🐙🐍 OctoPwn & OctoPwnWeb
Pentest framework running (almost) entirely in the browser via pyodide. OctoPwnWeb has been presented a41con.
Talk:
https://youtu.be/jStdrDHTmD4
Slides:
https://docs.google.com/presentation/d/1XQFYr_OBI1lrpybsLrHWTWcYNZcF_zOmGDHiIBwSMng
Tool:
https://octopwn.porchetta.industries/
Repository:
https://github.com/skelsec/octopwnweb
Readme:
https://octopwn.porchetta.industries/readme.html
Sponsor for more features:
https://porchetta.industries
#pentest #framework
Pentest framework running (almost) entirely in the browser via pyodide. OctoPwnWeb has been presented a41con.
Talk:
https://youtu.be/jStdrDHTmD4
Slides:
https://docs.google.com/presentation/d/1XQFYr_OBI1lrpybsLrHWTWcYNZcF_zOmGDHiIBwSMng
Tool:
https://octopwn.porchetta.industries/
Repository:
https://github.com/skelsec/octopwnweb
Readme:
https://octopwn.porchetta.industries/readme.html
Sponsor for more features:
https://porchetta.industries
#pentest #framework
👍5🔥2
APT
🐙🐍 OctoPwn & OctoPwnWeb Pentest framework running (almost) entirely in the browser via pyodide. OctoPwnWeb has been presented a41con. Talk: https://youtu.be/jStdrDHTmD4 Slides: https://docs.google.com/presentation/d/1XQFYr_OBI1lrpybsLrHWTWcYNZcF_zOmGDHiIBwSMng…
How it started:
“I waited 2 years for this, rewrote impacket for this, asked cryptographers to remake algos in python for this, spent enormous time of my life to make this happen. and it's finally here this finally works and I can't find the words to express my satisfaction.” (SkelSec)
“For the record: the two crypto guys who eventually helped me in pure-python rewrite of some algos tole me to never ever use it anywhere and also they dont want to be mentioned.” (SkelSec)
“I waited 2 years for this, rewrote impacket for this, asked cryptographers to remake algos in python for this, spent enormous time of my life to make this happen. and it's finally here this finally works and I can't find the words to express my satisfaction.” (SkelSec)
“For the record: the two crypto guys who eventually helped me in pure-python rewrite of some algos tole me to never ever use it anywhere and also they dont want to be mentioned.” (SkelSec)
👍2
🦠 Hiding C2 Traffic Using Tyk.io
A small article on the topic of hiding your malicious C2 traffic through of the TYK cloud API management service domains.
Tyk API gateway will let you manage your API ingress and routing them to different endpoints, some of them could be internally but some of them could be publicly exposed, and you can add some controls for authentication purposes while calling one of your APIs.
🔗 https://shells.systems/oh-my-api-abusing-tyk-cloud-api-management-service-to-hide-your-malicious-c2-traffic/
#c2 #rederectors #trafic #redteam
A small article on the topic of hiding your malicious C2 traffic through of the TYK cloud API management service domains.
Tyk API gateway will let you manage your API ingress and routing them to different endpoints, some of them could be internally but some of them could be publicly exposed, and you can add some controls for authentication purposes while calling one of your APIs.
🔗 https://shells.systems/oh-my-api-abusing-tyk-cloud-api-management-service-to-hide-your-malicious-c2-traffic/
#c2 #rederectors #trafic #redteam
👍5🔥2
😈 How to Detect Linux Anti-Forensics Log Tampering
When forensically examining Linux systems for malicious intrusion, responders often rely on the following three artefacts to determine logins and logouts:
—
—
—
Of course, these artefacts are not all you can forensically investigate for malicious access, however, these will be the focus of this anti-forensics blog post.
https://www.inversecos.com/2022/06/detecting-linux-anti-forensics-log.html
#linux #log #evasion #antiforensics
When forensically examining Linux systems for malicious intrusion, responders often rely on the following three artefacts to determine logins and logouts:
—
/var/run/utmp – currently logged in users—
/var/run/wtmp – current, past logins and system reboot —
/var/log/btmp – bad login attempts Of course, these artefacts are not all you can forensically investigate for malicious access, however, these will be the focus of this anti-forensics blog post.
https://www.inversecos.com/2022/06/detecting-linux-anti-forensics-log.html
#linux #log #evasion #antiforensics
👍4
🦠 Mangle
Mangle is a tool that manipulates aspects of compiled executables (.exe or DLL). Mangle can remove known Indicators of Compromise (IoC) based strings and replace them with random characters, change the file by inflating the size to avoid EDRs, and can clone code-signing certs from legitimate files. In doing so, Mangle helps loaders evade on-disk and in-memory scanners.
https://github.com/optiv/Mangle
#av #edr #memory #evasion #redteam
Mangle is a tool that manipulates aspects of compiled executables (.exe or DLL). Mangle can remove known Indicators of Compromise (IoC) based strings and replace them with random characters, change the file by inflating the size to avoid EDRs, and can clone code-signing certs from legitimate files. In doing so, Mangle helps loaders evade on-disk and in-memory scanners.
https://github.com/optiv/Mangle
#av #edr #memory #evasion #redteam
GitHub
GitHub - optiv/Mangle: Mangle is a tool that manipulates aspects of compiled executables (.exe or DLL) to avoid detection from…
Mangle is a tool that manipulates aspects of compiled executables (.exe or DLL) to avoid detection from EDRs - optiv/Mangle
❤🔥7
Forwarded from SHADOW:Group
🐘 Удаленная эксплуатация переполнения кучи в веб-приложениях PHP (
Представлен PoC для RCE уязвимости в PHP <=7.4.29, которая может быть запущена через мошеннический сервер MySQL/MariaDB.
Ссылка на PoC
#web #rce
CVE 2022-31626)Представлен PoC для RCE уязвимости в PHP <=7.4.29, которая может быть запущена через мошеннический сервер MySQL/MariaDB.
Ссылка на PoC
#web #rce
📡 Relaying to ADFS Attacks
Praetorian has developed and is releasing an open source tool ADFSRelay and NTLMParse, which can be used for performing relaying attacks targeting ADFS and analyzing NTLM messages respectively.
https://www.praetorian.com/blog/relaying-to-adfs-attacks/
#ad #adfs #relay #ntlm
Praetorian has developed and is releasing an open source tool ADFSRelay and NTLMParse, which can be used for performing relaying attacks targeting ADFS and analyzing NTLM messages respectively.
https://www.praetorian.com/blog/relaying-to-adfs-attacks/
#ad #adfs #relay #ntlm
Praetorian
Relaying to ADFS Attacks
Overview During red team engagements over the last few years, I’ve been curious whether it would be possible to authenticate to cloud services such as Office365 via a relay from New Technology Lan Manager (NTLM) to Active Directory Federation Services (ADFS).…
❤🔥5🔥1
😡 Brute-Ratel-C4-Community-Kit
This repository contains scripts, configurations and deprecated payload loaders for Brute Ratel C4. Anything which is added in the deprecated folder will not be a part of the latest release of BRc4.
https://github.com/paranoidninja/Brute-Ratel-C4-Community-Kit
#c2 #bof #shellcode #injection
This repository contains scripts, configurations and deprecated payload loaders for Brute Ratel C4. Anything which is added in the deprecated folder will not be a part of the latest release of BRc4.
https://github.com/paranoidninja/Brute-Ratel-C4-Community-Kit
#c2 #bof #shellcode #injection
GitHub
GitHub - paranoidninja/Brute-Ratel-C4-Community-Kit: This repository contains scripts, configurations and deprecated payload loaders…
This repository contains scripts, configurations and deprecated payload loaders for Brute Ratel C4 (https://bruteratel.com/) - paranoidninja/Brute-Ratel-C4-Community-Kit
🔎 ldeep
In-depth LDAP enumeration utility.
https://github.com/franc-pentest/ldeep
Install:
Enumerate ACEs of the AdminSDHolder object
In-depth LDAP enumeration utility.
https://github.com/franc-pentest/ldeep
Install:
$ pip3 install ldeepUsage Example:
Enumerate ACEs of the AdminSDHolder object
$ ldeep ldap -s 'ldap://10.10.13.37' -d megacorp -u j.doe -p 'Passw0rd!' -b 'CN=System,DC=megacorp,DC=local' sddl AdminSDHolder | jq '.[].nTSecurityDescriptor.DACL.ACEs[] | select(.Type | contains("Allowed")) | .SID + " :: " + .Type'
Convert SID to name$ ldeep ldap -s 'ldap://10.10.13.37' -d megacorp -u j.doe -p 'Passw0rd!' from_sid <SID>#ad #ldap
🔥5👍1
⚙️ A Few Ways to Get TrustedInstaller Privileges
GetTrustedInstaller
Make an executable run with TrustedInstaller permissions under SYSTEM account.
https://github.com/rara64/GetTrustedInstaller
NtObjectManager
This module adds a provider and cmdlets to access the NT object manager namespace.
Example. Apply TrustedInstaller impersonation token to the current PowerShell process:
#localsystem #trustedinstaller
GetTrustedInstaller
Make an executable run with TrustedInstaller permissions under SYSTEM account.
https://github.com/rara64/GetTrustedInstaller
NtObjectManager
This module adds a provider and cmdlets to access the NT object manager namespace.
Example. Apply TrustedInstaller impersonation token to the current PowerShell process:
Install-Module -Name NtObjectManager -Confirm:$falsehttps://github.com/googleprojectzero/sandbox-attacksurface-analysis-tools/tree/main/NtObjectManager
Restart-Service TrustedInstaller
$procId = (Get-Process TrustedInstaller).Id
$token = Get-NtTokenFromProcess -ProcessId $procId
$current = Get-NtThread -Current -PseudoHandle
$ctx = $current.Impersonate($token)
$impToken = Get-NtToken -Impersonation
$impToken.Groups
#localsystem #trustedinstaller
👍9
🐾 ChopHound
Some scripts for dealing with any challenges that might arise when importing (large) JSON datasets into BloodHound.
Blog post:
https://blog.bitsadmin.com/blog/dealing-with-large-bloodhound-datasets
Scripts:
https://github.com/bitsadmin/chophound
#ad #bloodhound #cypher
Some scripts for dealing with any challenges that might arise when importing (large) JSON datasets into BloodHound.
Blog post:
https://blog.bitsadmin.com/blog/dealing-with-large-bloodhound-datasets
Scripts:
https://github.com/bitsadmin/chophound
#ad #bloodhound #cypher
BITSADMIN Blog
Dealing with large BloodHound datasets
Article discussing some of the challenges I faced importing large datasets into BloodHound including some scripts to overcome these challenges. Additionally some tricks are discussed on how to use Neo4j's Cypher language from PowerShell to get the right results…
⚔️ Maelstrom: C2 Development Blog Series
We wanted to explore how C2s function in 2022, what evasive behavior's are required, and what a minimum viable C2 looks like in a world of sophisticated endpoint protection.
Which gave us our goals for this blog series:
- Document the internals of a minimum viable C2:
* What are the ideas behind popular C2 implementations?
* What are their goals and objectives?
- Analyse and implement evasive behaviors:
* What is required to run on a contemporary Windows system?
* What is required to bypass up-to-date, modern endpoint protection?
- Produce a proof-of-concept C2:
* What is the minimum viable C2 for an operator in 2022?
* What is required to detect this minimum viable C2?
🔗 Maelstrom: An Introduction
🔗 Maelstrom: The C2 Architecture
🔗 Maelstrom: Building the Team Server
🔗 Maelstrom: Writing a C2 Implant
🔗 Maelstrom: EDR Kernel Callbacks, Hooks, and Call Stacks
#maldev #c2
We wanted to explore how C2s function in 2022, what evasive behavior's are required, and what a minimum viable C2 looks like in a world of sophisticated endpoint protection.
Which gave us our goals for this blog series:
- Document the internals of a minimum viable C2:
* What are the ideas behind popular C2 implementations?
* What are their goals and objectives?
- Analyse and implement evasive behaviors:
* What is required to run on a contemporary Windows system?
* What is required to bypass up-to-date, modern endpoint protection?
- Produce a proof-of-concept C2:
* What is the minimum viable C2 for an operator in 2022?
* What is required to detect this minimum viable C2?
🔗 Maelstrom: An Introduction
🔗 Maelstrom: The C2 Architecture
🔗 Maelstrom: Building the Team Server
🔗 Maelstrom: Writing a C2 Implant
🔗 Maelstrom: EDR Kernel Callbacks, Hooks, and Call Stacks
#maldev #c2
👍8
🐞 Malware Development for Dummies
In the age of EDR, red team operators cannot get away with using pre-compiled payloads anymore. As such, malware development is becoming a vital skill for any operator. Getting started with maldev may seem daunting, but is actually very easy. This workshop will show you all you need to get started!
Slides:
https://github.com/chvancooten/maldev-for-dummies/tree/main/Slides
Exercises:
https://github.com/chvancooten/maldev-for-dummies/tree/main/Exercises
#maldev #csharp #nim
In the age of EDR, red team operators cannot get away with using pre-compiled payloads anymore. As such, malware development is becoming a vital skill for any operator. Getting started with maldev may seem daunting, but is actually very easy. This workshop will show you all you need to get started!
Slides:
https://github.com/chvancooten/maldev-for-dummies/tree/main/Slides
Exercises:
https://github.com/chvancooten/maldev-for-dummies/tree/main/Exercises
#maldev #csharp #nim
👍4
🔴 Reversing BRc4 Red-Teaming Tool Used by APT 29
On May 19, a malicious payload associated with Brute Ratel C4 (BRc4) was uploaded to VirusTotal, where it received a benign verdict from all 56 vendors that evaluated it. Beyond the obvious detection concerns, we believe this sample is also significant in terms of its malicious payload, command and control (C2), and packaging.
Blog post:
https://unit42.paloaltonetworks.com/brute-ratel-c4-tool/
Reversing the Malware by IppSec:
https://youtu.be/a7W6rhkpVSM
#maldev #c2 #brc4
On May 19, a malicious payload associated with Brute Ratel C4 (BRc4) was uploaded to VirusTotal, where it received a benign verdict from all 56 vendors that evaluated it. Beyond the obvious detection concerns, we believe this sample is also significant in terms of its malicious payload, command and control (C2), and packaging.
Blog post:
https://unit42.paloaltonetworks.com/brute-ratel-c4-tool/
Reversing the Malware by IppSec:
https://youtu.be/a7W6rhkpVSM
#maldev #c2 #brc4
Unit 42
When Pentest Tools Go Brutal: Red-Teaming Tool Being Abused by Malicious Actors
Pentest and adversary emulation tool Brute Ratel C4 is effective at defeating modern detection capabilities – and malicious actors have begun to adopt it.
👍3👎1
Forwarded from Волосатый бублик
#ad #rpc #ntlm #privesc
[ Coercer ]
atricle: https://github.com/p0dalirius/windows-coerced-authentication-methods
There is currently 15 known methods in 5 protocols.
tool: https://github.com/p0dalirius/Coercer
A python script to automatically coerce a Windows server to authenticate on an arbitrary machine through 9 methods.
[ Coercer ]
atricle: https://github.com/p0dalirius/windows-coerced-authentication-methods
There is currently 15 known methods in 5 protocols.
tool: https://github.com/p0dalirius/Coercer
A python script to automatically coerce a Windows server to authenticate on an arbitrary machine through 9 methods.
👍2👎1
🔒 TLSX
Collection of additional assets of a target CIDR/IP/HOST from TLS certificates.
Features:
— Fast And fully configurable TLS Connection
— Multiple Modes for TLS Connection
— Multiple TLS probes
— Auto TLS Fallback for older TLS version
— Pre Handshake TLS connection (early termination)
— Customizable Cipher / SNI / TLS selection
— TLS Misconfigurations
— HOST, IP, URL and CIDR input
— STD IN/OUT and TXT/JSON output
Example:
#recon #tls #grabber #tools
Collection of additional assets of a target CIDR/IP/HOST from TLS certificates.
Features:
— Fast And fully configurable TLS Connection
— Multiple Modes for TLS Connection
— Multiple TLS probes
— Auto TLS Fallback for older TLS version
— Pre Handshake TLS connection (early termination)
— Customizable Cipher / SNI / TLS selection
— TLS Misconfigurations
— HOST, IP, URL and CIDR input
— STD IN/OUT and TXT/JSON output
Example:
tlsx -u 209.133.79.0/24 -san -cn -silent -resp-only | dnsx -silent | httpx | nucleihttps://github.com/projectdiscovery/tlsx
#recon #tls #grabber #tools
👍5👎1
This media is not supported in your browser
VIEW IN TELEGRAM
🧦 Chisel Strike
A .NET XOR encrypted cobalt strike aggressor implementation for chisel to utilize faster proxy and advanced socks5 capabilities.
https://github.com/m3rcer/Chisel-Strike
#cobaltstrike #socks #proxy #redteam
A .NET XOR encrypted cobalt strike aggressor implementation for chisel to utilize faster proxy and advanced socks5 capabilities.
https://github.com/m3rcer/Chisel-Strike
#cobaltstrike #socks #proxy #redteam
🔥4👎1
🎲 Abusing forgotten permissions on computer objects in Active Directory
The post is a dive into permissions that are set when you pre-create computer accounts the wrong way, why BloodHound missed those and how to abuse, fix, or monitor for this.
Resource:
🔗 https://dirkjanm.io/abusing-forgotten-permissions-on-precreated-computer-objects-in-active-directory/
🔗 https://www.trustedsec.com/blog/diving-into-pre-created-computer-accounts/
#ad #permission #acl
The post is a dive into permissions that are set when you pre-create computer accounts the wrong way, why BloodHound missed those and how to abuse, fix, or monitor for this.
Resource:
🔗 https://dirkjanm.io/abusing-forgotten-permissions-on-precreated-computer-objects-in-active-directory/
🔗 https://www.trustedsec.com/blog/diving-into-pre-created-computer-accounts/
#ad #permission #acl
dirkjanm.io
Abusing forgotten permissions on computer objects in Active Directory
A while back, I read an interesting blog by Oddvar Moe about Pre-created computer accounts in Active Directory. In the blog, Oddvar also describes the option to configure who can join the computer to the domain after the object is created. This sets an interesting…
👍3
Forwarded from Caster (necreas1ng)
Моя статья по пост-эксплуатации взломанного оборудования Cisco вышла в свет.
https://habr.com/ru/post/676942/
ᛝ
https://habr.com/ru/post/676942/
ᛝ
👍4🔥1
👀 PowerView.py
This is an alternative for the awesome original PowerView script. Most of the modules used in PowerView are available in this project.
https://github.com/aniqfakhrul/powerview.py
#ad #powerview #python #tools
This is an alternative for the awesome original PowerView script. Most of the modules used in PowerView are available in this project.
https://github.com/aniqfakhrul/powerview.py
#ad #powerview #python #tools
🔥11❤2