OffSec/OSINT Resources

https://Urlscan.io
https://Hunter.io
https://snov.io
https://Osint.link
https://DNSdumpster.com
https://osintframework.com
https://shodan.io
https://censys.io
https://zoomeye.org
https://opencorporates.com
https://kitploit.com
https://ipv4info.com
https://robtex.com
https://securitytrails.com
https://intelx.io
https://crt.sh
https://spyse.com

#offsec #osint

Obscure-IP-Obfuscator

Simple script you can use to convert and obscure any IP address of any host.

https://github.com/C-REMO/Obscure-IP-Obfuscator

#ip #obfuscate #tools

Unauthenticated RCE in Palo Alto GlobalProtect VPN

https://www.randori.com/blog/cve-2021-3064/

#globalprotect #cve #0day

NanoDump

Dumping LSASS has never been so stealthy

Features

• It uses syscalls (with SysWhispers2) for most operations
• You can choose to download the dump without touching disk or write it to a file
• The minidump by default has an invalid signature to avoid detection
• It reduces the size of the dump by ignoring irrelevant DLLs. The (nano)dump tends to be arround 10 MB in size
• You don't need to provide the PID of LSASS
• No calls to dbghelp or any other library are made, all the dump logic is implemented in nanodump
• You can use the .exe version to run nanodump outside of Cobalt Strike

https://github.com/helpsystems/nanodump

#dump #lsass #syswhispers

SMBSR

Well, SMBSR is a python script which given a CIDR/IP/IP_file/HOSTNAME(s) enumerates all the SMB services listening (445) among the targets and tries to authenticate against them; if the authentication succeed then all the folders and subfolders are visited recursively in order to find secrets in files and ... secret files. In order to scan the targets for SMB ports open the masscan module is used.

https://github.com/oldboy21/SMBSR

#smb #share #secrets #redteam

Pre-Auth Reflected XSS in MS Exchange (CVE-2021-41349)

https://github.com/httpvoid/CVE-Reverse/tree/master/CVE-2021-41349

#exchange #xss #cve

Sed Cheat Sheet

Useful sed scripts & patterns.

https://github.com/adrianscheff/useful-sed

#sed #cheatsheet #bash

Living Off Trusted Sites (LOTS)

Attackers are using popular legitimate domains when conducting phishing, C&C, exfiltration and downloading tools to evade detection.

https://lots-project.com

#lots #redteam #blueteam #sites #upload

Taking the pain out of C2 Infrastructure

# https://byt3bl33d3r.substack.com/p/taking-the-pain-out-of-c2-infrastructure
# https://byt3bl33d3r.substack.com/p/taking-the-pain-out-of-c2-infrastructure-3c4

#c2 #redteam #infrastructure

Git Cheat Sheet

#git #cheatsheet

The Pentester's Guide

https://0xffsec.com/handbook/

#bugbounty #handbook #pentest

Bypass Defender and dump LSASS via procdump.exe

If you rename procdump.exe to dump64.exe and place it in the "C:\Program Files (x86)\Microsoft Visual Studio\*" folder, you can bypass Defender and dump LSASS.

#lsass #dump #defender #bypass #dump64

InlineWhispers2

Tool for working with Direct System Calls in Cobalt Strike's Beacon Object Files (BOF) via Syswhispers2

https://github.com/Sh0ckFR/InlineWhispers2

#cobaltstrike #BOF #syswhispers

DLL Hollowing

Deep dive into a stealthier DLL hollowing/memory allocation variant.

https://www.secforce.com/blog/dll-hollowing-a-deep-dive-into-a-stealthier-memory-allocation-variant/

#malware #dll #hollowing

KerbMon

Continuous kerberoast monitor

https://github.com/Retrospected/kerbmon

#kerberos #monitor #pentest

OffensiveRust — Rust Weaponization for Red Team Engagements.

Examples in this repo:

• Allocate_With_Syscalls — It uses NTDLL functions directly with the ntapi Library
• Create_DLL — Creates DLL and pops up a msgbox, Rust does not fully support this so things might get weird since Rust DLL do not have a main function
• DeviceIoControl — Opens driver handle and executing DeviceIoControl
• EnableDebugPrivileges — Enable SeDebugPrivilege in the current process
• Shellcode_Local_inject — Executes shellcode directly in local process by casting pointer
• Execute_With_CMD — Executes cmd by passing a command via Rust
• ImportedFunctionCall — It imports minidump from dbghelp and executes it
• Kernel_Driver_Exploit — Kernel Driver exploit for a simple buffer overflow
• Named_Pipe_Client — Named Pipe Client
• Named_Pipe_Server — Named Pipe Server
• Process_Injection_CreateThread — Process Injection in remote process with CreateRemoteThread
• Unhooking — Unhooking calls
• asm_syscall — Obtaining PEB address via asm
• base64_system_enum — Base64 encoding/decoding strings
• http-https-requests — HTTP/S requests by ignoring cert check for GET/POST
• patch_etw — Patch ETW
• ppid_spoof — Spoof parent process for created process
• tcp_ssl_client — TCP client with SSL that ignores cert check (Requires openssl and perl to be installed for compiling)
• tcp_ssl_server — TCP Server, with port parameter(Requires openssl and perl to be installed for compiling)
• wmi_execute — Executes WMI query to obtain the AV/EDRs in the host
• Windows.h+ Bindings — This file contains structures of Windows.h plus complete customized LDR,PEB,etc.. that are undocumented officially by Microsoft, add at the top of your file include!("../bindings.rs");
• UUID_Shellcode_Execution — Plants shellcode from UUID array into heap space and uses EnumSystemLocalesA Callback in order to execute the shellcode.

https://github.com/trickster0/OffensiveRust

#rust #redteam #malware

Oh365 User Finder

Oh365UserFinder is used for identifying valid o365 accounts without the risk of account lockouts. The tool parses responses to identify the "IfExistsResult" flag is null or not, and responds appropriately if the user is valid.

https://github.com/dievus/Oh365UserFinder

#office365 #user #enumeration

Default Passwords

Before performing password attacks, it is worth trying a couple of default passwords against the targeted service. Here are some website that provide default passwords for various products.

# https://cirt.net/passwords
# https://default-password.info/
# https://datarecovery.com/rd/default-passwords/

#default #passwords #services

When You sysWhisper Loud Enough for AV to Hear You

https://captmeelo.com/redteam/maldev/2021/11/18/av-evasion-syswhisper.html

#av #evasion #syswhisper

Microsoft Exchange Deserialization RCE (CVE-2021–42321)

https://peterjson.medium.com/some-notes-about-microsoft-exchange-deserialization-rce-cve-2021-42321-110d04e8852

#exchange #rce #cve #deserialization