😈 [ Tim Willis @itswillis ]

Two new posts from @tiraniddo today.

On reviving a memory trapping primitive from his 2021 post:

🔗 https://googleprojectzero.blogspot.com/2025/01/windows-exploitation-tricks-trapping.html

Where he shares a bug class and demonstrates how you can get a COM object trapped in a more privileged process:

🔗 https://googleprojectzero.blogspot.com/2025/01/windows-bug-class-accessing-trapped-com.html

Happy Reading! 📚

🐥 [ tweet ]

Однажды в голову мне пришла идея разработать немного-немало свой собственный google. Чтоб его можно было запустить в локальной сети и отыскать там любые секреты где нибудь в глубине публичных сетевых дисков, ftp или вебе. И что бы такая система понимала не только текстовые файлы, но и офисные документы, архивы, исполняемые файлы, картинки, звук, словом всё что только может прийти в голову и что нельзя искать простым текстовым поиском.
Интернет сегодня нельзя представить без поисковика, но почему в локальной сети иная картина? Ведь как известно общедоступные ресурсы это вечная головная боль всех админов, а для пентестеров их анализ слишком дорогостоящая по времени работа.
Разработать в одиночку и за умеренное время собственный аналог google непростая задача. К решению данной проблемы я пытался подойти с разных сторон и за всё время два или три раза полностью переписывал всю систему с нуля. Но в итоге мне удалось найти очень простое и элегантное решение, почти не требующее кодинг - создать систему построенную из готовых компонентов (GNU), легко масштабируемую и также легко внедряемую (docker). Да ещё и понимающую google дорки (opensearch).
Такая система может быть одинаково полезна как пентестерам когда перед тобой сотни шар, так и защитникам - ведь систему можно настроить на непрерывный регулярный краулинг всех общедоступных ресурсов.
В статье https://habr.com/ru/companies/ussc/articles/878340/ я детально описываю идею моей системы, её несложную логику работы а так же настройку и примеры использования.

😈 [ serioton @seriotonctf ]

Just updated my NetExec cheatsheet. Added some new commands and tweaks. It includes the commands I use when working on HackTheBox and Vulnlab machines

🔗 https://github.com/seriotonctf/cme-nxc-cheat-sheet

🐥 [ tweet ]

😈 [ ProjectDiscovery @pdiscoveryio ]

Replace request headers from your terminal with Proxify by ProjectDiscovery!

⌨️

proxify -req-mrd "replace_regex(request, 'User-Agent: .*', 'User-Agent: <YOUR-PAYLOAD>')"

Check it out 👆

🐥 [ tweet ]

😈 [ RedTeam Pentesting @RedTeamPT ]

The LLMNR response name spoofing pioneered by @tiraniddo and @Synacktiv does not seem to work with mDNS & NetBIOS 😢
But guess what! It works with DNS😯

🥳 Here's the new pretender release supporting Kerberos relaying via DHCPv6-DNS-Takeover: 🎉

🔗 https://github.com/RedTeamPentesting/pretender/releases/tag/v1.3.1

🐥 [ tweet ]

😈 [ MANSK1ES @mansk1es ]

Check out my new blog post, "Weaponizing Background Images for Information Disclosure and LPE" where I walk through the AnyDesk vuln I found a few months ago (CVE-2024-12754/ZDI-24-1711):

🔗 https://mansk1es.gitbook.io/AnyDesk_CVE-2024-12754

🐥 [ tweet ]

Простая реализация ts::multirdp

https://gist.github.com/S3cur3Th1sSh1t/8294ec59d1ef38cba661697edcfacb9b

#soft #ad #pentest #redteam #dev

😈 [ Wietze @Wietze ]

🚀 Today I'm launching ArgFuscator: an open-source platform documenting command-line obfuscation tricks AND letting you generate your own

🔥 68 executables supported out of the box - use right away, make tweaks, or create your own

👉 Now available at

🔗 http://argfuscator.net

🐥 [ tweet ]

😈 [ CICADA8Research @CICADA8Research ]

Hi friends, Recently @mansk1es presented his research about LPE in AnyDesk (CVE-2024-12754). Our team developed a POC on this vulnerability😀

Check it here:

🔗 https://github.com/CICADA8-Research/Penetration/tree/main/POCs/CVE-2024-12754

🐥 [ tweet ]

😈 [ Daniel @0x64616e ]

My current understanding of Kerberos Relaying

🐥 [ tweet ]

😈 [ Bobby Cooke @0xBoku ]

🔪Open-sourcing 💀StringReaper BOF!
I've had great success in engagements carving credentials out of remote process memory with this BOF

🔗 https://github.com/boku7/StringReaper

🐥 [ tweet ]

😈 [ eversinc33 🤍🔪⋆｡˚ ⋆ @eversinc33 ]

@0xBoku recent unhooking bof reminded of this fun trick on how to unhook any windows DLL without opening a handle to an on disk file - just download it from the MS symbol server and replace in memory :3

🔗 https://gist.github.com/eversinc33/86b4d1d71748a55efceb69a4f18f4d1d

🐥 [ tweet ]

😈 [ Chetan Nayak (Brute Ratel C4 Author) @NinjaParanoid ]

BOF Development is in full flow at Dark Vortex. Multiple new standalone BOFs have been added and ported from various open source projects to BRC4-BOF-Artillery git-repo. New ones are mentioned in the commits. More crazy updates are on the way...

🔗 https://github.com/paranoidninja/BRC4-BOF-Artillery

🐥 [ tweet ]

😈 [ n00py @n00py1 ]

ESC15 Manual Exploitation

🔗 https://www.mannulinux.org/2025/02/Curious-case-of-AD-CS-ESC15-vulnerable-instance-and-its-manual-exploitation.html

🐥 [ tweet ]

😈 [ vx-underground @vxunderground ]

Hi,

Just wrote a keylogger that uses ONLY the Windows COM (Component Object Model). The only WINAPI functions it has is GetModuleHandleW (could be replaced with a custom implemented to remove the function invocation), and GetConsoleWindow (forwards to actual SYSCALLs, can't strip it out).

Everything else is pure suffering. It is an abomination.

I'll be releasing it later once I clean up the code. It's a cool little proof-of-concept.

What should I name this thing?

-smelly smellington

🔗 https://vx-api.gitbook.io/vx-api/my-projects/jeff-com-only-keylogger

🐥 [ tweet ]

😈 [ CodeX @codex_tf2 ]

Releasing WebcamBOF📸

Webcam capture capability for Cobalt Strike as a BOF, with in-memory download options (as a file or screenshot). USB webcams supported (at least mine is)

Remind me never to use the MF API in BOFs again😭
(god i hate this codebase)

🔗 https://github.com/CodeXTF2/WebcamBOF

🐥 [ tweet ]

😈 [ CICADA8Research @CICADA8Research ]

Hello friends! There is a lot of information about Kerberos Relay out and it is easy to get confused! That's why we have created a small MindMap to help you understand Kerberos Relay

U can find PDF/HTML/PNG version here:

🔗 https://github.com/CICADA8-Research/Penetration/tree/main/KrbRelay%20MindMap

🐥 [ tweet ]

😈 [ Ellis Springe @knavesec ]

Dropping a one-off noscript to pull arbitrary AD attributes from ADExplorer snapshots. @0xBoku and I used this on a recent op to pull custom attributes that listed Computer objects owned by specific users so we could correlate high-value targets to systems:

🔗 https://github.com/c3c/ADExplorerSnapshot.py/pull/66

🐥 [ tweet ]

😈 [ RedTeam Pentesting @RedTeamPT ]

🎉 We've just released 🔐 keycred 🎉

A cross-platform tool for handling Active Directory Shadow Credentials/msDS-KeyCredentialLink 🔑.

It supports UnPAC-the-Hash/PKINIT, Pass-the-Cert, Channel Binding and more 💪🚀

🔥 Get it while it's still hot! 🔥

🔗 https://github.com/RedTeamPentesting/keycred

🐥 [ tweet ]

😈 [ Synacktiv @Synacktiv ]

In our latest article, @l4x4 revisits the secretsdump implementation, offering an alternative avoiding reg save and eliminates writing files to disk, significantly reducing the likelihood of triggering security alerts. Read the details at .

🔗 https://www.synacktiv.com/publications/lsa-secrets-revisiting-secretsdump

🐥 [ tweet ]

😈 [ TrustedSec @TrustedSec ]

In our new #blog, Senior Research Analyst @codewhisperer84 unveils his new tool DIT Explorer which he created after researching NTDS.dit files on Active Directory. Read part one of this series now to find out what this tool can do!

🔗 https://trustedsec.com/blog/exploring-ntds-dit-part-1-cracking-the-surface-with-dit-explorer

🐥 [ tweet ]