LATERAL MOVEMENT TO THE CLOUD WITH PASS-THE-PRT
Benjamin Delpy, author of Mimikatz, along with Dirk-jan Mollema have released research and code that show how attackers can perform lateral movement to the cloud with an attack called Pass-the-PRT. There have been some great detailed posts on this topic which I will reference throughout. My hope in this blog is to provide a simplified overview of the attack, how it works, and what you can do to protect yourself.
https://blog.stealthbits.com/lateral-movement-to-the-cloud-pass-the-prt/?utm_source=feedly&utm_medium=rss&utm_campaign=lateral-movement-to-the-cloud-pass-the-prt
#windows #ad #pentesting #redteaming
Benjamin Delpy, author of Mimikatz, along with Dirk-jan Mollema have released research and code that show how attackers can perform lateral movement to the cloud with an attack called Pass-the-PRT. There have been some great detailed posts on this topic which I will reference throughout. My hope in this blog is to provide a simplified overview of the attack, how it works, and what you can do to protect yourself.
https://blog.stealthbits.com/lateral-movement-to-the-cloud-pass-the-prt/?utm_source=feedly&utm_medium=rss&utm_campaign=lateral-movement-to-the-cloud-pass-the-prt
#windows #ad #pentesting #redteaming
Stealthbits Technologies
Lateral Movement to the Cloud with Pass-the-PRT
New research has shown similar techniques that are effective in moving laterally from a compromised workstation to connected cloud resources on Azure. Click in to learn about lateral movement to the cloud with pass-the-PRT.
Content-Type Research
Did you know that browsers support multiple Content-Type in HTTP response header?
https://github.com/BlackFan/content-type-research
#web #appsec #bugbounty #evasion
Did you know that browsers support multiple Content-Type in HTTP response header?
https://github.com/BlackFan/content-type-research
#web #appsec #bugbounty #evasion
GitHub
GitHub - BlackFan/content-type-research: Content-Type Research
Content-Type Research. Contribute to BlackFan/content-type-research development by creating an account on GitHub.
Penetration Testing Cheat Sheet
This is more of a checklist for myself. May contain useful tips and tricks.
https://github.com/ivan-sincek/penetration-testing-cheat-sheet
#cheatsheet #pentesting #linux #windows
This is more of a checklist for myself. May contain useful tips and tricks.
https://github.com/ivan-sincek/penetration-testing-cheat-sheet
#cheatsheet #pentesting #linux #windows
GitHub
GitHub - ivan-sincek/penetration-testing-cheat-sheet: Work in progress...
Work in progress... Contribute to ivan-sincek/penetration-testing-cheat-sheet development by creating an account on GitHub.
GoPurple
This project is a simple collection of various shell code injection techniques, aiming to streamline the process of endpoint detection evaluation, beside challenging myself to get into Golang world.
https://github.com/sh4hin/GoPurple
#evasion #bypass #redteaming #tools #golang
This project is a simple collection of various shell code injection techniques, aiming to streamline the process of endpoint detection evaluation, beside challenging myself to get into Golang world.
https://github.com/sh4hin/GoPurple
#evasion #bypass #redteaming #tools #golang
GitHub
GitHub - sh4hin/GoPurple: Yet another shellcode runner consists of different techniques for evaluating detection capabilities of…
Yet another shellcode runner consists of different techniques for evaluating detection capabilities of endpoint security solutions - sh4hin/GoPurple
SSRFIRE
An automated SSRF finder. Just give the domain name and your server and chill! ;) Also has options to find XSS and open redirects
https://github.com/micha3lb3n/SSRFire
#appsec #web #ssrf #tools
An automated SSRF finder. Just give the domain name and your server and chill! ;) Also has options to find XSS and open redirects
https://github.com/micha3lb3n/SSRFire
#appsec #web #ssrf #tools
GitHub
GitHub - ksharinarayanan/SSRFire: An automated SSRF finder. Just give the domain name and your server and chill! ;) Also has options…
An automated SSRF finder. Just give the domain name and your server and chill! ;) Also has options to find XSS and open redirects - ksharinarayanan/SSRFire
N1QLMap
The tool exfiltrates data from Couchbase database by exploiting N1QL injection vulnerabilities.
https://github.com/FSecureLABS/N1QLMap
#n1ql #tools #web #appsec
The tool exfiltrates data from Couchbase database by exploiting N1QL injection vulnerabilities.
https://github.com/FSecureLABS/N1QLMap
#n1ql #tools #web #appsec
GitHub
GitHub - FSecureLABS/N1QLMap: The tool exfiltrates data from Couchbase database by exploiting N1QL injection vulnerabilities.
The tool exfiltrates data from Couchbase database by exploiting N1QL injection vulnerabilities. - FSecureLABS/N1QLMap
Bypass AMSI by manual modification
This is my very first blog post. Its about how to manually change AMSI signatures/triggers to bypass it.
https://s3cur3th1ssh1t.github.io/Bypass_AMSI_by_manual_modification/
#redteaming #bypass #evasion #windows
This is my very first blog post. Its about how to manually change AMSI signatures/triggers to bypass it.
https://s3cur3th1ssh1t.github.io/Bypass_AMSI_by_manual_modification/
#redteaming #bypass #evasion #windows
s3cur3th1ssh1t.github.io
Bypass AMSI by manual modification | S3cur3Th1sSh1t
This is my very first blog post. Its about how to manually change AMSI signatures/triggers to bypass it.
Bypass AMSI by manual modification part II - Invoke-Mimikatz
This blog post will cover some lets say more advanced AMSI triggers. I decided to build a custom Invoke-Mimikatz script without AMSI trigger. I will also cover some information how Invoke-Mimikatz basically works for those who did not know it before.
https://s3cur3th1ssh1t.github.io/Bypass-AMSI-by-manual-modification-part-II/
#windows #redteaming #bypass #evasion #amsi
This blog post will cover some lets say more advanced AMSI triggers. I decided to build a custom Invoke-Mimikatz script without AMSI trigger. I will also cover some information how Invoke-Mimikatz basically works for those who did not know it before.
https://s3cur3th1ssh1t.github.io/Bypass-AMSI-by-manual-modification-part-II/
#windows #redteaming #bypass #evasion #amsi
s3cur3th1ssh1t.github.io
Bypass AMSI by manual modification part II - Invoke-Mimikatz | S3cur3Th1sSh1t
This blog post will cover some lets say more advanced AMSI triggers. I decided to build a custom Invoke-Mimikatz script without AMSI trigger. I will also cov...
StreamDivert: Relaying (specific) network connections
The first part of this blog will be the story of how this tool found it’s way into existence, the problems we faced and the thought process followed. The second part will be a more technical deep dive into the tool itself, how to use it, and how it works.
https://research.nccgroup.com/2020/09/10/streamdivert-relaying-specific-network-connections/
#redteaming #windows #tools
The first part of this blog will be the story of how this tool found it’s way into existence, the problems we faced and the thought process followed. The second part will be a more technical deep dive into the tool itself, how to use it, and how it works.
https://research.nccgroup.com/2020/09/10/streamdivert-relaying-specific-network-connections/
#redteaming #windows #tools
NCC Group Research Blog
StreamDivert: Relaying (specific) network connections
Author: Jelle Vergeer The first part of this blog will be the story of how this tool found it’s way into existence, the problems we faced and the thought process followed. The second part wil…
Detecting Microsoft 365 and Azure Active Directory Backdoors
Mandiant has seen an uptick in incidents involving Microsoft 365 (M365) and Azure Active Directory (Azure AD). Most of these incidents are the result of a phishing email coercing a user to enter their credentials used for accessing M365 into a phishing site. Other incidents have been a result of password spraying, password stuffing, or simple brute force attempts against M365 tenants. In almost all of these incidents, the user or account was not protected by multi-factor authentication (MFA).
https://www.fireeye.com/blog/threat-research/2020/09/detecting-microsoft-365-azure-active-directory-backdoors.html
#windows #blueteam #redteaming
Mandiant has seen an uptick in incidents involving Microsoft 365 (M365) and Azure Active Directory (Azure AD). Most of these incidents are the result of a phishing email coercing a user to enter their credentials used for accessing M365 into a phishing site. Other incidents have been a result of password spraying, password stuffing, or simple brute force attempts against M365 tenants. In almost all of these incidents, the user or account was not protected by multi-factor authentication (MFA).
https://www.fireeye.com/blog/threat-research/2020/09/detecting-microsoft-365-azure-active-directory-backdoors.html
#windows #blueteam #redteaming
Google Cloud Blog
Detecting Microsoft 365 and Azure Active Directory Backdoors | Mandiant | Google Cloud Blog
Building a custom Mimikatz binary
This post will cover how to build a custom Mimikatz binary by doing source code modification to get past AV/EDR software.
https://s3cur3th1ssh1t.github.io/Building-a-custom-Mimikatz-binary/
#tools #windows #mimikatz #redteaming #evasion
This post will cover how to build a custom Mimikatz binary by doing source code modification to get past AV/EDR software.
https://s3cur3th1ssh1t.github.io/Building-a-custom-Mimikatz-binary/
#tools #windows #mimikatz #redteaming #evasion
s3cur3th1ssh1t.github.io
Building a custom Mimikatz binary | S3cur3Th1sSh1t
This post will cover how to build a custom Mimikatz binary by doing source code modification to get past AV/EDR software.
Abusing RDP’s Remote Credential Guard with Rubeus PTT
Historically, attacks on RDP using Pass-The-Hash and Pass-The-Ticket techniques have not been possible. Typically, Windows performed an interactive logon when connecting to RDP, therefore valid credentials were always required to perform such logins.
https://www.pentestpartners.com/security-blog/abusing-rdps-remote-credential-guard-with-rubeus-ptt/
#creds #windows #pentesting #rdp
Historically, attacks on RDP using Pass-The-Hash and Pass-The-Ticket techniques have not been possible. Typically, Windows performed an interactive logon when connecting to RDP, therefore valid credentials were always required to perform such logins.
https://www.pentestpartners.com/security-blog/abusing-rdps-remote-credential-guard-with-rubeus-ptt/
#creds #windows #pentesting #rdp
Pentestpartners
Abusing RDP’s Remote Credential Guard with Rubeus PTT | Pen Test Partners
TL;DR Microsoft’s Remote Credential Guard (RCG) for RDP protects creds if an RDP server is compromised. It leaves little scope for password or NTLM credential dumping when a user connects to the server. It does however introduce workstation attack vectors.…
Attack of the clones: Git clients remote code execution
The main focus of this blog post is GitHub Desktop. Other Git clients such as GitKraken, Git-Tower and SourceTree were also found to be vulnerable, however these have different exploitation scenarios that require user interaction.
https://blog.blazeinfosec.com/attack-of-the-clones-github-desktop-remote-code-execution/
#exploitation #windows #git
The main focus of this blog post is GitHub Desktop. Other Git clients such as GitKraken, Git-Tower and SourceTree were also found to be vulnerable, however these have different exploitation scenarios that require user interaction.
https://blog.blazeinfosec.com/attack-of-the-clones-github-desktop-remote-code-execution/
#exploitation #windows #git
Hands off my service account!
Windows service accounts are one of the preferred attack surface for privilege escalation. If you are able to compromise such an account, it is quite easy to get the highest privileges, mainly due to the powerful impersonation privileges that are granted by default to services by the operating system.
https://decoder.cloud/2020/11/05/hands-off-my-service-account/
#windows #internals
Windows service accounts are one of the preferred attack surface for privilege escalation. If you are able to compromise such an account, it is quite easy to get the highest privileges, mainly due to the powerful impersonation privileges that are granted by default to services by the operating system.
https://decoder.cloud/2020/11/05/hands-off-my-service-account/
#windows #internals
Decoder's Blog
Hands off my service account!
Windows service accounts are one of the preferred attack surface for privilege escalation. If you are able to compromise such an account, it is quite easy to get the highest privileges, mainly due …
Using and detecting C2 printer pivoting
This post introduces the novel concept of Command & Control (C2) using print jobs, and demonstrates how this can be achieved using C3's Print channel. It also explores the OPSEC considerations behind the use of this technique, and outlines the detection opportunities that it can create.
https://labs.f-secure.com/blog/print-c2/
#windows #ad #pivoting #redteaming #pentesting
This post introduces the novel concept of Command & Control (C2) using print jobs, and demonstrates how this can be achieved using C3's Print channel. It also explores the OPSEC considerations behind the use of this technique, and outlines the detection opportunities that it can create.
https://labs.f-secure.com/blog/print-c2/
#windows #ad #pivoting #redteaming #pentesting
Advanced MSSQL Injection Tricks
We compiled a list of several techniques for improved exploition of MSSQL injections. All the vectors have been tested on at least three of the latest versions of Microsoft SQL Server: 2019, 2017, 2016SP2.
https://swarm.ptsecurity.com/advanced-mssql-injection-tricks/
#redteaming #windows #pentesting #mssql
We compiled a list of several techniques for improved exploition of MSSQL injections. All the vectors have been tested on at least three of the latest versions of Microsoft SQL Server: 2019, 2017, 2016SP2.
https://swarm.ptsecurity.com/advanced-mssql-injection-tricks/
#redteaming #windows #pentesting #mssql
PT SWARM
Advanced MSSQL Injection Tricks
We compiled a list of several techniques for improved exploition of MSSQL injections. All the vectors have been tested on at least three of the latest versions of Microsoft SQL Server: 2019, 2017, 2016SP2. DNS Out-of-Band If confronted with a fully blind…
31k$ SSRF in Google Cloud Monitoring led to metadata exposure
Google Cloud Monitoring (formerly called Stackdriver) is a service, which provides monitoring for cloud resources (VM instances, App Engine, Cloud functions...). It is available from Google Cloud Console. This service offers monitoring, alerting, uptime checks of cloud resources and much more. It is important to note that the Google Cloud Monitoring service itself is running on Google Cloud virtual machines.
https://nechudav.blogspot.com/2020/11/31k-ssrf-in-google-cloud-monitoring.html
#bugbounty #web #ssrf
Google Cloud Monitoring (formerly called Stackdriver) is a service, which provides monitoring for cloud resources (VM instances, App Engine, Cloud functions...). It is available from Google Cloud Console. This service offers monitoring, alerting, uptime checks of cloud resources and much more. It is important to note that the Google Cloud Monitoring service itself is running on Google Cloud virtual machines.
https://nechudav.blogspot.com/2020/11/31k-ssrf-in-google-cloud-monitoring.html
#bugbounty #web #ssrf
Blogspot
31k$ SSRF in Google Cloud Monitoring led to metadata exposure
Update 25.01.2021: Added Google engineers exploit method for getting access token. Google Cloud Monitoring (formerly called Stackdriver)...
Client-Side Prototype Pollution
If you are unfamiliar with Prototype Pollution Attack, you should read the following first:
JavaScript prototype pollution attack in NodeJS by Olivier Arteau
Prototype pollution – and bypassing client-side HTML sanitizers by Michał Bentkowski
https://github.com/BlackFan/client-side-prototype-pollution
#appsec #bugbounty #javascript
If you are unfamiliar with Prototype Pollution Attack, you should read the following first:
JavaScript prototype pollution attack in NodeJS by Olivier Arteau
Prototype pollution – and bypassing client-side HTML sanitizers by Michał Bentkowski
https://github.com/BlackFan/client-side-prototype-pollution
#appsec #bugbounty #javascript
GitHub
GitHub - BlackFan/client-side-prototype-pollution: Prototype Pollution and useful Script Gadgets
Prototype Pollution and useful Script Gadgets. Contribute to BlackFan/client-side-prototype-pollution development by creating an account on GitHub.
CVE-2020-17049: Kerberos Bronze Bit Attack – Theory
This attack expands upon the excellent research documented by Elad Shamir in “Wagging the Dog: Abusing Resource-Based Constrained Delegation to Attack Active Directory.” I’ll cover the key points below, but his article a great resource and primer for Kerberos and constrained delegation in AD.
https://blog.netspi.com/cve-2020-17049-kerberos-bronze-bit-theory/
#windows #ad #pentesting #kerberos #cve
This attack expands upon the excellent research documented by Elad Shamir in “Wagging the Dog: Abusing Resource-Based Constrained Delegation to Attack Active Directory.” I’ll cover the key points below, but his article a great resource and primer for Kerberos and constrained delegation in AD.
https://blog.netspi.com/cve-2020-17049-kerberos-bronze-bit-theory/
#windows #ad #pentesting #kerberos #cve
NetSPI
CVE-2020-17049: Kerberos Bronze Bit Attack - Theory
This post is an overview of the theory of the Bronze Bit attack (CVE-2020-17049) against Kerberos implementations in Windows Active Directory.
CVE-2020-17049: Kerberos Bronze Bit Attack – Practical Exploitation
This post reviews how the Kerberos Bronze Bit vulnerability (CVE-2020-17049) can be exploited in practice. I strongly suggest first reading the Bronze Bit Attack in Theory post to understand why and how this attacks works.
https://blog.netspi.com/cve-2020-17049-kerberos-bronze-bit-attack/
#windows #ad #pentesting #kerberos #cve
This post reviews how the Kerberos Bronze Bit vulnerability (CVE-2020-17049) can be exploited in practice. I strongly suggest first reading the Bronze Bit Attack in Theory post to understand why and how this attacks works.
https://blog.netspi.com/cve-2020-17049-kerberos-bronze-bit-attack/
#windows #ad #pentesting #kerberos #cve
NetSPI
CVE-2020-17049: Kerberos Bronze Bit Attack - Practical Exploitation
This post is an overview of the practical exploitation of the Bronze Bit attack (CVE-2020-17049) in a Windows Active Directory environment.