Offensive Xwitter
😈 [ Adam Chester 🏴☠️ @_xpn_ ] My Okta for Red Teamers post is up! We look at how Kerberos SSO works, how to intercept credentials via a fake AD Agent, decrypting AD Agent tokens, adding skeleton key's, and even how to deploy a janky SAML IdP server to auth…
😈 [ јаmеѕ ███████ @rotarydrone ]
Awesome stuff 🔥 The AD agent hijack here is much stealthier (and cooler) than injecting a DLL.
Here's a nim example for LogonUser hooking, ala PTASpy or @_xpn_'s blog on AADC for red teams. This also works for the AD agent:
🔗 https://gist.githubusercontent.com/rotarydrone/645f77f7e778da75800d1cde4013da2f/raw/a7a12e6e4529f4d09037ee6d908ead89500aa1ad/LogonUserSpy.nim
🐥 [ tweet ][ quote ]
Awesome stuff 🔥 The AD agent hijack here is much stealthier (and cooler) than injecting a DLL.
Here's a nim example for LogonUser hooking, ala PTASpy or @_xpn_'s blog on AADC for red teams. This also works for the AD agent:
🔗 https://gist.githubusercontent.com/rotarydrone/645f77f7e778da75800d1cde4013da2f/raw/a7a12e6e4529f4d09037ee6d908ead89500aa1ad/LogonUserSpy.nim
🐥 [ tweet ][ quote ]
🔥2
😈 [ Dylan Tran @d_tranman ]
Dug into call stacks spoofing for the past few months and wrote something. Hopefully this is helpful.
🔗 https://dtsec.us/2023-09-15-StackSpoofin/
🐥 [ tweet ]
Dug into call stacks spoofing for the past few months and wrote something. Hopefully this is helpful.
🔗 https://dtsec.us/2023-09-15-StackSpoofin/
🐥 [ tweet ]
🔥2
😈 [ Greg Darwin @gregdarwin ]
Cobalt Strike 4.9 is now live. This release adds UDRL support for post-ex DLLs, the ability to export Beacon without a reflective loader, support for callbacks, a Beacon data store and more. Check out the blog post for details:
🔗 https://www.cobaltstrike.com/blog/cobalt-strike-49-take-me-to-your-loader
🐥 [ tweet ]
Cobalt Strike 4.9 is now live. This release adds UDRL support for post-ex DLLs, the ability to export Beacon without a reflective loader, support for callbacks, a Beacon data store and more. Check out the blog post for details:
🔗 https://www.cobaltstrike.com/blog/cobalt-strike-49-take-me-to-your-loader
🐥 [ tweet ]
🔥2
Психанул, когда rpcclient в очередной раз сломался о старые протоколы, а сделать резолв имя↔️сид надо было здесь и сейчас:
🔗 https://github.com/fortra/impacket/pull/1618
🔗 https://github.com/fortra/impacket/pull/1618
GitHub
Add lookupname.py example by snovvcrash · Pull Request #1618 · fortra/impacket
A tiny example for hLsarLookupNames3 and hLsarLookupSids2 calls that I use when rpcclient refuses to work 😒
🔥8😁1
😈 [ Omri Baso @omri_baso ]
Any new novel technique I researched for lateral movement by stealing tokens while abusing the RPC named pipe \
🔗 https://medium.com/p/a23965e8227e
🐥 [ tweet ]
Any new novel technique I researched for lateral movement by stealing tokens while abusing the RPC named pipe \
\pipe\LSM_API_service🔗 https://medium.com/p/a23965e8227e
🐥 [ tweet ]
🔥1
😈 [ Rasta Mouse @_RastaMouse ]
Experimenting with a basic stage0 that allows you to roll your own implants and stage them from external C2 frameworks.
🔗 https://youtu.be/wvDm6Ro0g1g
🐥 [ tweet ]
Experimenting with a basic stage0 that allows you to roll your own implants and stage them from external C2 frameworks.
🔗 https://youtu.be/wvDm6Ro0g1g
🐥 [ tweet ]
🔥2
😈 [ MalDev Academy @MalDevAcademy ]
Our EXE loader is now available to everyone on GitHub:
We'll be uploading more repositories on our GitHub in the future.
🔗 https://github.com/Maldev-Academy/MaldevAcademyLdr.1
🐥 [ tweet ]
Our EXE loader is now available to everyone on GitHub:
We'll be uploading more repositories on our GitHub in the future.
🔗 https://github.com/Maldev-Academy/MaldevAcademyLdr.1
🐥 [ tweet ]
🔥1
😈 [ Louis Dion-Marcil @ldionmarcil ]
Outlook for Windows can be tricked into displaying a fake domain, but open another one. Add a <base> tag with a fake domain + left-to-right mark (U+200E)
Links in <a> tags will show the fake domain, but open the real domain.
No need to buy .zip! :) Convincing #phishing #redteam
🐥 [ tweet ]
Outlook for Windows can be tricked into displaying a fake domain, but open another one. Add a <base> tag with a fake domain + left-to-right mark (U+200E)
Links in <a> tags will show the fake domain, but open the real domain.
No need to buy .zip! :) Convincing #phishing #redteam
🐥 [ tweet ]
🔥5👍1🥱1
Хз че это, но все постят https://news.1rj.ru/str/OffensiveTwitter?boost
🥱16👍3
😈 [ Chris Thompson @_Mayyhem ]
The entire SCCM hierarchy is vulnerable to takeover from any primary site because by design, there is no security boundary between sites in the same hierarchy. Check out my new post to learn more about how this can be abused, mitigated, and detected!
🔗 https://posts.specterops.io/sccm-hierarchy-takeover-41929c61e087
🐥 [ tweet ]
The entire SCCM hierarchy is vulnerable to takeover from any primary site because by design, there is no security boundary between sites in the same hierarchy. Check out my new post to learn more about how this can be abused, mitigated, and detected!
🔗 https://posts.specterops.io/sccm-hierarchy-takeover-41929c61e087
🐥 [ tweet ]
🔥1
😈 [ Tobias Neitzel @qtc_de ]
Standing on the shoulders of giants like silverf0x and @tiraniddo I created rpv - a @v_language library for analyzing Windows RPC servers - and rpv-web as a browser based frontend. Very similar to #RpcView but also different 😉
🔗 https://github.com/qtc-de/rpv
🔗 https://github.com/qtc-de/rpv-web
🐥 [ tweet ]
Standing on the shoulders of giants like silverf0x and @tiraniddo I created rpv - a @v_language library for analyzing Windows RPC servers - and rpv-web as a browser based frontend. Very similar to #RpcView but also different 😉
🔗 https://github.com/qtc-de/rpv
🔗 https://github.com/qtc-de/rpv-web
🐥 [ tweet ]
👍1🔥1
😈 [ Rémi GASCOU (Podalirius) @podalirius_ ]
Today I'm releasing #LDAPWordlistHarvester, a new tool for generate a wordlist based on the LDAP, in order to crack passwords of domain accounts. 🥳
The generated wordlist cracked way more passwords than rockyou2021 on my latest client.
🔗 https://github.com/p0dalirius/LDAPWordlistHarvester
🐥 [ tweet ]
Today I'm releasing #LDAPWordlistHarvester, a new tool for generate a wordlist based on the LDAP, in order to crack passwords of domain accounts. 🥳
The generated wordlist cracked way more passwords than rockyou2021 on my latest client.
🔗 https://github.com/p0dalirius/LDAPWordlistHarvester
🐥 [ tweet ]
🔥4
Не проксичейнсом едины!
Так-так-так, други. Вангую, вы уже давно искали переносимую альтернативупидорский Golang?.. На удивление, такая альтернатива есть – вот чему сегодня научили коллеги:
🔗 https://github.com/hmgle/graftcp
Выше пример с неработавшим ранее (через проксичейнс) go-windapsearch ⏫
Так-так-так, други. Вангую, вы уже давно искали переносимую альтернативу
proxychains[-ng], да которая бы еще и работала не на LD_PRELOAD-хуках, чтобы уметь редиректить 🔗 https://github.com/hmgle/graftcp
Выше пример с неработавшим ранее (через проксичейнс) go-windapsearch ⏫
🔥13👍1
😈 [ Dominic Chell 👻 @domchell ]
Spent some time refreshing my memory on ETW TI tonight. As a red teamer it's really important to get a good understanding of what the defenders/EDRs can see. Using the excellent Havoc as an example, let's have a peak...
🔗 https://threadreaderapp.com/thread/1706772248802291929.html
🐥 [ tweet ]
Spent some time refreshing my memory on ETW TI tonight. As a red teamer it's really important to get a good understanding of what the defenders/EDRs can see. Using the excellent Havoc as an example, let's have a peak...
🔗 https://threadreaderapp.com/thread/1706772248802291929.html
🐥 [ tweet ]
🔥3
Offensive Xwitter
Куdos коллегам из Awillix (@justsecurity) и всем причастным за крутую инициативу Pentest Award – было приятно посоревноваться, поддержать такое уникальное начинание, как первая премия для пентестеров, и в аналоговом мире поздороваться с топовым спецами) Как…
Ксакеп порционно публикует райтапы:
🔗 https://xakep.ru/2023/09/21/perimeter-silver/
🔗 https://xakep.ru/2023/09/22/seedr-hack/
🔗 https://xakep.ru/2023/09/27/pentest-award-bypass/ (мама, я в телевизоре)
🔗 https://xakep.ru/2023/09/29/fuck-the-logic/
🔗 https://xakep.ru/2023/10/03/macos-lpe/
🔗 https://xakep.ru/2023/09/21/perimeter-silver/
🔗 https://xakep.ru/2023/09/22/seedr-hack/
🔗 https://xakep.ru/2023/09/27/pentest-award-bypass/ (мама, я в телевизоре)
🔗 https://xakep.ru/2023/09/29/fuck-the-logic/
🔗 https://xakep.ru/2023/10/03/macos-lpe/
🔥13👍1
😈 [ Orange Cyberdefense's SensePost Team @sensepost ]
Traditional methods of blinding EDR's are to remove hooks. In this post @vikingfr investigates a new technique (and tool) for blinding an EDR in kernel land by limiting connections to the EDR driver's filter communication port.
🔗 https://sensepost.com/blog/2023/filter-mute-operation-investigating-edr-internal-communication/
🔗 https://v1k1ngfr.github.io/edrsnowblast/
🐥 [ tweet ]
Traditional methods of blinding EDR's are to remove hooks. In this post @vikingfr investigates a new technique (and tool) for blinding an EDR in kernel land by limiting connections to the EDR driver's filter communication port.
🔗 https://sensepost.com/blog/2023/filter-mute-operation-investigating-edr-internal-communication/
🔗 https://v1k1ngfr.github.io/edrsnowblast/
🐥 [ tweet ]
ультра интересно про препятствие взаимодействия подсистем user mode <-> kernel mode EDR, ослепление последнего без вайпа ядерных колбеков🔗 https://ppn.snovvcrash.rocks/pentest/infrastructure/ad/av-edr-evasion/byovd
ссылочки про BYOVD я коллекционирую вот тут:
👍6🔥1
😈 [ HADESS @Hadess_security ]
The Art Of Hiding In Windows: techniques used by malicious actors to obscure their activities, making detection and analysis significantly more challenging for security professionals.
Article:
🔗 https://hadess.io/the-art-of-hiding-in-windows/
EBook:
🔗 https://hadess.io/the-art-of-hiding-in-windows-ebook/
#windows #redteam
🐥 [ tweet ]
The Art Of Hiding In Windows: techniques used by malicious actors to obscure their activities, making detection and analysis significantly more challenging for security professionals.
Article:
🔗 https://hadess.io/the-art-of-hiding-in-windows/
EBook:
🔗 https://hadess.io/the-art-of-hiding-in-windows-ebook/
#windows #redteam
🐥 [ tweet ]
(pdf-ка в комментах)👍2🔥2
😈 [ eversinc33 @eversinc33 ]
Nice tool:) Reminded me of a noscript I wrote a while ago, which is for those environments where users have to change their pws every X months, resulting in passwords like January2022. The noscript simply uses the LDAP pwdLastSet attr to generate a wordlist.
🔗 https://github.com/eversinc33/CredGuess
🐥 [ tweet ][ quote ]
Nice tool:) Reminded me of a noscript I wrote a while ago, which is for those environments where users have to change their pws every X months, resulting in passwords like January2022. The noscript simply uses the LDAP pwdLastSet attr to generate a wordlist.
🔗 https://github.com/eversinc33/CredGuess
🐥 [ tweet ][ quote ]
👍3
😈 [ Gabriel Landau @GabrielLandau ]
Watch me drop some still-unpatched Windows exploits at BlackHat:
✅ Bypass LSASS RunAsPPL
✅ Modify kernel memory
💥 Zero vulnerable drivers
Article:
🔗 http://tiny.cc/FVDX
Article #2:
🔗 http://tiny.cc/KillingPPLFault
Code:
🔗 https://github.com/gabriellandau/PPLFault
Talk:
🔗 https://youtu.be/5xteW8Tm410
🐥 [ tweet ]
Watch me drop some still-unpatched Windows exploits at BlackHat:
✅ Bypass LSASS RunAsPPL
✅ Modify kernel memory
💥 Zero vulnerable drivers
Article:
🔗 http://tiny.cc/FVDX
Article #2:
🔗 http://tiny.cc/KillingPPLFault
Code:
🔗 https://github.com/gabriellandau/PPLFault
Talk:
🔗 https://youtu.be/5xteW8Tm410
🐥 [ tweet ]
👍1🔥1