🔔Call and Register — Relay Attack on WinReg RPC Client
A critical vulnerability (CVE-2024-43532) has been identified in Microsoft’s Remote Registry client. This flaw allows attackers to exploit insecure fallback mechanisms in the WinReg client, enabling them to relay authentication details and make unauthorized certificate requests through Active Directory Certificate Services (ADCS).
🔗 Research:
https://www.akamai.com/blog/security-research/winreg-relay-vulnerability
🔗 RPC Visibility Tool:
https://github.com/akamai/akamai-security-research/tree/main/rpc_toolkit/rpc_visibility
🔗 PoC:
https://github.com/akamai/akamai-security-research/tree/main/PoCs/cve-2024-43532
#ad #adcs #rpc #ntlm #relay #etw #advapi
A critical vulnerability (CVE-2024-43532) has been identified in Microsoft’s Remote Registry client. This flaw allows attackers to exploit insecure fallback mechanisms in the WinReg client, enabling them to relay authentication details and make unauthorized certificate requests through Active Directory Certificate Services (ADCS).
🔗 Research:
https://www.akamai.com/blog/security-research/winreg-relay-vulnerability
🔗 RPC Visibility Tool:
https://github.com/akamai/akamai-security-research/tree/main/rpc_toolkit/rpc_visibility
🔗 PoC:
https://github.com/akamai/akamai-security-research/tree/main/PoCs/cve-2024-43532
#ad #adcs #rpc #ntlm #relay #etw #advapi
1🔥9👍6❤2
Forwarded from Offensive Xwitter
😈 [ Steph @w34kp455 ]
Call it the biggest #NTLM #password database or monstrous #MD5 leak, but on, you can find precomputed datasets for various wordlists and different hashes - all free!
FYI:
🔗 https://weakpass.com
🐥 [ tweet ]
Call it the biggest #NTLM #password database or monstrous #MD5 leak, but on, you can find precomputed datasets for various wordlists and different hashes - all free!
FYI:
all_in_one.latin.txt for NTLM contains 26.5 billion pairs of hash:password inside!🔥🔗 https://weakpass.com
🐥 [ tweet ]
🔥9❤2👏1
Forwarded from 1N73LL1G3NC3
TypeLibWalker
Hijack the TypeLib. New COM persistence technique
So I decided to look for some new way of persistence. The object of study was the COM (Component Object Model) system. The choice was not made by chance, it is quite an old, not too simple and not too complex system that not many people understand.
In this article, i will introduce TypeLib libraries, see the relationship between TypeLib and COM, and achieve persistent code execution using TypeLib.
Hijack the TypeLib. New COM persistence technique
So I decided to look for some new way of persistence. The object of study was the COM (Component Object Model) system. The choice was not made by chance, it is quite an old, not too simple and not too complex system that not many people understand.
In this article, i will introduce TypeLib libraries, see the relationship between TypeLib and COM, and achieve persistent code execution using TypeLib.
👍13🔥3❤1
Forwarded from 1N73LL1G3NC3
BOFHound
Generate BloodHound compatible JSON from logs written by ldapsearch BOF, pyldapsearch and Brute Ratel's LDAP Sentinel.
Blog Posts:
• BOFHound: AD CS Integration
• BOFHound: Session Integration
• Granularize Your AD Recon Game
• Granularize Your AD Recon Game Part 2
P.S:
Generate BloodHound compatible JSON from logs written by ldapsearch BOF, pyldapsearch and Brute Ratel's LDAP Sentinel.
Blog Posts:
• BOFHound: AD CS Integration
• BOFHound: Session Integration
• Granularize Your AD Recon Game
• Granularize Your AD Recon Game Part 2
P.S:
BOFHound can now parse Active Directory Certificate Services (AD CS) objects, manually queried from LDAP, for review and attack path mapping within BloodHound Community Edition (BHCE).
👍12🔥4❤1💯1
New extension that helps you highlight and capture the web in your browser. Anything you save is stored as durable Markdown files that you can read offline, and preserve for the long term.
Source:
https://obsidian.md/clipper
#obsidian #markdown #extensions
Please open Telegram to view this post
VIEW IN TELEGRAM
1🔥17👍5❤2
✉️ Finding Email Addresses without Paywalls
Every Pentester or Red Teamer has likely encountered situations where they need to perform User Enumeration or Password Spraying, but where can you find a list of valid users? Snov.io, Hunter.io, and Phonebook.cz no longer provide easy access to email lists and instead hit you with a paywall.
Here’s the solution — Prospeo! Just log in with Google SSO, enter the target domain, and get a list of email addresses with no strings attached.
Source:
https://app.prospeo.io/domain-search
#user #email #enumeration #wordlist
Every Pentester or Red Teamer has likely encountered situations where they need to perform User Enumeration or Password Spraying, but where can you find a list of valid users? Snov.io, Hunter.io, and Phonebook.cz no longer provide easy access to email lists and instead hit you with a paywall.
Here’s the solution — Prospeo! Just log in with Google SSO, enter the target domain, and get a list of email addresses with no strings attached.
Source:
https://app.prospeo.io/domain-search
#user #email #enumeration #wordlist
🔥17👍5❤3
⚙️ Citrix Virtual Apps and Desktops — Unauthenticated RCE
This vulnerability in Citrix Virtual Apps and Desktops enables unauthorized users to achieve remote code execution through a misconfigured Microsoft Message Queuing (MSMQ) service accessible over HTTP. The issue stems from using an outdated BinaryFormatter for data deserialization, allowing attackers to run commands with SYSTEM privileges on the Citrix server.
🔗 Research:
https://labs.watchtowr.com/visionaries-at-citrix-have-democratised-remote-network-access-citrix-virtual-apps-and-desktops-cve-unknown/
🔗 Source:
https://github.com/watchtowrlabs/Citrix-Virtual-Apps-XEN-Exploit
#citrix #msmq #deserialization #unauth #rce
This vulnerability in Citrix Virtual Apps and Desktops enables unauthorized users to achieve remote code execution through a misconfigured Microsoft Message Queuing (MSMQ) service accessible over HTTP. The issue stems from using an outdated BinaryFormatter for data deserialization, allowing attackers to run commands with SYSTEM privileges on the Citrix server.
🔗 Research:
https://labs.watchtowr.com/visionaries-at-citrix-have-democratised-remote-network-access-citrix-virtual-apps-and-desktops-cve-unknown/
🔗 Source:
https://github.com/watchtowrlabs/Citrix-Virtual-Apps-XEN-Exploit
#citrix #msmq #deserialization #unauth #rce
watchTowr Labs
Visionaries Have Democratised Remote Network Access - Citrix Virtual Apps and Desktops (CVE-2024-8068 and CVE-2024-8069)
Well, we’re back again, with yet another fresh-off-the-press bug chain (and associated Interactive Artifact Generator). This time, it’s in Citrix’s “Virtual Apps and Desktops” offering.
This is a tech stack that enables end-users (and likely, your friendly…
This is a tech stack that enables end-users (and likely, your friendly…
👍4❤3😱2👎1🔥1
🌐 URLFinder
URLFinder is a high-speed, passive URL discovery tool designed to simplify and accelerate web asset discovery, ideal for penetration testers, security researchers, and developers looking to gather URLs without active scanning.
🚀 Features:
— Passive source discovery
— JSON/file/stdout output
— Optimized speed & efficiency
🔗 Source:
https://github.com/projectdiscovery/urlfinder
#url #domain #finder #osint
URLFinder is a high-speed, passive URL discovery tool designed to simplify and accelerate web asset discovery, ideal for penetration testers, security researchers, and developers looking to gather URLs without active scanning.
🚀 Features:
— Passive source discovery
— JSON/file/stdout output
— Optimized speed & efficiency
🔗 Source:
https://github.com/projectdiscovery/urlfinder
#url #domain #finder #osint
❤16❤🔥1👍1
🚨 Fortinet FortiManager Unauthenticated RCE (CVE-2024-47575)
The remote code execution vulnerability in FortiManager allows attackers to perform arbitrary operations by exploiting commands via the FGFM protocol, circumventing authentication. Referred to as FortiJump, this vulnerability provides unauthorized access to FortiManager, enabling control over FortiGate devices by taking advantage of insufficient security in command handling and device registration processes.
🛠 Affected Versions:
🔗 Research:
https://labs.watchtowr.com/hop-skip-fortijump-fortijumphigher-cve-2024-23113-cve-2024-47575/
🔗 Source:
https://github.com/watchtowrlabs/Fortijump-Exploit-CVE-2024-47575
#fortinet #fortimanager #fgfm #unauth #rce
The remote code execution vulnerability in FortiManager allows attackers to perform arbitrary operations by exploiting commands via the FGFM protocol, circumventing authentication. Referred to as FortiJump, this vulnerability provides unauthorized access to FortiManager, enabling control over FortiGate devices by taking advantage of insufficient security in command handling and device registration processes.
🛠 Affected Versions:
FortiManager 7.6.0
FortiManager 7.4.0 through 7.4.4
FortiManager 7.2.0 through 7.2.7
FortiManager 7.0.0 through 7.0.12
FortiManager 6.4.0 through 6.4.14
FortiManager 6.2.0 through 6.2.12
FortiManager Cloud 7.4.1 through 7.4.4
FortiManager Cloud 7.2.1 through 7.2.7
FortiManager Cloud 7.0.1 through 7.0.12
FortiManager Cloud 6.4
🔗 Research:
https://labs.watchtowr.com/hop-skip-fortijump-fortijumphigher-cve-2024-23113-cve-2024-47575/
🔗 Source:
https://github.com/watchtowrlabs/Fortijump-Exploit-CVE-2024-47575
#fortinet #fortimanager #fgfm #unauth #rce
👍9🔥9🎉6❤4😁1
LSASS memory dumper using only NTAPIs, creating a minimal minidump, built in Rust with
no_std and independent of the C runtime (CRT). It can be compiled as shellcode (PIC), supports XOR encryption, and remote file transmission.🚀 Features:
— NT System Calls for Everything
— No-Std and CRT-Independent
— Position Independent Code (PIC)
— Indirect NT Syscalls
— Lean Memory Dump
— XOR Encryption
🔗 Source:
https://github.com/safedv/RustiveDump
#lsass #indirect #syscall #pic #rust
Please open Telegram to view this post
VIEW IN TELEGRAM
GitHub
GitHub - safedv/RustiveDump: LSASS memory dumper using only NTAPIs, creating a minimal minidump. It can be compiled as shellcode…
LSASS memory dumper using only NTAPIs, creating a minimal minidump. It can be compiled as shellcode (PIC), supports XOR encryption, and remote file transmission. - safedv/RustiveDump
❤7👍4🔥3🤔3
A critical vulnerability chain in Palo Alto PAN-OS, combining an authentication bypass (CVE-2024-0012) and a command injection flaw (CVE-2024-9474) in the management web interface, allows unauthenticated attackers to execute arbitrary code with root privileges.
🛠 Affected Versions:
— PAN-OS 11.2 (up to and including 11.2.4-h1)
— PAN-OS 11.1 (up to and including 11.1.5-h1)
— PAN-OS 11.0 (up to and including 11.0.6-h1)
— PAN-OS 10.2 (up to and including 10.2.12-h2)
🔗 Research:
https://labs.watchtowr.com/pots-and-pans-aka-an-sslvpn-palo-alto-pan-os-cve-2024-0012-and-cve-2024-9474/
🔗 PoC:
https://github.com/watchtowrlabs/palo-alto-panos-cve-2024-0012
🔗 Exploit:
https://github.com/Chocapikk/CVE-2024-9474
#paloalto #panos #sslvpn #unauth #rce
Please open Telegram to view this post
VIEW IN TELEGRAM
🔥8👍7
Forwarded from Offensive Xwitter
😈 [ Synacktiv @Synacktiv ]
Oh, you didn't know? Cool kids are now relaying Kerberos over SMB 😏
Check out our latest blogpost by @hugow_vincent to discover how to perform this attack:
🔗 https://www.synacktiv.com/publications/relaying-kerberos-over-smb-using-krbrelayx
🐥 [ tweet ]
Oh, you didn't know? Cool kids are now relaying Kerberos over SMB 😏
Check out our latest blogpost by @hugow_vincent to discover how to perform this attack:
🔗 https://www.synacktiv.com/publications/relaying-kerberos-over-smb-using-krbrelayx
🐥 [ tweet ]
👍8❤1
🔑 PanGPA Extractor
Tool to extract username and password of current user from PanGPA in plaintext under Windows. Palo Alto Networks GlobalProtect client queries the GlobalProtect Service for your username and password everytime you log on or refresh the connection.
🔗 Research:
https://shells.systems/extracting-plaintext-credentials-from-palo-alto-global-protect/
🔗 Source:
https://github.com/t3hbb/PanGP_Extractor
#paloalto #globalprotect #credentials #dump
Tool to extract username and password of current user from PanGPA in plaintext under Windows. Palo Alto Networks GlobalProtect client queries the GlobalProtect Service for your username and password everytime you log on or refresh the connection.
🔗 Research:
https://shells.systems/extracting-plaintext-credentials-from-palo-alto-global-protect/
🔗 Source:
https://github.com/t3hbb/PanGP_Extractor
#paloalto #globalprotect #credentials #dump
🔥6👍4❤🔥3🤔1
📜 ADCS Attack Techniques Cheatsheet
This is a handy table outlining the various methods of attack against Active Directory Certificate Services (ADCS)
🔗 Source:
https://docs.google.com/spreadsheets/d/1E5SDC5cwXWz36rPP_TXhhAvTvqz2RGnMYXieu4ZHx64/edit?gid=0#gid=0
#ad #adcs #esc #cheatsheet
This is a handy table outlining the various methods of attack against Active Directory Certificate Services (ADCS)
🔗 Source:
https://docs.google.com/spreadsheets/d/1E5SDC5cwXWz36rPP_TXhhAvTvqz2RGnMYXieu4ZHx64/edit?gid=0#gid=0
#ad #adcs #esc #cheatsheet
Google Docs
ADCS Attack Techniques Cheatsheet
👍17🔥3
🎭 Spoofing Call Stacks To Confuse EDRs
The article focuses on techniques for call stack spoofing to bypass detection by EDR. It explains how to fake call stacks during Windows API interactions to mask malicious activity, such as accessing the lsass process, as legitimate operations. The text details the mechanics of call stacks in the x64 architecture, the use of unwind codes, tools for analysis, and provides a PoC implementation demonstrating call stack spoofing in practice.
🔗 Research:
https://labs.withsecure.com/publications/spoofing-call-stacks-to-confuse-edrs
🔗 Source:
https://github.com/WithSecureLabs/CallStackSpoofer
#edr #evasion #stack #spoofing #lsass
The article focuses on techniques for call stack spoofing to bypass detection by EDR. It explains how to fake call stacks during Windows API interactions to mask malicious activity, such as accessing the lsass process, as legitimate operations. The text details the mechanics of call stacks in the x64 architecture, the use of unwind codes, tools for analysis, and provides a PoC implementation demonstrating call stack spoofing in practice.
🔗 Research:
https://labs.withsecure.com/publications/spoofing-call-stacks-to-confuse-edrs
🔗 Source:
https://github.com/WithSecureLabs/CallStackSpoofer
#edr #evasion #stack #spoofing #lsass
🔥12❤2
Forwarded from Offensive Xwitter
😈 [ ap @decoder_it ]
M'm glad to release the tool I have been working hard on the last month: #KrbRelayEx
A Kerberos relay & forwarder for MiTM attacks!
>Relays Kerberos AP-REQ tickets
>Manages multiple SMB consoles
>Works on Win& Linux with .NET 8.0
>...
GitHub:
🔗 https://github.com/decoder-it/KrbRelayEx
🐥 [ tweet ]
M'm glad to release the tool I have been working hard on the last month: #KrbRelayEx
A Kerberos relay & forwarder for MiTM attacks!
>Relays Kerberos AP-REQ tickets
>Manages multiple SMB consoles
>Works on Win& Linux with .NET 8.0
>...
GitHub:
🔗 https://github.com/decoder-it/KrbRelayEx
🐥 [ tweet ]
👍14🔥4
🎉 Happy New Year!
Дорогие друзья и подписчики канала,
Прошедший год был полон увлекательных открытий и новых достижений. Спасибо, что все это время оставались с нами, делились знаниями, юмором и поддержкой.
В новом году желаю нам всем оставаться открытыми друг для друга, ведь самое ценное в нашем сообществе — это люди. Пусть ваши проекты будут изящнее, а сердца — теплее. Не забывайте отдыхать, любить и проводить время с близкими.
Счастливого Нового года и до встречи в 2025-м!
❤️✨
———
Dear friends and subscribers,
The past year has been filled with exciting discoveries and new achievements. Thank you for staying with us all this time, sharing knowledge, humor, and support.
In the new year, I wish for all of us to remain open to one another, because the most valuable thing in our community is its people. May your projects become more elegant and your hearts grow warmer. Don’t forget to rest, love, and spend time with your loved ones.
Happy New Year, and see you in 2025!
❤️✨
Дорогие друзья и подписчики канала,
Прошедший год был полон увлекательных открытий и новых достижений. Спасибо, что все это время оставались с нами, делились знаниями, юмором и поддержкой.
В новом году желаю нам всем оставаться открытыми друг для друга, ведь самое ценное в нашем сообществе — это люди. Пусть ваши проекты будут изящнее, а сердца — теплее. Не забывайте отдыхать, любить и проводить время с близкими.
Счастливого Нового года и до встречи в 2025-м!
❤️✨
———
Dear friends and subscribers,
The past year has been filled with exciting discoveries and new achievements. Thank you for staying with us all this time, sharing knowledge, humor, and support.
In the new year, I wish for all of us to remain open to one another, because the most valuable thing in our community is its people. May your projects become more elegant and your hearts grow warmer. Don’t forget to rest, love, and spend time with your loved ones.
Happy New Year, and see you in 2025!
❤️✨
3🎄23☃12❤11👍2🎅2
Forwarded from Ralf Hacker Channel (Ralf Hacker)
Эта работа заслуживает внимание! Если кратко, то механизм MS UIA позволяет читать любые текстовые значения на экране, открывать меню, закрывать окна, ну и все такое)) А раз он дает такие возможности, то этим нужно пользоваться... Как пример, PoC от @Michaelzhm:
https://github.com/CICADA8-Research/Spyndicapped
Не думаю, что на данную технику вообще есть какие-то детекты. Все подробности в блоге.
#redteam #pentest #spyware
https://github.com/CICADA8-Research/Spyndicapped
Не думаю, что на данную технику вообще есть какие-то детекты. Все подробности в блоге.
#redteam #pentest #spyware
🔥19❤1👍1
Forwarded from Ralf Hacker Channel (Ralf Hacker)
CVE-2024-43468: ConfigMgr/SCCM 2403 Unauth SQLi to RCE
PATCHED: Oct 8, 2024
Exploit: https://github.com/synacktiv/CVE-2024-43468
Blog: https://www.synacktiv.com/advisories/microsoft-configuration-manager-configmgr-2403-unauthenticated-sql-injections
#git #exploit #ad #rce #sccm #pentest #redteam
PATCHED: Oct 8, 2024
Exploit: https://github.com/synacktiv/CVE-2024-43468
Blog: https://www.synacktiv.com/advisories/microsoft-configuration-manager-configmgr-2403-unauthenticated-sql-injections
#git #exploit #ad #rce #sccm #pentest #redteam
GitHub
GitHub - synacktiv/CVE-2024-43468
Contribute to synacktiv/CVE-2024-43468 development by creating an account on GitHub.
🔥5👍2❤1
🔍 Exploring WinRM plugins for lateral movement
In this blog, the process of leveraging WinRM plugins to perform lateral movement to other systems is explored. Additionally, the use of the
🔗 Research:
https://falconforce.nl/exploring-winrm-plugins-for-lateral-movement/
🔗 Source:
https://github.com/FalconForceTeam/bof-winrm-plugin-jump
#ad #winrm #cobaltstrike #bof #redteam
In this blog, the process of leveraging WinRM plugins to perform lateral movement to other systems is explored. Additionally, the use of the
CIM_LogicFile WMI class to bypass certain tricky detections by Microsoft Defender is examined. Finally, all the logic is incorporated into a Cobalt Strike BOF.🔗 Research:
https://falconforce.nl/exploring-winrm-plugins-for-lateral-movement/
🔗 Source:
https://github.com/FalconForceTeam/bof-winrm-plugin-jump
#ad #winrm #cobaltstrike #bof #redteam
FalconForce
Exploring WinRM plugins for lateral movement - FalconForce
We explore how to leverage WinRM plugins to perform lateral movement to other systems and put all the logic in a Cobalt Strike BOF.
🔥6❤3👍3🤔1