🤖 BBOT: OSINT automation for hackers

This tools is capable of executing the entire OSINT process in a single command, including subdomain enumeration, port scanning, web screenshots (with its gowitness module), vulnerability scanning (with nuclei), and much more. BBOT currently has over 50 modules and counting.

Features:
— Recursive;
— Graphing;
— Modular;
— Multi-Target;
— Automatic Dependencies;
— Smart Dictionary Attacks;
— Scope Distance;
— Easily Configurable via YAML.

Blog:
https://blog.blacklanternsecurity.com/p/bbot

Source:
https://github.com/blacklanternsecurity/bbot

#external #recon #osint #redteam #bugbounty

🎭 Masky

Masky is a python library providing an alternative way to remotely dump domain users' credentials thanks to an ADCS. A command line tool has been built on top of this library in order to easily gather PFX, NT hashes and TGT on a larger scope.

This tool does not exploit any new vulnerability and does not work by dumping the LSASS process memory. Indeed, it only takes advantage of legitimate Windows and Active Directory features (token impersonation, certificate authentication via kerberos & NT hashes retrieval via PKINIT).

Blog:
https://z4ksec.github.io/posts/masky-release-v0.0.3/

Source:
https://github.com/Z4kSec/Masky

#ad #adcs #lsass #redteam

⚙️ Hackers No Hashing: Randomizing API Hashes to Evade Cobalt Strike Shellcode Detection

If you utilise API hashing in your malware or offensive security tooling. Try rotating your API hashes. This can have a significant impact on detection rates and improve your chances of remaining undetected by AV/EDR.

Blog:
https://www.huntress.com/blog/hackers-no-hashing-randomizing-api-hashes-to-evade-cobalt-strike-shellcode-detection

Source:
https://github.com/matthewB-huntress/APIHashReplace

#maldev #evasion #hinvoke #cobaltstrike #redteam

📡 NTLMv1 vs NTLMv2: Digging into an NTLM Downgrade Attack

This article discusses the NTLM specifications to better understand how various aspects of the NTLM protocol function. As well as bypassing the SMB signature, relaying SMB to LDAP, and relaying NTLMv1 authentication attempts to the ADFS service.

https://www.praetorian.com/blog/ntlmv1-vs-ntlmv2/

#ad #ntlm #smb #relay

MSSQL Analysis Services — Coerced Authentication

New technique to coerce an SMB authentication on Windows SQL Server as the machine account

PoC:
https://github.com/p0dalirius/MSSQL-Analysis-Coerce

#ad #mssql #smb #relay

🔎 GEOINT Protip

Landmark identification and pinpointing locations where an image or video was taken is a very good skill when investigating current and past events.

— geohints.com
— landmark.toolpie.com
— brueckenweb.de/2content/suchen/suche.php

#geoint #osint #tips

⚔️ Microsoft Teams C2 — Covert Attack Chain Utilizing GIFShell

Seven different insecure design elements/vulnerabilities present in Microsoft Teams, can be leveraged by an attacker, to execute a reverse shell between an attacker and victim, where no communication is directly exchanged between an attacker and a victim, but is entirely piped through malicious GIFs sent in Teams messages, and Out of Bounds (OOB) lookups of GIFs conducted by Microsoft’s own servers. This unique C2 infrastructure can be leveraged by sophisticated threat actors to avoid detection by EDR and other network monitoring tools. Particularly in secure network environments, where Microsoft Teams might be one of a handful of allowed, trusted hosts and programs, this attack chain can be particularly devastating.

Source:
https://medium.com/@bobbyrsec/gifshell-covert-attack-chain-and-c2-utilizing-microsoft-teams-gifs-1618c4e64ed7

#c2 #teams #gifshell #edr #redteam

🦊 CloudFox

Security firm BishopFox has open-sourced on Tuesday a new security tool named CloudFox that can find exploitable attack paths in cloud infrastructure.

Blog:
https://bishopfox.com/blog/introducing-cloudfox

Tool:
https://github.com/BishopFox/cloudfox

#cloud #aws #pentest #tools

Azure Threat Research Matrix

The purpose of the Azure Threat Research Matrix is to conceptualize the known TTP that adversaries may use against Azure

https://microsoft.github.io/Azure-Threat-Research-Matrix/

#azure #ttp #blueteam

🤤 LDAP Nom Nom

Stuck on a network with no credentials?
No worry, you can anonymously bruteforce Active Directory controllers for usernames over LDAP Pings (cLDAP) using new tool - with parallelization you'll get 10K usernames/sec. No Windows audit logs generated.

Features:
— Tries to autodetect DC from environment variables on domain joined machines or falls back to machine hostname FDQN DNS suffix
— Reads usernames to test from stdin (default) or file
— Outputs to stdout (default) or file
— Parallelized (defaults to 8 connections)
— Shows progressbar if you're using both input and output files

https://github.com/lkarlslund/ldapnomnom

#ad #ldap #userenum #tools

🎲 Fileless Remote PE

Loading Fileless Remote PE from URI to memory with argument passing and ETW patching and NTDLL unhooking and No New Thread technique

https://github.com/D1rkMtr/FilelessRemotePE

#maldev #evasion #fileless #pe

Just another Windows Local Privilege Escalation from Service Account to System. Full details at

https://decoder.cloud/2022/09/21/giving-juicypotato-a-second-chance-juicypotatong/

POC:
https://github.com/antonioCoco/JuicyPotatoNG

📞 Persistence on Skype for Business

This article provides a tool for Red Teams helping to achieve persistence on the latest patched version of Skype for Business 2019 server using a new method.

https://frycos.github.io/vulns4free/2022/09/22/skype-audit-part1.html

#ad #skype #persistence #redteam

Havoc is a modern and malleable post-exploitation command and control framework

Features:
Client
- Modern, dark theme based on Dracula
Teamserver
- Multiplayer
- Payload generation (exe/shellcode/dll)
- HTTP/HTTPS listeners
- Customizable C2 profiles
- External C2
Demon
- Sleep Obfuscation via Ekko or FOLIAGE
- x64 return address spoofing
- Indirect Syscalls for Nt* APIs
- SMB support
- Token vault
- Variety of built-in post-exploitation commands

😈 [ pdiscoveryio, ProjectDiscovery.io ]

The Ultimate Guide to Finding Bugs With Nuclei by @v3natoris

https://t.co/2GY3QZlTft

#hackwithautomation #cybersecurity #infosec #bugbounty

🔗 https://blog.projectdiscovery.io/ultimate-nuclei-guide/

🐥 [ tweet ]

😈 Fortinet RCE (CVE-2022-40684)

Fortinet recently patched a critical authentication bypass vulnerability in their FortiOS, FortiProxy, and FortiSwitchManager projects (CVE-2022-40684). This vulnerability gives an attacker the ability to login as an administrator on the affected system.

Shodan Dork:
product:"Fortinet FortiGate"

Research:
https://www.horizon3.ai/fortios-fortiproxy-and-fortiswitchmanager-authentication-bypass-technical-deep-dive-cve-2022-40684/

PoC:
https://github.com/horizon3ai/CVE-2022-40684

Detection for SOC:
https://www.horizon3.ai/fortinet-iocs-cve-2022-40684/

#fortinet #rce #research #poc #exploit

⌛ Attacking Predictable GUID

Few penetration testers and bug bounty hunters are aware of the different versions of GUIDs and the security issues associated with using the wrong one. In this blog post walk through an account takeover issue from a recent penetration test where GUIDs were used as password reset tokens.

https://www.intruder.io/research/in-guid-we-trust

#web #pentest #guid #account #takeover

📄 Detecting ADCS Web Services Abuse (ESC8)

One of the popular attack vectors against Active Directory Certificate Services is ESC8. This article covers detecting irregular access to some ADCS web services exposed, as well as detecting the NTLM relaying itself.

https://medium.com/falconforce/falconfriday-detecting-adcs-web-services-abuse-0xff20-9f660c83cb36

#adcs #detection #esc8 #blueteam

🔑 YubiKeys Relaying Attack

That is, the APDU packets that the server application wants to get signed by a private key to verify the identity of the authentication. This attack works on all PIV Smart Cards.

Research:
Relaying YubiKeys Part 1
Relaying YubiKeys Part 2

Tools:
https://github.com/cube0x0/YubiKey-Relay

#ad #2fa #fido2 #ybikeys