⚙️ Active Directory Delegation Management Tool
Is an Active Directory delegation management tool. It allows you to make a detailed inventory of delegations set up so far in a forest, along with their potential issues:
— Objects owned by users
— Objects with ACEs for users
— Non canonical ACL
— Disabled ACL inheritance
— Default ACL modified in schema
— Deleted delegation trustees
It also allows you to document your delegation model in JSON files, to obtain a more readable view:
https://github.com/mtth-bfft/adeleg
#ad #delegations #ace #acl #tools
Is an Active Directory delegation management tool. It allows you to make a detailed inventory of delegations set up so far in a forest, along with their potential issues:
— Objects owned by users
— Objects with ACEs for users
— Non canonical ACL
— Disabled ACL inheritance
— Default ACL modified in schema
— Deleted delegation trustees
It also allows you to document your delegation model in JSON files, to obtain a more readable view:
https://github.com/mtth-bfft/adeleg
#ad #delegations #ace #acl #tools
🔥3👍1
Forwarded from Codeby
Media is too big
VIEW IN TELEGRAM
🔥 Фильм о команде Codeby на The Standoff 2022
Друзья, уже в скором времени мы будем готовы представить вам документальный фильм об участии команды Codeby на мероприятии The Standoff 2022!
Вспомним, какие эмоции испытывали все мы каждый день соревнований, а также узнаем, что происходило в эти дни от лица игроков. А пока предлагаем вам насладиться просмотром небольшого трейлера!
Друзья, уже в скором времени мы будем готовы представить вам документальный фильм об участии команды Codeby на мероприятии The Standoff 2022!
Вспомним, какие эмоции испытывали все мы каждый день соревнований, а также узнаем, что происходило в эти дни от лица игроков. А пока предлагаем вам насладиться просмотром небольшого трейлера!
🔥16👍1👎1
This media is not supported in your browser
VIEW IN TELEGRAM
🔑 Extracting Credentials from Chrome Memory
An excellent study on how Chrome's memory works and how to extract credentials, cookies, etc. in а low privileges plain text format.
https://www.cyberark.com/resources/threat-research-blog/extracting-clear-text-credentials-directly-from-chromium-s-memory
#chrome #memory #dump #creds
An excellent study on how Chrome's memory works and how to extract credentials, cookies, etc. in а low privileges plain text format.
https://www.cyberark.com/resources/threat-research-blog/extracting-clear-text-credentials-directly-from-chromium-s-memory
#chrome #memory #dump #creds
👍10🔥5
APT
📜 Abuse AD CS via dNSHostName Spoofing This blog covers the technical details of CVE-2022-26923. Active Directory Domain Services Elevation of Privilege Vulnerability via AD CS dNSHostName Spoofing. https://research.ifcr.dk/certifried-active-directory-domain…
📜 Defused That SAN Flag
One more post about Microsoft's recent security updates - re changes to Kerberos and the new certificate extension containing the requester's SID.
The changes 'defuse' the impact of the flag that allows adding custom subject alternative names to any certificate (including the ones that 'actually' should be auto-enrolled).
https://elkement.blog/2022/06/13/defused-that-san-flag/
#ad #adcs #privesc #redteam
One more post about Microsoft's recent security updates - re changes to Kerberos and the new certificate extension containing the requester's SID.
The changes 'defuse' the impact of the flag that allows adding custom subject alternative names to any certificate (including the ones that 'actually' should be auto-enrolled).
https://elkement.blog/2022/06/13/defused-that-san-flag/
#ad #adcs #privesc #redteam
👍2
This media is not supported in your browser
VIEW IN TELEGRAM
⚔️ Remote Code Injection by Abusing CreateProcess and GetEnvironmentVariable
New method of injecting code into a remote process without using WriteProcessMemory.
CreateProcess:
https://www.x86matthew.com/view_post?id=proc_env_injection
GetEnvironmentVariable:
https://x-c3ll.github.io/posts/GetEnvironmentVariable-Process-Injection/
#maldev #process #inject #pinvoke #winapi
New method of injecting code into a remote process without using WriteProcessMemory.
CreateProcess:
https://www.x86matthew.com/view_post?id=proc_env_injection
GetEnvironmentVariable:
https://x-c3ll.github.io/posts/GetEnvironmentVariable-Process-Injection/
#maldev #process #inject #pinvoke #winapi
👍5
Forwarded from RedTeam brazzers
Bitrix.pdf
799.4 KB
Меньше месяца назад вышло исследование под названием "Уязвимости и атаки на CMS Bitrix". Вдохновившись этим исследованием, мой коллега Юрий (Компания BSS-Security) докрутил один из путей до RCE. Пообшавшись с разработчиками и убедившись, что уязвимость в последней версии устранена - со спокойной душой выкладываем разбор и PoC уязвимости.
Ну и как всегда рекомендация - обновляйтесь вовремя))
Ну и как всегда рекомендация - обновляйтесь вовремя))
🔥9
🧲 PoC for MS-DFSNM coerce authentication using NetrDfsRemoveStdRoot method
Spooler service disabled, RPC filters installed to prevent PetitPotam and File Server VSS Agent Service not installed but you still want to relay DC authentication to ADCS? Don't worry MS-DFSNM have your back:
🔗 https://github.com/Wh04m1001/DFSCoerce
Inspired by:
🔗 https://github.com/topotam/PetitPotam
🔗 https://github.com/ShutdownRepo/ShadowCoerce
🔗 https://github.com/leechristensen/SpoolSample
#authentication #coercion #petitpotam #dfsnm
Spooler service disabled, RPC filters installed to prevent PetitPotam and File Server VSS Agent Service not installed but you still want to relay DC authentication to ADCS? Don't worry MS-DFSNM have your back:
🔗 https://github.com/Wh04m1001/DFSCoerce
Inspired by:
🔗 https://github.com/topotam/PetitPotam
🔗 https://github.com/ShutdownRepo/ShadowCoerce
🔗 https://github.com/leechristensen/SpoolSample
#authentication #coercion #petitpotam #dfsnm
🔥7👍2
🐙🐍 OctoPwn & OctoPwnWeb
Pentest framework running (almost) entirely in the browser via pyodide. OctoPwnWeb has been presented a41con.
Talk:
https://youtu.be/jStdrDHTmD4
Slides:
https://docs.google.com/presentation/d/1XQFYr_OBI1lrpybsLrHWTWcYNZcF_zOmGDHiIBwSMng
Tool:
https://octopwn.porchetta.industries/
Repository:
https://github.com/skelsec/octopwnweb
Readme:
https://octopwn.porchetta.industries/readme.html
Sponsor for more features:
https://porchetta.industries
#pentest #framework
Pentest framework running (almost) entirely in the browser via pyodide. OctoPwnWeb has been presented a41con.
Talk:
https://youtu.be/jStdrDHTmD4
Slides:
https://docs.google.com/presentation/d/1XQFYr_OBI1lrpybsLrHWTWcYNZcF_zOmGDHiIBwSMng
Tool:
https://octopwn.porchetta.industries/
Repository:
https://github.com/skelsec/octopwnweb
Readme:
https://octopwn.porchetta.industries/readme.html
Sponsor for more features:
https://porchetta.industries
#pentest #framework
👍5🔥2
APT
🐙🐍 OctoPwn & OctoPwnWeb Pentest framework running (almost) entirely in the browser via pyodide. OctoPwnWeb has been presented a41con. Talk: https://youtu.be/jStdrDHTmD4 Slides: https://docs.google.com/presentation/d/1XQFYr_OBI1lrpybsLrHWTWcYNZcF_zOmGDHiIBwSMng…
How it started:
“I waited 2 years for this, rewrote impacket for this, asked cryptographers to remake algos in python for this, spent enormous time of my life to make this happen. and it's finally here this finally works and I can't find the words to express my satisfaction.” (SkelSec)
“For the record: the two crypto guys who eventually helped me in pure-python rewrite of some algos tole me to never ever use it anywhere and also they dont want to be mentioned.” (SkelSec)
“I waited 2 years for this, rewrote impacket for this, asked cryptographers to remake algos in python for this, spent enormous time of my life to make this happen. and it's finally here this finally works and I can't find the words to express my satisfaction.” (SkelSec)
“For the record: the two crypto guys who eventually helped me in pure-python rewrite of some algos tole me to never ever use it anywhere and also they dont want to be mentioned.” (SkelSec)
👍2
🦠 Hiding C2 Traffic Using Tyk.io
A small article on the topic of hiding your malicious C2 traffic through of the TYK cloud API management service domains.
Tyk API gateway will let you manage your API ingress and routing them to different endpoints, some of them could be internally but some of them could be publicly exposed, and you can add some controls for authentication purposes while calling one of your APIs.
🔗 https://shells.systems/oh-my-api-abusing-tyk-cloud-api-management-service-to-hide-your-malicious-c2-traffic/
#c2 #rederectors #trafic #redteam
A small article on the topic of hiding your malicious C2 traffic through of the TYK cloud API management service domains.
Tyk API gateway will let you manage your API ingress and routing them to different endpoints, some of them could be internally but some of them could be publicly exposed, and you can add some controls for authentication purposes while calling one of your APIs.
🔗 https://shells.systems/oh-my-api-abusing-tyk-cloud-api-management-service-to-hide-your-malicious-c2-traffic/
#c2 #rederectors #trafic #redteam
👍5🔥2
😈 How to Detect Linux Anti-Forensics Log Tampering
When forensically examining Linux systems for malicious intrusion, responders often rely on the following three artefacts to determine logins and logouts:
—
—
—
Of course, these artefacts are not all you can forensically investigate for malicious access, however, these will be the focus of this anti-forensics blog post.
https://www.inversecos.com/2022/06/detecting-linux-anti-forensics-log.html
#linux #log #evasion #antiforensics
When forensically examining Linux systems for malicious intrusion, responders often rely on the following three artefacts to determine logins and logouts:
—
/var/run/utmp – currently logged in users—
/var/run/wtmp – current, past logins and system reboot —
/var/log/btmp – bad login attempts Of course, these artefacts are not all you can forensically investigate for malicious access, however, these will be the focus of this anti-forensics blog post.
https://www.inversecos.com/2022/06/detecting-linux-anti-forensics-log.html
#linux #log #evasion #antiforensics
👍4
🦠 Mangle
Mangle is a tool that manipulates aspects of compiled executables (.exe or DLL). Mangle can remove known Indicators of Compromise (IoC) based strings and replace them with random characters, change the file by inflating the size to avoid EDRs, and can clone code-signing certs from legitimate files. In doing so, Mangle helps loaders evade on-disk and in-memory scanners.
https://github.com/optiv/Mangle
#av #edr #memory #evasion #redteam
Mangle is a tool that manipulates aspects of compiled executables (.exe or DLL). Mangle can remove known Indicators of Compromise (IoC) based strings and replace them with random characters, change the file by inflating the size to avoid EDRs, and can clone code-signing certs from legitimate files. In doing so, Mangle helps loaders evade on-disk and in-memory scanners.
https://github.com/optiv/Mangle
#av #edr #memory #evasion #redteam
GitHub
GitHub - optiv/Mangle: Mangle is a tool that manipulates aspects of compiled executables (.exe or DLL) to avoid detection from…
Mangle is a tool that manipulates aspects of compiled executables (.exe or DLL) to avoid detection from EDRs - optiv/Mangle
❤🔥7
Forwarded from SHADOW:Group
🐘 Удаленная эксплуатация переполнения кучи в веб-приложениях PHP (
Представлен PoC для RCE уязвимости в PHP <=7.4.29, которая может быть запущена через мошеннический сервер MySQL/MariaDB.
Ссылка на PoC
#web #rce
CVE 2022-31626)Представлен PoC для RCE уязвимости в PHP <=7.4.29, которая может быть запущена через мошеннический сервер MySQL/MariaDB.
Ссылка на PoC
#web #rce
📡 Relaying to ADFS Attacks
Praetorian has developed and is releasing an open source tool ADFSRelay and NTLMParse, which can be used for performing relaying attacks targeting ADFS and analyzing NTLM messages respectively.
https://www.praetorian.com/blog/relaying-to-adfs-attacks/
#ad #adfs #relay #ntlm
Praetorian has developed and is releasing an open source tool ADFSRelay and NTLMParse, which can be used for performing relaying attacks targeting ADFS and analyzing NTLM messages respectively.
https://www.praetorian.com/blog/relaying-to-adfs-attacks/
#ad #adfs #relay #ntlm
Praetorian
Relaying to ADFS Attacks
Overview During red team engagements over the last few years, I’ve been curious whether it would be possible to authenticate to cloud services such as Office365 via a relay from New Technology Lan Manager (NTLM) to Active Directory Federation Services (ADFS).…
❤🔥5🔥1
😡 Brute-Ratel-C4-Community-Kit
This repository contains scripts, configurations and deprecated payload loaders for Brute Ratel C4. Anything which is added in the deprecated folder will not be a part of the latest release of BRc4.
https://github.com/paranoidninja/Brute-Ratel-C4-Community-Kit
#c2 #bof #shellcode #injection
This repository contains scripts, configurations and deprecated payload loaders for Brute Ratel C4. Anything which is added in the deprecated folder will not be a part of the latest release of BRc4.
https://github.com/paranoidninja/Brute-Ratel-C4-Community-Kit
#c2 #bof #shellcode #injection
GitHub
GitHub - paranoidninja/Brute-Ratel-C4-Community-Kit: This repository contains scripts, configurations and deprecated payload loaders…
This repository contains scripts, configurations and deprecated payload loaders for Brute Ratel C4 (https://bruteratel.com/) - paranoidninja/Brute-Ratel-C4-Community-Kit
🔎 ldeep
In-depth LDAP enumeration utility.
https://github.com/franc-pentest/ldeep
Install:
Enumerate ACEs of the AdminSDHolder object
In-depth LDAP enumeration utility.
https://github.com/franc-pentest/ldeep
Install:
$ pip3 install ldeepUsage Example:
Enumerate ACEs of the AdminSDHolder object
$ ldeep ldap -s 'ldap://10.10.13.37' -d megacorp -u j.doe -p 'Passw0rd!' -b 'CN=System,DC=megacorp,DC=local' sddl AdminSDHolder | jq '.[].nTSecurityDescriptor.DACL.ACEs[] | select(.Type | contains("Allowed")) | .SID + " :: " + .Type'
Convert SID to name$ ldeep ldap -s 'ldap://10.10.13.37' -d megacorp -u j.doe -p 'Passw0rd!' from_sid <SID>#ad #ldap
🔥5👍1