😈 [ Almond OffSec @AlmondOffSec ]
Understanding the different types of LDAP authentication methods is fundamental to apprehend subjects such as relay attacks or countermeasures. This post by @lowercase_drm introduces them through the lens of Python libraries.
🔗 https://offsec.almond.consulting/ldap-authentication-in-active-directory-environments.html
🐥 [ tweet ]
Understanding the different types of LDAP authentication methods is fundamental to apprehend subjects such as relay attacks or countermeasures. This post by @lowercase_drm introduces them through the lens of Python libraries.
🔗 https://offsec.almond.consulting/ldap-authentication-in-active-directory-environments.html
🐥 [ tweet ]
🔥2
😈 [ sinusoid @the_bit_diddler ]
Ever wanted to create Defender exclusions non-interactively?
Support for local and remote systems? ✔️
Ability to revert said changes? ✔️
Support processes, paths, and extensions? ✔️
BOF? ✔️
C# ✔️
Code is public:
🔗 https://github.com/EspressoCake/DefenderPathExclusions
🔗 https://github.com/EspressoCake/Defender-Exclusions-Creator-BOF
🐥 [ tweet ]
Ever wanted to create Defender exclusions non-interactively?
Support for local and remote systems? ✔️
Ability to revert said changes? ✔️
Support processes, paths, and extensions? ✔️
BOF? ✔️
C# ✔️
Code is public:
🔗 https://github.com/EspressoCake/DefenderPathExclusions
🔗 https://github.com/EspressoCake/Defender-Exclusions-Creator-BOF
🐥 [ tweet ]
🔥6
😈 [ Craig Rowland - Agentless Linux Security @CraigHRowland ]
Daily Linux whoami:
🐥 [ tweet ]
Daily Linux whoami:
$(echo -e "\x2f\x75\x73\x72\x2f\x62\x69\x6e\x2f\x77\x68\x6f\x61\x6d\x69")
🐥 [ tweet ]
😁5🔥1
Offensive Xwitter
😈 [ Antonio Cocomazzi @splinter_code ] Do you want to start the RemoteRegistry service without Admin privileges? Just write into the "winreg" named pipe 👆 🐥 [ tweet ]
😈 [ Geiseric @Geiseric4 ]
Following @splinter_code idea, you can also start RemoteRegistry remotely. This way you can check on which server DAs are connected, in case you want dump their creds. This noscript could help:
It works from low privileged user 😉
🔗 https://gist.github.com/GeisericII/6849bc86620c7a764d88502df5187bd0
🐥 [ tweet ]
Following @splinter_code idea, you can also start RemoteRegistry remotely. This way you can check on which server DAs are connected, in case you want dump their creds. This noscript could help:
It works from low privileged user 😉
🔗 https://gist.github.com/GeisericII/6849bc86620c7a764d88502df5187bd0
🐥 [ tweet ]
🔥4
😈 [ Thomas Seigneuret @_zblurx ]
New feature in #NetExec : S4U2Self and S4U2Proxy support and automation with --delegate and --self
It allows you to abuse KCD with protocol transition and RBCD automatically in NetExec, and use directly all the postex functionalities 🔥
For example with RBCD 👆🏻
🐥 [ tweet ]
New feature in #NetExec : S4U2Self and S4U2Proxy support and automation with --delegate and --self
It allows you to abuse KCD with protocol transition and RBCD automatically in NetExec, and use directly all the postex functionalities 🔥
For example with RBCD 👆🏻
🐥 [ tweet ]
🔥8👍1
😈 [ Antonio Cocomazzi @splinter_code ]
The slides of our joint research talk “10 Years of Windows Privilege Escalation with Potatoes” at #POC2023 are out!
cc @decoder_it
🔗 https://github.com/antonioCoco/infosec-talks/blob/main/10_years_of_Windows_Privilege_Escalation_with_Potatoes.pdf
🐥 [ tweet ]
The slides of our joint research talk “10 Years of Windows Privilege Escalation with Potatoes” at #POC2023 are out!
cc @decoder_it
🔗 https://github.com/antonioCoco/infosec-talks/blob/main/10_years_of_Windows_Privilege_Escalation_with_Potatoes.pdf
🐥 [ tweet ]
🔥7
Offensive Xwitter
😈 [ Antonio Cocomazzi @splinter_code ] The slides of our joint research talk “10 Years of Windows Privilege Escalation with Potatoes” at #POC2023 are out! cc @decoder_it 🔗 https://github.com/antonioCoco/infosec-talks/blob/main/10_years_of_Windows_Priv…
10_years_of_Windows_Privilege_Escalation_with_Potatoes.pdf
1.6 MB
🔥4
😈 [ уυηg ՏΝАΤ @yunginnanet ]
this was meant to be a simple debugging tool, but ended up being a full barebones, concurrent RFC1928 (SOCKS5) server. unnecessarily fast, very simple.
gophers that are interested in learning SOCKS5 protocol may find this useful (hopefully someone does)
🔗 https://gist.github.com/yunginnanet/c84f831a4ac39eada5609ce0319f8d54
🐥 [ tweet ]
this was meant to be a simple debugging tool, but ended up being a full barebones, concurrent RFC1928 (SOCKS5) server. unnecessarily fast, very simple.
gophers that are interested in learning SOCKS5 protocol may find this useful (hopefully someone does)
🔗 https://gist.github.com/yunginnanet/c84f831a4ac39eada5609ce0319f8d54
🐥 [ tweet ]
🔥6
😈 [ 5pider @C5pider ]
LdrLibraryEx.
A small x64 library to load PEs into memory.
🔗 https://github.com/Cracked5pider/LdrLibraryEx
🐥 [ tweet ]
LdrLibraryEx.
A small x64 library to load PEs into memory.
🔗 https://github.com/Cracked5pider/LdrLibraryEx
🐥 [ tweet ]
🔥3
😈 [ Charlie Clark @exploitph ]
Finally updated my RitM tool with the DES TGT session roasting code if anyone is interested.
Reminder, this isn't intended to be attack-ready code!
The attack is described in detail in my DES post (currently pinned to my profile).
🔗 https://github.com/0xe7/RoastInTheMiddle/pull/1
🐥 [ tweet ]
спасибо @Michaelzhm, что пнул 😅
Finally updated my RitM tool with the DES TGT session roasting code if anyone is interested.
Reminder, this isn't intended to be attack-ready code!
The attack is described in detail in my DES post (currently pinned to my profile).
🔗 https://github.com/0xe7/RoastInTheMiddle/pull/1
🐥 [ tweet ]
спасибо @Michaelzhm, что пнул 😅
🔥4👍1😁1
😈 [ S4ntiagoP @s4ntiago_p ]
🔥 New blogpost 🔥
Running PEs inline without a console.
You now can, for example, run PowerShell in CobaltStrike and obtain its output without spawning any process (including conhost.exe)
🔗 https://www.coresecurity.com/core-labs/articles/running-pes-inline-without-console
🐥 [ tweet ]
🔥 New blogpost 🔥
Running PEs inline without a console.
You now can, for example, run PowerShell in CobaltStrike and obtain its output without spawning any process (including conhost.exe)
🔗 https://www.coresecurity.com/core-labs/articles/running-pes-inline-without-console
🐥 [ tweet ]
🔥4
😈 [ S3cur3Th1sSh1t @ShitSecure ]
Today I needed to decrypt Veeam stored credentials. As existing toolings failed and/or manual decryption for a lot of passwords was too much effort I wrote a small assembly to do the whole job:
🔗 https://github.com/S3cur3Th1sSh1t/SharpVeeamDecryptor
🐥 [ tweet ]
Today I needed to decrypt Veeam stored credentials. As existing toolings failed and/or manual decryption for a lot of passwords was too much effort I wrote a small assembly to do the whole job:
🔗 https://github.com/S3cur3Th1sSh1t/SharpVeeamDecryptor
🐥 [ tweet ]
👍3🔥1
😈 [ Rémi GASCOU (Podalirius) @podalirius_ ]
In my latest article, discover the depth of the msDS-KeyCredentialLink attribute used in ShadowCredentials attacks and how to parse it. Plus, discover a Python library, pydsinternals, that simplifies the parsing process.
Check it out ⤵️
🔗 https://podalirius.net/en/articles/parsing-the-msds-keycredentiallink-value-for-shadowcredentials-attack/
🐥 [ tweet ]
In my latest article, discover the depth of the msDS-KeyCredentialLink attribute used in ShadowCredentials attacks and how to parse it. Plus, discover a Python library, pydsinternals, that simplifies the parsing process.
Check it out ⤵️
🔗 https://podalirius.net/en/articles/parsing-the-msds-keycredentiallink-value-for-shadowcredentials-attack/
🐥 [ tweet ]
👍2
😈 [ an0n @an0n_r0 ]
playing against an #AV/#EDR: when almost everything failed, finally, loaded @chvancooten's #NimPlant using my custom stager based on @hasherezade's libPeConv and managed to execute what I wanted, #Rubeus with built-in execute-assembly (#AMSI bypass + #ETW block). never give up :)
🐥 [ tweet ]
playing against an #AV/#EDR: when almost everything failed, finally, loaded @chvancooten's #NimPlant using my custom stager based on @hasherezade's libPeConv and managed to execute what I wanted, #Rubeus with built-in execute-assembly (#AMSI bypass + #ETW block). never give up :)
🐥 [ tweet ]
а кто сделал-то execute-assembly а а а👍7🤔1
😈 [ Matt Creel @Tw1sm ]
New post 👇
Taking a look at compromising Slack access on both Windows and macOS. New BOF included!
🔗 https://posts.specterops.io/abusing-slack-for-offensive-operations-part-2-19fef38cc967
🐥 [ tweet ]
New post 👇
Taking a look at compromising Slack access on both Windows and macOS. New BOF included!
🔗 https://posts.specterops.io/abusing-slack-for-offensive-operations-part-2-19fef38cc967
🐥 [ tweet ]
🔥2
Offensive Xwitter
😈 [ S3cur3Th1sSh1t @ShitSecure ] Today I needed to decrypt Veeam stored credentials. As existing toolings failed and/or manual decryption for a lot of passwords was too much effort I wrote a small assembly to do the whole job: 🔗 https://github.com/S3cur…
😈 [ an0n @an0n_r0 ]
super useful, thanks ;) actually, the best manual post-exploitation decryption howto is provided by Veeam itself: :)
🔗 https://www.veeam.com/kb4349
🐥 [ tweet ]
super useful, thanks ;) actually, the best manual post-exploitation decryption howto is provided by Veeam itself: :)
🔗 https://www.veeam.com/kb4349
🐥 [ tweet ]
🔥3
😈 [ Nick VanGilder @nickvangilder ]
Red teamers: Early on in my offensive security career, I relied heavily on popular C2 frameworks like Metasploit, PowerShell Empire, Cobalt Strike, etc. during my engagements. I’m sure this is probably fairly common for many of us in this space. However, somewhere along the way, it began to bother me that I didn’t really understand how C2 frameworks worked “under the hood”. So, I set out to address that. For better or worse, I decided that the solution to the problem was to write my own (very basic) C2 framework. I didn’t do this because I felt that the community needed yet another C2 framework (it doesn’t, and it definitely doesn’t need mine). I did it so that I could better understand key, foundational C2 concepts and improve my own personal red team tradecraft. The process of designing and coding a simple C2 framework actually helped me more than I had planned, and I wish I had done it sooner.
Takeaway: if you are in the offensive security space and using OSTs created by others, I would highly encourage you to carve out time to learn how these tools work under the hood. I can promise you that you will learn a lot by doing this.
If you want to check out my C2 framework or use it has a starting point for developing your own, please feel free. You can find the "Most Average C2 Ever" on GitHub, here:
🔗 https://github.com/nickvangilder/most-average-c2-ever
If I can do it, you can do it. (And yes, I'm a terrible coder, but it works!)
🐥 [ tweet ]
Red teamers: Early on in my offensive security career, I relied heavily on popular C2 frameworks like Metasploit, PowerShell Empire, Cobalt Strike, etc. during my engagements. I’m sure this is probably fairly common for many of us in this space. However, somewhere along the way, it began to bother me that I didn’t really understand how C2 frameworks worked “under the hood”. So, I set out to address that. For better or worse, I decided that the solution to the problem was to write my own (very basic) C2 framework. I didn’t do this because I felt that the community needed yet another C2 framework (it doesn’t, and it definitely doesn’t need mine). I did it so that I could better understand key, foundational C2 concepts and improve my own personal red team tradecraft. The process of designing and coding a simple C2 framework actually helped me more than I had planned, and I wish I had done it sooner.
Takeaway: if you are in the offensive security space and using OSTs created by others, I would highly encourage you to carve out time to learn how these tools work under the hood. I can promise you that you will learn a lot by doing this.
If you want to check out my C2 framework or use it has a starting point for developing your own, please feel free. You can find the "Most Average C2 Ever" on GitHub, here:
🔗 https://github.com/nickvangilder/most-average-c2-ever
If I can do it, you can do it. (And yes, I'm a terrible coder, but it works!)
🐥 [ tweet ]
не понял тред: чела решили забулить, потому что он поделился опытом создания базового ратника + выложил код... ну ок 😐👍8😢3🥱1
Генератор тестилки шеллкодов, как shcode2exe, только на баше 👇🏻
#!/usr/bin/env bash
# Usage:
# bin2compile.sh {32|64} <INPUT_BIN> [OUTPUT_EXE]
# Examples:
# msfvenom -p windows/x64/exec CMD=calc.exe -f raw -o calc.bin
# bin2compile.sh 64 calc.bin calc.exe
ARCH="${1}"
SC_PATH=`realpath "${2}"`
SC_NAME=`basename "${SC_PATH}"`
SC_NAME="${SC_NAME%.*}"
[[ "${#}" -gt 2 ]] && EXE_NAME="${3}" || EXE_NAME="${SC_NAME}.exe"
cat << EOT > "/tmp/${SC_NAME}.asm"
global _start
section .text
_start:
incbin "${SC_PATH}"
EOT
if [[ "${ARCH}" == "32" ]]; then
NASM_ARCH="win32"
LD_ARCH="i386pe"
elif [[ "${ARCH}" == "64" ]]; then
NASM_ARCH="win64"
LD_ARCH="i386pep"
fi
echo "[*] Compile time: `date`"
echo "[*] Compiling x${ARCH}"
nasm -f "${NASM_ARCH}" -o "/tmp/${SC_NAME}.obj" "/tmp/${SC_NAME}.asm"
ld -m "${LD_ARCH}" -o "${EXE_NAME}" "/tmp/${SC_NAME}.obj"
if [[ "$?" -ne 1 ]]; then
echo "[+] Success"
echo "[+] Output size: `stat -c %s ${EXE_NAME} | numfmt --to=iec`"
else
echo "[-] Failed"
fi
rm -f /tmp/${SC_NAME}.{asm,obj}
🔥9👍3