Offensive Xwitter – Telegram
Offensive Xwitter
19.4K subscribers
908 photos
48 videos
21 files
2.09K links
~$ socat TWITTER-LISTEN:443,fork,reuseaddr TELEGRAM:1.3.3.7:31337

Disclaimer: https://news.1rj.ru/str/OffensiveTwitter/546
😈 [ bishopfox, Bishop Fox ] We just published a detailed analysis of #CVE-2023-3519, which we previously wrote about. Today, we’re going even further into how this #RCE vulnerability can be exploited. Our team created a #python script for generating shellcode…
😈 [ noperator, noperator ]

We're following others by publishing our exploit (and shellcode generator) for the critical-severity CVE-2023-3519, preauth RCE in Citrix ADC Gateway. If you haven't patched yet—do. 🩹

🔗 https://github.com/BishopFox/CVE-2023-3519

🐥 [ tweet ][ quote ]
🔥2
👹 [ snovvcrash, sn🥶vvcr💥sh ]

FYI, #masscan users. The original masscan does NOT include the ‘TCP options’ field with MSS value which is required for some hosts to reply to the packet. The fork by @IvreRocks features the --tcpmss switch that includes the mentioned field for your better scope coverage.

For me that’s the masscan version of choice from now on:

🔗 https://github.com/ivre/masscan

🐥 [ tweet ]
🔥10🥱2🤔1
😈 [ _wald0, Andy Robbins ]

I am proud to announce the release of BloodHound CE!

Blog:

🔗 https://posts.specterops.io/bloodhound-community-edition-a-new-era-d64689806e90

Webinar:

🔗 https://ghst.ly/3Om0jDo

🐥 [ tweet ]
👍3
😈 [ _wald0, Andy Robbins ]

Have Docker? Run BloodHound CE with one command:

curl -L https://github.com/SpecterOps/BloodHound/raw/main/examples/docker-compose/docker-compose.yml | docker compose -f - up

🐥 [ tweet ]
🔥9
😈 [ DiLomSec1, Diegolomellini ]

As promised, here is a blogpost on SharpSCCM's new AdminService/CMPivot capabilities. The creator of SharpSCCM, @_Mayyhem, and I will be at the SpecterOps booth tomorrow @ 11am and ARSENAL @ 11:30am Thursday presenting SCCM takeover and post-ex techniques.

🔗 https://medium.com/@dlomellini/lateral-movement-without-lateral-movement-brought-to-you-by-configmgr-9b79b04634c7

🐥 [ tweet ]
👍1🔥1
😈 [ exploitph, Charlie Clark ]

My latest post on abusing DES using Kerberos. I've not updated my RoastInTheMiddle tool yet, but I'll be doing that shortly. Enjoy:

🔗 https://exploit.ph/des-is-useful.html

🐥 [ tweet ]
👍5
😈 [ ShitSecure, S3cur3Th1sSh1t ]

Wrote something on how to bypass Google Safe Browsing for Phishing campaigns🧐

🔗 https://www.r-tec.net/r-tec-blog-evade-signature-based-phishing-detections.html

🐥 [ tweet ]
👍1🔥1
😈 [ _RastaMouse, Rasta Mouse ]

[BLOG]
Short post on using the Process Inject Kit in Cobalt Strike, which I feel is quite under-utilized based on the projects I've seen online.

🔗 https://offensivedefence.co.uk/posts/cs-process-inject-kit/

🐥 [ tweet ]
🔥1
😈 [ joehowwolf, William Burgess ]

New Cobalt Strike blog by @HenriNurmi - Simplifying BOF Development: Debug, Test, and Save Your B(e)acon
All in VS BOF template available in latest Arsenal kit release!

🔗 https://www.cobaltstrike.com/blog/simplifying-bof-development

🐥 [ tweet ]
🔥1
😈 [ garrfoster, Garrett ]

SCCM Site takeover by abusing the AdminService API. In this blog, I walk through the discovery process and demonstrate site takeover via credential relaying.

🔗 https://medium.com/specter-ops-posts/site-takeover-via-sccms-adminservice-api-d932e22b2bf

🐥 [ tweet ]
🔥5
😈 [ 0xTriboulet, Steve S. ]

Use C, and some inline assembly, to create a self-extracting shellcode executable!

This solution was inspired by @hasherezade's C to Shellcode method, and was the basis for my solution to @MalDevAcademy's shellcode challenge.

Check it out!

🔗 https://steve-s.gitbook.io/0xtriboulet/just-malicious/from-c-with-inline-assembly-to-shellcode

🐥 [ tweet ]
🔥1
😈 [ harmj0y, Will Schroeder - HACKER SUMMER CAMP ]

@tifkin_ , @0xdab0 , and I are very proud to announce that the alpha release of Nemesis is now public! The code is at and we have a post explaining details at 1/3

🔗 https://github.com/SpecterOps/Nemesis
🔗 https://posts.specterops.io/hacking-with-your-nemesis-7861f75fcab4

🐥 [ tweet ]
🔥1
😈 [ _xpn_, Adam Chester ]

Second blog post to finish out the week. Expanding on a previous tweet to look at how LAPS 2.0 crypto works, how the PowerShell Get-LAPSADPassword cmdlet works, and providing a quick BOF to pull and decrypt msLAPS-EncryptedPassword.

🔗 https://blog.xpnsec.com/lapsv2-internals/

🐥 [ tweet ]
👍2
😈 [ zux0x3a, Lawrence ]

It is tricky to hide payload content inside an RDP connection file! With some observation, it could lead to a newer technique to use.

🔗 https://0xsp.com/offensive/navigating-embedded-payload-extraction-from-rdp-files-defence-evasion/

🐥 [ tweet ]
👍4🥱1
😈 [ _EthicalChaos_, CCob🏴󠁧󠁢󠁷󠁬󠁳󠁿 ]

Thanks to everyone who came to my DEF CON talk yesterday. I should have submitted for a 45 minute talk, as I didn't have time to cover the DNS update capability of the gssapi-abuse tool. DNS mode is super handy if you want to apply instant updates to AD DNS.

🔗 https://github.com/CCob/gssapi-abuse#dns-mode

🐥 [ tweet ]
👍1🔥1
😈 [ m417z, Michael Maltsev ]

It's common knowledge that the best source for Windows native API definitions is the collection of System Informer (formerly Process Hacker) phnt headers. Surprisingly, there were no online docs for them, so I created a simple website:

🔗 https://ntdoc.m417z.com/

🐥 [ tweet ]
🔥2
[ file ] NoFilter_Abusing_Windows_Filtering_Platform_for_privilege_escalation.pdf (1.8 MB)
😈 [ RonB_Y, Ron BY ]

Presenting my research at @defcon was incredible!
The repo for my tool #NoFilter is:

🔗 https://github.com/deepinstinct/NoFilter

The research will be published as a blog post soon.
#DEFCON #DEFCON31

🐥 [ tweet ]
🔥2
😈 [ assume_breach, assume_breach ]

I just published Home Grown Red Team: SMB Pivots With Havoc C2

An updated article for lateral movement with Havoc.

🔗 https://link.medium.com/Ap3Xk0HKjCb

🐥 [ tweet ]
🔥2