Zabbix SAML Authentication Bypass (CVE-2022-23131)
Research:
https://blog.sonarsource.com/zabbix-case-study-of-unsafe-session-storage
PoC:
https://github.com/jweny/zabbix-saml-bypass-exp
#zabbix #research #auth #bypass #cve
Research:
https://blog.sonarsource.com/zabbix-case-study-of-unsafe-session-storage
PoC:
https://github.com/jweny/zabbix-saml-bypass-exp
#zabbix #research #auth #bypass #cve
Sonarsource
Zabbix - A Case Study of Unsafe Session Storage
In this article we discuss the security of client-side session storages and analyze a vulnerable implementation in the IT monitoring solution Zabbix.
o365recon
Script to retrieve information via O365 and AzureAD with a valid cred.
https://github.com/nyxgeek/o365recon
#azure #recon #tools
Script to retrieve information via O365 and AzureAD with a valid cred.
https://github.com/nyxgeek/o365recon
#azure #recon #tools
Certipy 2.0: BloodHound, New Escalations, Shadow Credentials, Golden Certificates, and more!
Blog:
https://research.ifcr.dk/certipy-2-0-bloodhound-new-escalations-shadow-credentials-golden-certificates-and-more-34d1c26f0dc6
Tool:
https://github.com/ly4k/Certipy
#ad #adcs #abuse #tools
Blog:
https://research.ifcr.dk/certipy-2-0-bloodhound-new-escalations-shadow-credentials-golden-certificates-and-more-34d1c26f0dc6
Tool:
https://github.com/ly4k/Certipy
#ad #adcs #abuse #tools
Medium
Certipy 2.0: BloodHound, New Escalations, Shadow Credentials, Golden Certificates, and more!
As the title states, the latest release of Certipy contains many new features, techniques and improvements. This blog post dives into the…
DNS Abuse & Misconfiguration
The History of DNS Vulnerabilities and the Cloud
https://unit42.paloaltonetworks.com/dns-vulnerabilities/
Dangling Domains: Security Threats, Detection and Prevalence
https://unit42.paloaltonetworks.com/dangling-domains/
Fishing the AWS IP Pool for Dangling Domains
https://bishopfox.com/blog/fishing-the-aws-ip-pool-for-dangling-domains
Respect My Authority – Hijacking Broken Nameservers to Compromise Your Target
https://thehackerblog.com/respect-my-authority-hijacking-broken-nameservers-to-compromise-your-target/
The Orphaned Internet – Taking Over 120K Domains via a DNS Vulnerability in AWS, Google Cloud, Rackspace and Digital Ocean
https://thehackerblog.com/the-orphaned-internet-taking-over-120k-domains-via-a-dns-vulnerability-in-aws-google-cloud-rackspace-and-digital-ocean/
The .io Error – Taking Control of All .io Domains With a Targeted Registration
https://thehackerblog.com/the-io-error-taking-control-of-all-io-domains-with-a-targeted-registration/
The International Incident – Gaining Control of a .int Domain Name With DNS Trickery
https://thehackerblog.com/the-international-incident-gaining-control-of-a-int-domain-name-with-dns-trickery/
Hostile Subdomain Takeover using Heroku/Github/Desk + more
https://labs.detectify.com/2014/10/21/hostile-subdomain-takeover-using-herokugithubdesk-more/
Dangling DNS: Amazon EC2 IPs
https://blog.melbadry9.xyz/dangling-dns/aws/ddns-ec2-current-state
Eliminating Dangling Elastic IP Takeovers with Ghostbuster
https://blog.assetnote.io/2022/02/13/dangling-eips/
Internet-Wide Analysis of Subdomain Takeovers
https://redhuntlabs.com/blog/project-resonance-wave-1.html
Subdomain Takeover
https://0xpatrik.com/subdomain-takeover-basics/
https://0xpatrik.com/subdomain-takeover-candidates/
https://0xpatrik.com/takeover-proofs/
https://0xpatrik.com/subdomain-takeover-ns/
https://0xpatrik.com/subdomain-takeover/
#dns #abuse #aws #elastic #subdomain #takeover
The History of DNS Vulnerabilities and the Cloud
https://unit42.paloaltonetworks.com/dns-vulnerabilities/
Dangling Domains: Security Threats, Detection and Prevalence
https://unit42.paloaltonetworks.com/dangling-domains/
Fishing the AWS IP Pool for Dangling Domains
https://bishopfox.com/blog/fishing-the-aws-ip-pool-for-dangling-domains
Respect My Authority – Hijacking Broken Nameservers to Compromise Your Target
https://thehackerblog.com/respect-my-authority-hijacking-broken-nameservers-to-compromise-your-target/
The Orphaned Internet – Taking Over 120K Domains via a DNS Vulnerability in AWS, Google Cloud, Rackspace and Digital Ocean
https://thehackerblog.com/the-orphaned-internet-taking-over-120k-domains-via-a-dns-vulnerability-in-aws-google-cloud-rackspace-and-digital-ocean/
The .io Error – Taking Control of All .io Domains With a Targeted Registration
https://thehackerblog.com/the-io-error-taking-control-of-all-io-domains-with-a-targeted-registration/
The International Incident – Gaining Control of a .int Domain Name With DNS Trickery
https://thehackerblog.com/the-international-incident-gaining-control-of-a-int-domain-name-with-dns-trickery/
Hostile Subdomain Takeover using Heroku/Github/Desk + more
https://labs.detectify.com/2014/10/21/hostile-subdomain-takeover-using-herokugithubdesk-more/
Dangling DNS: Amazon EC2 IPs
https://blog.melbadry9.xyz/dangling-dns/aws/ddns-ec2-current-state
Eliminating Dangling Elastic IP Takeovers with Ghostbuster
https://blog.assetnote.io/2022/02/13/dangling-eips/
Internet-Wide Analysis of Subdomain Takeovers
https://redhuntlabs.com/blog/project-resonance-wave-1.html
Subdomain Takeover
https://0xpatrik.com/subdomain-takeover-basics/
https://0xpatrik.com/subdomain-takeover-candidates/
https://0xpatrik.com/takeover-proofs/
https://0xpatrik.com/subdomain-takeover-ns/
https://0xpatrik.com/subdomain-takeover/
#dns #abuse #aws #elastic #subdomain #takeover
👍1🔥1
Bypass 2FA Using noVNC
Steal credentials and bypass 2FA by giving users remote access to your server via an HTML5 VNC client that has a browser running in kiosk mode.
https://mrd0x.com/bypass-2fa-using-novnc/
#2fa #bypass #novnc
Steal credentials and bypass 2FA by giving users remote access to your server via an HTML5 VNC client that has a browser running in kiosk mode.
https://mrd0x.com/bypass-2fa-using-novnc/
#2fa #bypass #novnc
Google Groups Dork
Some Devs use "Google Groups" as a workplace because it is easy and free.
But a lot of sensitive information is leaked Such as "access keys", "aws secrets" ...etc .
Dork:
Some Devs use "Google Groups" as a workplace because it is easy and free.
But a lot of sensitive information is leaked Such as "access keys", "aws secrets" ...etc .
Dork:
site:https://groups.google.com "COMPANY"
#osint #dorks #bugbounty👍2
Bloodhound Custom Queries
A combination of custom cypher queries from various sources for BloodHound, added categories to match newest version of BH.
https://github.com/ZephrFish/Bloodhound-CustomQueries
#ad #azure #bloodhound #queries
A combination of custom cypher queries from various sources for BloodHound, added categories to match newest version of BH.
https://github.com/ZephrFish/Bloodhound-CustomQueries
#ad #azure #bloodhound #queries
GitHub
GitHub - ZephrFish/Bloodhound-CustomQueries: Custom Queries - Brought Up to BH4.1 syntax
Custom Queries - Brought Up to BH4.1 syntax. Contribute to ZephrFish/Bloodhound-CustomQueries development by creating an account on GitHub.
This media is not supported in your browser
VIEW IN TELEGRAM
PowerRunAsSystem
Run application as system with interactive system process support (active Windows session). This technique doesn't rely on any external tools and doesn't require a Microsoft Service. It spawns an NT Authority/System process using the Microsoft Windows Task Scheduler then upgrade to Interactive System Process using cool WinApi's (Run in Active Windows Session)
https://github.com/DarkCoderSc/PowerRunAsSystem
#windows #powershell #runas
Run application as system with interactive system process support (active Windows session). This technique doesn't rely on any external tools and doesn't require a Microsoft Service. It spawns an NT Authority/System process using the Microsoft Windows Task Scheduler then upgrade to Interactive System Process using cool WinApi's (Run in Active Windows Session)
https://github.com/DarkCoderSc/PowerRunAsSystem
#windows #powershell #runas
Container Security Checklist
Checklist for container security devsecops practices
https://github.com/krol3/container-security-checklist
#kubernetes #docker #security #cheatsheet #blueteam
Checklist for container security devsecops practices
https://github.com/krol3/container-security-checklist
#kubernetes #docker #security #cheatsheet #blueteam
GitHub
GitHub - krol3/container-security-checklist: Checklist for container security - devsecops practices
Checklist for container security - devsecops practices - krol3/container-security-checklist
Fortinet Fortimail 7.0.1 — Reflected Cross-Site Scripting (CVE-2021-43062)
An improper neutralization of input during web page generation vulnerability in FortiMail may allow an unauthenticated attacker to perform an XSS attack via crafted HTTP GET requests to the FortiGuard URI protection service.
PoC:
Payload:
Dork:
#fortinet #forimail #xss
An improper neutralization of input during web page generation vulnerability in FortiMail may allow an unauthenticated attacker to perform an XSS attack via crafted HTTP GET requests to the FortiGuard URI protection service.
PoC:
https://example/fmlurlsvc/?=&url=https%3A%2F%https://google.com%3CSvg%2Fonload%3Dalert(1)%3E
Payload:
https%3A%2F%https://google.com%3CSvg%2Fonload%3Dalert(1)%3EDork:
inurl:/fmlurlsvc/#fortinet #forimail #xss
KnockOutlook
KnockOutlook is a C# project that interacts with Outlook's COM object in order to perform a number of operations useful in red team engagements.
https://github.com/eksperience/KnockOutlook
#exchange #outlook #com #recon
KnockOutlook is a C# project that interacts with Outlook's COM object in order to perform a number of operations useful in red team engagements.
https://github.com/eksperience/KnockOutlook
#exchange #outlook #com #recon
GitHub
GitHub - eksperience/KnockOutlook: A little tool to play with Outlook
A little tool to play with Outlook. Contribute to eksperience/KnockOutlook development by creating an account on GitHub.
Relaying Kerberos over DNS using krbrelayx and mitm6
New method of gaining RCE on AD hosts in the same VLAN without credentials or needing NTLM, by abusing Kerberos, DNS and Active Directory Certificate Services.
https://dirkjanm.io/relaying-kerberos-over-dns-with-krbrelayx-and-mitm6/
#ad #kerberos #relay #mitm6
New method of gaining RCE on AD hosts in the same VLAN without credentials or needing NTLM, by abusing Kerberos, DNS and Active Directory Certificate Services.
https://dirkjanm.io/relaying-kerberos-over-dns-with-krbrelayx-and-mitm6/
#ad #kerberos #relay #mitm6
dirkjanm.io
Relaying Kerberos over DNS using krbrelayx and mitm6
One thing I love is when I think I understand a topic well, and then someone proves me quite wrong. That was more or less what happened when James Forshaw published a blog on Kerberos relaying, which disproves my conclusion that you can’t relay Kerberos from…
Windows Event Log Evasion via Native APIs
Some native Windows API calls can be used to install services WITHOUT generating correlating entries in the event log. This was seen in Stuxnet.
https://www.inversecos.com/2022/03/windows-event-log-evasion-via-native.html
#edr #event #log #evasion
Some native Windows API calls can be used to install services WITHOUT generating correlating entries in the event log. This was seen in Stuxnet.
https://www.inversecos.com/2022/03/windows-event-log-evasion-via-native.html
#edr #event #log #evasion
Inversecos
Windows Event Log Evasion via Native APIs
ntTraceControl — Powershell Event Tracing Toolbox
Want to simulate any ETW logs using powershell, even the security one?
Do you want to import any evtx files into the current eventlog session?
ntTraceControl is a set of Powershell commands to forge/generate Windows logs. Simply put, ntTraceControl supports Detection teams by simplifying the testing of detection use cases and alerts without using complex infrastructure, tools, or the testing of vulnerabilities.
https://github.com/airbus-cert/ntTraceControl
#etw #simulate #powershell #redteam #blueteam
Want to simulate any ETW logs using powershell, even the security one?
Do you want to import any evtx files into the current eventlog session?
ntTraceControl is a set of Powershell commands to forge/generate Windows logs. Simply put, ntTraceControl supports Detection teams by simplifying the testing of detection use cases and alerts without using complex infrastructure, tools, or the testing of vulnerabilities.
https://github.com/airbus-cert/ntTraceControl
#etw #simulate #powershell #redteam #blueteam