Offensive Xwitter – Telegram
Offensive Xwitter
19.4K subscribers
908 photos
48 videos
21 files
2.09K links
~$ socat TWITTER-LISTEN:443,fork,reuseaddr TELEGRAM:1.3.3.7:31337

Disclaimer: https://news.1rj.ru/str/OffensiveTwitter/546
😈 [ dec0ne, Mor Davidovich ]

Watched @ustayready's webcast yesterday and decided to try to implement the technique myself.
Got it working and, as a PoC, planted a DLL in the Teams folder to be sideloaded for persistence / code exec. Very cool initial access technique. Amazing work @ustayready
Blog:

🔗 https://shorsec.io/blog/malrdp-implementing-rouge-rdp-manually/

🐥 [ tweet ]
😈 [ securekomodo, Bryan Smith ]

Here is my Python-based scanner to find #Citrix RCE. It leverages several fingerprinting techniques to accurately identify a remote Citrix server's version and detect if it is vulnerable to CVE-2023-3467. This is not an exploit PoC. Happy #bugbounty hunting :)

🔗 https://github.com/securekomodo/citrixInspector/

🐥 [ tweet ]
😈 [ _xpn_, Adam Chester ]

If you're used to spraying to find Pre2K computer account creds, I've added a new script to pull the TGS for a computer account and check it offline. Might help to work around password spraying detection.

🔗 https://github.com/xpn/RandomTSScripts

🐥 [ tweet ]
😈 [ XakepRU, Xakep.ru ]

X for the smoker
][ for the healthy person

🐥 [ tweet ]

based?
😈 [ kyleavery_, Kyle Avery ]

New DLL hijacking opportunities, triggered using DCOM for lateral movement:

🔗 https://github.com/WKL-Sec/dcomhijack

🐥 [ tweet ]
😈 [ exploitph, Charlie Clark ]

I drafted slides for an extended talk on forged tickets, which was apparently not good enough for a con this year, so @4ndr3w6S and I have decided to publish the slides (around 99% done) and I'll leave the rest up to the imagination of the reader. Enjoy:

🔗 https://github.com/0xe7/Talks/blob/main/Andrew_Charlie_Ive_Got_A_Forged_Twinkle_In_My_Eye.pdf

🐥 [ tweet ]
😈 [ D1rkMtr, D1rkMtr ]

Blog on advanced module stomping and heap/stack encryption is now out; it bypasses PE-sieve and Moneta while sleeping.

Blog:

🔗 https://labs.cognisys.group/posts/Advanced-Module-Stomping-and-Heap-Stack-Encryption/

Github Project:

🔗 https://github.com/CognisysGroup/SweetDreams

🐥 [ tweet ]
😈 [ hasherezade, hasherezade ]

If you ever need to convert an EXE into a DLL: // #exe_to_dll

🔗 https://github.com/hasherezade/exe_to_dll

🐥 [ tweet ]
😈 [ harmj0y, Will Schroeder ]

I know I haven't blogged for a bit, but I promise @tifkin_, @0xdab0, and I have been working on something cool! This is the first blog in a series on the problem set we've been tackling, leading up to what we've built to address it: "On (Structured) Data"

🔗 https://posts.specterops.io/on-structured-data-707b7d9876c6

🐥 [ tweet ]
😈 [ snowscan, Snowscan ]

You can use the Windows Search Protocol to coerce authentication from hosts running the Windows Search Service (Win10/11 only by default) as a regular domain user. Haven't been able to do WebDAV with it though, so usefulness is limited. PoC:

🔗 https://github.com/slemire/WSPCoerce

🐥 [ tweet ]
😈 [ 0xTriboulet, Steve S. ]

Check out my guest write-up on the MaliciousGroup blog.

If you're interested in C, inline assembly, and return address spoofing, this is the writeup you're looking for.

@deadvolvo

🔗 https://blog.malicious.group/inline-assembly/

🐥 [ tweet ]
😈 [ fin3ss3g0d, fin3ss3g0d ]

Check out my multi-threaded version of secretsdump[.]py!

🔗 https://github.com/fin3ss3g0d/secretsdump.py

🐥 [ tweet ]
😈 [ dec0ne, Mor Davidovich ]

First blog post in our upcoming series, "Path to DA", where Shlomi and I will be sharing our experiences, stories, strategies and techniques for achieving Domain Admin privileges on engagements.
Mine is up next, stay tuned!

🔗 https://shorsec.io/blog/the-path-to-da-part-1-sysadmins-love-generic-passwords/

🐥 [ tweet ][ quote ]
😈 [ D1rkMtr, D1rkMtr ]

Inspired by @_EthicalChaos_'s talk on threadless process injection, I created another approach using C:

🔗 https://github.com/TheD1rkMtr/D1rkInject

🐥 [ tweet ]
😈 [ the_bit_diddler, sinusoid ]

If you're not containerizing your neo4j database for Bloodhound, you're doing it wrong.

docker run -itd -p 7687:7687 -p 7474:7474 --env NEO4J_AUTH=neo4j/YOURPASSWORD -v $(pwd)/neo4j:/data neo4j:4.4-community

Instantly transferable and redeployable for colleagues.

#RedTeamTips

🐥 [ tweet ]
Kudos to our colleagues from Awillix (@justsecurity) and everyone involved for the cool Pentest Award initiative. It was a pleasure to compete, to support such a unique undertaking as the first award for pentesters, and to say hello to top specialists in the analog world) As agreed, the materials from the nominations will be collected in a separate issue of ][, so no spoilers for now. As they say, stay tuned; I can't wait myself to check out the work of the other speakers 🟢🟢
#pentestaward
Just recently OWASP released the Security Top 10 for APIs. The changes are not that big; I drew a little picture for clarity 😈
Details in the docs: https://owasp.org/API-Security/editions/2023/en/0x00-notice/

🥰 peace, everyone 🥰
😈 [ _atsika, Atsika ]

I've just started a blog on #maldev and #redteaming. Nothing fancy yet, just me trying to see if I've understood things correctly.
The first post is about a custom version of GetModuleHandle and GetProcAddress in #go.
Check it out:

🔗 https://blog.atsika.ninja/posts/custom_getmodulehandle_getprocaddress/

🐥 [ tweet ]
😈 [ bishopfox, Bishop Fox ]

We just published a detailed analysis of #CVE-2023-3519, which we previously wrote about. Today, we're going even further into how this #RCE vulnerability can be exploited.

Our team created a #python script for generating shellcode given the fixup address and callback URL by calling nasm from Python. The final #exploit with addresses for VPX version 13.1-48.47 is available on our #GitHub.

🔗 bfx.social/3YjMxpz

#infosec #Citrix

🐥 [ tweet ]