NTLM Relay
This article is not meant to be a tutorial to be followed in order to carry out a successful attack, but it will allow the reader to understand in detail the technical details of this attack, its limitations, and can be a basis to start developing his own tools, or understand how current tools work.
https://en.hackndo.com/ntlm-relay/
#ad #relay #ntlm #ntlmrelay
This article is not meant to be a tutorial to be followed in order to carry out a successful attack, but it will allow the reader to understand in detail the technical details of this attack, its limitations, and can be a basis to start developing his own tools, or understand how current tools work.
https://en.hackndo.com/ntlm-relay/
#ad #relay #ntlm #ntlmrelay
hackndo
NTLM Relay
NTLM relay is a technique of standing between a client and a server to perform actions on the server while impersonating the client. Protections such as SMB signing or MIC allow to limit the actions of an attacker. This article goes into detail about this…
Wordlists
Dictionaries of attack patterns and primitives for black-box application fault injection and resource discovery.
https://github.com/fuzzdb-project/fuzzdb
https://github.com/Karanxa/Bug-Bounty-Wordlists
https://github.com/orwagodfather/WordList
https://wordlists.assetnote.io/
#wordlist #fuzzing #bugbounty
Dictionaries of attack patterns and primitives for black-box application fault injection and resource discovery.
https://github.com/fuzzdb-project/fuzzdb
https://github.com/Karanxa/Bug-Bounty-Wordlists
https://github.com/orwagodfather/WordList
https://wordlists.assetnote.io/
#wordlist #fuzzing #bugbounty
GitHub
GitHub - fuzzdb-project/fuzzdb: Dictionary of attack patterns and primitives for black-box application fault injection and resource…
Dictionary of attack patterns and primitives for black-box application fault injection and resource discovery. - fuzzdb-project/fuzzdb
👍1
Forwarded from r0 Crew (Channel)
Convert curl commands to Python, JavaScript, PHP, R, Go, Rust, Elixir, Java, MATLAB, Dart, CFML, Ansible URI, Strest or JSON
Web (Live Demo): https://curlconverter.com/
Project: https://github.com/curlconverter/curlconverter
#tool #converter #curl #darw1n
Web (Live Demo): https://curlconverter.com/
Project: https://github.com/curlconverter/curlconverter
#tool #converter #curl #darw1n
Curlconverter
Convert curl commands to code
Utility for converting cURL commands to code
👍1
APT
KrbRelay with RBCD Privilege Escalation The short step-by-step writeup about how to do the LPE with KrbRelay + RBCD on a domain-joined machine using KrbRelay + Rubeus: https://gist.github.com/tothi/bf6c59d6de5d0c9710f23dae5750c4b9 #ad #kerberos #relay #rbcd…
NTLMRelay2Self over HTTP
Just a walkthrough of how to escalate privileges locally by forcing the system you landed initial access on to reflectively authenticate over HTTP to itself and forward the received connection to an HTTP listener (ntlmrelayx) configured to relay to DC servers over LDAP/LDAPs for either setting shadow credentials or configuring RBCD.
https://github.com/med0x2e/NTLMRelay2Self
#ad #ntlm #relay #rbcd #redteam
Just a walkthrough of how to escalate privileges locally by forcing the system you landed initial access on to reflectively authenticate over HTTP to itself and forward the received connection to an HTTP listener (ntlmrelayx) configured to relay to DC servers over LDAP/LDAPs for either setting shadow credentials or configuring RBCD.
https://github.com/med0x2e/NTLMRelay2Self
#ad #ntlm #relay #rbcd #redteam
GitHub
GitHub - med0x2e/NTLMRelay2Self: An other No-Fix LPE, NTLMRelay2Self over HTTP (Webdav).
An other No-Fix LPE, NTLMRelay2Self over HTTP (Webdav). - med0x2e/NTLMRelay2Self
👍4
📒 Enabling ADCS Audit and Fix Bad Configs
Auditing is not enabled by default in AD CS. For some mysterious reason, Microsoft has decided to not enable AD CS auditing OOB.
To find the issue, run this command on every one of your CAs:
Fix for AD CS Templates with Bad Configs:
https://github.com/trimarcjake/adcs-snippets#fix-1-for-templates-with-bad-configs---remove-ability-to-set-a-san
#adcs #audit #recommendations #blueteam
Auditing is not enabled by default in AD CS. For some mysterious reason, Microsoft has decided to not enable AD CS auditing OOB.
To find the issue, run this command on every one of your CAs:
certutil -getreg CA\AuditFilterTo enable all auditing, do this:
certutil –setreg CA\AuditFilter 127
net stop certsvc
net start certsvc
You'll also need to enable the Certificate Service advanced auditing subcategories in a GPO linked to the OU containing your CA host objects (Figure 1). Lastly, enforce the advanced auditing subcategories! All of your previous work will be for naught if you don't enforce (Figure 2).Fix for AD CS Templates with Bad Configs:
https://github.com/trimarcjake/adcs-snippets#fix-1-for-templates-with-bad-configs---remove-ability-to-set-a-san
#adcs #audit #recommendations #blueteam
👍3
This media is not supported in your browser
VIEW IN TELEGRAM
⏱ Scheduled Task Tampering
In this post we will explore two approaches that can be used to achieve the same result: create or modify a scheduled task and execute it, without generating the relevant telemetry. First, we will explore how direct registry manipulation could be used to create or modify tasks and how this did not generate the usual entries in the eventlog. Finally, an alternative route based on tampering with the Task Scheduler ETW will be presented that will completely suppress most of logging related to the Task Scheduler.
https://labs.f-secure.com/blog/scheduled-task-tampering/
#windows #schedule #task #redteam #blueteam
In this post we will explore two approaches that can be used to achieve the same result: create or modify a scheduled task and execute it, without generating the relevant telemetry. First, we will explore how direct registry manipulation could be used to create or modify tasks and how this did not generate the usual entries in the eventlog. Finally, an alternative route based on tampering with the Task Scheduler ETW will be presented that will completely suppress most of logging related to the Task Scheduler.
https://labs.f-secure.com/blog/scheduled-task-tampering/
#windows #schedule #task #redteam #blueteam
Forwarded from SHADOW:Group
🧨 RCE в BIG-IP iControl REST (CVE-2022-1388)
Эта уязвимость может позволить неаутентифицированному злоумышленнику с сетевым доступом к системе BIG-IP выполнять произвольные системные команды, создавать или удалять файлы или отключать службы (CVE-2022-1388)
Дорк для Shodan:
PoC представлен на изображении ниже или по ссылке.
Ссылка на PoC
#web #cve #rce
Эта уязвимость может позволить неаутентифицированному злоумышленнику с сетевым доступом к системе BIG-IP выполнять произвольные системные команды, создавать или удалять файлы или отключать службы (CVE-2022-1388)
Дорк для Shodan:
http.title:"BIG-IP®-+Redirect" +"Server"PoC представлен на изображении ниже или по ссылке.
Ссылка на PoC
#web #cve #rce
APT
NTLMRelay2Self over HTTP Just a walkthrough of how to escalate privileges locally by forcing the system you landed initial access on to reflectively authenticate over HTTP to itself and forward the received connection to an HTTP listener (ntlmrelayx) configured…
🛡️Defending the Three Headed Relay
This blog discusses possible attack paths and various protections associated with Kerberos Relay activity.
https://jsecurity101.medium.com/defending-the-three-headed-relay-17e1d6b6a339
#ad #kerberos #relay #mitigation #blueteam
This blog discusses possible attack paths and various protections associated with Kerberos Relay activity.
https://jsecurity101.medium.com/defending-the-three-headed-relay-17e1d6b6a339
#ad #kerberos #relay #mitigation #blueteam
🛠️ Cobalt Strike and BloodHound Integration
PyCobaltHound is an Aggressor script, an extension to CobaltStrike that allows you to integrate with BloodHound so that you can request and receive reports from the same interface.
Features:
— Automatically querying the BloodHound database to discover escalation paths opened up by newly collected credentials.
— Automatically marking compromised users and computers as owned.
— Allowing operators to quickly and easily investigate the escalation potential of beacon sessions and users.
https://github.com/NVISOsecurity/pyCobaltHound
#cobaltstrike #bloodhound #redteam
PyCobaltHound is an Aggressor script, an extension to CobaltStrike that allows you to integrate with BloodHound so that you can request and receive reports from the same interface.
Features:
— Automatically querying the BloodHound database to discover escalation paths opened up by newly collected credentials.
— Automatically marking compromised users and computers as owned.
— Allowing operators to quickly and easily investigate the escalation potential of beacon sessions and users.
https://github.com/NVISOsecurity/pyCobaltHound
#cobaltstrike #bloodhound #redteam
🔥6👍1
📜 Abuse AD CS via dNSHostName Spoofing
This blog covers the technical details of CVE-2022-26923. Active Directory Domain Services Elevation of Privilege Vulnerability via AD CS dNSHostName Spoofing.
https://research.ifcr.dk/certifried-active-directory-domain-privilege-escalation-cve-2022-26923-9e098fe298f4
When you have SYSTEM on server/workstation:
https://gist.github.com/Wh04m1001/355c0f697bfaaf6546e3b698295d1aa1
#ad #adcs #privesc #redteam
This blog covers the technical details of CVE-2022-26923. Active Directory Domain Services Elevation of Privilege Vulnerability via AD CS dNSHostName Spoofing.
https://research.ifcr.dk/certifried-active-directory-domain-privilege-escalation-cve-2022-26923-9e098fe298f4
When you have SYSTEM on server/workstation:
https://gist.github.com/Wh04m1001/355c0f697bfaaf6546e3b698295d1aa1
#ad #adcs #privesc #redteam
💉 From Process Injection to Function Hijacking
This post about FunctionHijacking, a "new" process injection technique built upon Module/Function Stomping, along with experiments to break behavioral based detection of other common process injection techniques.
https://klezvirus.github.io/RedTeaming/AV_Evasion/FromInjectionToHijacking/
#av #evasion #maldev #redteam #research
This post about FunctionHijacking, a "new" process injection technique built upon Module/Function Stomping, along with experiments to break behavioral based detection of other common process injection techniques.
https://klezvirus.github.io/RedTeaming/AV_Evasion/FromInjectionToHijacking/
#av #evasion #maldev #redteam #research
👍4
🦮 BloodHound via Proxychains
For BloodHound.py ingestor to work through proxychains you need to use TCP instead of UDP for DNS queries by adding the
#ad #bloodhound #proxy #tricks
For BloodHound.py ingestor to work through proxychains you need to use TCP instead of UDP for DNS queries by adding the
--dns-tcp flag.#ad #bloodhound #proxy #tricks
👍2
Forwarded from 1N73LL1G3NC3
Exploiting RBCD Using a Normal User Account*
https://www.tiraniddo.dev/2022/05/exploiting-rbcd-using-normal-user.html
https://www.tiraniddo.dev/2022/05/exploiting-rbcd-using-normal-user.html
www.tiraniddo.dev
Exploiting RBCD Using a Normal User Account*
* Caveats apply. Resource Based Constrained Delegate (RBCD) privilege escalation, described by Elad Shamir in the "Wagging the Dog" blog p...