😈 [ Mark Baggett @MarkBaggett ]
Do you know the history of Metasploit? How did it grow from a small project to a game changer for Infosec? Check out this episode of Infosec Toolshed featuring @hdmoore
🔗 https://youtu.be/Dl6qNRCiPgo?si=-zKticbSGYqlL6H7
🐥 [ tweet ]
👍4
😈 [ Ido Veltzman @Idov31 ]
After a long time, the 6th and final part of Lord Of The Ring0 is here:
In this part, the focus will be on kernel mode and user mode memory interaction, looking into how process attaching works, and writing an AMSI bypass driver:
🔗 https://idov31.github.io/posts/lord-of-the-ring0-p6
🐥 [ tweet ]
🔥5
😈 [ Diego Capriotti @naksyn ]
One thing I always look for when starting in a network without AD creds is user enumeration with RPC null sessions.
impacket SAMR (samrdump) and LSARPC (lookupsid) tools will give you only a small part of the story. Here's my minimal RID cycling script that outplayed everything else, enabling me to find some crackable ASREP-roastable DA accounts hiding with RID > 50000 that were unable to be found using other tools.
I am using chunks to avoid DoS and getting NT_STATUS_INSUFFICIENT_RESOURCES, ofc you can tweak it according to your YOLO level.
There will be a new RPC connection for every chunk; it's a bit better than cycling and using rpcclient every time and always starting RPC connections from scratch. However, RID cycling with rpcclient will generate a ton of STATUS_NO_SUCH_USER responses that are sus, if someone is looking and knows what to look for ofc.
🔗 https://gist.github.com/naksyn/8204c76cda2541e72668fa065ba94c09
🐥 [ tweet ]
🔥4
😈 [ Ricardo Ruiz @RicardoJoseRF ]
Last week I made public NativeDump, a tool to dump lsass using only Native APIs by hand-crafting Minidump files (without MinidumpWriteDump!). Check it out here:
🔗 https://github.com/ricardojoserf/NativeDump
🐥 [ tweet ]
🔥9
😈 [ Filip Dragovic @filip_dragovic ]
I published my PoC for CVE-2023-36047 as MSRC fixed the bypass today tracked as CVE-2024-21447. With some modification it can be ported for CVE-2024-21447.
🔗 https://github.com/Wh04m1001/UserManagerEoP
🔗 https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36047
🔗 https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21447
🐥 [ tweet ]
👍4
😈 [ TrustedSec @TrustedSec ]
TAC Practice Lead @mega_spl0it and co-author @4ndr3w6S are back with the final installment of A Hitch-Hacker’s Guide to DACL-Based Detections. Read about the additional attributes they found on our blog!
🔗 https://trustedsec.com/blog/a-hitch-hackers-guide-to-dacl-based-detections-the-addendum
🐥 [ tweet ]
🔥3
😈 [ Octoberfest7 @Octoberfest73 ]
I spent the past couple days playing with and contributing to @R0h1rr1m's Shoggoth project, which can turn PEs and BOFs into PIC. Super cool project, and one that opens up some interesting possibilities 😉
🔗 https://github.com/frkngksl/Shoggoth
🐥 [ tweet ]
🔥5
Forwarded from PT SWARM
🏭 We've tested the new RCE in Microsoft Outlook (CVE-2024-21378) in a production environment and confirm it works well!
A brief instruction for red teams:
1. Compile our enhanced DLL;
2. Use NetSPI's ruler and wait!
No back connect required!
🔥 📐📏
🔥5👍4
😈 [ Andy Gill @ZephrFish ]
My latest post on the @Lares_ Labs blog is live. It discusses a real-world scenario we observed during a pentest.
🔗 https://labs.lares.com/this-one-time-on-a-pentest/
🐥 [ tweet ]
🥱1
Freedom F0x
A manual for scratching your ego:
1. Open a random pentest guide.
2. Go to the references.
3. Count the matches for your nickname.
4. If > 0: rejoice, forgetting the frailty of existence for a couple of seconds (else: tilt).
😁26👍4🥱1
😈 [ Fabio Assolini @assolini ]
XZ backdoor story – Initial analysis
🔗 https://securelist.com/xz-backdoor-story-part-1/112354/
🐥 [ tweet ]
👍8
😈 [ Eloy @zer1t0@defcon.social @zer1t0 ]
Shellnova: A template for generating advanced Linux shellcodes from C code that resolves libc functions dynamically. Inspired by Windows Stardust of @C5pider.
🔗 https://gitlab.com/Zer1t0/shellnova
🐥 [ tweet ]
🔥5👍1
😈 [ Rhino Security Labs @RhinoSecurity ]
New Blog Post: CVE-2024-2448: Authenticated Command Injection In Progress Kemp LoadMaster
🔗 https://rhinosecuritylabs.com/research/cve-2024-2448-kemp-loadmaster/
🐥 [ tweet ]
👍2🤯1
😈 [ Evan McBroom @mcbroom_evan ]
I just published a blog and tool for the LSA Whisperer work that was presented at the SpecterOps Conference (SOCON) back in March.
If you are interested in getting credentials from LSASS without accessing its memory, check it out!
Blog:
🔗 https://medium.com/specter-ops-posts/lsa-whisperer-20874277ea3b
Tool:
🔗 https://github.com/Meowmycks/LetMeowIn
Crossposted on GH:
🔗 https://gist.github.com/EvanMcBroom/dceb1c7070ee3278eaedd04b42aed279
🐥 [ tweet ]
🔥6
😈 [ Synacktiv @Synacktiv ]
We are starting a new series of blog posts on post-quantum cryptography! Check out our first article, which gives an introduction to modern cryptography concepts.
🔗 https://www.synacktiv.com/en/publications/quantum-readiness-introduction-to-modern-cryptography
🐥 [ tweet ]
A "nothing is clear" post👍6😁2
😈 [ Synacktiv @Synacktiv ]
In our latest blogpost, @croco_byte presents an often overlooked AD attack surface related to OUs' ACLs, with the release of a dedicated exploitation tool, OUned[.]py:
🔗 https://github.com/synacktiv/OUned
🔗 https://www.synacktiv.com/publications/ounedpy-exploiting-hidden-organizational-units-acl-attack-vectors-in-active-directory
🐥 [ tweet ]
👍4
😈 [ soka @pentest_soka ]
I just released a series of 2 blog posts about increasing your stealth capabilities during offensive operations. I hope you will find something useful!
🔗 https://sokarepo.github.io/redteam/2024/01/04/increase-your-stealth-capabilities-part1.html
🔗 https://sokarepo.github.io/redteam/2024/01/04/increase-your-stealth-capabilities-part2.html
🐥 [ tweet ]
🔥6👍1
😈 [ Florian @floesen_ ]
Did you know that LSASS has the ability to execute arbitrary kernel-mode addresses? I wrote a small proof of concept that allows administrators to execute unsigned code in the kernel if LSA Protection is disabled.
🔗 https://github.com/floesen/KExecDD
🐥 [ tweet ]
🔥7👍1
Forwarded from Red Team Alerts
EvilLsassTwin - PPL Bypass, Fast 12MB In-Memory Dumps
https://ift.tt/N9k5LwS
Discuss on Reddit : https://ift.tt/4bZIEqa
@redteamalerts
GitHub
Nimperiments/EvilLsassTwin at main · RePRGM/Nimperiments
Various one-off pentesting projects written in Nim. Updates happen on a whim. - RePRGM/Nimperiments
🔥3
Thanks for the round number 🤝
10k really is a lot for a channel where I dump my "reading list"; hugs to all ❤️
🔥18👍3