👹 [ snovvcrash, sn🥶vvcr💥sh ]
[#HackTip 🛠] Some tips and links on how NTDS reversible encryption usage (means you can DCSync cleartext passwords) can be enumerated during an AD security assessment:
🔗 https://t.co/pjUzcqzxYK
🔗 https://t.co/km8ZhkrJrt
#ntds #ad #adsecurity
🔗 https://adsecurity.org/?p=2053
🔗 https://www.blackhillsinfosec.com/how-i-cracked-a-128-bit-password/
🐥 [ tweet ]
👹 [ snovvcrash, sn🥶vvcr💥sh ]
[#HackTip ⚒] When there’s not much info revealed about AD sites from CME subnets module, we can combine @_dirkjan’s adidnsdump with @pdiscoveryio mapcidr to get a nicely formatted list of the target intranetworks 🕸
#ad #dns
🐥 [ tweet ]
👹 [ snovvcrash, sn🥶vvcr💥sh ]
[#HackTip ⚒] Such a tiny code snippet that can help you bypass some automatic sandbox detections ⏳
#maldev
🐥 [ tweet ]
👹 [ snovvcrash, sn🥶vvcr💥sh ]
[#HackTip ⚒] A cool technique for initial AD access during a pentest. Got a Cisco IP Phone nearby? Congrats, you’re (almost) a domain user!
#pentest #ad #cisco
🔗 https://www.trustedsec.com/blog/seeyoucm-thief-exploiting-common-misconfigurations-in-cisco-phone-systems/
🔗 https://www.n00py.io/2022/01/unauthenticated-dumping-of-usernames-via-cisco-unified-call-manager-cucm/
🔗 https://github.com/llt4l/iCULeak.py
🐥 [ tweet ]
👹 [ snovvcrash, sn🥶vvcr💥sh ]
[#HackTip ⚒] Looking for a legitimate way of achieving #persistence on Windows? How about #AnyDesk silent deployment? 😉
🐥 [ tweet ]
👹 [ snovvcrash, sn🥶vvcr💥sh ]
[#HackTip ⚒] While guys @_EthicalChaos_ and @an0n_r0 are talking about a legitimate way of jumping into RDP via smart card auth having a certificate, I’ll give a more clumsy approach: UnPAC-the-Hash (PKINIT) ⏭ DisableRestrictedAdmin=0 ⏭ scforceoption=0 ⏭ xfreerdp /pth 🎉
🐥 [ tweet ]
On what to do when all you have is the NT hash of a machine account and you want to become a local admin on that machine 👇🏻
https://threadreaderapp.com/thread/1576176699300990976.html
Threadreaderapp
Thread by @snovvcrash on Thread Reader App
@snovvcrash: [#HackTip ⚒️] (1/3) There’re a couple of ways to become a local admin on a box when you possess only the corresponding machine account NT hash. The first one being the well known Silver ticket...…
👹 [ snovvcrash, sn🥶vvcr💥sh ]
[#HackTip ⚒️] A simple post-exploitation tip when you’ve added a GitLab admin from a compromised gitlab-rails console: if there’s only LDAP auth available and you cannot sign in even when you possess valid creds, do this to enable password auth for web 🤓
https://t.co/uJCcbhQZNz
🔗 https://ppn.snovvcrash.rocks/pentest/infrastructure/devops/gitlab#gitlab-rails
🐥 [ tweet ]
👹 [ snovvcrash, sn🥶vvcr💥sh ]
[#HackTip ⚒️] One idea for NTDS on-site dumping without VSS: NTFSCopy (thx @RedCursorSec) + #impacket’s RemoteOperations.getBootKey() + secretsdump[.]py (e.g., via a pre-compiled binary or @naksyn’s awesome Pyramid) 🤪
https://t.co/0UATJuJ1ob
🔗 https://ppn.snovvcrash.rocks/pentest/infrastructure/ad/credentials-dump/ntds#raw-ntds.dit-copy
🐥 [ tweet ][ quote ]