Offensive Xwitter – Telegram
~$ socat TWITTER-LISTEN:443,fork,reuseaddr TELEGRAM:1.3.3.7:31337

Disclaimer: https://news.1rj.ru/str/OffensiveTwitter/546
😈 [ Akamai Security Intelligence Group @akamai_research ]

Today’s Theme is vulnerability 👀

Akamai researchers have discovered a vuln in Windows Themes that can trigger an authentication coercion - with almost zero user interaction.

User views the file, Explorer sends SMB packets with credentials.

Full post:

🔗 https://www.akamai.com/blog/security-research/2024/mar/leaking-ntlm-credentials-through-windows-themes

🐥 [ tweet ]
😈 [ Pen Test Partners @PenTestPartners ]

SSH Split Tunnelling attacks are not new, but with so many organisations still using the MS native SSH client they can be deadly effective - if all the holes in the cheese line up. It needs minimal setup and reduces the likelihood of Blue team detection.

🔗 https://www.pentestpartners.com/security-blog/living-off-the-land-with-native-ssh-and-split-tunnelling/

🐥 [ tweet ]
😈 [ Winslow @senzee1984 ]

My new article revisits classic technique Reflective Loading, and explains my tool InflativeLoading.

🔗 https://winslow1984.com/books/malware/page/reflectiveloading-and-inflativeloading

Thanks to @0xBoku @MalDevAcademy @stephenfewer @hasherezade and all other authors (and their articles/tools/projects) for the inspiration and help.

🐥 [ tweet ]
😈 [ Rasta Mouse @_RastaMouse ]

[BLOG]
Small experiment with using YARP as a C2 redirector.

🔗 https://rastamouse.me/yarp-as-a-c2-redirector/

🐥 [ tweet ]
⭐️ A self-contained 7-Zip wrapper using SevenZipSharp & Costura.Fody

It's been a while since we had anything original here, and Twitter has been stingy with interesting material lately, so let's have some fun and C#-ify something useful.

On the current project we've been working for a long time over an incredibly narrow 5-hop channel, on which smbclient keeps breaking whenever we exfiltrate large amounts of data. In such cases 7-Zip usually saves the day: it can split and pack data into multiple volumes of N bytes each, so heavyweight files can be dragged out in chunks without fear of the connection dropping. If it does drop, we can resume the transfer from practically the same place where we stopped.

But 7-Zip is far from preinstalled everywhere. Globally, as you might guess, this is solved with the 500IQ technique "Bring Your Own 7-Zip", and thankfully it doesn't need to be installed, but it's still an extra step 😒 Luckily for us automation lovers, the archiver has a rich API with plenty of wrappers already written for it, e.g. SevenZipSharp for .NET. And I love .NET 😍

Where there's C#, there's also Costura.Fody, which can magically pack dependencies (including unmanaged code) into a single final assembly. I'll show how you can build your own self-contained 7-Zip wrapper in 10 minutes for fun & profit 🔽

1. Create a console project in Visual Studio targeting .NET Framework 4.5 x64.

2. Install the dependencies:
PM> Install-Package Costura.Fody
PM> Install-Package SevenZipSharp.Net45

3. Grab the only unmanaged DLL required, 7za.dll, from the official site (standalone console version), place it in the Costura64 directory and include it in the project as an Embedded Resource:
PS > mkdir Costura64
PS > curl https://www.7-zip.org/a/7z2401-extra.7z -o .\Costura64\7z.7z
PS > & 'C:\Program Files\7-Zip\7z.exe' x .\Costura64\7z.7z -oCostura64 x64\7za.dll License.txt
PS > rm .\Costura64\7z.7z

4. Create the manifest for Costura.Fody:
<?xml version="1.0" encoding="utf-8"?>
<Weavers xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="FodyWeavers.xsd">
    <Costura CreateTemporaryAssemblies='true' IncludeDebugSymbols='false' />
</Weavers>

5. Code up a PoC, build it in Release and make sure everything works:
using System.IO;
using SevenZip;

namespace Sharp7Zip
{
    internal class Program
    {
        static void Main()
        {
            // workaround for issue #75: https://github.com/Fody/Costura/issues/75
            // Costura unpacks the managed sevenzipsharp.dll to a temp dir at runtime;
            // the unmanaged 7za.dll lands in the "64" subfolder next to it.
            var costura = typeof(ArchiveFileInfo).Assembly.GetFile("sevenzipsharp.dll").Name;
            SevenZipBase.SetLibraryPath(Path.Combine(Path.GetDirectoryName(costura), @"64\7za.dll"));

            var compressor = new SevenZipCompressor
            {
                ArchiveFormat = OutArchiveFormat.SevenZip,
                CompressionLevel = CompressionLevel.Ultra,
                CompressionMethod = CompressionMethod.Lzma2,
                VolumeSize = 1000,              // split the archive into 1000-byte volumes
                EncryptHeaders = true,
                DirectoryStructure = true,
                IncludeEmptyDirectories = true,
                PreserveDirectoryRoot = false,
                CompressionMode = CompressionMode.Create
            };
            compressor.CompressDirectory(@"C:\Windows\System32\drivers\etc\", @"C:\ProgramData\etc.7z");
        }
    }
}


6. Beg ChatGPT for a full-fledged console app with blackjack and hookers, er, a nice command line based on the Compress7Zip.cs example. I got roughly this:

🔗 https://gist.github.com/snovvcrash/c39a46f67fc987c94c227817b6155ab9

7. Optionally make a PS cradle any way you like and enjoy the result 😎

P. S. It's worth noting that this solution is in no way aimed at improving OPSEC, since Costura's dependencies are still unpacked to disk at runtime (by default into %TEMP%\Costura), but it does spare you the tedious manual upload of 7-Zip to the target.
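As an added example (not the author's code and not the linked gist), the PoC from step 5 extended with the other half of the chunked transfer: password-protected volumes on one side and reassembly from the first volume on the other, so a transfer can be verified end to end before anything is cleaned up. The Pack/Unpack names are mine; the CompressDirectory overload with a password, the SevenZipExtractor constructor with a password and the ".001/.002" volume naming are my assumptions about the SevenZipSharp.Net45 API, and the Costura path lookup is the workaround from step 5.

```csharp
using System.IO;
using System.Linq;
using SevenZip;

namespace Sharp7Zip
{
    internal static class Volumes
    {
        // Same Costura workaround as step 5: find the extracted sevenzipsharp.dll and
        // point SevenZipSharp at the unmanaged 7za.dll that Costura drops next to it.
        public static void InitLibrary()
        {
            var managed = typeof(ArchiveFileInfo).Assembly.GetFile("sevenzipsharp.dll").Name;
            SevenZipBase.SetLibraryPath(Path.Combine(Path.GetDirectoryName(managed), @"64\7za.dll"));
        }

        // Packs a directory into password-protected volumes of volumeBytes each and returns
        // their paths; SevenZipSharp names them <archive>.001, <archive>.002, ... (assumption).
        public static string[] Pack(string srcDir, string archive, int volumeBytes, string password)
        {
            var compressor = new SevenZipCompressor
            {
                ArchiveFormat = OutArchiveFormat.SevenZip,
                CompressionMethod = CompressionMethod.Lzma2,
                CompressionLevel = CompressionLevel.Ultra,
                VolumeSize = volumeBytes,
                EncryptHeaders = true,       // hides file names too; only meaningful with a password
                DirectoryStructure = true,
                CompressionMode = CompressionMode.Create
            };
            compressor.CompressDirectory(srcDir, archive, password);
            var dir = Path.GetDirectoryName(Path.GetFullPath(archive));
            return Directory.GetFiles(dir, Path.GetFileName(archive) + ".*").OrderBy(p => p).ToArray();
        }

        // Reassembles the set from its first volume and returns the entries it contained.
        // Opening fails if any chunk is missing, which is the check to run on the receiving
        // side before the source copy is removed.
        public static string[] Unpack(string firstVolume, string outDir, string password)
        {
            using (var extractor = new SevenZipExtractor(firstVolume, password))
            {
                extractor.ExtractArchive(outDir);
                return extractor.ArchiveFileNames.ToArray();
            }
        }
    }
}
```

Call `Volumes.InitLibrary()` once, then `Volumes.Pack(@"C:\data", @"C:\ProgramData\out.7z", 1000, "pw")` and `Volumes.Unpack(@"C:\ProgramData\out.7z.001", @"C:\restore", "pw")`; the ".001" naming is also what a multi-volume 7z set looks like on disk during triage.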
😈 [ Alex neff @al3x_n3ff ]

A new Module by @Shad0wCntr0ller just got merged into NetExec.
You can now automatically query for all outdated operating systems in ldap🔥
Besides the OS and the name, you will also get the IP as well as the pwdLastSet attribute for that computer account.

🐥 [ tweet ]
😈 [ Melvin langvik @Flangvik ]

FULLHD OFFICIAL OFFSEC C2 Tier List

🔗 https://www.youtube.com/live/iYKItfBbPoY?si=AoUAwkwdUS30lEwe

🐥 [ tweet ]
😈 [ Melvin langvik @Flangvik ]

List is complete😂 Thanks to all who joined live! I had a blast, and I hope you all did too🥳 Next week, same time, I'm apparently doing an EDR tier list... 🤡If u missed it, VOD is here:

🔗 https://youtu.be/iYKItfBbPoY

🐥 [ tweet ]
😈 [ Red Siege Information Security @RedSiege ]

🛠 NEW TOOL 🛠

Introducing: Jigsaw
Developed by Principal Security Consultant @hardwaterhacker

Link:
🔗 https://redsiege.com/jigsaw

A Python tool that scrambles shellcode bytes, providing a possibly undetectable payload.

Start challenging traditional detection with this low-entropy, puzzle-like approach.

🐥 [ tweet ]

cringe, but there's nothing else interesting
😈 [ Adam Chester 🏴‍☠️ @_xpn_ ]

New blog post is up... Identity Providers for RedTeamers. This follows my #SOCON2024 talk, and provides the technicals behind the presentation, looking at other IdP's and what techniques are effective beyond Okta.

🔗 https://blog.xpnsec.com/identity-providers-redteamers/

🐥 [ tweet ]
😈 [ 📔 Michael Grafnetter @MGrafnetter ]

Extending Active Directory Users and Computers context menus with PowerShell

🔗 https://www.dsinternals.com/en/extending-active-directory-aduc-context-menu-powershell/

🐥 [ tweet ]
😈 [ Guillaume Caillé @OffenseTeacher ]

Just published my methodology for finding good DLL side-loading candidates while avoiding using DllMain for injection to bypass Loader Lock limitations.
If you have been struggling with this, I hope this saves you time in the future.

🔗 https://www.okiok.com/achieving-dll-side-loading-in-the-original-process/

🐥 [ tweet ]
😈 [ SapientFlow @sapientflow ]

My first ever blog post is out:

🔗 https://medium.com/@sapientflow/finding-pastures-new-an-alternate-approach-for-implant-design-644611c526ca

Happy for any constructive criticism or anyone that just wants to engage on the topic.

🐥 [ tweet ]
😈 [ Lsec @lsecqt ]

My blog about executing shellcodes via Direct Pointer is live:

While this is something relatively simple as a concept, I felt like the Red Teaming Army needed such content.

🔗 https://lsecqt.github.io/Red-Teaming-Army/malware-development/leveraging-the-direct-pointer---a-stealthy-maneuver-in-evasion-tactics/

🐥 [ tweet ]

#для_самых_маленьких
😈 [ Pedro Gabaldon @PedroGabaldon ]

Just landed 2 PRs on Impacket:

🔗 https://github.com/fortra/impacket/pull/1719
🔗 https://github.com/fortra/impacket/pull/1719

🐥 [ tweet ]

SAM/LSA via shadow copy
😈 [ Zero Day Engineering @zerodaytraining ]

Release: VM Escape Exploit for Parallels Desktop Hypervisor (Pwn2Own 2021) (source code + video walkthrough)

A virtual machine escape exploit will typically require kernel privileges in the guest OS. In this exploit I chose to offload the reverse-engineered toolgate protocol implementation to a Python module, while keeping my low-level kernel code minimal, just enough to implement the attack interface - a nod to the principle of least privilege in systematic software engineering, which we miss a lot in non-trivial exploit development. -- @alisaesage

🔗 https://zerodayengineering.com/research/pwn2own-2021-vm-escape.html

🐥 [ tweet ]