Offensive Xwitter – Telegram
Offensive Xwitter
19.4K subscribers
908 photos
48 videos
21 files
2.09K links
~$ socat TWITTER-LISTEN:443,fork,reuseaddr TELEGRAM:1.3.3.7:31337

Disclaimer: https://news.1rj.ru/str/OffensiveTwitter/546
😈 [ an0n @an0n_r0 ]

playing against an #AV/#EDR: when almost everything failed, finally, loaded @chvancooten's #NimPlant using my custom stager based on @hasherezade's libPeConv and managed to execute what I wanted, #Rubeus with built-in execute-assembly (#AMSI bypass + #ETW block). never give up :)

🐥 [ tweet ]

and who was it that made execute-assembly, hm, hm, hm
😈 [ Matt Creel @Tw1sm ]

New post 👇

Taking a look at compromising Slack access on both Windows and macOS. New BOF included!

🔗 https://posts.specterops.io/abusing-slack-for-offensive-operations-part-2-19fef38cc967

🐥 [ tweet ]
😈 [ Nick VanGilder @nickvangilder ]

Red teamers: Early on in my offensive security career, I relied heavily on popular C2 frameworks like Metasploit, PowerShell Empire, Cobalt Strike, etc. during my engagements. I’m sure this is probably fairly common for many of us in this space. However, somewhere along the way, it began to bother me that I didn’t really understand how C2 frameworks worked “under the hood”. So, I set out to address that. For better or worse, I decided that the solution to the problem was to write my own (very basic) C2 framework. I didn’t do this because I felt that the community needed yet another C2 framework (it doesn’t, and it definitely doesn’t need mine). I did it so that I could better understand key, foundational C2 concepts and improve my own personal red team tradecraft. The process of designing and coding a simple C2 framework actually helped me more than I had planned, and I wish I had done it sooner.

Takeaway: if you are in the offensive security space and using OSTs created by others, I would highly encourage you to carve out time to learn how these tools work under the hood. I can promise you that you will learn a lot by doing this.

If you want to check out my C2 framework or use it as a starting point for developing your own, please feel free. You can find the "Most Average C2 Ever" on GitHub, here:

🔗 https://github.com/nickvangilder/most-average-c2-ever

If I can do it, you can do it. (And yes, I'm a terrible coder, but it works!)

🐥 [ tweet ]

didn't get the thread: people decided to pile on the guy because he shared his experience of building a basic RAT + published the code... well, ok 😐
A generator for shellcode test binaries, like shcode2exe, only in bash 👇🏻
#!/usr/bin/env bash

# Usage:
# bin2compile.sh {32|64} <INPUT_BIN> [OUTPUT_EXE]
# Examples:
# msfvenom -p windows/x64/exec CMD=calc.exe -f raw -o calc.bin
# bin2compile.sh 64 calc.bin calc.exe

ARCH="${1}"
[[ -f "${2}" ]] || { echo "[-] Input file not found: ${2}" >&2; exit 1; }
SC_PATH="$(realpath "${2}")"
SC_NAME="$(basename "${SC_PATH}")"
SC_NAME="${SC_NAME%.*}"
EXE_NAME="${3:-${SC_NAME}.exe}"

# Pick the nasm output format and the ld emulation for the requested bitness
if [[ "${ARCH}" == "32" ]]; then
    NASM_ARCH="win32"
    LD_ARCH="i386pe"
elif [[ "${ARCH}" == "64" ]]; then
    NASM_ARCH="win64"
    LD_ARCH="i386pep"
else
    echo "[-] Usage: ${0} {32|64} <INPUT_BIN> [OUTPUT_EXE]" >&2
    exit 1
fi

# Wrap the raw shellcode in a .text section via incbin; _start points at its first byte
cat << EOT > "/tmp/${SC_NAME}.asm"
global _start
section .text
_start:
incbin "${SC_PATH}"
EOT

echo "[*] Compile time: $(date)"
echo "[*] Compiling x${ARCH}"

# Assemble to a COFF object, then link it into a PE with the MinGW linker;
# the chained exit status is 0 only if both steps succeeded
nasm -f "${NASM_ARCH}" -o "/tmp/${SC_NAME}.obj" "/tmp/${SC_NAME}.asm" &&
ld -m "${LD_ARCH}" -o "${EXE_NAME}" "/tmp/${SC_NAME}.obj"

if [[ "$?" -eq 0 ]]; then
    echo "[+] Success"
    echo "[+] Output size: $(stat -c %s "${EXE_NAME}" | numfmt --to=iec)"
else
    echo "[-] Failed"
fi

rm -f "/tmp/${SC_NAME}.asm" "/tmp/${SC_NAME}.obj"
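A sanity check to pair with the script above, added here as an example and not part of the channel's script: it walks the PE header of the generated exe (e_lfanew at offset 0x3C, the "PE\0\0" signature, then IMAGE_FILE_HEADER.Machine) and confirms the image's bitness matches what was requested, so a 32-bit blob is not silently wrapped in a 64-bit image or vice versa. The function names (le_uint, pe_arch, check_arch) are my own.

```shell
#!/usr/bin/env bash
# Added example: verify that a PE built by bin2compile.sh has the expected bitness.

# le_uint FILE OFFSET NBYTES -> prints NBYTES bytes at OFFSET as one little-endian integer
le_uint() {
    local val=0 pos=0 b
    for b in $(od -An -v -tu1 -j "$2" -N "$3" "$1"); do
        val=$(( val | (b << pos) ))
        pos=$(( pos + 8 ))
    done
    echo "$val"
}

# pe_arch FILE -> prints 32, 64 or unknown; exits 1 when FILE is not a recognisable PE
pe_arch() {
    local f="$1" lfanew sig machine
    # IMAGE_DOS_HEADER.e_magic must be 'MZ' (0x5A4D little-endian)
    [ "$(le_uint "$f" 0 2)" -eq 23117 ] || { echo unknown; return 1; }
    # IMAGE_DOS_HEADER.e_lfanew at offset 0x3C points at the NT headers
    lfanew=$(le_uint "$f" 60 4)
    sig=$(le_uint "$f" "$lfanew" 4)
    # IMAGE_NT_HEADERS.Signature must be 'PE\0\0' (0x00004550)
    [ "$sig" -eq 17744 ] || { echo unknown; return 1; }
    # IMAGE_FILE_HEADER.Machine immediately follows the signature
    machine=$(le_uint "$f" $((lfanew + 4)) 2)
    case "$machine" in
        332)   echo 32 ;;   # IMAGE_FILE_MACHINE_I386  = 0x014C
        34404) echo 64 ;;   # IMAGE_FILE_MACHINE_AMD64 = 0x8664
        *)     echo unknown; return 1 ;;
    esac
}

# check_arch {32|64} FILE -> exit 0 if the image matches the requested bitness
check_arch() {
    local got
    got=$(pe_arch "$2") || return 1
    [ "$got" = "$1" ]
}

# Command-line use: pe_check.sh {32|64} <EXE> (skipped when sourced without arguments)
if [ "$#" -ge 2 ]; then
    if check_arch "$1" "$2"; then
        echo "[+] ${2}: ${1}-bit PE"
    else
        echo "[-] ${2}: not a ${1}-bit PE (got $(pe_arch "$2"))"; exit 1
    fi
fi
```

Run it as `pe_check.sh 64 calc.exe` right after bin2compile.sh; a mismatch means the wrong nasm/ld pair was used for that shellcode.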
😈 [ ATTL4S @DaniLJ94 ]

New post together with @saim1z exploring Cobalt Strike's make_token command.

We realised there is not a lot of information about this functionality, so we decided to take a good look at it to answer some questions we had and how it works under the hood.

Enjoy!

🔗 https://research.nccgroup.com/2023/11/10/demystifying-cobalt-strikes-make_token-command/

🐥 [ tweet ]
😈 [ Florian Roth @cyb3rops ]

I'm still collecting funny issues on offsec tools on Github

If you find more, send them my way and I'll create a Github repo so we can collect them together for the lulz

🔗 https://neo23x0.github.io/LOLSecIssues/

🐥 [ tweet ]
😈 [ assume_breach @assume_breach ]

Getting a beacon from the DC using a raw Havoc shellcode file from a network shared folder. Tool is in my repo.

🔗 https://github.com/assume-breach/Home-Grown-Red-Team.git

🐥 [ tweet ]
😈 [ Panagiotis Chartas @t3l3machus ]

For your #redteam enumeration and brute forcing needs, use babelstrike to transliterate and generate usernames from full names in various non-English languages (common issue from scraped employee data) 🌐 Currently, it covers Greek, Hindi, Spanish, French, Polish, and Hungarian:

🔗 https://github.com/t3l3machus/BabelStrike

Combine it with #psudohash, a password list generator that imitates password creation patterns commonly used by humans, like substituting a word's letters with symbols or numbers (leet), using char-case variations, adding a common padding before or after the main passphrase and more:

🔗 https://github.com/t3l3machus/psudohash

🐥 [ tweet ]
😈 [ SkelSec @SkelSec ]

Due to a gentle nudge from @michael_eder_ I have uploaded my pysnaffler project to Github and to PyPI.
(did you know that you can sponsor me on github?)
Anyways, enjoy!

🔗 https://github.com/skelsec/pysnaffler

🐥 [ tweet ]
😈 [ Diego Capriotti @naksyn ]

Here's Process Stomping injection and how you can use it in a Mockingjay-ish way to load a Beacon on an exe's RWX section using sRDI. Check it out!

Blog:
🔗 https://www.naksyn.com/edr%20evasion/2023/11/18/mockingjay-revisited-process-stomping-srdi-beacon.html

Tool:
🔗 https://github.com/naksyn/ProcessStomping

Thanks to @hasherezade and @monoxgas for their awesome work

🐥 [ tweet ]
😈 [ Arris Huijgen @bitsadmin ]

#LOFLCAB highlight: Ssms.exe

Using SQL Server Management Studio with Kerberos authentication to obtain command execution on the SQL server using the xp_cmdshell stored procedure.

Details:
🔗 https://lofl-project.github.io/loflcab/Binaries/Ssms/

Full quality video:
🔗 https://blog.bitsadmin.com/living-off-the-foreign-land-windows-as-offensive-platform-part-3#sql-server

🐥 [ tweet ][ quote ]
😈 [ Adam Svoboda @adamsvoboda ]

Ever find yourself on an endpoint with SentinelOne and have Local Admin? Just ask SentinelAgent.exe nicely, and it will dump a process for you, including itself!

It bombs out on LSASS, but most other processes work.

🔗 https://gist.github.com/adamsvoboda/8e248c6b7fb812af5d04daba141c867e

Unable to dump LSASS using the previous script? No problem, just ask S1 for a Live Kernel Dump instead! You can open this in windbg (and use mimilib.dll) and go from there.

🔗 https://gist.github.com/adamsvoboda/8f29e09d74b73e1dec3f9049c4358e80

🐥 [ tweet ][ quote ]