main Python folder clean.
Pyramid Server configuration can now be automatically copied on modules and cradle files based on the passed command line parameters.
This reduces error probability during setup and saves you some time.
🐥 [ tweet ]
Интересно, просто и понятно про Windows API, LSA, SSP/AP через призму оффенсив-кодинга на C++ от ][ и @Michaelzhm:
🔗 Свин API. Изучаем возможности WinAPI для пентестера
🔗 Поставщик небезопасности. Как Windows раскрывает пароль пользователя
🔗 КодингДолой Mimikatz! Инжектим тикеты своими руками
🔗 Свин API. Изучаем возможности WinAPI для пентестера
🔗 Поставщик небезопасности. Как Windows раскрывает пароль пользователя
🔗 КодингДолой Mimikatz! Инжектим тикеты своими руками
🔥4
😈 [ _Kudaes_, Kurosh Dabbagh ]
I've found that fibers may be something to look at when it comes to execute local in-memory code. This is a simple PoC of how you can leverage fibers to execute in-memory code without spawning threads and hiding suspicious thread stacks among others.
https://t.co/kjIPOunGun
🔗 https://github.com/Kudaes/Fiber
🐥 [ tweet ]
I've found that fibers may be something to look at when it comes to execute local in-memory code. This is a simple PoC of how you can leverage fibers to execute in-memory code without spawning threads and hiding suspicious thread stacks among others.
https://t.co/kjIPOunGun
🔗 https://github.com/Kudaes/Fiber
🐥 [ tweet ]