😈 [ Dazzy @dazzyddos ]
Wrote a blog post on abusing exclusions to evade AVs/EDR which is stealthy, effective and an often overlooked topic.
🔗 https://medium.com/seercurity-spotlight/abusing-av-edr-exclusions-to-evade-detections-21fe31d7ed49
🐥 [ tweet ]
😈 [ Logan Goins @shellph1sh ]
Created another write-up, this time on NTLM relay attacks to LDAP(S), including details of WebClient coercion, NTLM transport vulnerabilities, and finally device takeover after achieving authentication. You can read about it on my blog :)
🔗 https://logan-goins.com/2024-07-23-ldap-relay/
🐥 [ tweet ]
😈 [ wei @XiaoWei___ ]
MSRC fixed an RCE bug in the TCPIP module.
I found the bug several months ago.
Its score is 9.8 and exploitation is more likely. Please apply the patch immediately.
🐥 [ tweet ]
😈 [ Synacktiv @Synacktiv ]
In our latest blogpost, @croco_byte explores the inner workings of SCCM policies and introduces SCCMSecrets[.]py, a tool targeting secret policies in order to exploit misconfigurations, harvest credentials, and pivot across collections by impersonating legitimate clients.
🔗 https://www.synacktiv.com/publications/sccmsecretspy-exploiting-sccm-policies-distribution-for-credentials-harvesting-initial
🐥 [ tweet ]
😈 [ Tetsuo @7etsuo ]
Added templates for 24 process injection techniques to my Windows API Cheatsheet.
Code Injection Techniques
0. Process Enumeration Code
1. DLL Injection
2. PE Injection
3. Reflective Injection
4. APC Injection
5. Process Hollowing (Process Replacement)
6. AtomBombing
7. Process Doppelgänging
8. Process Herpaderping
9. Hooking Injection
10. Extra Windows Memory Injection
11. Propagate Injection
12. Heap Spray
13. Thread Execution Hijacking
14. Module Stomping
15. IAT Hooking
16. Inline Hooking
17. Debugger Injection
18. COM Hijacking
19. Phantom DLL Hollowing
20. PROPagate
21. Early Bird Injection
22. Shim-based Injection
23. Mapping Injection
24. KnownDlls Cache Poisoning
🔗 https://github.com/7etsuo/windows-api-function-cheatsheets
🐥 [ tweet ]
😈 [ Emeric Nasi @EmericNasi ]
Hi, I talked about advanced initial access in June at OffensiveX in Athens.
Slides are here:
🔗 https://github.com/sevagas/Advanced_Initial_access_in_2024_OffensiveX/blob/main/breach_the_gates_extended.pdf
For those who ask: I still don't know when the recorded talk will be published.
🐥 [ tweet ]
😈 [ Will @BushidoToken ]
I am happy to share a new resource I recently created called The Ransomware Tool Matrix:
🔗 https://blog.bushidotoken.net/2024/08/the-ransomware-tool-matrix.html
🔗 https://github.com/BushidoUK/Ransomware-Tool-Matrix
🐥 [ tweet ]
😈 [ Robel Campbell @RobelCampbell ]
Regarding CVE-2024-38063 IPv6 RCE in Windows...
After reading RFCs about optional headers in IPv6 packets, I managed to create a PoC to cause a crash. The bug check in this case isn't too detailed, but essentially the underflow creates a large value used in a loop which eventually writes data out of bounds and causes a crash.
I imagine this can be weaponized using heap massaging techniques and corrupting adjacent objects in the heap.
As many have already stated before, this can easily be mitigated by applying the latest patches or disabling IPv6 (which is enabled by default).
🐥 [ tweet ]
😈 [ farmpoet @f4rmpoet ]
It's time to take a closer look at CVE-2024-38063 (Windows TCPIP RCE).
I usually don't post partial analysis but since most available info is unreliable I'll do my best to try and shed some light.
This time I'll focus on my workflow and thought process as we go 🧵
🔗 https://threadreaderapp.com/thread/1825472703223992323.html
🐥 [ tweet ]
Forwarded from nu11z
Hi everyone. Since lately we have had to pentest FreeIPA a lot, we started developing an impacket-style library tailored to IPA's specifics. So far we have started implementing Kerberos and wrote a PoC for CVE-2024-3183. If anyone wants to help with development in some way, welcome.
https://github.com/c2micro/ipapocket
😈 [ nc @thoughtfault ]
In a 2021 study, Jensen et al. observed a pronounced concentration of anime girl profile pictures among the most obscure accounts during a social network analysis of "infosec twitter" and associated subcommunities. As part of the study, a visualization was generated:
🐥 [ tweet ]
Forwarded from APT
🔐 FreeIPA Roasting (CVE-2024-3183)
A vulnerability recently discovered by my friend @Im10n in FreeIPA involves a Kerberos TGS-REQ being encrypted using the client’s session key. If a principal’s key is compromised, an attacker could potentially perform offline brute-force attacks to decrypt tickets by exploiting the encrypted key and associated salts.
🔗Source:
https://github.com/Cyxow/CVE-2024-3183-POC
#freeipa #kerberos #hashcat #cve
———
Adding Misha's talk to the wishlist for Offzone 🚶‍♂️
😈 [ Kleiton Kurti @kleiton0x7e ]
A year ago I published a blog post on bypassing EDR using CS profiles. I’ve updated it to include an additional way of preventing msvcrt.dll from being flagged by Defender: by making the payload CRT library-independent.
🔗 https://kleiton0x00.github.io/posts/Harnessing-the-Power-of-Cobalt-Strike-Profiles-for-EDR-Evasion/
🐥 [ tweet ]
#для_самых_маленьких
At interviews I like to ask questions that test understanding of someone else's code, and one of the amusing examples where many get muddled when trying to quickly explain the resulting dissonance is, to my mind, the reinvented wheel kernel32!GetModuleHandle that has spread far and wide through copy-paste, taken, for example, from here.
At first glance there is nothing unusual in it, except for one nuance: the module-name lookup over the doubly-linked list in this function will only work with a non-standard definition of the LDR_DATA_TABLE_ENTRY structure.
If you consult the documentation, the first field of LDR_DATA_TABLE_ENTRY is listed as something called PVOID Reserved1[2], which is nothing other than the doubly-linked list LIST_ENTRY InLoadOrderLinks (image).
For this GetModuleHandle implementation to work, the definition of LDR_DATA_TABLE_ENTRY has to be as here, namely start with the second (per the documentation) field, LIST_ENTRY InMemoryOrderLinks.
Why is that? 🤨
Whoever wants can answer this question on their own and rewrite the findNtDll function using the canonical LDR_DATA_TABLE_ENTRY definition, or open the comments and look at one of the possible solutions 👇🏻
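The rewrite the post invites, as an added example that is not the channel author's code: a Linux-buildable model of the loader list with the canonical LDR_DATA_TABLE_ENTRY field order from winternl.h, walked with CONTAINING_RECORD. The module names and base addresses are constructed, and shift_bytes() exposes the offset that a struct declared to start at InMemoryOrderLinks silently absorbs.

```c
/* Added example (not the channel author's code): a Linux-buildable model of the PEB loader
 * list using winternl.h's canonical LDR_DATA_TABLE_ENTRY order; names/bases are constructed. */
#include <stddef.h>
#include <wchar.h>
#include <wctype.h>
typedef struct _LIST_ENTRY { struct _LIST_ENTRY *Flink, *Blink; } LIST_ENTRY;
typedef struct { unsigned short Length, MaximumLength; wchar_t *Buffer; } UNICODE_STRING;
typedef struct {                        /* documented order: InLoadOrderLinks FIRST */
    LIST_ENTRY InLoadOrderLinks;        /* "PVOID Reserved1[2]" in the docs */
    LIST_ENTRY InMemoryOrderLinks;      /* the list GetModuleHandle clones walk */
    LIST_ENTRY InInitializationOrderLinks;
    void *DllBase, *EntryPoint;
    unsigned int SizeOfImage;
    UNICODE_STRING FullDllName, BaseDllName;
} LDR_DATA_TABLE_ENTRY;
#define CONTAINING_RECORD(addr, type, field) \
    ((type *)((char *)(addr) - offsetof(type, field)))

/* InMemoryOrderModuleList.Flink points at the InMemoryOrderLinks FIELD of the next
 * entry, not at the entry. A struct declared to start with that field makes the
 * offset zero (the only reason the copy-pasted clone works); with the canonical
 * layout the walk must subtract it explicitly: sizeof(LIST_ENTRY) bytes. */
size_t shift_bytes(void) { return offsetof(LDR_DATA_TABLE_ENTRY, InMemoryOrderLinks); }

static int base_name_is(const LDR_DATA_TABLE_ENTRY *e, const wchar_t *want) {
    size_t n = e->BaseDllName.Length / sizeof(wchar_t);    /* Length is in bytes */
    if (n != wcslen(want)) return 0;
    for (size_t i = 0; i < n; i++)
        if (towlower((wint_t)e->BaseDllName.Buffer[i]) != towlower((wint_t)want[i])) return 0;
    return 1;
}

/* Case-insensitive lookup by BaseDllName over the canonical layout; DllBase or NULL. */
void *find_module(LIST_ENTRY *head, const wchar_t *name) {
    for (LIST_ENTRY *cur = head->Flink; cur != head; cur = cur->Flink) {
        LDR_DATA_TABLE_ENTRY *e = CONTAINING_RECORD(cur, LDR_DATA_TABLE_ENTRY, InMemoryOrderLinks);
        if (base_name_is(e, name)) return e->DllBase;
    }
    return NULL;
}

/* Constructed list of three entries, linked through InMemoryOrderLinks only. */
static wchar_t n0[] = L"demo.exe", n1[] = L"ntdll.dll", n2[] = L"KERNEL32.DLL";
#define USTR(s) { sizeof(s) - sizeof(wchar_t), sizeof(s), s }
static LDR_DATA_TABLE_ENTRY mods[3] = {
    { .DllBase = (void *)0x140000000ULL,    .BaseDllName = USTR(n0) },
    { .DllBase = (void *)0x7ff800000000ULL, .BaseDllName = USTR(n1) },
    { .DllBase = (void *)0x7ff800400000ULL, .BaseDllName = USTR(n2) },
};
LIST_ENTRY *demo_list(void) {
    static LIST_ENTRY head; LIST_ENTRY *prev = &head;
    for (int i = 0; i < 3; i++, prev = prev->Flink) {
        prev->Flink = &mods[i].InMemoryOrderLinks;
        mods[i].InMemoryOrderLinks.Blink = prev;
    }
    prev->Flink = &head; head.Blink = prev;
    return &head;
}
```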
😈 [ Josh @passthehashbrwn ]
New blog from me on manually manipulating Vectored Exception Handlers to evade some EDRs and perform threadless process injection.
Blog:
🔗 https://securityintelligence.com/x-force/using-veh-for-defense-evasion-process-injection/
Accompanying code:
🔗 https://github.com/xforcered/VectoredExceptionHandling
🐥 [ tweet ]
Really enjoyed the talk, especially learning that impacket's getTGT.py can, it turns out, be fixed with a single line by allowing ASN.1 decoding errors.
Back in the day I solved this problem like this 👇🏻
Out of the box the getTGT[.]py script of course does not work, who would have thought (Fig. 1).
For some reason FreeIPA thinks that the operation number (aka application tag) of EncASRepPart is 26 (although in the RFC it is 25). Other people did not appreciate the joke either.
If you change the ASN.1 spec the way IPA wants it, getTGT[.]py starts working (Fig. 2). Conveniently, Overpass-the-Key also works for this.
Full patch 👇🏻
diff --git a/impacket/krb5/asn1.py b/impacket/krb5/asn1.py
index 24963824..393ac9bb 100644
--- a/impacket/krb5/asn1.py
+++ b/impacket/krb5/asn1.py
@@ -283,9 +283,9 @@ class EncKDCRepPart(univ.Sequence):
_sequence_optional_component('key-expiration', 3, KerberosTime()),
_sequence_component('flags', 4, TicketFlags()),
_sequence_component('authtime', 5, KerberosTime()),
- _sequence_optional_component('starttime', 6, KerberosTime()),
+ _sequence_optional_component('starttime', 6, KerberosTime()), # can be empty, so worth try-excepting
_sequence_component('endtime', 7, KerberosTime()),
- _sequence_optional_component('renew-till', 8, KerberosTime()),
+ _sequence_optional_component('renew-till', 8, KerberosTime()), # can be empty, so worth try-excepting
_sequence_component('srealm', 9, Realm()),
_sequence_component('sname', 10, PrincipalName()),
_sequence_optional_component('caddr', 11, HostAddresses()),
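Review bot: the only change in this hunk is two trailing comments on the `starttime` and `renew-till` components; the schema itself is untouched, and `_sequence_optional_component` already marks both OPTIONAL, so nothing here makes the decoder tolerate an element that is present but empty. Either drop the comments or make them say what they record, e.g. `# FreeIPA may send this element empty; the read is guarded in ccache.py`.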
diff --git a/impacket/krb5/ccache.py b/impacket/krb5/ccache.py
index 915ea268..01c7f2f8 100644
--- a/impacket/krb5/ccache.py
+++ b/impacket/krb5/ccache.py
@@ -25,6 +25,7 @@ from six import b, PY2
from pyasn1.codec.der import decoder, encoder
from pyasn1.type.univ import noValue
+from pyasn1.error import PyAsn1Error
from binascii import hexlify
from impacket.structure import Structure
@@ -493,9 +494,12 @@ class CCache:
credential['time'] = Times()
credential['time']['authtime'] = self.toTimeStamp(types.KerberosTime.from_asn1(encASRepPart['authtime']))
- credential['time']['starttime'] = self.toTimeStamp(types.KerberosTime.from_asn1(encASRepPart['starttime']))
+ try:
+ credential['time']['starttime'] = self.toTimeStamp(types.KerberosTime.from_asn1(encASRepPart['starttime']))
+ except PyAsn1Error:
+ pass
credential['time']['endtime'] = self.toTimeStamp(types.KerberosTime.from_asn1(encASRepPart['endtime']))
- credential['time']['renew_till'] = self.toTimeStamp(types.KerberosTime.from_asn1(encASRepPart['renew-till']))
+ #credential['time']['renew_till'] = self.toTimeStamp(types.KerberosTime.from_asn1(encASRepPart['renew-till']))
flags = self.reverseFlags(encASRepPart['flags'])
credential['tktflags'] = flags
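Review bot: `starttime` and `renew_till` are handled inconsistently: the `starttime` read is wrapped in `try/except PyAsn1Error`, but the `renew_till` assignment is commented out outright, so the ccache loses renew_till even when a standard KDC returns a valid value. Give it the same guard: `try:` / `credential['time']['renew_till'] = self.toTimeStamp(types.KerberosTime.from_asn1(encASRepPart['renew-till']))` / `except PyAsn1Error: pass`. Also, a bare `pass` leaves `credential['time']['starttime']` unset; if `Times()` expects the field to be populated, fall back to the authtime value, and log the skipped element at debug level so the deviation stays visible.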
diff --git a/impacket/krb5/constants.py b/impacket/krb5/constants.py
index 60f1776c..581b5007 100644
--- a/impacket/krb5/constants.py
+++ b/impacket/krb5/constants.py
@@ -42,7 +42,7 @@ class ApplicationTagNumbers(Enum):
KRB_SAFE = 20
KRB_PRIV = 21
KRB_CRED = 22
- EncASRepPart = 25
+ EncASRepPart = 26 # WTF ??? https://mailman.mit.edu/pipermail/kerberos/2006-July/010040.html
EncTGSRepPart = 26
EncApRepPart = 27
EncKrbPrivPart = 28
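Review bot: `EncASRepPart = 26` collides with `EncTGSRepPart = 26` two lines below; in a Python `Enum` a later member with a duplicate value becomes an alias of the earlier one, so `ApplicationTagNumbers(26)` now resolves to `EncASRepPart` and `EncTGSRepPart` disappears from iteration and from any lookup that expects it to be its own member. The change is also global rather than FreeIPA-specific, so AS-REP enc-parts from KDCs that use the RFC tag 25 would stop decoding. Prefer keeping the constant at 25 and accepting either tag where the AS-REP enc-part is decoded (or gating the FreeIPA value behind an option), and replace the `WTF ???` remark with a plain pointer to the linked thread.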
😈 [ Charlie Bromberg « Shutdown » @_nwodtuhs ]
🎉 After >1y of hard work, @AzeTIIx and I are thrilled to release v2 of The Hacker Recipes!
We moved away from GitBook and now have control over both engine & hosting 🥹
1st addition for contributors: your work is being highlighted across the site! 🫡
🔗 https://thehacker.recipes/
🐥 [ tweet ]
😈 [ SandboxEscaper @big_polar_bear2 ]
It is shit, I feel like I failed. Waste of time. I only added the LLL portion in the last month, but it is such a complicated topic, I just didn't get it to work well enough. Hopefully the number theoretical portion in paper.pdf is useful.
🔗 https://github.com/Big-polar-bear/factorization
🐥 [ tweet ]
Something new on Fermat factorization using the Lenstra-Lenstra-Lovász (LLL) algorithm.