Forwarded from Path Secure (CuriV)
Recordings of the talks from BlackHat22 have arrived!
Lots of different talks on external and internal pentesting, reversing, and cryptography.
Highlights from the playlist:
- Vulnerabilities in Matrix;
- Attacks on AFDS;
- Attacks on electric cars;
- Attacks on Kerberos RC4;
- EDR bypass;
- Attacks on smart contracts;
- WAF bypass;
- Attacks at the link layer.
😈 [ elkement, elkement ]
Hi Active Directory / ADCS hackers, I've published something! You can add the new SID extension manually if certificate templates allow for custom names: https://t.co/SndcHH3Kz7
🔗 https://elkement.blog/2023/03/30/lord-of-the-sid-how-to-add-the-objectsid-attribute-to-a-certificate-manually/
🐥 [ tweet ]
😈 [ naksyn, Diego Capriotti ]
Triggered by an idea of @Octoberfest73, just discovered that you can alter the dll search path of a process you're about to create.
Just call SetDllDirectoryA before CreateProcessA.
For your sideloading pleasurezz :)
🐥 [ tweet ]
Forwarded from APT
🕳 Ngrok: SSH Reverse Tunnel Agent
Did you know that you can run ngrok without even installing ngrok? You can start tunnels via SSH without downloading an ngrok agent by running an SSH reverse tunnel command:
ssh -i ~/.ssh/id_ed25519 -R 80:localhost:80 v2@tunnel.us.ngrok.com http
Source: https://ngrok.com/docs/secure-tunnels/tunnels/ssh-reverse-tunnel-agent/
#ngrok #ssh #reverse #tunnel
😈 [ zimnyaatishina, zimnyaa ]
A new article about replacing memfd_create with a custom libfuse FS for in-memory ELF execution: https://t.co/AU5ZPJXHaf
The PoC code also tries to disallow others from reading the executable file.
🔗 https://tishina.in/execution/replacing-memfd-with-fuse
🐥 [ tweet ]
😈 [ _RastaMouse, Rasta Mouse ]
I'm starting a blog series on using #SharpC2. The first post demonstrates using HTTPS with a redirector.
https://t.co/TV3DrRvYqn
🔗 https://rastamouse.me/sharpc2-https-with-redirector/
🐥 [ tweet ]
😈 [ M_haggis, The Haag™ ]
Introducing the Living Off The Land Drivers (LOLDrivers) project, a crucial resource that consolidates vulnerable and malicious drivers in one place to streamline research and analysis.
🔗 http://loldrivers.io
LOLDrivers enhances awareness of driver-related security risks and empowers organizations to mitigate these risks, improving their overall cybersecurity posture. By fostering collaboration and knowledge sharing within the cybersecurity community, LOLDrivers, along with sister projects like LOLBAS and GTFOBins, paves the way for a safer and more secure digital landscape.
Read our release blog to learn all about the project and how to contribute
🔗 https://haggis-m.medium.com/living-off-the-land-drivers-a5d74d45e77a
🐥 [ tweet ]
😈 [ NinjaParanoid, Chetan Nayak (Brute Ratel C4 Author) ]
Found a new Windows API for executing shellcode - RtlRunOnceExecuteOnce. Haven't seen anyone using this technique yet. There's a lot more you can do apart from the generic shellcode execution, as you can also pass a CONTEXT and parameter, but I will let the creativity of the users figure it out. (something..something for DllMain loader lock 😉)
🔗 https://gist.github.com/paranoidninja/b929963db2e1922adee5d8bf3cac61cf
🐥 [ tweet ]
😈 [ 4ndr3w6S, Andrew ]
This is cool @redcanary: https://t.co/RrCtb40Nhu. Really loving the clean and user-friendly layout 🤩
🔗 https://atomicredteam.io/atomics/
🐥 [ tweet ]
I was debugging the ASN.1 specs for the MIT implementation of Kerberos, and here's a small life hack for digging through large Python code bases: the built-in interactive interpreter and debugger are your friends for life.
You drop a single one-liner at the spot in the code where you expect things to blow up, i.e. where an exception is about to unwind the stack, and calmly explore the environment:
import code,sys; code.interact(local=locals()); sys.exit(-1)
import pdb; pdb.set_trace()
Inserting print("I'm here1") is more romantic, of course, but it gets tiring very quickly.
UPD. @Riocool shared a similar approach using the "interpreter on steroids" IPython (installed from PyPI):
from IPython import embed; embed()
#python #debug
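As an added illustration of the tip above (example code written here, not from the post and not MIT Kerberos code): a helper that opens the interpreter on the caller's frame the way the `code.interact(local=locals())` one-liner does, and a wrapper that captures the locals of the innermost frame when an exception unwinds the stack, then hands them to `pdb.post_mortem`. The DER TLV reader and the sample bytes are constructed for the demo; `interactive` defaults to whether stdin is a tty so neither helper blocks when run non-interactively.

```python
import code
import pdb
import sys
import traceback


def inspect_here(interactive=None):
    """The post's `code.interact(local=locals())` one-liner as a helper on the
    caller's frame. With interactive=False (or no tty) it just returns the namespace."""
    frame = sys._getframe(1)
    ns = {**frame.f_globals, **frame.f_locals}
    if interactive is None:
        interactive = sys.stdin.isatty()
    if interactive:
        code.interact(banner="-- inspect_here: caller namespace --", local=ns)
    return ns


def run_with_postmortem(func, *args, interactive=None, **kwargs):
    """Call func; if it raises, capture the locals of the innermost frame (where
    the unwinding started) and open pdb.post_mortem on a tty. Returns
    (result, exc, innermost_locals) and does not re-raise, so the snapshot survives."""
    try:
        return func(*args, **kwargs), None, {}
    except Exception as exc:
        tb = exc.__traceback__
        while tb.tb_next is not None:  # walk to the frame that raised
            tb = tb.tb_next
        snapshot = dict(tb.tb_frame.f_locals)
        traceback.print_exc()
        if interactive is None:
            interactive = sys.stdin.isatty()
        if interactive:
            pdb.post_mortem(tb)
        return None, exc, snapshot


def der_tlv(buf, offset=0):
    """Short-form DER tag-length-value reader, constructed for this demo (not MIT
    Kerberos code). Returns (tag, value, next_offset); ValueError when truncated."""
    tag = buf[offset]
    length = buf[offset + 1]
    if length & 0x80:
        raise ValueError(f"long-form length at {offset + 1} not supported here")
    pos = offset + 2
    end = pos + length
    if end > len(buf):
        raise ValueError(f"truncated TLV: need {end} bytes, have {len(buf)}")
    return tag, buf[pos:end], end


# Constructed samples: INTEGER 5, and an OCTET STRING claiming 10 bytes but carrying 2.
GOOD = bytes.fromhex("020105")
TRUNCATED = bytes.fromhex("040a0102")
```

On a terminal, `run_with_postmortem(der_tlv, TRUNCATED)` prints the traceback and lands you in pdb inside `der_tlv` with `end`, `length` and `buf` in scope.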
😈 [ naksyn, Diego Capriotti ]
Just pushed an update to Pyramid.
check it out here: https://t.co/8gj8rCY8yE
Small thread on added features👇
🔗 https://github.com/naksyn/Pyramid
Cradle and server have been updated so that delivered files and part of the URL can now be encrypted/decrypted with chacha or xor. Pass is hardcoded in cradle and server.
Useful to avoid network signatures triggered upon downloading of some python dependencies (i.e. bh, Lazagne)
In modules config section you can now specify the extraction directory of some dependencies that require loading pyds (i.e. Cryptodome).
Useful to load pyds from a network share or a folder where you have write permissions to keep the main Python folder clean.
Pyramid Server configuration can now be automatically copied on modules and cradle files based on the passed command line parameters.
This reduces error probability during setup and saves you some time.
🐥 [ tweet ]
An interesting, simple and clear take on the Windows API, LSA and SSP/AP through the lens of offensive coding in C++, from ][ and @Michaelzhm:
🔗 Свин API. Изучаем возможности WinAPI для пентестера
🔗 Поставщик небезопасности. Как Windows раскрывает пароль пользователя
🔗 Долой Mimikatz! Инжектим тикеты своими руками
😈 [ _Kudaes_, Kurosh Dabbagh ]
I've found that fibers may be something to look at when it comes to executing local in-memory code. This is a simple PoC of how you can leverage fibers to execute in-memory code without spawning threads and hiding suspicious thread stacks, among others.
https://t.co/kjIPOunGun
🔗 https://github.com/Kudaes/Fiber
🐥 [ tweet ]
😈 [ Oddvarmoe, Oddvar Moe ]
Some really great sites you should bookmark
🔗 https://www.loldrivers.io/
🔗 https://gtfobins.github.io/
🔗 https://lolbas-project.github.io/
🔗 https://lots-project.com/
🔗 https://filesec.io/
🔗 https://malapi.io/
🐥 [ tweet ]
😈 [ Hadess_security, HADESS ]
64 Methods for Execute Mimikatz
https://t.co/wKw1AseHly
#mimikatz
🔗 https://redteamrecipe.com/64-Methods-For-Execute-Mimikatz/
🐥 [ tweet ]
Very cute
Forwarded from Ralf Hacker Channel (Ralf Hacker)
A new addition to the potato family: GodPotato. Windows LPE:
* Windows Server 2012 - Windows Server 2022;
* Windows 8 - Windows 11
https://github.com/BeichenDream/GodPotato
#git #soft #lpe