Burp Suite - ninja tricks
https://owasp.org/www-chapter-norway/assets/files/Burp%20suite%20ninja%20moves.pdf
#burp #tricks #BugBounty
Bypass Defender AV static detection:
If you name a malicious file *.log Defender doesn't scan it.
UPD: DumpStack (by any file number) can bypass MDE easily with no detection as mimikatz or eicar mode.
The malicious file can be shown in the console but not identified as malicious.
#defender #evasion #tricks
🦮 BloodHound via Proxychains
For the BloodHound.py ingestor to work through proxychains you need to use TCP instead of UDP for DNS queries by adding the --dns-tcp flag.
#ad #bloodhound #proxy #tricks
⚙️ Determining AD domain name via NTLM Auth
If nmap (http-ntlm-info) is unable to determine the FQDN of an Active Directory domain via OWA, for example due to Citrix NetScaler or other SSO solutions, do it manually!
1) curl -Isk -X POST -H 'Authorization: NTLM TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAKANc6AAAADw==' -H 'Content-Length: 0' https://autodiscover.example.com/ews
2) echo 'TlRMTVNTUAACAAAADAAMAD...' | python2 ./ntlmdecoder.py
One-liner function for bashrc/zshrc/etc-rc:
ntlm_decode() { curl -Isk -X POST -H 'Authorization: NTLM TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAKANc6AAAADw==' -H 'Content-Length: 0' "$1" | awk -F 'NTLM ' '/WWW-Authenticate: NTLM/ {print $2}' | python2 "$(locate ntlmdecoder.py)"; }
Source: ntlmdecoder.py
#ntlm #auth #sso #tricks #pentest
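The token the server returns in step 1 is an NTLM Type 2 (CHALLENGE_MESSAGE); the domain names come from the AV_PAIRs in its TargetInfo field. As an added example, not part of the post and not the ntlmdecoder.py script it links, here is a standalone Python 3 decoder that extracts those disclosures, together with a constructed sample token for a fictional CORP / corp.example domain (all names and the build number are made up); it is useful on the defensive side for checking what an exposed endpoint reveals.

```python
import base64
import struct

# AV_PAIR ids in the CHALLENGE_MESSAGE TargetInfo field (MS-NLMP 2.2.2.1)
AV_IDS = {1: "netbios_computer", 2: "netbios_domain", 3: "dns_computer",
          4: "dns_domain", 5: "dns_tree"}
NEGOTIATE_VERSION = 0x02000000  # NTLMSSP_NEGOTIATE_VERSION flag bit


def decode_challenge(token_b64: str) -> dict:
    """Parse a base64 NTLM Type 2 token and return what the server discloses."""
    msg = base64.b64decode(token_b64)
    if msg[:8] != b"NTLMSSP\x00" or struct.unpack_from("<I", msg, 8)[0] != 2:
        raise ValueError("not an NTLM CHALLENGE_MESSAGE (type 2)")
    tn_len, _, tn_off = struct.unpack_from("<HHI", msg, 12)   # TargetNameFields
    flags = struct.unpack_from("<I", msg, 20)[0]              # NegotiateFlags
    ti_len, _, ti_off = struct.unpack_from("<HHI", msg, 40)   # TargetInfoFields
    info = {"target_name": msg[tn_off:tn_off + tn_len].decode("utf-16-le")}
    if flags & NEGOTIATE_VERSION:  # optional 8-byte Version field at offset 48
        major, minor, build = struct.unpack_from("<BBH", msg, 48)
        info["os_version"] = f"{major}.{minor} build {build}"
    pos, end = ti_off, ti_off + ti_len
    while pos + 4 <= end:  # walk AV_PAIRs until MsvAvEOL (id 0)
        av_id, av_len = struct.unpack_from("<HH", msg, pos)
        pos += 4
        if av_id == 0:
            break
        if av_id in AV_IDS:
            info[AV_IDS[av_id]] = msg[pos:pos + av_len].decode("utf-16-le")
        pos += av_len
    return info


def build_sample_challenge() -> str:
    """Constructed sample token (not a real capture) for a fictional CORP domain."""
    u16 = lambda s: s.encode("utf-16-le")
    target = u16("CORP")
    pairs = [(2, u16("CORP")), (1, u16("EXCH01")), (4, u16("corp.example")),
             (3, u16("exch01.corp.example")), (5, u16("corp.example"))]
    av = b"".join(struct.pack("<HH", i, len(v)) + v for i, v in pairs) + bytes(4)
    # UNICODE | REQUEST_TARGET | NTLM | TARGET_TYPE_DOMAIN | TARGET_INFO | VERSION
    flags = 0x00000001 | 0x00000004 | 0x00000200 | 0x00010000 | 0x00800000 | NEGOTIATE_VERSION
    hdr = 56  # 48-byte fixed header + 8-byte Version; payload starts here
    version = struct.pack("<BBH4B", 10, 0, 17763, 0, 0, 0, 0x0F)  # made-up build
    msg = (b"NTLMSSP\x00" + struct.pack("<I", 2)
           + struct.pack("<HHI", len(target), len(target), hdr)
           + struct.pack("<I", flags) + bytes(16)  # ServerChallenge + Reserved zeroed
           + struct.pack("<HHI", len(av), len(av), hdr + len(target))
           + version + target + av)
    return base64.b64encode(msg).decode()
```

Feed the real token from the WWW-Authenticate header (the part after "NTLM ") to decode_challenge to see the dns_domain, dns_computer and os_version values the server hands out to any unauthenticated client.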