😈 [ Corben Leo @hacker_ ]
I've made $500k+ from #SSRF vulnerabilities.
Here are my tricks:
🔗 https://threadreaderapp.com/thread/1694554700555981176.html
🐥 [ tweet ]
👍5
😈 [ Matthew @embee_research ]
Unpacking .NET Malware Using Process Hacker and Dnspy.
An easy method to obtain unpacked .NET samples by leveraging Process Hacker to identify suspicious modules, and Dnspy to save them from memory.
🔗 https://embee-research.ghost.io/unpacking-net-malware-with-process-hacker/
🐥 [ tweet ]
👍3
😈 [ n00py @n00py1 ]
The craziest BloodHound art I've made yet (password sharing clusters)
🐥 [ tweet ]
Plagiarism; obviously that's the Hairy Bagel
🔥6
Offensive Xwitter
😈 [ Elliot @ElliotKillick ]
Perfect DLL Hijacking: It's now possible with the latest in security research. Building on previous insights from @NetSPI, we reverse engineer the Windows library loader to disable the infamous Loader Lock and achieve ShellExecute…
😈 [ Elliot @ElliotKillick ]
The full and open source code used in "Perfect DLL Hijacking" has now been released on GitHub: LdrLockLiberator
🔗 https://github.com/ElliotKillick/LdrLockLiberator
🐥 [ tweet ]
🔥2
😈 [ Almond OffSec @AlmondOffSec ]
Understanding the different types of LDAP authentication methods is fundamental to apprehend subjects such as relay attacks or countermeasures. This post by @lowercase_drm introduces them through the lens of Python libraries.
🔗 https://offsec.almond.consulting/ldap-authentication-in-active-directory-environments.html
🐥 [ tweet ]
🔥2
😈 [ sinusoid @the_bit_diddler ]
Ever wanted to create Defender exclusions non-interactively?
Support for local and remote systems? ✔️
Ability to revert said changes? ✔️
Support processes, paths, and extensions? ✔️
BOF? ✔️
C# ✔️
Code is public:
🔗 https://github.com/EspressoCake/DefenderPathExclusions
🔗 https://github.com/EspressoCake/Defender-Exclusions-Creator-BOF
🐥 [ tweet ]
🔥6
😈 [ Craig Rowland - Agentless Linux Security @CraigHRowland ]
Daily Linux whoami:
$(echo -e "\x2f\x75\x73\x72\x2f\x62\x69\x6e\x2f\x77\x68\x6f\x61\x6d\x69")   # the hex escapes decode to /usr/bin/whoami
🐥 [ tweet ]
😁5🔥1
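The one-liner above hides the binary name behind hex escapes that echo -e decodes inside a command substitution, so a detection that greps execve records or shell history for the literal string whoami never fires. As an added example, not part of the tweet and not Craig Rowland's code, the Python below decodes the \xHH and octal escapes understood by echo -e and by bash's $'...' quoting, peels the substitution wrappers, and only then matches the command line against a watchlist of recon binaries. It goes a little beyond the tweet's hex-only case by handling octal escapes and the $'...' form as well. The command lines it runs over are constructed for the example, and the watchlist and the wrapper patterns are this example's own heuristics, not something the tweet specifies.

```python
import re

# Escapes that echo -e and bash's $'...' quoting both understand and that can
# hide a path or binary name: \xHH (hex) and \NNN or \0NNN (octal).
_ESCAPE_RE = re.compile(r"\\x([0-9A-Fa-f]{1,2})|\\0?([0-7]{1,3})")

# $(echo -e ...) or `echo -e ...`, with any flag bundle containing e (-e, -ne).
# Heuristic: the echoed argument run may not itself contain ')' or '`'.
_ECHO_E_RE = re.compile(r"(?:\$\(|`)\s*echo\s+-[a-zA-Z]*e[a-zA-Z]*\s+([^)`]*?)\s*(?:\)|`)")

# ANSI-C quoting: $'...' is decoded by the shell itself, no echo needed.
_ANSI_C_RE = re.compile(r"\$'((?:[^'\\]|\\.)*)'")

# Shell metacharacters and quotes that separate command words.
_SHELL_SPLIT_RE = re.compile(r"""[\s;|&()`"']+""")


def decode_escapes(s: str) -> str:
    """'\\x2f\\x62\\x69\\x6e' -> '/bin'. Bytes above 0x7f become the matching
    code point, which is good enough for spotting ASCII paths."""
    def repl(m):
        code = int(m.group(1), 16) if m.group(1) is not None else int(m.group(2), 8)
        return chr(code)
    return _ESCAPE_RE.sub(repl, s)


def normalize_command(line: str) -> str:
    """Peel $'...' strings and echo -e substitutions until nothing changes,
    so nested layers (echo -e wrapping a $'...' argument) are decoded too."""
    def echo_repl(m):
        # decode the echoed arguments, then drop the quotes echo would have eaten
        return re.sub(r"""["']""", "", decode_escapes(m.group(1)))
    prev = None
    while prev != line:
        prev = line
        line = _ANSI_C_RE.sub(lambda m: decode_escapes(m.group(1)), line)
        line = _ECHO_E_RE.sub(echo_repl, line)
    return line


# Example watchlist of recon binaries (an assumption of this example).
WATCHLIST = frozenset({"whoami", "id", "uname", "curl", "wget", "nc", "base64"})


def flag_suspicious(lines, watchlist=WATCHLIST):
    """Return (raw, normalized, [matched binaries]) for every line whose
    decoded form invokes a watched binary, matched on the path basename."""
    hits = []
    for raw in lines:
        norm = normalize_command(raw)
        basenames = {tok.rsplit("/", 1)[-1] for tok in _SHELL_SPLIT_RE.split(norm) if tok}
        matched = sorted(basenames & set(watchlist))
        if matched:
            hits.append((raw, norm, matched))
    return hits


# Constructed execve-style command lines (not real audit logs): one benign,
# three disguising whoami, id and uname the way the tweet's one-liner does.
SAMPLE_COMMAND_LINES = [
    'bash -c "ls -la /tmp"',
    'bash -c "$(echo -e "\\x2f\\x75\\x73\\x72\\x2f\\x62\\x69\\x6e\\x2f\\x77\\x68\\x6f\\x61\\x6d\\x69")"',
    "bash -c \"$'\\x69\\x64' -u\"",
    "bash -c \"`echo -ne '\\165\\156\\141\\155\\145' -a`\"",
]

if __name__ == "__main__":
    for raw, norm, matched in flag_suspicious(SAMPLE_COMMAND_LINES):
        print(f"{matched}: {raw!r} -> {norm!r}")
```

Matching on the normalized line rather than the raw one is the whole point: the raw text of the second sample never contains "whoami". Running $'...' decoding before the echo -e pass matters for the nested case, where the shell would expand the ANSI-C string before echo ever sees it.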
😈 [ Antonio Cocomazzi @splinter_code ]
Do you want to start the RemoteRegistry service without Admin privileges? Just write into the "winreg" named pipe 👆
🐥 [ tweet ]
😈 [ Geiseric @Geiseric4 ]
Following @splinter_code's idea, you can also start RemoteRegistry remotely. This way you can check on which server DAs are connected, in case you want to dump their creds. This script could help:
It works from a low-privileged user 😉
🔗 https://gist.github.com/GeisericII/6849bc86620c7a764d88502df5187bd0
🐥 [ tweet ]
🔥4
😈 [ Thomas Seigneuret @_zblurx ]
New feature in #NetExec : S4U2Self and S4U2Proxy support and automation with --delegate and --self
It allows you to abuse KCD with protocol transition and RBCD automatically in NetExec, and use directly all the postex functionalities 🔥
For example with RBCD 👆🏻
🐥 [ tweet ]
🔥8👍1
😈 [ Antonio Cocomazzi @splinter_code ]
The slides of our joint research talk “10 Years of Windows Privilege Escalation with Potatoes” at #POC2023 are out!
cc @decoder_it
🔗 https://github.com/antonioCoco/infosec-talks/blob/main/10_years_of_Windows_Privilege_Escalation_with_Potatoes.pdf
🐥 [ tweet ]
🔥7
📎 10_years_of_Windows_Privilege_Escalation_with_Potatoes.pdf (1.6 MB)
🔥4
😈 [ уυηg ՏΝАΤ @yunginnanet ]
this was meant to be a simple debugging tool, but ended up being a full barebones, concurrent RFC1928 (SOCKS5) server. unnecessarily fast, very simple.
gophers that are interested in learning SOCKS5 protocol may find this useful (hopefully someone does)
🔗 https://gist.github.com/yunginnanet/c84f831a4ac39eada5609ce0319f8d54
🐥 [ tweet ]
🔥6
😈 [ 5pider @C5pider ]
LdrLibraryEx.
A small x64 library to load PEs into memory.
🔗 https://github.com/Cracked5pider/LdrLibraryEx
🐥 [ tweet ]
🔥3
😈 [ Charlie Clark @exploitph ]
Finally updated my RitM tool with the DES TGT session roasting code if anyone is interested.
Reminder, this isn't intended to be attack-ready code!
The attack is described in detail in my DES post (currently pinned to my profile).
🔗 https://github.com/0xe7/RoastInTheMiddle/pull/1
🐥 [ tweet ]
Thanks @Michaelzhm for the nudge 😅
🔥4👍1😁1
😈 [ S4ntiagoP @s4ntiago_p ]
🔥 New blogpost 🔥
Running PEs inline without a console.
You now can, for example, run PowerShell in CobaltStrike and obtain its output without spawning any process (including conhost.exe)
🔗 https://www.coresecurity.com/core-labs/articles/running-pes-inline-without-console
🐥 [ tweet ]
🔥4
😈 [ S3cur3Th1sSh1t @ShitSecure ]
Today I needed to decrypt Veeam stored credentials. As existing tooling failed and/or manual decryption for a lot of passwords was too much effort, I wrote a small assembly to do the whole job:
🔗 https://github.com/S3cur3Th1sSh1t/SharpVeeamDecryptor
🐥 [ tweet ]
👍3🔥1
😈 [ Rémi GASCOU (Podalirius) @podalirius_ ]
In my latest article, discover the depth of the msDS-KeyCredentialLink attribute used in ShadowCredentials attacks and how to parse it. Plus, discover a Python library, pydsinternals, that simplifies the parsing process.
Check it out ⤵️
🔗 https://podalirius.net/en/articles/parsing-the-msds-keycredentiallink-value-for-shadowcredentials-attack/
🐥 [ tweet ]
👍2
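The article above walks through the layout of msDS-KeyCredentialLink. As an added example, not the article's code and not pydsinternals, here is a minimal Python parser for one value of that attribute: it unwraps the DN-Binary syntax (B:<hex digit count>:<hex>:<DN>), walks the KEYCREDENTIALLINK_BLOB entry list (version 0x200 layout: 4-byte version, then Length(2) | Identifier(1) | Value entries per MS-ADTS 2.2.20), decodes the DeviceId GUID and FILETIME timestamps, and checks the two integrity fields a defender can use to spot a hand-crafted blob: KeyID must equal SHA-256 of KeyMaterial, and KeyHash must equal SHA-256 of every entry that follows it. The sample value is produced by the block's own builder with placeholder key material rather than a real RSA public key blob; the entry names are MS-ADTS names, the usage and source names beyond NGC and AD are this example's own labels.

```python
import hashlib
import struct
import uuid
from datetime import datetime, timedelta, timezone

# Entry identifiers of KEYCREDENTIALLINK_BLOB version 0x200 (MS-ADTS 2.2.20).
KEY_ENTRY_NAMES = {
    0x01: "KeyID", 0x02: "KeyHash", 0x03: "KeyMaterial", 0x04: "KeyUsage",
    0x05: "KeySource", 0x06: "DeviceId", 0x07: "CustomKeyInformation",
    0x08: "KeyApproximateLastLogonTimeStamp", 0x09: "KeyCreationTime",
}
KEYCREDENTIALLINK_VERSION = 0x00000200
KEY_USAGE_NGC = 0x01     # the usage a Shadow Credentials key is written with
KEY_SOURCE_AD = 0x00
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(raw: bytes) -> datetime:
    """FILETIME: little-endian count of 100 ns ticks since 1601-01-01 UTC."""
    (ticks,) = struct.unpack("<Q", raw)
    return EPOCH_1601 + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(dt: datetime) -> bytes:
    ticks = int((dt - EPOCH_1601).total_seconds()) * 10_000_000
    return struct.pack("<Q", ticks)


def parse_entries(blob: bytes):
    """Walk the Length(2) | Identifier(1) | Value(Length) entry list."""
    (version,) = struct.unpack_from("<I", blob, 0)
    if version != KEYCREDENTIALLINK_VERSION:
        raise ValueError(f"unsupported KeyCredentialLink version 0x{version:08x}")
    entries, offset = [], 4
    while offset < len(blob):
        length, ident = struct.unpack_from("<HB", blob, offset)
        value = blob[offset + 3: offset + 3 + length]
        if len(value) != length:
            raise ValueError(f"truncated entry 0x{ident:02x} at offset {offset}")
        entries.append((ident, value, offset))
        offset += 3 + length
    return entries


def parse_keycredentiallink(dn_binary: str) -> dict:
    """Parse one msDS-KeyCredentialLink value in DN-Binary syntax
    (B:<hex digit count>:<hex>:<DN>) and verify its two hashes."""
    tag, count, hexdata, dn = dn_binary.split(":", 3)
    if tag != "B" or int(count) != len(hexdata):
        raise ValueError("not a well-formed DN-Binary value")
    blob = bytes.fromhex(hexdata)
    raw = {}
    result = {"dn": dn, "entries": raw}
    for ident, value, offset in parse_entries(blob):
        raw[KEY_ENTRY_NAMES.get(ident, f"Unknown_0x{ident:02x}")] = value
        if ident == 0x02:
            # KeyHash is SHA-256 over every entry that follows the KeyHash entry
            following = blob[offset + 3 + len(value):]
            result["key_hash_ok"] = value == hashlib.sha256(following).digest()
    key_material = raw.get("KeyMaterial", b"")
    result["key_material"] = key_material
    # KeyID is SHA-256 of the KeyMaterial value in version 0x200 blobs
    result["key_id_ok"] = raw.get("KeyID") == hashlib.sha256(key_material).digest()
    usage = raw.get("KeyUsage", b"\x00")[0]
    result["key_usage"] = "NGC" if usage == KEY_USAGE_NGC else f"0x{usage:02x}"
    result["key_source"] = "AD" if raw.get("KeySource", b"\x00")[0] == KEY_SOURCE_AD else "other"
    if "DeviceId" in raw:
        result["device_id"] = str(uuid.UUID(bytes_le=raw["DeviceId"]))
    for name, key in (("KeyCreationTime", "creation_time"),
                      ("KeyApproximateLastLogonTimeStamp", "last_logon")):
        if name in raw:
            result[key] = filetime_to_datetime(raw[name])
    return result


def build_keycredentiallink(key_material: bytes, device_id: uuid.UUID,
                            created: datetime, dn: str) -> str:
    """Serialise a blob laid out like an NGC key entry list, for test input."""
    def entry(ident: int, value: bytes) -> bytes:
        return struct.pack("<HB", len(value), ident) + value
    tail = (entry(0x03, key_material)
            + entry(0x04, bytes([KEY_USAGE_NGC]))
            + entry(0x05, bytes([KEY_SOURCE_AD]))
            + entry(0x06, device_id.bytes_le)
            + entry(0x08, datetime_to_filetime(created))
            + entry(0x09, datetime_to_filetime(created)))
    head = (entry(0x01, hashlib.sha256(key_material).digest())
            + entry(0x02, hashlib.sha256(tail).digest()))
    blob = struct.pack("<I", KEYCREDENTIALLINK_VERSION) + head + tail
    hexdata = blob.hex().upper()
    return f"B:{len(hexdata)}:{hexdata}:{dn}"


# Constructed sample: the key material is a placeholder, not a real RSA key blob.
SAMPLE_KEY_MATERIAL = b"RSA1" + bytes(range(64))
SAMPLE_DEVICE_ID = uuid.UUID("12345678-1234-5678-1234-567812345678")
SAMPLE_CREATED = datetime(2023, 9, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_DN = "CN=WS01,OU=Workstations,DC=corp,DC=local"
SAMPLE_VALUE = build_keycredentiallink(SAMPLE_KEY_MATERIAL, SAMPLE_DEVICE_ID, SAMPLE_CREATED, SAMPLE_DN)

if __name__ == "__main__":
    for k, v in parse_keycredentiallink(SAMPLE_VALUE).items():
        if k != "entries":
            print(f"{k}: {v}")
```

Feed it a value read from the directory (for instance the string LDAP returns for msDS-KeyCredentialLink) and the two booleans tell you whether the blob is internally consistent; the DeviceId and KeyCreationTime are the fields worth correlating against the computer's real enrolment when hunting for a key that was added out of band.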
😈 [ an0n @an0n_r0 ]
playing against an #AV/#EDR: when almost everything failed, finally, loaded @chvancooten's #NimPlant using my custom stager based on @hasherezade's libPeConv and managed to execute what I wanted, #Rubeus with built-in execute-assembly (#AMSI bypass + #ETW block). never give up :)
🐥 [ tweet ]
And who was it that made execute-assembly, huh, huh, huh
👍7🤔1