😈 [ Antonio Cocomazzi @splinter_code ]
Excited to share my hardest research about UAC 🤯
"Bypassing UAC with SSPI Datagram Contexts" 🔥
In a nutshell:
✅ Works on latest Windows 11 down to Windows 7
✅ Works on both domain-joined and non-domain-joined machines
✅ Works without using UI hacks or any auto Works without using UI hacks or any auto elevated binary/interface
✅ Works with maximum UAC level settings *Always Notify*
✅ Not a security boundary / Won’t Fix
Enjoy the read! 👇
🔗 https://splintercod3.blogspot.com/p/bypassing-uac-with-sspi-datagram.html
🐥 [ tweet ]
Excited to share my hardest research about UAC 🤯
"Bypassing UAC with SSPI Datagram Contexts" 🔥
In a nutshell:
✅ Works on latest Windows 11 down to Windows 7
✅ Works on both domain-joined and non-domain-joined machines
✅ Works without using UI hacks or any auto Works without using UI hacks or any auto elevated binary/interface
✅ Works with maximum UAC level settings *Always Notify*
✅ Not a security boundary / Won’t Fix
Enjoy the read! 👇
🔗 https://splintercod3.blogspot.com/p/bypassing-uac-with-sspi-datagram.html
🐥 [ tweet ]
🔥6
😈 [ SkelSec @SkelSec ]
Weeeee! My Defcon talk is now on Youtube!
🔗 https://www.youtube.com/watch?v=7oAZK8x_mL0
🔗 https://github.com/skelsec/wsnet
🔗 https://github.com/skelsec/wsnet-dotnet
🐥 [ tweet ]
Weeeee! My Defcon talk is now on Youtube!
🔗 https://www.youtube.com/watch?v=7oAZK8x_mL0
🔗 https://github.com/skelsec/wsnet
🔗 https://github.com/skelsec/wsnet-dotnet
🐥 [ tweet ]
@skelsec гений, indeed👍2🔥1
Offensive Xwitter
😈 [ SkelSec @SkelSec ] Weeeee! My Defcon talk is now on Youtube! 🔗 https://www.youtube.com/watch?v=7oAZK8x_mL0 🔗 https://github.com/skelsec/wsnet 🔗 https://github.com/skelsec/wsnet-dotnet 🐥 [ tweet ] @skelsec гений, indeed
Tamas Jos - Spooky authentication at a distance.pdf
3.6 MB
👍2🔥1
😈 [ Adam Chester 🏴☠️ @_xpn_ ]
My Okta for Red Teamers post is up! We look at how Kerberos SSO works, how to intercept credentials via a fake AD Agent, decrypting AD Agent tokens, adding skeleton key's, and even how to deploy a janky SAML IdP server to auth as any user for good measure.
🔗 https://www.trustedsec.com/blog/okta-for-red-teamers/
🐥 [ tweet ]
My Okta for Red Teamers post is up! We look at how Kerberos SSO works, how to intercept credentials via a fake AD Agent, decrypting AD Agent tokens, adding skeleton key's, and even how to deploy a janky SAML IdP server to auth as any user for good measure.
🔗 https://www.trustedsec.com/blog/okta-for-red-teamers/
🐥 [ tweet ]
🔥2
Offensive Xwitter
😈 [ Adam Chester 🏴☠️ @_xpn_ ] My Okta for Red Teamers post is up! We look at how Kerberos SSO works, how to intercept credentials via a fake AD Agent, decrypting AD Agent tokens, adding skeleton key's, and even how to deploy a janky SAML IdP server to auth…
😈 [ јаmеѕ ███████ @rotarydrone ]
Awesome stuff 🔥 The AD agent hijack here is much stealthier (and cooler) than injecting a DLL.
Here's a nim example for LogonUser hooking, ala PTASpy or @_xpn_'s blog on AADC for red teams. This also works for the AD agent:
🔗 https://gist.githubusercontent.com/rotarydrone/645f77f7e778da75800d1cde4013da2f/raw/a7a12e6e4529f4d09037ee6d908ead89500aa1ad/LogonUserSpy.nim
🐥 [ tweet ][ quote ]
Awesome stuff 🔥 The AD agent hijack here is much stealthier (and cooler) than injecting a DLL.
Here's a nim example for LogonUser hooking, ala PTASpy or @_xpn_'s blog on AADC for red teams. This also works for the AD agent:
🔗 https://gist.githubusercontent.com/rotarydrone/645f77f7e778da75800d1cde4013da2f/raw/a7a12e6e4529f4d09037ee6d908ead89500aa1ad/LogonUserSpy.nim
🐥 [ tweet ][ quote ]
🔥2
😈 [ Dylan Tran @d_tranman ]
Dug into call stacks spoofing for the past few months and wrote something. Hopefully this is helpful.
🔗 https://dtsec.us/2023-09-15-StackSpoofin/
🐥 [ tweet ]
Dug into call stacks spoofing for the past few months and wrote something. Hopefully this is helpful.
🔗 https://dtsec.us/2023-09-15-StackSpoofin/
🐥 [ tweet ]
🔥2
😈 [ Greg Darwin @gregdarwin ]
Cobalt Strike 4.9 is now live. This release adds UDRL support for post-ex DLLs, the ability to export Beacon without a reflective loader, support for callbacks, a Beacon data store and more. Check out the blog post for details:
🔗 https://www.cobaltstrike.com/blog/cobalt-strike-49-take-me-to-your-loader
🐥 [ tweet ]
Cobalt Strike 4.9 is now live. This release adds UDRL support for post-ex DLLs, the ability to export Beacon without a reflective loader, support for callbacks, a Beacon data store and more. Check out the blog post for details:
🔗 https://www.cobaltstrike.com/blog/cobalt-strike-49-take-me-to-your-loader
🐥 [ tweet ]
🔥2
Психанул, когда rpcclient в очередной раз сломался о старые протоколы, а сделать резолв имя↔️сид надо было здесь и сейчас:
🔗 https://github.com/fortra/impacket/pull/1618
🔗 https://github.com/fortra/impacket/pull/1618
GitHub
Add lookupname.py example by snovvcrash · Pull Request #1618 · fortra/impacket
A tiny example for hLsarLookupNames3 and hLsarLookupSids2 calls that I use when rpcclient refuses to work 😒
🔥8😁1
😈 [ Omri Baso @omri_baso ]
Any new novel technique I researched for lateral movement by stealing tokens while abusing the RPC named pipe \
🔗 https://medium.com/p/a23965e8227e
🐥 [ tweet ]
Any new novel technique I researched for lateral movement by stealing tokens while abusing the RPC named pipe \
\pipe\LSM_API_service🔗 https://medium.com/p/a23965e8227e
🐥 [ tweet ]
🔥1
😈 [ Rasta Mouse @_RastaMouse ]
Experimenting with a basic stage0 that allows you to roll your own implants and stage them from external C2 frameworks.
🔗 https://youtu.be/wvDm6Ro0g1g
🐥 [ tweet ]
Experimenting with a basic stage0 that allows you to roll your own implants and stage them from external C2 frameworks.
🔗 https://youtu.be/wvDm6Ro0g1g
🐥 [ tweet ]
🔥2
😈 [ MalDev Academy @MalDevAcademy ]
Our EXE loader is now available to everyone on GitHub:
We'll be uploading more repositories on our GitHub in the future.
🔗 https://github.com/Maldev-Academy/MaldevAcademyLdr.1
🐥 [ tweet ]
Our EXE loader is now available to everyone on GitHub:
We'll be uploading more repositories on our GitHub in the future.
🔗 https://github.com/Maldev-Academy/MaldevAcademyLdr.1
🐥 [ tweet ]
🔥1
😈 [ Louis Dion-Marcil @ldionmarcil ]
Outlook for Windows can be tricked into displaying a fake domain, but open another one. Add a <base> tag with a fake domain + left-to-right mark (U+200E)
Links in <a> tags will show the fake domain, but open the real domain.
No need to buy .zip! :) Convincing #phishing #redteam
🐥 [ tweet ]
Outlook for Windows can be tricked into displaying a fake domain, but open another one. Add a <base> tag with a fake domain + left-to-right mark (U+200E)
Links in <a> tags will show the fake domain, but open the real domain.
No need to buy .zip! :) Convincing #phishing #redteam
🐥 [ tweet ]
🔥5👍1🥱1
Хз че это, но все постят https://news.1rj.ru/str/OffensiveTwitter?boost
🥱16👍3
😈 [ Chris Thompson @_Mayyhem ]
The entire SCCM hierarchy is vulnerable to takeover from any primary site because by design, there is no security boundary between sites in the same hierarchy. Check out my new post to learn more about how this can be abused, mitigated, and detected!
🔗 https://posts.specterops.io/sccm-hierarchy-takeover-41929c61e087
🐥 [ tweet ]
The entire SCCM hierarchy is vulnerable to takeover from any primary site because by design, there is no security boundary between sites in the same hierarchy. Check out my new post to learn more about how this can be abused, mitigated, and detected!
🔗 https://posts.specterops.io/sccm-hierarchy-takeover-41929c61e087
🐥 [ tweet ]
🔥1
😈 [ Tobias Neitzel @qtc_de ]
Standing on the shoulders of giants like silverf0x and @tiraniddo I created rpv - a @v_language library for analyzing Windows RPC servers - and rpv-web as a browser based frontend. Very similar to #RpcView but also different 😉
🔗 https://github.com/qtc-de/rpv
🔗 https://github.com/qtc-de/rpv-web
🐥 [ tweet ]
Standing on the shoulders of giants like silverf0x and @tiraniddo I created rpv - a @v_language library for analyzing Windows RPC servers - and rpv-web as a browser based frontend. Very similar to #RpcView but also different 😉
🔗 https://github.com/qtc-de/rpv
🔗 https://github.com/qtc-de/rpv-web
🐥 [ tweet ]
👍1🔥1
😈 [ Rémi GASCOU (Podalirius) @podalirius_ ]
Today I'm releasing #LDAPWordlistHarvester, a new tool for generate a wordlist based on the LDAP, in order to crack passwords of domain accounts. 🥳
The generated wordlist cracked way more passwords than rockyou2021 on my latest client.
🔗 https://github.com/p0dalirius/LDAPWordlistHarvester
🐥 [ tweet ]
Today I'm releasing #LDAPWordlistHarvester, a new tool for generate a wordlist based on the LDAP, in order to crack passwords of domain accounts. 🥳
The generated wordlist cracked way more passwords than rockyou2021 on my latest client.
🔗 https://github.com/p0dalirius/LDAPWordlistHarvester
🐥 [ tweet ]
🔥4
Не проксичейнсом едины!
Так-так-так, други. Вангую, вы уже давно искали переносимую альтернативупидорский Golang?.. На удивление, такая альтернатива есть – вот чему сегодня научили коллеги:
🔗 https://github.com/hmgle/graftcp
Выше пример с неработавшим ранее (через проксичейнс) go-windapsearch ⏫
Так-так-так, други. Вангую, вы уже давно искали переносимую альтернативу
proxychains[-ng], да которая бы еще и работала не на LD_PRELOAD-хуках, чтобы уметь редиректить 🔗 https://github.com/hmgle/graftcp
Выше пример с неработавшим ранее (через проксичейнс) go-windapsearch ⏫
🔥13👍1
😈 [ Dominic Chell 👻 @domchell ]
Spent some time refreshing my memory on ETW TI tonight. As a red teamer it's really important to get a good understanding of what the defenders/EDRs can see. Using the excellent Havoc as an example, let's have a peak...
🔗 https://threadreaderapp.com/thread/1706772248802291929.html
🐥 [ tweet ]
Spent some time refreshing my memory on ETW TI tonight. As a red teamer it's really important to get a good understanding of what the defenders/EDRs can see. Using the excellent Havoc as an example, let's have a peak...
🔗 https://threadreaderapp.com/thread/1706772248802291929.html
🐥 [ tweet ]
🔥3