π [ jack_halon, Jack Halon ]
Today I am finally releasing a new 3-part browser exploitation series on Chrome! This was written to help beginners break into the browser exploitation field.
Part 1 covers V8 internals such as objects, properties, and memory optimizations. Enjoy! https://t.co/bbFjOOzlOu
π https://jhalon.github.io/chrome-browser-exploitation-1/
π₯ [ tweet ]
Today I am finally releasing a new 3-part browser exploitation series on Chrome! This was written to help beginners break into the browser exploitation field.
Part 1 covers V8 internals such as objects, properties, and memory optimizations. Enjoy! https://t.co/bbFjOOzlOu
π https://jhalon.github.io/chrome-browser-exploitation-1/
π₯ [ tweet ]
π [ mpgn_x64, mpgn ]
CrackMapExec can now retrieve gMSA passwords using LDAP protocol and option --gmsa π₯ Thanks to @pentest_swissky for this addition into CME π«‘
Also, I probably don't say it enough but thanks to all the sponsors from @porchetta_ind πͺ
π₯ [ tweet ]
CrackMapExec can now retrieve gMSA passwords using LDAP protocol and option --gmsa π₯ Thanks to @pentest_swissky for this addition into CME π«‘
Also, I probably don't say it enough but thanks to all the sponsors from @porchetta_ind πͺ
π₯ [ tweet ]
π [ kalilinux, Kali Linux ]
New Blog Post - Kali Community Themes https://t.co/G0IVtG4hcl
Everyone loves the default Kali themes, but some people like too heavily customize their install to make it their own. In this community blog post we discuss customizations some have made along with their configs.
π https://www.kali.org/blog/kali-community-themes/
π₯ [ tweet ]
New Blog Post - Kali Community Themes https://t.co/G0IVtG4hcl
Everyone loves the default Kali themes, but some people like too heavily customize their install to make it their own. In this community blog post we discuss customizations some have made along with their configs.
π https://www.kali.org/blog/kali-community-themes/
π₯ [ tweet ]
π [ mpgn_x64, mpgn ]
Dumping LSASS is such a 2020 move, let me introduce a new CrackMapExec module called Masky developed by @_ZakSec π
If you have admin privilege, the module will impersonate all users connected -> ask a certificate (ADCS) -> retrieve the NT hash using PKINIT π
Crazy module πͺ
π₯ [ tweet ]
Dumping LSASS is such a 2020 move, let me introduce a new CrackMapExec module called Masky developed by @_ZakSec π
If you have admin privilege, the module will impersonate all users connected -> ask a certificate (ADCS) -> retrieve the NT hash using PKINIT π
Crazy module πͺ
π₯ [ tweet ]
π [ BlackArrowSec, BlackArrow ]
π₯One shell to HANDLE them all
New approach to escalate privileges from a web shell by abusing open token handles. #RedTeam /cc @_Kudaes_
β‘ https://t.co/8KWQw4q5U5
π https://www.tarlogic.com/blog/token-handles-abuse-one-shell-to-handle-them-all/
π₯ [ tweet ]
π₯One shell to HANDLE them all
New approach to escalate privileges from a web shell by abusing open token handles. #RedTeam /cc @_Kudaes_
β‘ https://t.co/8KWQw4q5U5
π https://www.tarlogic.com/blog/token-handles-abuse-one-shell-to-handle-them-all/
π₯ [ tweet ]
π [ _dirkjan, Dirk-jan ]
If you missed my Black Hat US talk about abusing External Identities in Azure AD, I will be giving the talk again as a BH webcast on Thursday November 10th!
You can register on the BH site: https://t.co/9QgT5Cd5Xk
I'll be joined by @kfosaaen sharing more Azure AD research π
π https://www.blackhat.com/html/webcast/11102022-backdooring-and-hijacking-azure-ad-accounts.html
π₯ [ tweet ]
If you missed my Black Hat US talk about abusing External Identities in Azure AD, I will be giving the talk again as a BH webcast on Thursday November 10th!
You can register on the BH site: https://t.co/9QgT5Cd5Xk
I'll be joined by @kfosaaen sharing more Azure AD research π
π https://www.blackhat.com/html/webcast/11102022-backdooring-and-hijacking-azure-ad-accounts.html
π₯ [ tweet ]
π [ _RastaMouse, Rasta Mouse ]
I finally got around to publishing release binaries for #SharpC2. They're self-contained, so no need to have a .NET runtime or SDK installed to use.
https://t.co/sGFr5XbAtf
π https://github.com/rasta-mouse/SharpC2/releases/latest
π₯ [ tweet ]
I finally got around to publishing release binaries for #SharpC2. They're self-contained, so no need to have a .NET runtime or SDK installed to use.
https://t.co/sGFr5XbAtf
π https://github.com/rasta-mouse/SharpC2/releases/latest
π₯ [ tweet ]
Forwarded from 1N73LL1G3NC3
A PoC that combines AutodialDLL lateral movement technique and SSP to scrape NTLM hashes from LSASS process.
Description
Upload a DLL to the target machine. Then it enables remote registry to modify AutodialDLL entry and start/restart BITS service. Svchosts would load our DLL, set again AutodiaDLL to default value and perform a RPC request to force LSASS to load the same DLL as a Security Support Provider. Once the DLL is loaded by LSASS, it would search inside the process memory to extract NTLM hashes and the key/IV.
Description
Upload a DLL to the target machine. Then it enables remote registry to modify AutodialDLL entry and start/restart BITS service. Svchosts would load our DLL, set again AutodiaDLL to default value and perform a RPC request to force LSASS to load the same DLL as a Security Support Provider. Once the DLL is loaded by LSASS, it would search inside the process memory to extract NTLM hashes and the key/IV.
π [ praetorianlabs, Praetorian ]
As CI/CD pipelines become more prevalent, their attack surface and abuse are being leveraged more and more by advanced red teams and real-world APTs
https://t.co/okEik1OrsK
π http://ow.ly/erVT50LmSL7
π₯ [ tweet ]
As CI/CD pipelines become more prevalent, their attack surface and abuse are being leveraged more and more by advanced red teams and real-world APTs
https://t.co/okEik1OrsK
π http://ow.ly/erVT50LmSL7
π₯ [ tweet ]
π [ _RastaMouse, Rasta Mouse ]
[BLOG]
Short post on using the different methods for getting a Domain object in .NET and why you should care in your tools.
https://t.co/4l8jcx8ozN
π https://rastamouse.me/getdomain-vs-getcomputerdomain-vs-getcurrentdomain/
π₯ [ tweet ]
[BLOG]
Short post on using the different methods for getting a Domain object in .NET and why you should care in your tools.
https://t.co/4l8jcx8ozN
π https://rastamouse.me/getdomain-vs-getcomputerdomain-vs-getcurrentdomain/
π₯ [ tweet ]
π [ ShitSecure, S3cur3Th1sSh1t ]
Colleage of mine is currently on fire with blog posts and YouTube videos. π₯Basic AV evasion stuff but also Pentest topics, and more. Worth checking out: @lsecqt
https://t.co/xMFoxckU9D
π https://m.youtube.com/c/Lsecqt
π₯ [ tweet ]
Colleage of mine is currently on fire with blog posts and YouTube videos. π₯Basic AV evasion stuff but also Pentest topics, and more. Worth checking out: @lsecqt
https://t.co/xMFoxckU9D
π https://m.youtube.com/c/Lsecqt
π₯ [ tweet ]
π [ tiraniddo, James Forshaw ]
Finally got around to writing a blog about the Kerberos RC4-MD4 downgrade attack, how it works, and how you can exploit it. https://t.co/cBKoVtZKug
π https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harmful.html
π₯ [ tweet ]
Finally got around to writing a blog about the Kerberos RC4-MD4 downgrade attack, how it works, and how you can exploit it. https://t.co/cBKoVtZKug
π https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harmful.html
π₯ [ tweet ]
π [ n00py1, n00py ]
Itβs back!
https://t.co/OrO5khXz2f
π https://crack.sh/get-cracking/
π₯ [ tweet ]
Itβs back!
https://t.co/OrO5khXz2f
π https://crack.sh/get-cracking/
π₯ [ tweet ]
π₯4
π [ ORCx41, ORCA ]
had some time, so i made this; does process injection, ppid spoofing stuff, and a few other neat things ;p
https://t.co/oMgC16MubJ
π https://github.com/ORCx41/TerraLdr
π₯ [ tweet ]
had some time, so i made this; does process injection, ppid spoofing stuff, and a few other neat things ;p
https://t.co/oMgC16MubJ
π https://github.com/ORCx41/TerraLdr
π₯ [ tweet ]
π [ 424f424f, rvrsh3ll ]
Excellent demonstration of LPE via WebDAV to Shadow Credentials over C2 by @vendetce https://t.co/UWHAI4k51j
π https://youtu.be/b0lLxLJKaRs?t=3549
π₯ [ tweet ]
Excellent demonstration of LPE via WebDAV to Shadow Credentials over C2 by @vendetce https://t.co/UWHAI4k51j
π https://youtu.be/b0lLxLJKaRs?t=3549
π₯ [ tweet ]
π [ SkelSec, SkelSec ]
Managed to create the exploit for @tiraniddo 's latest Kerberos findings!
#feelsaccomplished
π₯ [ tweet ]
Managed to create the exploit for @tiraniddo 's latest Kerberos findings!
#feelsaccomplished
π₯ [ tweet ]
π [ sensepost, Orange Cyberdefense's SensePost Team ]
Read @defte_'s Windows authentication token manipulation deep dive to compromise Active Directory in this new blog post. Includes a new tool and a CrackMapExec module using it as a, "token" of appreciation.
https://t.co/ML8FHoIi5f
π https://sensepost.com/blog/2022/abusing-windows-tokens-to-compromise-active-directory-without-touching-lsass/
π₯ [ tweet ]
Read @defte_'s Windows authentication token manipulation deep dive to compromise Active Directory in this new blog post. Includes a new tool and a CrackMapExec module using it as a, "token" of appreciation.
https://t.co/ML8FHoIi5f
π https://sensepost.com/blog/2022/abusing-windows-tokens-to-compromise-active-directory-without-touching-lsass/
π₯ [ tweet ]
π [ mpgn_x64, mpgn ]
We worked together with @_zblurx to pull this new feature on CME ! CrackMapExec can now authenticate using kerberos with login/pass/nthash/aeskey without the need of a KRB5CCNAME ticket env π
But wait there is more! by adding this feature we can now mimic kerbrute features π₯π«‘
π₯ [ tweet ]
We worked together with @_zblurx to pull this new feature on CME ! CrackMapExec can now authenticate using kerberos with login/pass/nthash/aeskey without the need of a KRB5CCNAME ticket env π
But wait there is more! by adding this feature we can now mimic kerbrute features π₯π«‘
π₯ [ tweet ]
π₯4
π [ an0n_r0, an0n ]
here is a basic meterpreter protocol stager for PE stages using the libpeconv project by @hasherezade:
https://t.co/qsdb9XWvgj
no evasion included, using this only as a template. but already able to run it with a Sliver EXE beacon as a stage against Defender for Endpoint.
π https://github.com/tothi/stager_libpeconv
π₯ [ tweet ]
here is a basic meterpreter protocol stager for PE stages using the libpeconv project by @hasherezade:
https://t.co/qsdb9XWvgj
no evasion included, using this only as a template. but already able to run it with a Sliver EXE beacon as a stage against Defender for Endpoint.
π https://github.com/tothi/stager_libpeconv
π₯ [ tweet ]