Ring +3 Malwares: Few tricks
http://www.blackstormsecurity.com/docs/BSIDES_2018_RELEASE.pdf
@windowshackinglibrary
Kerberos Party Tricks: Weaponizing Kerberos Protocol Flaws
http://www.exumbraops.com/blog/2016/6/1/kerberos-party-tricks-weaponizing-kerberos-protocol-flaws
@windowshackinglibrary
Executing Commands and Bypassing AppLocker with PowerShell Diagnostic Scripts
https://bohops.com/2018/01/07/executing-commands-and-bypassing-applocker-with-powershell-diagnostic-scripts
@windowshackinglibrary
Introduction: Last week, I was hunting around the Windows Operating System for interesting scripts and binaries that may be useful for future penetration tests and Red Team engagements. With increa…
Forwarded from Security Talks (Jonhnathan Jonhnathan Jonhnathan)
Not a Security Boundary: Bypassing User Account Control
Matt Nelson at Derbycon 2017
Microsoft's User Account Control feature, introduced in Windows Vista, has been a topic of interest to many in the security community. Since UAC was designed to force user approval for administrative actions, attackers (and red teamers) encounter UAC on nearly every engagement. As a result, bypassing this control is a task that an actor often has to overcome, despite its lack of formal designation as a security boundary. This talk highlights what UAC is, previous work by others, research methodology, and details several technical UAC bypasses developed by the author.
https://youtu.be/c8LgqtATAnE
@SecTalks
These are the videos from Derbycon 7 (2017): http://www.irongeek.com/i.php?page=videos/derbycon7/mainlist
Windows Userland Persistence Fundamentals
http://www.fuzzysecurity.com/tutorials/19.html
@WindowsHackingLibrary
DLL Hijacking via URL files
https://insert-script.blogspot.com.br/2018/05/dll-hijacking-via-url-files.html
@WindowsHackingLibrary
This blogpost describes how I got annoyed by vulnerabilities in 3rd party Windows applications, which allowed to execute local files but wi...
Enumerating remote access policies through GPO
https://labs.mwrinfosecurity.com/blog/enumerating-remote-access-policies-through-gpo/
@WindowsHackingLibrary
MailSniper
MailSniper is a penetration testing tool for searching through email in a Microsoft Exchange environment for specific terms (passwords, insider intel, network architecture information, etc.). It can be used as a non-administrative user to search their own email, or by an administrator to search the mailboxes of every user in a domain.
https://github.com/dafthack/MailSniper
@WindowsHackingLibrary
DomainPasswordSpray
DomainPasswordSpray is a tool written in PowerShell to perform a password spray attack against users of a domain. By default it will automatically generate the userlist from the domain.
https://github.com/dafthack/DomainPasswordSpray
@WindowsHackingLibrary
5 Ways to Find Systems Running Domain Admin Processes
https://blog.netspi.com/5-ways-to-find-systems-running-domain-admin-processes/
@WindowsHackingLibrary
Migrating to Domain Admin processes is a common way penetration testers are able to impersonate Domain Admin accounts on the network. However, before a pentester can do that, they need to know what systems those processes are running on. In this blog I’ll…
How to bypass GPO Policy restriction for Powershell usage
https://github.com/p3nt4/PowerShdll
@WindowsHackingLibrary
Run PowerShell with rundll32. Bypass software restrictions.
ADAPE - Active Directory Assessment and Privilege Escalation Script
https://github.com/hausec/ADAPE-Script
@WindowsHackingLibrary
Kerberoasting, exploiting unpatched systems – a day in the life of a Red Teamer
http://niiconsulting.com/checkmate/2018/05/kerberoasting-exploiting-unpatched-systems-a-day-in-the-life-of-a-red-teamer/
@WindowsHackingLibrary
The Scope Recently, we conducted a red team assessment for a large enterprise client where the scenarios allowed were to either use the hardened laptop of the client or to try and connect our own laptop to the network (though they did have a Network Access…
Understanding and Evading Get-InjectedThread
https://blog.xpnsec.com/undersanding-and-evading-get-injectedthread/
@WindowsHackingLibrary
One of the many areas of this field that I really enjoy is the "cat and mouse" game played between RedTeam and BlueTeam, each forcing the other to up their game. Often we see some awesome tools being released to help defenders detect malware or shellcode…
PowerLessShell relies on MSBuild.exe to remotely execute PowerShell scripts and commands without spawning powershell.exe. You can also execute raw shellcode using the same approach.
https://github.com/Mr-Un1k0d3r/PowerLessShell
@WindowsHackingLibrary
Dumping Clear-Text Credentials
https://pentestlab.blog/2018/04/04/dumping-clear-text-credentials/
@WindowsHackingLibrary
Passwords in clear-text that are stored in a Windows host can allow penetration testers to perform lateral movement inside an internal network and eventually fully compromise it. Therefore in a sys…
Office365 ActiveSync Username Enumeration
https://www.sec-1.com/blog/2017/office365-activesync-username-enumeration
@WindowsHackingLibrary
Summary: There is a simple username enumeration issue in Office365’s ActiveSync. Microsoft do not consider this a vulnerability, so Sec-1 do not expect this issue to be fixed. Sec-1 Penetration Tester Oliver Morton has written a script to exploit this which…
GetNPUsers.py (impacket)
This script will attempt to list and get TGTs for those users that have the property 'Do not require Kerberos preauthentication' set (UF_DONT_REQUIRE_PREAUTH). For those users with such configuration, a John The Ripper output will be generated so you can send it for cracking.
https://github.com/CoreSecurity/impacket/commit/bada8a719f8ed7be4633514eea94bc768dbaf019
@WindowsHackingLibrary
NTLMv1 Multitool
This tool modifies NTLMv1/NTLMv1-ESS/MSCHAPv2 hashes so they can be cracked with DES Mode 14000 in hashcat
https://github.com/evilmog/ntlmv1-multi/
@WindowsHackingLibrary