😈 [ eversinc33 @eversinc33 ]
Nice tool:) Reminded me of a script I wrote a while ago, which is for those environments where users have to change their pws every X months, resulting in passwords like January2022. The script simply uses the LDAP pwdLastSet attr to generate a wordlist.
🔗 https://github.com/eversinc33/CredGuess
🐥 [ tweet ][ quote ]
👍3
😈 [ Gabriel Landau @GabrielLandau ]
Watch me drop some still-unpatched Windows exploits at BlackHat:
✅ Bypass LSASS RunAsPPL
✅ Modify kernel memory
💥 Zero vulnerable drivers
Article:
🔗 http://tiny.cc/FVDX
Article #2:
🔗 http://tiny.cc/KillingPPLFault
Code:
🔗 https://github.com/gabriellandau/PPLFault
Talk:
🔗 https://youtu.be/5xteW8Tm410
🐥 [ tweet ]
👍1🔥1
😈 [ Csaba Fitzl @theevilbit ]
🎉🥁 The wait is over. Please welcome "Dock Tile Plugins" to the persistence club. My new favorite. 🤩 In the blog:
🍎 background and details
🍎 how to create and use
🍎 how to detect
🍎 sample code and binary
🔗 https://theevilbit.github.io/beyond/beyond_0032/
🐥 [ tweet ][ quote ]
🔥3
😈 [ Orange Cyberdefense Switzerland @orangecyberch ]
The correct IP address is sometimes all you need to exploit a remote target.
Want to know more? Have a look at the latest post by @plopz0r on our blog:
🔗 https://blog.scrt.ch/2023/09/25/exploiting-stale-adidns-entries/
🐥 [ tweet ]
👍3
😈 [ Chetan Nayak (Brute Ratel C4 Author) @NinjaParanoid ]
Here is my blog post detailing the secure hosting of a C2 infrastructure and the exploitation of various Azure services for C2 purposes:
🔗 https://0xdarkvortex.dev/c2-infra-on-azure/
🐥 [ tweet ]
👍3🤔1
😈 [ eversinc33 @eversinc33 ]
Wrote a blog post for my company on how we implement obfuscation for our C# post-exploitation arsenal. Discussing some detection opportunities and our ways around them. Special thx to @Flangvik for his video on SharpCollection, which is our pipeline's base.
🔗 https://www.r-tec.net/r-tec-blog-net-assembly-obfuscation-for-memory-scanner-evasion.html
🐥 [ tweet ]
🔥3
😈 [ Md Ismail Šojal @0x0SojalSec ]
The new cs.github.com search allows for regex, which means brand new regex GitHub Dorks are possible!
Eg, find SSH and FTP passwords via connection strings with:
/ssh:\/\/.*:.*@.*target\.com/
/ftp:\/\/.*:.*@.*target\.com/
🐥 [ tweet ]
🔥4
😈 [ 📔 Michael Grafnetter @MGrafnetter ]
Introducing a new offline variant of the Golden gMSA attack against AD with time shifting. Enables Pass-the-Hash and Silver Ticket attacks. Requires access to ntds.dit backup and works until a new KDS Root Key is generated. #DSInternals CC: @YuG0rd
🔗 https://www.dsinternals.com/en/dsinternals-v4.11/
🐥 [ tweet ]
🔥4
Recently I caught myself thinking that I had crafted a 31337 h4x0r prompt for zsh, yet on my work machine I still use the default one, because it is ugly to shove console screenshots with 100500 emoji into multi-million-dollar client reports: they would get it, I mean they would think, that some fool did the work. So I stole, I mean developed, this little novelty: an auto-hiding prompt, where after a command runs only the timestamp remains, which you can neatly paste into reports 🤓
🔗 https://github.com/snovvcrash/dotfiles-linux/blob/master/zsh/plugins/zsh-transient-prompt.zsh
👍11🔥4😁2
😈 [ D1rkMtr @D1rkMtr ]
My Humble Windows Defender Undetectable: Data Exfiltration project that Exfiltrates Personal Documents like: .doc .docx .xls .xlsx .ppt .pptx .pdf .jpeg .jpg .png .txt .json ...
Link to Project:
🔗 https://github.com/TheD1rkMtr/DocPlz
🐥 [ tweet ]
😁2👍1🥱1
😈 [ Rasta Mouse @_RastaMouse ]
[BLOG]
Taking a quick look at the new Aggressor callbacks in Cobalt Strike 4.9.
🔗 https://rastamouse.me/cobalt-strike-aggressor-callbacks/
🐥 [ tweet ]
👍2🔥1🤔1🤯1🥱1
😈 [ icyguider @icyguider ]
LatLoader is a PoC Havoc module that performs lateral movement via DLL sideloading while evading default Elastic EDR rules. Making it was a great learning exercise, and I'm hoping others can learn from it too. Enjoy! ✌️
🔗 https://github.com/icyguider/LatLoader
🔗 https://youtu.be/W0PZZPpsO6U
🐥 [ tweet ]
👍4🔥1😁1
Offensive Xwitter
A bit more zsh geekery before bed: if you have ever worked with large git repositories that have a huge commit history and big files in some branches, you may have noticed the prompt hanging when git status display is enabled (the one that transparently shows the current branch name, the state of staged files, etc.). This is because on every prompt redraw the shell runs git status under the hood. The amount of code responsible for these manipulations is genuinely mind-boggling (an example for oh-my-zsh is here). What can be done to optimize such tasks?
Smart people decided that certain tasks, such as processing the git repository status, can be moved into asynchronous jobs that run in the background, and wrote the zsh-async library. All that is left for us is to write a small plugin that uses this library to implement its own version of git_prompt_info. The result can be seen above using the huge Empire repo as an example: at the top the prompt is drawn synchronously, so the lag is visible when entering a directory with a git repository; at the bottom it is asynchronous, so the shell returns instantly and the git status is drawn in half a second later.
🔗 https://github.com/snovvcrash/dotfiles-linux/blob/master/zsh/plugins/async-git-info.zsh
🤯6🔥3😁1
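The async approach described in the post above, as an added example that is not the author's async-git-info plugin: a minimal zsh-async prompt that computes the git branch and dirty state in a background worker and redraws the prompt when the job finishes. It assumes mafredri/zsh-async is cloned to ~/.zsh/zsh-async (path and function names are my own assumptions).

```zsh
# Added example (not the channel author's plugin). Assumes zsh-async is
# available at the path below; adjust to where you cloned it.
source ~/.zsh/zsh-async/async.zsh

typeset -g ASYNC_GIT_INFO=""

# Runs inside the background worker: this is the slow part that used to
# block every prompt redraw.
_async_git_job() {
  cd -q "$1" || return 0
  local branch dirty=""
  branch=$(git symbolic-ref --short -q HEAD 2>/dev/null) \
    || branch=$(git rev-parse --short HEAD 2>/dev/null) \
    || return 0                       # not a git repo: print nothing
  # Any porcelain output means tracked files are modified or staged.
  [[ -n $(git status --porcelain --untracked-files=no 2>/dev/null | head -1) ]] \
    && dirty='*'
  print -r -- "${branch}${dirty}"
}

# Runs in the foreground when the worker reports back; only redraws the
# prompt if the result actually changed, to avoid needless flicker.
_async_git_callback() {
  # zsh-async passes: $1 job name, $2 return code, $3 stdout,
  # $4 exec time, $5 stderr, $6 has_next
  local output=$3
  if [[ $output != $ASYNC_GIT_INFO ]]; then
    ASYNC_GIT_INFO=$output
    zle && zle reset-prompt
  fi
}

# Before each prompt: drop any queued stale job and enqueue a fresh one.
# async_job returns immediately, so the prompt is never blocked.
_async_git_precmd() {
  async_flush_jobs git_worker
  async_job git_worker _async_git_job "$PWD"
}

# On directory change, clear the old repo's info until the new job lands.
_async_git_chpwd() { ASYNC_GIT_INFO=""; }

async_init
async_start_worker git_worker -n          # -n: notify via SIGWINCH
async_register_callback git_worker _async_git_callback
autoload -Uz add-zsh-hook
add-zsh-hook precmd _async_git_precmd
add-zsh-hook chpwd  _async_git_chpwd

setopt PROMPT_SUBST
PROMPT='%~ ${ASYNC_GIT_INFO:+(${ASYNC_GIT_INFO}) }%# '
```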
😈 [ Bobby Cooke @0xBoku ]
We just released Reflective Call Stack Detections and Evasions! This was co-authored by our @XForce Red intern Dylan Tran @d_tranman! Dylan is wicked smart and it was fun working with him! Check it out!🥷
🔗 https://securityintelligence.com/x-force/reflective-call-stack-detections-evasions/
🐥 [ tweet ]
😁1
😈 [ drm @lowercase_drm ]
pywerview v0.5.2 is out! It implements, among other things, the "simple authentication trick" to use the tool against hardened DCs and without installing a custom ldap3 lib.
🔗 https://github.com/the-useless-one/pywerview/commit/ba08fa2b29ef72ddc658d448465a8343f8536f6f
🐥 [ tweet ]
A very cool technique for authenticating to hardened LDAPS (with Channel Binding enforced) without having to install a patched version of ldap3 with this commit.
🔥3😁1
👹 [ sn🥶vvcr💥sh @snovvcrash ]
A mega cool trick indeed! It can be easily adopted for existing LDAP tooling, an example for @_dirkjan’s adidnsdump👆🏻
🐥 [ tweet ][ quote ]
🔥4😁2🥱1
😈 [ an0n @an0n_r0 ]
my favorite (and might be the most complete) wifi hacking guide (+pwnbox setup) by @Xst3nZ:
🔗 https://github.com/koutto/pi-pwnbox-rogueap/wiki
following this it was relatively easy to perform an evil twin attack after setting up a wpa-eap home lab (managed to capture a challenge using eaphammer 🙂).
🐥 [ tweet ]
👍6
😈 [ Felipe Molina @felmoltor ]
Great reading about Sliver and OSEP:
🔗 https://bishopfox.com/blog/passing-the-osep-exam-using-sliver
🐥 [ tweet ]
🔥10
😈 [ Maxime Meignan @th3m4ks ]
How to disable some parts of EDR’s telemetry on Windows 10? Just ask nicely!
See for more info about an interesting logic bug we found on Win10 that affects all EDRs 😉
🔗 https://www.riskinsight-wavestone.com/en/2023/10/a-universal-edr-bypass-built-in-windows-10/
🐥 [ tweet ]
🔥4
😈 [ drm @lowercase_drm ]
Another trick: LDAP signing but LDAPS is not configured? Use DIGEST-MD5 and signing!
🐥 [ tweet ][ quote ]
👍3🔥1