Authentication and Authorization Testing Mindmap

https://drive.google.com/file/d/1Jt1wzmgG3vDhU-vppms_KhP2ffvcMlD_/view

#appsec #mindmap #auth #testing

EDRChecker

Checks running processes, process metadata, Dlls loaded into your current process and the each DLLs metadata, common install directories, installed services and each service binaries metadata, installed drivers and each drivers metadata, all for the presence of known defensive products such as AV's, EDR's and logging tools.

C#
https://github.com/PwnDexter/SharpEDRChecker

PowerShell
https://github.com/PwnDexter/Invoke-EDRChecker

#edr #checker #csharp #powershell #tools

SpoolFool: Windows Print Spooler Privilege Escalation (CVE-2022–22718)

Research:
https://research.ifcr.dk/spoolfool-windows-print-spooler-privilege-escalation-cve-2022-22718-bf7752b68d81

Exploit:
https://github.com/ly4k/SpoolFool

#windows #print #spooler #lpe #exploit

Exploring Windows UAC Bypasses

https://elastic.github.io/security-research/whitepapers/2022/02/03.exploring-windows-uac-bypass-techniques-detection-strategies/article/

#windows #uac #bypass #research

KrbRelay

The only public tool for relaying Kerberos tickets and the only relaying framework written in C#.

https://github.com/cube0x0/KrbRelay

#ad #kerberos #relay

New article by our researchers Mikhail Klyuchnikov and Egor Dimitrenko about unauth RCEs in VMware products: "Hunting for bugs in VMware: View Planner and vRealize Business for Cloud".

Read the article: https://swarm.ptsecurity.com/hunting-for-bugs-in-vmware-view-planner-and-vrealize-business-for-cloud/

This is the first article about our VMware research. More to come!

Windows Security Log Quick Reference Cheat Sheet

#windows #security #log #blueteam

Password Spraying and MFA Bypasses

https://www.sprocketsecurity.com/blog/how-to-bypass-mfa-all-day

#ntlm #password #spraying #o365 #exchange #mfa

CredMaster

Launch a password spray / brute force attach via Amazon AWS passthrough proxies, shifting the requesting IP address for every authentication attempt. This dynamically creates FireProx APIs for more evasive password sprays.

The following plugins are currently supported:
— OWA
— EWS
— O365
— O365Enum
— MSOL
— Okta
— FortinetVPN
— HTTPBrute
— ADFS
— AzureSSO

https://github.com/knavesec/CredMaster

#owa #o365 #adfs #password #spraying

Useful Libraries for Malware Development

https://captmeelo.com/redteam/maldev/2022/02/16/libraries-for-maldev.html

#edr #evasion #lib #maldev #cpp

Recon — Horizontal Enumeration

https://aaryanapex.medium.com/bug-bounty-methodology-horizontal-enumeration-89f7cd172e6e

#osint #recon #enumeration

S3Scanner

Scan for open S3 buckets and dump the contents

Features:
— Multi-threaded scanning
— Supports tons of S3-compatible APIs
— Scans all bucket permissions to find misconfigurations
— Dump bucket contents to a local folder
— Docker support

https://github.com/sa7mon/S3Scanner

#aws #s3 #bucket #scanner

Zabbix SAML Authentication Bypass (CVE-2022-23131)

Research:
https://blog.sonarsource.com/zabbix-case-study-of-unsafe-session-storage

PoC:
https://github.com/jweny/zabbix-saml-bypass-exp

#zabbix #research #auth #bypass #cve

o365recon

Script to retrieve information via O365 and AzureAD with a valid cred.

https://github.com/nyxgeek/o365recon

#azure #recon #tools

Keeping Up with the NTLM Relay

https://www.fortalicesolutions.com/posts/keeping-up-with-the-ntlm-relay

#ad #ntlm #relay #adcs

DumpSMBShare

A script to dump files and folders remotely from a Windows SMB share.

https://github.com/p0dalirius/DumpSMBShare

#ad #smb #share #dump

Certipy 2.0: BloodHound, New Escalations, Shadow Credentials, Golden Certificates, and more!

Blog:
https://research.ifcr.dk/certipy-2-0-bloodhound-new-escalations-shadow-credentials-golden-certificates-and-more-34d1c26f0dc6

Tool:
https://github.com/ly4k/Certipy

#ad #adcs #abuse #tools

DNS Abuse & Misconfiguration


The History of DNS Vulnerabilities and the Cloud
https://unit42.paloaltonetworks.com/dns-vulnerabilities/

Dangling Domains: Security Threats, Detection and Prevalence
https://unit42.paloaltonetworks.com/dangling-domains/

Fishing the AWS IP Pool for Dangling Domains
https://bishopfox.com/blog/fishing-the-aws-ip-pool-for-dangling-domains

Respect My Authority – Hijacking Broken Nameservers to Compromise Your Target
https://thehackerblog.com/respect-my-authority-hijacking-broken-nameservers-to-compromise-your-target/

The Orphaned Internet – Taking Over 120K Domains via a DNS Vulnerability in AWS, Google Cloud, Rackspace and Digital Ocean
https://thehackerblog.com/the-orphaned-internet-taking-over-120k-domains-via-a-dns-vulnerability-in-aws-google-cloud-rackspace-and-digital-ocean/

The .io Error – Taking Control of All .io Domains With a Targeted Registration
https://thehackerblog.com/the-io-error-taking-control-of-all-io-domains-with-a-targeted-registration/

The International Incident – Gaining Control of a .int Domain Name With DNS Trickery
https://thehackerblog.com/the-international-incident-gaining-control-of-a-int-domain-name-with-dns-trickery/

Hostile Subdomain Takeover using Heroku/Github/Desk + more
https://labs.detectify.com/2014/10/21/hostile-subdomain-takeover-using-herokugithubdesk-more/

Dangling DNS: Amazon EC2 IPs
https://blog.melbadry9.xyz/dangling-dns/aws/ddns-ec2-current-state

Eliminating Dangling Elastic IP Takeovers with Ghostbuster
https://blog.assetnote.io/2022/02/13/dangling-eips/

Internet-Wide Analysis of Subdomain Takeovers
https://redhuntlabs.com/blog/project-resonance-wave-1.html

Subdomain Takeover
https://0xpatrik.com/subdomain-takeover-basics/
https://0xpatrik.com/subdomain-takeover-candidates/
https://0xpatrik.com/takeover-proofs/
https://0xpatrik.com/subdomain-takeover-ns/
https://0xpatrik.com/subdomain-takeover/

#dns #abuse #aws #elastic #subdomain #takeover

Bypass 2FA Using noVNC

Steal credentials and bypass 2FA by giving users remote access to your server via an HTML5 VNC client that has a browser running in kiosk mode.

https://mrd0x.com/bypass-2fa-using-novnc/

#2fa #bypass #novnc