Offensive Xwitter – Telegram
Offensive Xwitter · 19.4K subscribers
~$ socat TWITTER-LISTEN:443,fork,reuseaddr TELEGRAM:1.3.3.7:31337

Disclaimer: https://news.1rj.ru/str/OffensiveTwitter/546
Offensive Xwitter
😈 [ wei @XiaoWei___ ] MSRC fixed an RCE bug in the TCPIP module. I found the bug several months ago. Its score is 9.8 and exploitation is more likely. Please apply the patch immediately. 🐥 [ tweet ]
😈 [ Robel Campbell @RobelCampbell ]

Regarding CVE-2024-38063 IPV6 RCE in Windows...

After reading RFCs about optional headers in IPv6 packets, I managed to create a POC to cause a crash. The bug check in this case isn't too detailed, but essentially the underflow creates a large value used in a loop which eventually writes data out of bounds and causes a crash.

I imagine this can be weaponized using heap massaging techniques and corrupting adjacent objects in the heap.

As many have already stated before, this can easily be mitigated by applying the latest patches or disabling IPv6 (which is enabled by default).

🐥 [ tweet ]
👍9🍌1
😈 [ farmpoet @f4rmpoet ]

It's time to take a closer look at CVE-2024-38063 (Windows TCPIP RCE).
I usually don't post partial analysis but since most available info is unreliable I'll do my best to try and shed some light.
This time I'll focus on my workflow and thought process as we go 🧵

🔗 https://threadreaderapp.com/thread/1825472703223992323.html

🐥 [ tweet ]
Forwarded from nu11z
Hi everyone, since lately we have to pentest FreeIPA a lot, we started developing an impacket-style library tailored to IPA's quirks. So far we have started implementing Kerberos and written a PoC for CVE-2024-3183. If anyone wants to help with development, welcome.

https://github.com/c2micro/ipapocket
🔥13😁1🍌1
😈 [ nc @thoughtfault ]

In a 2021 study, Jensen et al. observed a pronounced concentration of anime girl profile pictures among the most obscure accounts during a social network analysis of "infosec twitter" and associated subcommunities. As part of the study, a visualization was generated:

🐥 [ tweet ]

it'll do
😁19👍1🤯1
Forwarded from APT
🔐 FreeIPA Rosting (CVE-2024-3183)

A vulnerability recently discovered by my friend @Im10n in FreeIPA involves a Kerberos TGS-REQ being encrypted using the client’s session key. If a principal’s key is compromised, an attacker could potentially perform offline brute-force attacks to decrypt tickets by exploiting the encrypted key and associated salts.

🔗Source:
https://github.com/Cyxow/CVE-2024-3183-POC

#freeipa #kerberos #hashcat #cve

———
Adding Misha's talk to the Offzone wishlist 🚶‍♂️
🔥17
😈 [ Kleiton Kurti @kleiton0x7e ]

A year ago I published a blog post on bypassing EDR using CS profiles. I’ve updated it to include an additional way of preventing msvcrt.dll from being flagged by Defender: by making the payload CRT library-independent.

🔗 https://kleiton0x00.github.io/posts/Harnessing-the-Power-of-Cobalt-Strike-Profiles-for-EDR-Evasion/

🐥 [ tweet ]
👍12
#для_самых_маленьких

In interviews I like asking questions that test understanding of someone else's code, and one of the funny examples where many get confused when trying to quickly explain the dissonance they run into is, to my mind, the reimplementation of kernel32!GetModuleHandle that has spread through copy-pasting, taken, for example, from here.

At first glance there is nothing unusual in it, except for one nuance: the module-name lookup over the doubly-linked list in this function will only work with a non-standard definition of the LDR_DATA_TABLE_ENTRY structure.

If you consult the documentation, the first field of LDR_DATA_TABLE_ENTRY is listed as something called PVOID Reserved1[2], which is nothing other than the doubly-linked list LIST_ENTRY InLoadOrderLinks (image).

For this GetModuleHandle implementation to work, the definition of LDR_DATA_TABLE_ENTRY has to be as here, namely, it has to start with the second (per the documentation) field, LIST_ENTRY InMemoryOrderLinks.

Why is that? 🤨

Anyone who wants to can answer this question on their own and rewrite the findNtDll function using the canonical definition of LDR_DATA_TABLE_ENTRY, or open the comments to see one of the possible solutions 👇🏻
🤔6👍2🔥2
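An added illustration of the point in this post (example code, not the channel's own and not the Windows headers: LIST_ENTRY, LDR_DATA_TABLE_ENTRY and PEB_LDR_DATA below are stand-ins with the documented field order, and the module list is constructed by hand so it runs anywhere). The Flink pointers of InMemoryOrderModuleList point at each entry's InMemoryOrderLinks field, not at the entry start, which is exactly what the shifted struct definition compensates for:

```c
#include <stddef.h>
#include <stdint.h>
#include <wchar.h>

/* Stand-ins for the Windows types (constructed for this demo). */
typedef struct _LIST_ENTRY { struct _LIST_ENTRY *Flink, *Blink; } LIST_ENTRY;
typedef struct { uint16_t Length, MaximumLength; const wchar_t *Buffer; } UNICODE_STRING;

/* Canonical layout, as documented: InLoadOrderLinks is the first field. */
typedef struct {
    LIST_ENTRY     InLoadOrderLinks;
    LIST_ENTRY     InMemoryOrderLinks;
    LIST_ENTRY     InInitializationOrderLinks;
    void          *DllBase;
    void          *EntryPoint;
    uint32_t       SizeOfImage;
    UNICODE_STRING FullDllName;
    UNICODE_STRING BaseDllName;
} LDR_DATA_TABLE_ENTRY;

typedef struct { LIST_ENTRY InLoadOrderModuleList, InMemoryOrderModuleList; } PEB_LDR_DATA;

#define CONTAINING_RECORD(addr, type, field) ((type *)((char *)(addr) - offsetof(type, field)))

/* Constructed list: a head plus two modules, linked through InMemoryOrderLinks. */
static PEB_LDR_DATA ldr;
static LDR_DATA_TABLE_ENTRY mods[2];

void build_list(void) {
    ldr.InMemoryOrderModuleList.Flink = &mods[0].InMemoryOrderLinks;
    mods[0].InMemoryOrderLinks.Flink  = &mods[1].InMemoryOrderLinks;
    mods[1].InMemoryOrderLinks.Flink  = &ldr.InMemoryOrderModuleList;
    mods[0].DllBase = (void *)0x1000; mods[0].BaseDllName.Buffer = L"a.dll";
    mods[1].DllBase = (void *)0x2000; mods[1].BaseDllName.Buffer = L"ntdll.dll";
}

/* Correct walk with the canonical struct: recover the entry start from the link field. */
void *find_module_correct(const wchar_t *name) {
    for (LIST_ENTRY *e = ldr.InMemoryOrderModuleList.Flink;
         e != &ldr.InMemoryOrderModuleList; e = e->Flink) {
        LDR_DATA_TABLE_ENTRY *m = CONTAINING_RECORD(e, LDR_DATA_TABLE_ENTRY, InMemoryOrderLinks);
        if (wcscmp(m->BaseDllName.Buffer, name) == 0) return m->DllBase;
    }
    return NULL;
}

/* What the copy-pasted loop does: cast the link pointer straight to the entry type.
 * Returns how far that pointer sits past the real entry (0 would mean it was correct);
 * with the canonical layout this is sizeof(LIST_ENTRY), i.e. every field is read shifted. */
size_t naive_cast_error_bytes(void) {
    LDR_DATA_TABLE_ENTRY *naive = (LDR_DATA_TABLE_ENTRY *)ldr.InMemoryOrderModuleList.Flink;
    return (size_t)((char *)naive - (char *)&mods[0]);
}
```

Starting the struct at InMemoryOrderLinks, as the copied code does, makes that field's offset zero, so the naive cast happens to land on the right entry; CONTAINING_RECORD gives the same result without bending the type.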
😈 [ Josh @passthehashbrwn ]

New blog from me on manually manipulating Vectored Exception Handlers to evade some EDRs and perform threadless process injection.

Blog:
🔗 https://securityintelligence.com/x-force/using-veh-for-defense-evasion-process-injection/

Accompanying code:
🔗 https://github.com/xforcered/VectoredExceptionHandling

🐥 [ tweet ]
👍7🔥2
Enjoyed the talk, especially learning that impacket's getTGT.py can apparently be fixed with a single line by tolerating ASN.1 decoding errors.

Back in the day I solved this problem like this 👇🏻
Out of the box the getTGT[.]py script of course doesn't work, who would have thought (Fig. 1).

For some reason FreeIPA thinks that the operation number (aka application tag) of EncASRepPart is 26 (whereas in the RFC it is 25). Other people didn't appreciate the joke either.

If you change the ASN.1 spec the way IPA wants it, getTGT[.]py starts working (Fig. 2). Conveniently, Overpass-the-Key also works for this.

Full patch 👇🏻
diff --git a/impacket/krb5/asn1.py b/impacket/krb5/asn1.py
index 24963824..393ac9bb 100644
--- a/impacket/krb5/asn1.py
+++ b/impacket/krb5/asn1.py
@@ -283,9 +283,9 @@ class EncKDCRepPart(univ.Sequence):
_sequence_optional_component('key-expiration', 3, KerberosTime()),
_sequence_component('flags', 4, TicketFlags()),
_sequence_component('authtime', 5, KerberosTime()),
- _sequence_optional_component('starttime', 6, KerberosTime()),
+ _sequence_optional_component('starttime', 6, KerberosTime()), # can be empty, so worth try-excepting
_sequence_component('endtime', 7, KerberosTime()),
- _sequence_optional_component('renew-till', 8, KerberosTime()),
+ _sequence_optional_component('renew-till', 8, KerberosTime()), # can be empty, so worth try-excepting
_sequence_component('srealm', 9, Realm()),
_sequence_component('sname', 10, PrincipalName()),
_sequence_optional_component('caddr', 11, HostAddresses()),
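Review bot: the two `+` lines in this hunk only append trailing comments; `starttime` and `renew-till` were already declared with `_sequence_optional_component`, so this file contributes no behavioural change and the tolerance comes entirely from the ccache.py hunk. Either drop these lines from the patch or reword the comment to say what was actually observed against FreeIPA (pyasn1 still raising on these optional fields), so a later reader does not look here for the fix.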
diff --git a/impacket/krb5/ccache.py b/impacket/krb5/ccache.py
index 915ea268..01c7f2f8 100644
--- a/impacket/krb5/ccache.py
+++ b/impacket/krb5/ccache.py
@@ -25,6 +25,7 @@ from six import b, PY2

from pyasn1.codec.der import decoder, encoder
from pyasn1.type.univ import noValue
+from pyasn1.error import PyAsn1Error
from binascii import hexlify

from impacket.structure import Structure
@@ -493,9 +494,12 @@ class CCache:

credential['time'] = Times()
credential['time']['authtime'] = self.toTimeStamp(types.KerberosTime.from_asn1(encASRepPart['authtime']))
- credential['time']['starttime'] = self.toTimeStamp(types.KerberosTime.from_asn1(encASRepPart['starttime']))
+ try:
+ credential['time']['starttime'] = self.toTimeStamp(types.KerberosTime.from_asn1(encASRepPart['starttime']))
+ except PyAsn1Error:
+ pass
credential['time']['endtime'] = self.toTimeStamp(types.KerberosTime.from_asn1(encASRepPart['endtime']))
- credential['time']['renew_till'] = self.toTimeStamp(types.KerberosTime.from_asn1(encASRepPart['renew-till']))
+ #credential['time']['renew_till'] = self.toTimeStamp(types.KerberosTime.from_asn1(encASRepPart['renew-till']))

flags = self.reverseFlags(encASRepPart['flags'])
credential['tktflags'] = flags
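Review bot: the `renew_till` line is commented out instead of being wrapped like `starttime`, so the ccache never carries renew-till even when the KDC returns a valid one and renewable tickets lose their renewal deadline. Wrap it in the same `try: ... except PyAsn1Error: pass` used for `starttime` above. Also, `pass` leaves `credential['time']['starttime']` at whatever `Times()` defaults to; consider setting it explicitly (authtime is the usual interpretation of an absent starttime) and logging at debug level that the field was skipped, so the silent fallback stays visible.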
diff --git a/impacket/krb5/constants.py b/impacket/krb5/constants.py
index 60f1776c..581b5007 100644
--- a/impacket/krb5/constants.py
+++ b/impacket/krb5/constants.py
@@ -42,7 +42,7 @@ class ApplicationTagNumbers(Enum):
KRB_SAFE = 20
KRB_PRIV = 21
KRB_CRED = 22
- EncASRepPart = 25
+ EncASRepPart = 26 # WTF ??? https://mailman.mit.edu/pipermail/kerberos/2006-July/010040.html
EncTGSRepPart = 26
EncApRepPart = 27
EncKrbPrivPart = 28
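Review bot: `EncASRepPart = 26` now equals `EncTGSRepPart = 26` one line below; in Python's `Enum` a duplicate value makes the later member an alias of the earlier one, so `ApplicationTagNumbers.EncTGSRepPart` resolves to the `EncASRepPart` member and any code that tells AS-REP and TGS-REP encrypted parts apart through this enum will misbehave. As a local workaround this is fine, but for anything shared keep 25 here (the RFC 4120 value) and handle FreeIPA's 26 at decode time (try the RFC tag, fall back to 26). The `# WTF ???` comment is also better replaced by one sentence stating the observed FreeIPA behaviour next to the link.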
🔥17👍3🤯3
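An added example, not from the post or from impacket, of the tag check the patch above works around: a minimal DER identifier-octet reader and a classifier that accepts the RFC 4120 tag [APPLICATION 25] for EncASRepPart as well as the 26 that FreeIPA emits. The two byte strings are constructed for the demo (an application-tagged wrapper around an empty SEQUENCE); the reader also handles the high-tag-number form, which goes beyond the two tags the post mentions.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed samples: [APPLICATION n] constructed, wrapping an empty SEQUENCE (30 00). */
static const uint8_t rfc_as_rep_part[]     = {0x79, 0x02, 0x30, 0x00}; /* APPLICATION 25, RFC 4120 */
static const uint8_t freeipa_as_rep_part[] = {0x7A, 0x02, 0x30, 0x00}; /* APPLICATION 26, as FreeIPA sends */
static const uint8_t plain_sequence[]      = {0x30, 0x00};             /* UNIVERSAL SEQUENCE, no wrapper */

enum { TAG_CLASS_UNIVERSAL = 0, TAG_CLASS_APPLICATION = 1, TAG_CLASS_CONTEXT = 2 };

/* Decode the identifier octets of a BER/DER TLV.
 * Returns the number of bytes consumed, or 0 on malformed/truncated input. */
size_t der_read_tag(const uint8_t *buf, size_t len, int *cls, int *constructed, uint32_t *number) {
    if (len == 0) return 0;
    *cls = buf[0] >> 6;                 /* bits 8-7: class */
    *constructed = (buf[0] >> 5) & 1;   /* bit 6: primitive/constructed */
    uint32_t n = buf[0] & 0x1F;         /* bits 5-1: tag number, 0x1F means "more octets follow" */
    size_t i = 1;
    if (n == 0x1F) {                    /* high-tag-number form: base-128, MSB = continuation */
        n = 0;
        do {
            if (i >= len || i > 5) return 0;   /* truncated or absurdly long tag */
            n = (n << 7) | (buf[i] & 0x7F);
        } while (buf[i++] & 0x80);
    }
    *number = n;
    return i;
}

/* AS-REP encrypted part: RFC 4120 specifies [APPLICATION 25]; FreeIPA's KDC uses 26,
 * which is the EncTGSRepPart tag. Accepting both is the tolerant decode the post needs
 * instead of rewriting the constant in constants.py. */
int is_enc_as_rep_part(const uint8_t *buf, size_t len) {
    int cls, cons;
    uint32_t num;
    if (!der_read_tag(buf, len, &cls, &cons, &num)) return 0;
    return cls == TAG_CLASS_APPLICATION && cons && (num == 25 || num == 26);
}
```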
😈 [ Charlie Bromberg « Shutdown » @_nwodtuhs ]

🎉 After >1y of hard work, @AzeTIIx and I are thrilled to release v2 of The Hacker Recipes!

We moved away from GitBook and now have control over both engine & hosting 🥹
1st addition for contributors: your work is being highlighted across the site! 🫡

🔗 https://thehacker.recipes/

🐥 [ tweet ]
👍15
😈 [ SandboxEscaper @big_polar_bear2 ]

It is shit, I feel like I failed. Waste of time. I only added the LLL portion in the last month, but it is such a complicated topic, I just didn't get it to work well enough. Hopefully the number theoretical portion in paper.pdf is useful.

🔗 https://github.com/Big-polar-bear/factorization

🐥 [ tweet ]

something new on Fermat factorization using the Lenstra-Lenstra-Lovász (LLL) algorithm
🔥8🤯2🤔1
😈 [ VIZIT @vizitcondoms ]

By the way, we offer protection in case you land your jets wherever you please

🐥 [ tweet ]

after the 10th request to comment on the arrest, I'll answer everyone at once with a quote from Twitter, to preserve the channel's authenticity
😁15🔥5👍3😢1🍌1
😈 [ Przemysław Kłys @PrzemyslawKlys ]

If you're into #ActiveDirectory, keep it clean from stale objects. CleanupMonster, my new #PowerShell module, can help you with that. I wrote a blog post about it to make it easier to implement.

It has fancy reporting and lots of customizations:

🔗 https://evotec.xyz/mastering-active-directory-hygiene-automating-stale-computer-cleanup-with-cleanupmonster/

🐥 [ tweet ]
👍7
😈 [ Alisa Esage Шевченко @alisaesage ]

Best research of Windows IPv6 RCE bug that I've seen so far (by ynwarcs). Still plenty of room for exploit development.

🔗 https://github.com/ynwarcs/CVE-2024-38063

🐥 [ tweet ]
🔥14🥱2
😈 [ Austin Hudson @ilove2pwn_ ]

Hopefully, should be simpler in the very near future to build COM/MSRPC clients & servers ( with SEH __try/__except/__finally support ) on Unix with mingw-w64 & clang with GNU LD.

I'll be uploading an example sometime in the next few weeks depending on how busy I am.

🐥 [ tweet ]
👍4
😈 [ Viking @Vikingfr ]

"SuperFetchQuery" can be useful for some scenarios like Red Team, Exploit Dev or Maldev. Let’s take a look!

🔗 https://v1k1ngfr.github.io/superfetchquery-superpower/

🐥 [ tweet ]
🔥6
😈 [ S3cur3Th1sSh1t @ShitSecure ]

Want to reflectively load MSVC-compiled Rust binaries, e.g. from PowerShell, C# or similar?

You have two options from my current perspective:
1) Adjust your PE-Loader to do "something" (unknown yet) for proper execution
2) Remove default main as shown:

🔗 https://gist.github.com/S3cur3Th1sSh1t/bbde56e01d7440ee97b69f4eb179f4cb

🐥 [ tweet ][ quote ]
👍9🔥1
😈 [ CICADA8Research @CICADA8Research ]

Our new article about privilege escalation via vulnerable MSI files. All roads lead to NT AUTHORITY\SYSTEM :)

🔗 https://cicada-8.medium.com/evil-msi-a-long-story-about-vulnerabilities-in-msi-files-1a2a1acaf01c
🔗 https://github.com/CICADA8-Research/MyMSIAnalyzer

🐥 [ tweet ]
👍13🔥7🤯2🥱1
😈 [ Jason Lang @curi0usJack ]

It's been a while since I've gotten to modify a GPO through a proxy as part of a red team. Fun and terrifying! If you're in that scenario now, this might help:

🔗 https://trustedsec.com/blog/weaponizing-group-policy-objects-access

🐥 [ tweet ]
👍5🔥2🥱1
😈 [ Grzegorz Tworek @0gtweet ]

Listing all processes keeping a particular file open is not a trivial task, but since Vista we have a special syscall parameter for that purpose. Microsoft says "reserved for system use", but I was brave enough to wrap it into a PowerShell function. Enjoy!

🔗 https://github.com/gtworek/PSBits/blob/master/Misc2/Get-PidsForOpenFile.ps1

🐥 [ tweet ]
🔥15👍2