This media is not supported in your browser
VIEW IN TELEGRAM
Microsoft Sharepoint RCE (CVE-2022-22005)
https://hnd3884.github.io/posts/cve-2022-22005-microsoft-sharepoint-RCE/
#sharepoint #rce #cve #research
https://hnd3884.github.io/posts/cve-2022-22005-microsoft-sharepoint-RCE/
#sharepoint #rce #cve #research
Red Teaming Toolkit
A collection of open source and commercial tools that aid in red team operations. This post will help you during red team engagement.
Contents
— Reconnaissance
— Weaponization
— Delivery
— Command and Control
— Lateral Movement
— Establish Foothold
— Escalate Privileges
— Data Exfiltration
— Misc
— References
https://renatoborbolla.medium.com/red-teaming-adversary-simulation-toolkit-da89b20cb5ea
#redteam #toolkit #powershell #c2
A collection of open source and commercial tools that aid in red team operations. This post will help you during red team engagement.
Contents
— Reconnaissance
— Weaponization
— Delivery
— Command and Control
— Lateral Movement
— Establish Foothold
— Escalate Privileges
— Data Exfiltration
— Misc
— References
https://renatoborbolla.medium.com/red-teaming-adversary-simulation-toolkit-da89b20cb5ea
#redteam #toolkit #powershell #c2
OverPass-the-Hash in 1C Enterprise
To gain access to 1C Enterprise, you need a username and password. In case 1C works with LDAP authentication and you only have the user's NTLM hash, you can use Rubeus to launch 1C using the OverPass-the-Hash attack. Thus, you can access 1C Enterprise without having a password in the plaintext.
If the compromised user has permissions to run "External data processors", you can get a reverse shell of the 1C server.
https://github.com/KraudSecurity/1C-Exploit-Kit/tree/master/1C-Shell
#1c #pth #rubeus #ad
To gain access to 1C Enterprise, you need a username and password. In case 1C works with LDAP authentication and you only have the user's NTLM hash, you can use Rubeus to launch 1C using the OverPass-the-Hash attack. Thus, you can access 1C Enterprise without having a password in the plaintext.
Invoke-Rubeus -Command "asktgt /user:i.ivanov /domain:APTNOTES.LOCAL /rc4:A87F3A337D73085C45F9416BE5787D86 /createnetonly:C:\1cestart.exe /show"
Bonus:If the compromised user has permissions to run "External data processors", you can get a reverse shell of the 1C server.
https://github.com/KraudSecurity/1C-Exploit-Kit/tree/master/1C-Shell
#1c #pth #rubeus #ad
🔥7👍2
ShadowMove Pivot Technique
ShadowMove is a novel technique to hijack sockets from non-cooperative processes. It is described in the paper ShadowMove: A Stealthy Lateral Movement Strategy presented at USENIX ‘20. This technique takes advantage of the fact that AFD (Ancillary Function Driver) file handles are treated as socket handles by Windows APIs, so it is possible to duplicate them with
https://adepts.of0x.cc/shadowmove-hijack-socket/
#shadowmove #hijacking #socket #redteam
ShadowMove is a novel technique to hijack sockets from non-cooperative processes. It is described in the paper ShadowMove: A Stealthy Lateral Movement Strategy presented at USENIX ‘20. This technique takes advantage of the fact that AFD (Ancillary Function Driver) file handles are treated as socket handles by Windows APIs, so it is possible to duplicate them with
WSADuplicateSocket().https://adepts.of0x.cc/shadowmove-hijack-socket/
#shadowmove #hijacking #socket #redteam
Forwarded from 1N73LL1G3NC3
This media is not supported in your browser
VIEW IN TELEGRAM
CVE-2022-29072
7-Zip 21.07 on Windows allows privilege escalation and command execution when a file with the .7z extension is dragged to the Help>Contents area (0-day)
https://github.com/kagancapar/CVE-2022-29072
7-Zip 21.07 on Windows allows privilege escalation and command execution when a file with the .7z extension is dragged to the Help>Contents area (0-day)
https://github.com/kagancapar/CVE-2022-29072
In-Process Patchless AMSI Bypass
https://ethicalchaos.dev/2022/04/17/in-process-patchless-amsi-bypass/
#amsi #bypass #av #evasion
https://ethicalchaos.dev/2022/04/17/in-process-patchless-amsi-bypass/
#amsi #bypass #av #evasion
Ethical Chaos
In-Process Patchless AMSI Bypass - Ethical Chaos
Some of you may remember my patchless AMSI bypass article and how it was used inside SharpBlock to bypass AMSI on the child process that SharpBlock spawns. This is all well a good when up against client environments that are not too sensitive to the fork…
A blueprint for evading industry leading endpoint protection in 2022
In this post, I’d like to lay out a collection of techniques that together can be used to bypassed industry leading enterprise endpoint protection solutions. This is purely for educational purposes for (ethical) red teamers and alike, so I’ve decided not to publicly release the source code. The aim for this post is to be accessible to a wide audience in the security industry, but not to drill down to the nitty gritty details of every technique. Instead, I will refer to writeups of others that deep dive better than I can:
https://vanmieghem.io/blueprint-for-evading-edr-in-2022/
#av #edr #evasion #research
In this post, I’d like to lay out a collection of techniques that together can be used to bypassed industry leading enterprise endpoint protection solutions. This is purely for educational purposes for (ethical) red teamers and alike, so I’ve decided not to publicly release the source code. The aim for this post is to be accessible to a wide audience in the security industry, but not to drill down to the nitty gritty details of every technique. Instead, I will refer to writeups of others that deep dive better than I can:
https://vanmieghem.io/blueprint-for-evading-edr-in-2022/
#av #edr #evasion #research
This media is not supported in your browser
VIEW IN TELEGRAM
KernelCallbackTable Injection
KernelCallbackTable which could be abused to inject shellcode in a remote process. This method of process injection was used by FinFisher/FinSpy and Lazarus.
https://captmeelo.com/redteam/maldev/2022/04/21/kernelcallbacktable-injection.html
#edr #bypass #injection #cpp #maldev
KernelCallbackTable which could be abused to inject shellcode in a remote process. This method of process injection was used by FinFisher/FinSpy and Lazarus.
https://captmeelo.com/redteam/maldev/2022/04/21/kernelcallbacktable-injection.html
#edr #bypass #injection #cpp #maldev
This media is not supported in your browser
VIEW IN TELEGRAM
WSO2 RCE (CVE-2022-29464)
Critical vulnerability on WSO2 discovered by Orange Tsai. the vulnerability is an unauthenticated unrestricted arbitrary file upload which which allows unauthenticated attackers to gain RCE on WSO2 servers via uploading malicious JSP files.
Google Dorks:
#wso2 #rce #exploit
Critical vulnerability on WSO2 discovered by Orange Tsai. the vulnerability is an unauthenticated unrestricted arbitrary file upload which which allows unauthenticated attackers to gain RCE on WSO2 servers via uploading malicious JSP files.
Google Dorks:
inurl:"/carbon/admin/login.jsp"https://github.com/hakivvi/CVE-2022-29464
inurl:"/authenticationendpoint/login.do"
inurl:"devportal/apis"
intitle:"API Publisher- Login"
intitle:"WSO2 Management Console"
#wso2 #rce #exploit
❤1
Invoke-SocksProxy
The reverse proxy creates a tcp tunnel by initiating outbond SSL connections that can go through the system's proxy. The tunnel can then be used as a socks proxy on the remote host to pivot into the local host's network.
https://github.com/p3nt4/Invoke-SocksProxy
#powershell #socks #proxy #tools
The reverse proxy creates a tcp tunnel by initiating outbond SSL connections that can go through the system's proxy. The tunnel can then be used as a socks proxy on the remote host to pivot into the local host's network.
https://github.com/p3nt4/Invoke-SocksProxy
#powershell #socks #proxy #tools
GitHub
GitHub - p3nt4/Invoke-SocksProxy: Socks proxy, and reverse socks server using powershell.
Socks proxy, and reverse socks server using powershell. - GitHub - p3nt4/Invoke-SocksProxy: Socks proxy, and reverse socks server using powershell.
Abusing LNK "Features" for Initial Access and Persistence
https://v3ded.github.io/redteam/abusing-lnk-features-for-initial-access-and-persistence
#windows #lnk #persistence #redteam
https://v3ded.github.io/redteam/abusing-lnk-features-for-initial-access-and-persistence
#windows #lnk #persistence #redteam
v3ded.github.io
Abusing LNK "Features" for Initial Access and Persistence
Preface Today we’ll talk about the misuse of .LNK trigger keys as a means of achieving initial access and persistence. I first heard about this topic myself ...
Forwarded from 1N73LL1G3NC3
Windows Event logs Cheat Sheet!.pdf
117 KB
Windows Event logs Cheat Sheet
NTLM Relay
This article is not meant to be a tutorial to be followed in order to carry out a successful attack, but it will allow the reader to understand in detail the technical details of this attack, its limitations, and can be a basis to start developing his own tools, or understand how current tools work.
https://en.hackndo.com/ntlm-relay/
#ad #relay #ntlm #ntlmrelay
This article is not meant to be a tutorial to be followed in order to carry out a successful attack, but it will allow the reader to understand in detail the technical details of this attack, its limitations, and can be a basis to start developing his own tools, or understand how current tools work.
https://en.hackndo.com/ntlm-relay/
#ad #relay #ntlm #ntlmrelay
hackndo
NTLM Relay
NTLM relay is a technique of standing between a client and a server to perform actions on the server while impersonating the client. Protections such as SMB signing or MIC allow to limit the actions of an attacker. This article goes into detail about this…
Wordlists
Dictionaries of attack patterns and primitives for black-box application fault injection and resource discovery.
https://github.com/fuzzdb-project/fuzzdb
https://github.com/Karanxa/Bug-Bounty-Wordlists
https://github.com/orwagodfather/WordList
https://wordlists.assetnote.io/
#wordlist #fuzzing #bugbounty
Dictionaries of attack patterns and primitives for black-box application fault injection and resource discovery.
https://github.com/fuzzdb-project/fuzzdb
https://github.com/Karanxa/Bug-Bounty-Wordlists
https://github.com/orwagodfather/WordList
https://wordlists.assetnote.io/
#wordlist #fuzzing #bugbounty
GitHub
GitHub - fuzzdb-project/fuzzdb: Dictionary of attack patterns and primitives for black-box application fault injection and resource…
Dictionary of attack patterns and primitives for black-box application fault injection and resource discovery. - fuzzdb-project/fuzzdb
👍1