Offensive Xwitter – Telegram
Offensive Xwitter
@OffensiveTwitter
19.4K subscribers
908 photos
48 videos
21 files
2.09K links
~$ socat TWITTER-LISTEN:443,fork,reuseaddr TELEGRAM:1.3.3.7:31337

Disclaimer: https://news.1rj.ru/str/OffensiveTwitter/546
Download Telegram
About
Blog
Apps
Platform
Join
Offensive Xwitter
19.4K subscribers
Offensive Xwitter
😈 [ an0n_r0, an0n ]

Mini-HOWTO about setting up Full Disk Encryption with unattended auto-unlock using TPM2 w/ Secure Boot on Kali.

Useful for rogue devices (auto-connecting to C2), headless pentest boxes, etc. storing confidential information but lacking physical security.

https://t.co/vOXnlpZcm6

🔗 https://gist.github.com/tothi/c7fdaaca3d61b7e3298863ada358fc1e

🐥 [ tweet ]
🔥2
1.44K views
Offensive Xwitter
😈 [ virustotal, VirusTotal ]

In late 2022 we started monitoring PyPI, the most important Python repository. In a few weeks, we found dozens of suspicious packages. Here is our deep dive into PyPI hosted malware, by
@alexey_firsh: https://t.co/EdGdlOFw9L

🔗 https://blog.virustotal.com/2023/06/inside-of-wasps-nest-deep-dive-into.html

🐥 [ tweet ]
🔥1
1.46K views
Offensive Xwitter
😈 [ d4rksystem, Kyle Cucci ]

Really nice analysis from @voidsec of the vulnerable driver used by Spybot's Terminator tool.

https://t.co/08M2Dr5AMF

🔗 https://voidsec.com/reverse-engineering-terminator-aka-zemana-antimalware-antilogger-driver/

🐥 [ tweet ]
1.29K views
Offensive Xwitter
😈 [ HackingLZ, Justin Elze ]

CS COFFLoader is public now thanks @_snus https://t.co/NIaNFWR47z https://t.co/nFahK7ZZX2

🔗 https://github.com/trustedsec/CS_COFFLoader/

🐥 [ tweet ]
👍2
1.24K views
Offensive Xwitter
😈 [ k_sec, Kurt Baumgartner ]

we go deeper yet into OpTriangulation...

🔗 https://securelist.com/triangledb-triangulation-implant/110050/

funny thing, it reminds me of a simple string xor decoder that i wrote for purple lambert research a few years ago.
course, many malware families use the same obfuscation... 

#include <stdio.h>
#include <string.h>

int main(int argc, const char* argv[]){
    unsigned int i=0;
    unsigned char c1, c2, x1;
    const int s1[] = {0x76, 0x18, 0x6C, 0x08, 0x64, 0x08, 0x00};  //obfuscated string value here

    const int *s2 = malloc(sizeof(s1));
    memcpy(s2,s1,sizeof(s1));

    // simple xor between current and next value
    while (s2[i+1] != '\0') {
            c1 = (unsigned char) s1[i];
            c2 = (unsigned char) s2[i+1];
            x1 = c1 ^ c2;
            printf("%c", x1);
            i++;
    }
    printf("\n");

    return 0;
}

🐥 [ tweet ]
👍2😁1
1.25K views
Offensive Xwitter
😈 [ pfiatde, pfiatde ]

Command detection in Powershell is not easy.
Some words about an obfuscated LSASS dumper command via comsvcs.
Plus some ways to circumvent deletion of the dump.

🔗 https://badoption.eu/blog/2023/06/21/dumpit.html
🔗 https://github.com/powerseb/PowerExtract

🐥 [ tweet ]
👍1
1.33K views
Offensive Xwitter
😈 [ pdnuclei, nuclei ]

If you're not writing custom Nuclei templates, you're missing out! 😢

⚛️ In this blog post, we explore the power of nuclei custom templates and how creating your own is beneficial for users!

Don't miss out, read this 👇

🔗 https://blog.projectdiscovery.io/if-youre-not-writing-custom-nuclei-templates-youre-missing-out/

🐥 [ tweet ]
1.58K views
Offensive Xwitter
😈 [ R0h1rr1m, Furkan Göksel ]

I developed a Fileless Lateral Movement tool called NimExec. It changes service configuration to execute the payload via manually crafted RPC packets. It's the improved version of @JulioUrena 's SharpNoPSExec with Pass the Hash support. Enjoy!

#infosec
https://t.co/G6xeyHVmnf

🔗 https://github.com/frkngksl/NimExec

🐥 [ tweet ]
2.25K views
Offensive Xwitter
😈 [ BlWasp_, BlackWasp ]

New tool in Rust. To learn this langage, and the basics of Windows internals, I have coded a TLS over TCP reverse shell with advanced integrated features like load a PE or a shellcode, download/upload files, bypass the AMSI, or autopwn the world...
https://t.co/DQShWQbeRw

🔗 https://github.com/BlWasp/rs-shell

🐥 [ tweet ]

https://github.com/BlWasp/rs-shell/blob/main/src/autopwn.rs 🗿
1.52K viewsedited  
Offensive Xwitter
This media is not supported in your browser
VIEW IN TELEGRAM
😈 [ 0gtweet, Grzegorz Tworek ]

Netsh.exe relies on extensions taken from Registry, which means it may be used as a persistence.
And what, if you go one step further, extending netsh with a DLL allowing you to do whatever you want? Kinda #LOLBin 😎
Enjoy the C code and DLL, as usual: https://t.co/xfm1Mxaf4F

🔗 https://github.com/gtworek/PSBits/tree/master/NetShRun

🐥 [ tweet ]
👍4
1.38K views
Offensive Xwitter
Немного кодгольфа для парсинга вывода pypykatz 🤪

pypykatz lsa minidump lsass.dmp 2>/dev/null | python3 <(wget -qO- https://gist.github.com/snovvcrash/d77a3ea5401498da95e1fab840122bea/raw/554b5621eed33be158c1583a17d50448964cefa8/pypyparse.py)


🔗 https://gist.github.com/snovvcrash/d77a3ea5401498da95e1fab840122bea
👍4😁3🥱1
1.32K views
Offensive Xwitter
😈 [ HakaiOffsec, Hakai Offsec ]

After some hard work, coffee has been released! Our newest Rust COFF Loader!
If you want to check it out:
Don’t forget to check our blog post for more details:

🔗 https://github.com/hakaioffsec/coffee
🔗 https://labs.hakaioffsec.com/coffee-a-coff-loader-made-in-rust/

🐥 [ tweet ]
👍1
1.29K views
Offensive Xwitter
Forwarded from RedTeam brazzers (Миша)
Кража KeyTab.

Во время тестирования на проникновение часто встречаются системы Linux с настроенным Keytab. Keytab хранит пары принципала кербероса и его зашифрованных ключей. С помощью этих зашифрованных ключей можно получить TGT. В результате чего появляется возможность запросить TGT на имя принципала без ввода пароля. Kerberos на Linux уже далеко не редкость - гетерогенные сети становятся все более популярными по ряду причин. Например, может быть такой сценарий, что на Linux бекапится содержимое какой-либо шары, при этом получить доступ к этой шаре могут только пользователи домена. В таком случае пишется простенький скрипт на баш, в котором реализуется логика по запросу TGT тикета на основе KeyTab, а затем копирования файлов с шары. Причем для периодичности запуска скрипт добавляется в crontab.

Нам, как атакующим, конечно же, интересен процесс запроса TGT билета на основе KeyTab. Для этого можно использовать команду kinit со следующим синтаксисом:
kinit –kt <keytab> <принципал>

Например, если файл /tmp/admin.keytab служит для аутентификации пользователя admin@OFFICE.LOCAL , то делаем вот так:
kinit -kt /tmp/admin.keytab admin@OFFICE.LOCAL

Остается лишь одна проблема - обнаружение самих KeyTab файлов. Конечно, можно ручками через find искать эти файлы, потом также муторно проверять разрешения на них, что не есть хорошо. Поэтому я накалякал следующий командлет, который автоматически найдет все .keytab файлы , а затем подсветит интересные разными цветами:
1. Зеленым подсвечиваются те файлы, которые принадлежат текущему пользователю.
2. Желтым подсвечиваются те файлы, которые принадлежат пользователю, отличному от текущего, при этом текущий пользователь не имеет достаточных прав (чтение/запись) на этот самый KeyTab.
3. Наконец, красным подсвечиваются файлы, которые принадлежат пользователю, отличному от текущего, при этом текущий пользователь имеет достаточные права на этот самый KeyTab.

find / -iname '*.keytab' -type f -exec ls -l {} \; 2>/dev/null | awk -v user="$(whoami)" 'BEGIN { FS = OFS = " "; red = "\033[31m"; yellow = "\033[33m"; green = "\033[32m"; reset = "\033[0m" } { if ($3 == user && $9 ~ /.keytab$/) { printf green } else if ($3 != user && $9 ~ /.keytab$/ && $1 ~ /^-.w.r../) { printf red } else if ($3 != user && $9 ~ /.keytab$/ && ($1 !~ /^.w.r../ || $1 !~ /^-.w../)) { printf yellow } print $0; printf reset }'
🔥5👍1
980 views
Offensive Xwitter
😈 [ stephenfewer, Stephen Fewer ]

Last Friday's @metasploit release adds coverage for CVE-2023-34362 in MOVEit Transfer, great work by @tychos_moose, @iagox86, @_CField and team. Nice to see the new fetch payloads in action too🔥Check out the release here:

🔗 https://www.rapid7.com/blog/post/2023/06/23/metasploit-weekly-wrap-up-16/

🐥 [ tweet ]
😁2🔥1
1.39K views
Offensive Xwitter
😈 [ mpgn_x64, mpgn ]

3, 2, 1 CrackMapExec 6.0.0 is now public ! 🎉

So much new features and fix that I've made a blogpost for it ▶️


Special thanks to @_zblurx @MJHallenbeck & @al3x_n3ff for their indefectible support & contributions ! 🍻

🔗 https://wiki.porchetta.industries/news/a-new-home

🐥 [ tweet ]
👍2🔥2
3.18K views
Offensive Xwitter
😈 [ _zblurx, Thomas Seigneuret ]

Want to bypass Windows Defender when dumping LSASS ? Just dump into .log files😅

🐥 [ tweet ]
🔥4😁2👍1😢1
1.64K views
Offensive Xwitter
😈 [ kleiton0x7e, Kleiton Kurti ]

Came up with an improved version of WMIExec. By leveraging the Win32_ScheduledJob class, we can remotely create scheduled jobs. This way it's not required anymore to rely on port 139 and 445.

Github:

#CyberSecurity #redteam #infosec #infosecurity

🔗 https://github.com/WKL-Sec/wmiexec/

🐥 [ tweet ]
🔥3
1.37K views
Offensive Xwitter
😈 [ passthehashbrwn, Josh ]

Just published a new blog post covering how to hide Beacon during BOF execution. If your BOF triggers a memory scan then EDR is likely to find Beacon and kill your process, but we can mask it using a simple technique.

🔗 https://securityintelligence.com/posts/how-to-hide-beacon-during-bof-execution/
🔗 https://github.com/xforcered/bofmask

🐥 [ tweet ]
🔥3
1.36K viewsedited  
Offensive Xwitter
This media is not supported in your browser
VIEW IN TELEGRAM
😈 [ an0n_r0, an0n ]

Just recreated this awesome @SpecterOps (@zyn3rgy, @0xthirteen) technique for initial access by #backdooring a random #ClickOnce application with a Cobalt Strike stager. While I became a ClickOnce addict🙃, compiled a short writeup about my journey:

🔗 https://an0n-r0.medium.com/backdooring-clickonce-net-for-initial-access-a-practical-example-1eb6863c0579

🐥 [ tweet ][ quote ]
👍7
1.54K views
Offensive Xwitter
Forwarded from Волосатый бублик
4 новых видео на канале SpecterOps

Security Distilled: Building a First-Principles Approach to Security
https://www.youtube.com/watch?v=zjJaYwqVHxY

A Taste of Kerberos Abuse
https://www.youtube.com/watch?v=9SUXifUp9ZY

The BloodHound 4.3 Release: Get Global Admin More Often
https://www.youtube.com/watch?v=H1q-CBHbmHE

Red + Blue, How Purple Are You? Identifying Gaps in The Spectrum of Security
https://www.youtube.com/watch?v=B_2AfoT2WxU
👍3🔥1
1.16K views
Offensive Xwitter
😈 [ ricnar456, Ricardo Narvaja ]

As promised, the research on CVE-2023-28252 is already published with its PoC and the detailed explanation of the reversing that we did with my friend @solidclt.

🔗 https://www.coresecurity.com/core-labs/articles/understanding-cve-2022-37969-windows-clfs-lpe
🔗 https://github.com/fortra/CVE-2023-28252

🐥 [ tweet ]
🔥6
1.48K viewsedited