#tools
#Red_Team_Tactics
1. Talon - password guessing tool that targets the Kerberos/LDAP services within the Windows AD environment
https://github.com/optiv/Talon
2. Bypass Rails::Html::SafeListSanitizer filtering and perform an XSS attack
https://hackerone.com/reports/1656627
3. Tool which can help to get NT AUTHORITY\SYSTEM from arbitrary directory creation bugs
https://github.com/binderlabs/DirCreate2System
#Red_Team_Tactics
1. Talon - password guessing tool that targets the Kerberos/LDAP services within the Windows AD environment
https://github.com/optiv/Talon
2. Bypass Rails::Html::SafeListSanitizer filtering and perform an XSS attack
https://hackerone.com/reports/1656627
3. Tool which can help to get NT AUTHORITY\SYSTEM from arbitrary directory creation bugs
https://github.com/binderlabs/DirCreate2System
GitHub
GitHub - optiv/Talon: A password guessing tool that targets the Kerberos and LDAP services within the Windows Active Directory…
A password guessing tool that targets the Kerberos and LDAP services within the Windows Active Directory environment. - optiv/Talon
#exploit
1. CVE-2022-42895:
Linux Kernel: Infoleak in Bluetooth L2CAP Handling
https://seclists.org/oss-sec/2022/q4/190
2. CVE-2021-43444 - 43449:
Exploiting ONLYOFFICE Web Sockets for Unauth RCE
https://labs.nettitude.com/blog/exploiting-onlyoffice-web-sockets-for-unauthenticated-remote-code-execution
3. Exploiting SUID Binaries
https://medium.com/@tinopreter/linux-privesc-3-exploiting-suid-binaries-72ec5460c6a
1. CVE-2022-42895:
Linux Kernel: Infoleak in Bluetooth L2CAP Handling
https://seclists.org/oss-sec/2022/q4/190
2. CVE-2021-43444 - 43449:
Exploiting ONLYOFFICE Web Sockets for Unauth RCE
https://labs.nettitude.com/blog/exploiting-onlyoffice-web-sockets-for-unauthenticated-remote-code-execution
3. Exploiting SUID Binaries
https://medium.com/@tinopreter/linux-privesc-3-exploiting-suid-binaries-72ec5460c6a
seclists.org
oss-sec: Re: Linux Kernel: Infoleak in Bluetooth L2CAP Handling
👍2
DACLs_abuse.png
1.1 MB
#Infographics
#Offensive_security
DACLs (Active Directory Discretionary Access Control Lists) abuse
https://www.thehacker.recipes/ad/movement/dacl
#Offensive_security
DACLs (Active Directory Discretionary Access Control Lists) abuse
https://www.thehacker.recipes/ad/movement/dacl
Cooprudea.com.sql
249.9 MB
🌐 Cooprudea.com
ip, ip_long, user_login, user_id, stamp, activity, session_id, country, details, ac_bot, ac_status, ac_by_user
email_to, subject, content, sender_name, sender_email, debug_mode, debugging_output, timestamp, status
📣CVE-2022-28672.zip
16.3 KB
🔥🔥🔥Foxit PDF Reader UAF RCE Exploit JIT Spraying(CVE-2022-28672) - blog post.
This research shows that if Foxit Reader had been compiled with CFG support, the discovered bug would have been more difficult to exploit. However, the lack of CFG support allowed the attacker to use JIT spraying to bypass existing mitigations such as ASLR and DEP. This highlights the importance of using multiple layers of defense to protect against attacks.
💥PoC Exploit
📺Demo: Foxit PDF Reader RCE Demo - CVE-2022-28672
This research shows that if Foxit Reader had been compiled with CFG support, the discovered bug would have been more difficult to exploit. However, the lack of CFG support allowed the attacker to use JIT spraying to bypass existing mitigations such as ASLR and DEP. This highlights the importance of using multiple layers of defense to protect against attacks.
💥PoC Exploit
📺Demo: Foxit PDF Reader RCE Demo - CVE-2022-28672
🔥CVE-2021-43444 to 43449: Exploiting ONLYOFFICE Web Sockets for Unauthenticated RCE.
Javascript-Keylogger.zip
13.7 KB
⌨️Javascript Keylogger can come handy in case you are able to access only
DOM/JS of a website and want to get naughty.
Usage:
💾change url variable in keylogger.js to url address where keylogger.php is located
💾load keylogger.js in the DOM of the attacked application
💾put keylogger.php and data.txt to your server where you have data write access (don't forget to set pertinent file privileges).
💥Profit! You're done, just let the victim come to attacked website with JS allowed in the browser and type something.
DOM/JS of a website and want to get naughty.
Usage:
💾change url variable in keylogger.js to url address where keylogger.php is located
💾load keylogger.js in the DOM of the attacked application
💾put keylogger.php and data.txt to your server where you have data write access (don't forget to set pertinent file privileges).
💥Profit! You're done, just let the victim come to attacked website with JS allowed in the browser and type something.
🔓Defeating Windows ASLR via low-entropy shared libraries in 2 hours
As it was demonstrated in this article, ASLR implementation on Windows has important nuances and in some situation can introduce additional risk for an application, especially if the target is a 32-bit program or it is linked with a library which was compiled without /HIGHENTROPYVA and /LARGEADDRESSAWARE flags. While the best solution would be to have per-execution randomization as it is done in Linux and modern MacOS, the good decision would be to move away from 32-bit to 64-bit applications and avoid linkage with shared libraries compiled without /HIGHENTROPYVA and /LARGEADDRESSAWARE flags. This would help to significantly increase complexity of an attack.
As it was demonstrated in this article, ASLR implementation on Windows has important nuances and in some situation can introduce additional risk for an application, especially if the target is a 32-bit program or it is linked with a library which was compiled without /HIGHENTROPYVA and /LARGEADDRESSAWARE flags. While the best solution would be to have per-execution randomization as it is done in Linux and modern MacOS, the good decision would be to move away from 32-bit to 64-bit applications and avoid linkage with shared libraries compiled without /HIGHENTROPYVA and /LARGEADDRESSAWARE flags. This would help to significantly increase complexity of an attack.
MurkyStrings.zip
10 KB
🔥String Obfuscation The Malware Way - blog post
While this technique is not as secure as encryption, it can still be useful for malware authors who want to avoid detection by simple string analysis and other static analysis techniques. Not encrypting or encoding the strings will also help avoid entropy-based detections.
💥MurkyStrings is a string obfuscator for .NET applications, built to evade static string analysis. It does not rely on encryption or encoding to evade entropy-based detections. Instead, it transforms strings into a murky mess by inserting special characters and random words. Removing them again on runtime.
Usage:
MurkyStrings.exe <file path> [--mode=<mode>]
Available modes:
💾replace[glyph] - Insert a variety of homoglyph characters that look identical to alphabetical characters
💾replace[simple] - Insert random amounts of a special character in between all actual characters
💾combine[glyph] - Combines remove and replace[glyph]
💾combine[simple] - Combines remove and replace[simple]
While this technique is not as secure as encryption, it can still be useful for malware authors who want to avoid detection by simple string analysis and other static analysis techniques. Not encrypting or encoding the strings will also help avoid entropy-based detections.
💥MurkyStrings is a string obfuscator for .NET applications, built to evade static string analysis. It does not rely on encryption or encoding to evade entropy-based detections. Instead, it transforms strings into a murky mess by inserting special characters and random words. Removing them again on runtime.
Usage:
MurkyStrings.exe <file path> [--mode=<mode>]
Available modes:
💾replace[glyph] - Insert a variety of homoglyph characters that look identical to alphabetical characters
💾replace[simple] - Insert random amounts of a special character in between all actual characters
💾combine[glyph] - Combines remove and replace[glyph]
💾combine[simple] - Combines remove and replace[simple]
На Source Zero Con 2022 представили данный инструмент. Если кратко: кидаете скомпилированный бинарь, тулза из бинаря убирает известные IoC строки, подписывает сертом из другого бинаря, ну и помогает EDR обходить (за счёт увеличения размера файла)
https://github.com/optiv/Mangle
#redteam #pentest #bypass
https://github.com/optiv/Mangle
#redteam #pentest #bypass
GitHub
GitHub - optiv/Mangle: Mangle is a tool that manipulates aspects of compiled executables (.exe or DLL) to avoid detection from…
Mangle is a tool that manipulates aspects of compiled executables (.exe or DLL) to avoid detection from EDRs - optiv/Mangle
🛡Akamai’s Perspective on December’s Patch Tuesday 2022
In this report, we’ll assess how critical the vulnerabilities really are and how commonplace the affected applications and services are, and we’ll provide a realistic perspective on the bugs that were fixed.
🛡December 2022 Patch Tuesday: 10 Critical CVEs, One Zero-Day, One Under Active Attack(crowdstrike)
🛡Microsoft Patch Tuesday for December 2022 — Snort rules and prominent vulnerabilities(talos intelligence)
🛡The December 2022 Security Update Review(ZDI)
🛡Microsoft’s December 2022 Patch Tuesday Addresses 48 CVEs(tenable)
🛡Microsoft Patch Tuesday, December 2022 Edition(KrebsonSecurity)
🛡Patch Tuesday - December 2022(rapid7)
In this report, we’ll assess how critical the vulnerabilities really are and how commonplace the affected applications and services are, and we’ll provide a realistic perspective on the bugs that were fixed.
🛡December 2022 Patch Tuesday: 10 Critical CVEs, One Zero-Day, One Under Active Attack(crowdstrike)
🛡Microsoft Patch Tuesday for December 2022 — Snort rules and prominent vulnerabilities(talos intelligence)
🛡The December 2022 Security Update Review(ZDI)
🛡Microsoft’s December 2022 Patch Tuesday Addresses 48 CVEs(tenable)
🛡Microsoft Patch Tuesday, December 2022 Edition(KrebsonSecurity)
🛡Patch Tuesday - December 2022(rapid7)