😈 [ harmj0y, Will Schroeder ]
I know I haven't blogged for a bit, but I promise @tifkin_, @0xdab0, and I have been working on something cool! This is the first blog in a series on the problem set we've been tackling, leading up to what we've built to address it - "On (Structured) Data"
🔗 https://posts.specterops.io/on-structured-data-707b7d9876c6
🐥 [ tweet ]
👍1
😈 [ snowscan, Snowscan ]
You can use the Windows Search Protocol to coerce authentication from hosts running the Windows Search Service (Win10/11 only by default) as a regular domain user. Haven't been able to do WebDAV with it though so usefulness is limited. PoC:
🔗 https://github.com/slemire/WSPCoerce
🐥 [ tweet ]
👍1
😈 [ 0xdea, raptor@infosec.exchange ]
Everything you never knew about #NAT and wish you hadn't asked
// by @ekr____
🔗 https://educatedguesswork.org/posts/nat-part-1/
🔗 https://educatedguesswork.org/posts/nat-part-2/
🔗 https://educatedguesswork.org/posts/nat-part-3/
🔗 https://educatedguesswork.org/posts/nat-part-4/
🐥 [ tweet ]
🔥3
😈 [ 0xTriboulet, Steve S. ]
Check out my guest write-up on the MaliciousGroup blog.
If you're interested in C, inline assembly, and return address spoofing, this is the writeup you're looking for.
@deadvolvo
🔗 https://blog.malicious.group/inline-assembly/
🐥 [ tweet ]
🔥1
😈 [ fin3ss3g0d, fin3ss3g0d ]
Check out my multi-threaded version of secretsdump[.]py!
🔗 https://github.com/fin3ss3g0d/secretsdump.py
🐥 [ tweet ]
🔥1
😈 [ dec0ne, Mor Davidovich ]
First blog post in our upcoming series - "Path to DA" where Shlomi and I will be sharing our experiences, stories, strategies and techniques for achieving Domain Admin privileges on engagements.
Mine is up next, stay tuned!
🔗 https://shorsec.io/blog/the-path-to-da-part-1-sysadmins-love-generic-passwords/
🐥 [ tweet ][ quote ]
🔥3🤯1
😈 [ D1rkMtr, D1rkMtr ]
Inspired by @_EthicalChaos_'s talk on Threadless Process injection, created another approach using C:
🔗 https://github.com/TheD1rkMtr/D1rkInject
🐥 [ tweet ]
🔥1
😈 [ the_bit_diddler, sinusoid ]
If you're not containerizing your neo4j database for BloodHound, you're doing it wrong.
docker run -itd -p 7687:7687 -p 7474:7474 --env NEO4J_AUTH=neo4j/YOURPASSWORD -v $(pwd)/neo4j:/data neo4j:4.4-community
Instantly transferrable and redeployable for colleagues.
#RedTeamTips
🐥 [ tweet ]
🔥3
Kudos to the colleagues from Awillix (@justsecurity) and everyone involved for a great initiative, the Pentest Award. It was a pleasure to compete, to support such a unique undertaking as the first award for pentesters, and to say hello to top specialists in the analog world) As agreed, the materials from the nominations will be collected into a separate issue of ][, so no spoilers for now. As they say, stay tuned; I can't wait to have a look at the other speakers' work myself 🟢 🟢
#pentestaward
🔥32
Forwarded from 𝖝𝖓𝖝 𝖘𝖔𝖋𝖙𝖜𝖆𝖗𝖊 𝖋𝖔𝖚𝖓𝖉𝖆𝖙𝖎𝖔𝖓
OWASP just released the 2023 edition of the API Security Top 10. The changes are not that big; I drew a little picture for clarity 😈
Details are in the docs: https://owasp.org/API-Security/editions/2023/en/0x00-notice/
🥰 peace, everyone 🥰
👍6🔥1
😈 [ _atsika, Atsika ]
I've just started a blog on #maldev and #redteaming. Nothing fancy yet, just me trying to see if I've understood correctly.
The first post is about a custom version of GetModuleHandle and GetProcAddress in #go.
Check it out:
🔗 https://blog.atsika.ninja/posts/custom_getmodulehandle_getprocaddress/
🐥 [ tweet ]
🔥2
😈 [ bishopfox, Bishop Fox ]
We just published a detailed analysis of #CVE-2023-3519, which we previously wrote about. Today, we’re going even further into how this #RCE vulnerability can be exploited.
Our team created a #python script for generating shellcode given the fixup address and callback URL by calling nasm from Python. The final #exploit with addresses for VPX version 13.1-48.47 is available on our #GitHub.
🔗 bfx.social/3YjMxpz
#infosec #Citrix
🐥 [ tweet ]
🔥4
😈 [ noperator, noperator ]
We're following others by publishing our exploit (and shellcode generator) for the critical-severity CVE-2023-3519, preauth RCE in Citrix ADC Gateway. If you haven't patched yet—do. 🩹
🔗 https://github.com/BishopFox/CVE-2023-3519
🐥 [ tweet ][ quote ]
🔥2
👹 [ snovvcrash, sn🥶vvcr💥sh ]
FYI, #masscan users. The original masscan does NOT include the ‘TCP options’ field with MSS value which is required for some hosts to reply to the packet. The fork by @IvreRocks features the --tcpmss switch that includes the mentioned field for your better scope coverage.
For me that’s the masscan version of choice from now on:
🔗 https://github.com/ivre/masscan
🐥 [ tweet ]
🔥10🥱2🤔1
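What the --tcpmss switch actually changes on the wire, as an added example that is not from the tweet, from masscan or from the ivre fork: the code below builds a raw TCP SYN header the way a SYN scanner does, once with no options (a 20-byte header, data offset 5) and once with an MSS option (kind 2, length 4, so a 24-byte header, data offset 6), computes the checksum over the IPv4 pseudo-header, and parses the options back out. The addresses, ports, sequence number and window size are constructed sample values, not what any scanner uses by default.

```python
"""
Build a bare TCP SYN segment with and without the MSS option and verify it.
Added example (not the tweet author's or masscan's code); sample IPs/ports are made up.
"""
import socket
import struct
from typing import Dict, Optional


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def pseudo_header(src_ip: str, dst_ip: str, tcp_len: int) -> bytes:
    """IPv4 pseudo-header that the TCP checksum is computed over."""
    return (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
            + struct.pack("!BBH", 0, socket.IPPROTO_TCP, tcp_len))


def build_syn(src_ip: str, dst_ip: str, sport: int, dport: int,
              seq: int, mss: Optional[int] = None) -> bytes:
    """Return a TCP SYN segment (header only, no payload).

    mss=None -> no options, 20-byte header, data offset 5 (bare SYN)
    mss=1460 -> options 02 04 05 b4, 24-byte header, data offset 6
    """
    options = b""
    if mss is not None:
        options = struct.pack("!BBH", 2, 4, mss)     # kind=2 (MSS), len=4, value
    options += b"\x00" * (-len(options) % 4)          # pad options to 32-bit boundary
    data_offset = (20 + len(options)) // 4
    offset_flags = (data_offset << 12) | 0x02         # upper nibble = offset, 0x02 = SYN
    window = 1024                                     # constructed sample value
    header = struct.pack("!HHIIHHHH", sport, dport, seq, 0,
                         offset_flags, window, 0, 0) + options
    csum = checksum(pseudo_header(src_ip, dst_ip, len(header)) + header)
    return header[:16] + struct.pack("!H", csum) + header[18:]


def verify_checksum(src_ip: str, dst_ip: str, segment: bytes) -> bool:
    """A correctly checksummed segment sums to zero together with its pseudo-header."""
    return checksum(pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0


def parse_options(segment: bytes) -> Dict[int, bytes]:
    """Walk the TCP options area and return {kind: raw value bytes}."""
    data_offset = (segment[12] >> 4) * 4
    opts = segment[20:data_offset]
    out: Dict[int, bytes] = {}
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:            # End of Option List
            break
        if kind == 1:            # NOP: single byte, used as padding
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2:
            break                # malformed length, stop rather than loop forever
        length = opts[i + 1]
        out[kind] = opts[i + 2:i + length]
        i += length
    return out


def mss_of(segment: bytes) -> Optional[int]:
    """MSS value advertised in the segment, or None when the option is absent."""
    raw = parse_options(segment).get(2)
    return struct.unpack("!H", raw)[0] if raw and len(raw) == 2 else None


if __name__ == "__main__":
    for mss in (None, 1460):
        seg = build_syn("10.0.0.1", "10.0.0.2", 40000, 445, 0x1234, mss)
        print(f"mss={mss}: {len(seg)} bytes, offset={seg[12] >> 4}, "
              f"options={seg[20:].hex()}, parsed_mss={mss_of(seg)}")
```

To put either segment on the wire you would hand it to a raw socket (AF_INET, SOCK_RAW, IPPROTO_TCP, which needs root) and let the kernel prepend the IP header; the checksum above already covers the pseudo-header, so nothing else has to change between the two variants except those four option bytes.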
😈 [ _wald0, Andy Robbins ]
I am proud to announce the release of BloodHound CE!
Blog:
🔗 https://posts.specterops.io/bloodhound-community-edition-a-new-era-d64689806e90
Webinar:
🔗 https://ghst.ly/3Om0jDo
🐥 [ tweet ]
👍3
😈 [ _wald0, Andy Robbins ]
Have Docker? Run BloodHound CE with one command:
curl -L https://github.com/SpecterOps/BloodHound/raw/main/examples/docker-compose/docker-compose.yml | docker compose -f - up
🐥 [ tweet ]
🔥9
😈 [ DiLomSec1, Diegolomellini ]
As promised, here is a blog post on SharpSCCM's new AdminService/CMPivot capabilities. The creator of SharpSCCM, @_Mayyhem, and I will be at the SpecterOps booth tomorrow @ 11am and at ARSENAL @ 11:30am Thursday presenting SCCM takeover and post-ex techniques.
🔗 https://medium.com/@dlomellini/lateral-movement-without-lateral-movement-brought-to-you-by-configmgr-9b79b04634c7
🐥 [ tweet ]
👍1🔥1
😈 [ exploitph, Charlie Clark ]
My latest post on abusing DES using Kerberos. I've not updated my RoastInTheMiddle tool yet, but I'll be doing that shortly. Enjoy:
🔗 https://exploit.ph/des-is-useful.html
🐥 [ tweet ]
👍5