π [ _nwodtuhs, Charlie βShutdownβ ]
Wrapping things up and pushing a pull request on Impacket, followed by https://t.co/h6yAdPK5NM guidance on the matter
- Kerberoast trough AS-REQ w/o pre-auth
- Service ticket request through AS-REQ
Again, great work by @exploitph
π http://thehacker.recipes
π₯ [ tweet ][ quote ]
Wrapping things up and pushing a pull request on Impacket, followed by https://t.co/h6yAdPK5NM guidance on the matter
- Kerberoast trough AS-REQ w/o pre-auth
- Service ticket request through AS-REQ
Again, great work by @exploitph
π http://thehacker.recipes
π₯ [ tweet ][ quote ]
π₯2
π [ _nwodtuhs, Charlie βShutdownβ ]
THR guidance done : https://t.co/y3YFN4JUFi
π https://www.thehacker.recipes/ad/movement/kerberos/kerberoast#kerberoast-w-o-pre-authentication
π₯ [ tweet ][ quote ]
THR guidance done : https://t.co/y3YFN4JUFi
π https://www.thehacker.recipes/ad/movement/kerberos/kerberoast#kerberoast-w-o-pre-authentication
π₯ [ tweet ][ quote ]
π [ carlospolopm, carlospolop ]
HackTricks Cloud (or CloudTrick) is finally public:
- https://t.co/VwgVsUKo3x
- https://t.co/kZ9XlHAsJR
Thank you again to all the supporters!
#hacktricks #cloud
π https://cloud.hacktricks.xyz/
π https://github.com/carlospolop/hacktricks-cloud
π₯ [ tweet ]
HackTricks Cloud (or CloudTrick) is finally public:
- https://t.co/VwgVsUKo3x
- https://t.co/kZ9XlHAsJR
Thank you again to all the supporters!
#hacktricks #cloud
π https://cloud.hacktricks.xyz/
π https://github.com/carlospolop/hacktricks-cloud
π₯ [ tweet ]
π [ DirectoryRanger, DirectoryRanger ]
DumpThatLSASS. Dumping LSASS by Unhooking MiniDumpWriteDump by getting a fresh DbgHelp.dll copy from the disk
https://t.co/wKgBmr5CR6
π https://github.com/D1rkMtr/DumpThatLSASS
π₯ [ tweet ]
DumpThatLSASS. Dumping LSASS by Unhooking MiniDumpWriteDump by getting a fresh DbgHelp.dll copy from the disk
https://t.co/wKgBmr5CR6
π https://github.com/D1rkMtr/DumpThatLSASS
π₯ [ tweet ]
π [ zux0x3a, Lawrence εε«ζ― ]
https://t.co/k3QhNFrV9R
π https://github.com/Rvn0xsy/AsmShellcodeLoader
π₯ [ tweet ]
https://t.co/k3QhNFrV9R
π https://github.com/Rvn0xsy/AsmShellcodeLoader
π₯ [ tweet ]
This media is not supported in your browser
VIEW IN TELEGRAM
π [ aniqfakhrul, Aniq Fakhrul ]
Simple POC on exfiltrating using google translate. Also resolution is π©, my bad.
π₯ [ tweet ]
Simple POC on exfiltrating using google translate. Also resolution is π©, my bad.
π₯ [ tweet ]
π₯3
π [ cnotin, ClΓ©ment Notin ]
Have you ever wondered how to decrypt βencrypted stub dataβ π fields in Wireshark when analyzing Kerberos, RPC, LDAP... traffic?
β‘οΈ Ask no more!
https://t.co/dkjidQt6Fv
1. get Kerberos keys
2. give keys to Wireshark in a keytab file
3. get decrypted RPC!
Works with NTLM too π
π https://medium.com/tenable-techblog/decrypt-encrypted-stub-data-in-wireshark-deb132c076e7
π₯ [ tweet ]
Have you ever wondered how to decrypt βencrypted stub dataβ π fields in Wireshark when analyzing Kerberos, RPC, LDAP... traffic?
β‘οΈ Ask no more!
https://t.co/dkjidQt6Fv
1. get Kerberos keys
2. give keys to Wireshark in a keytab file
3. get decrypted RPC!
Works with NTLM too π
π https://medium.com/tenable-techblog/decrypt-encrypted-stub-data-in-wireshark-deb132c076e7
π₯ [ tweet ]
π [ NotMedic, Tim McGuffin ]
I don't know what to do with this knowledge, but today I learned that curl has a handler for LDAP URIs.
curl --user $CREDS "ldaps://ldap.foo.com/DC=ads,DC=foo,DC=com?memberOf?sub?(&(sAMAccountName=$USER)(memberOf=CN=$GROUP,OU=Distribution,OU=Groups,DC=ads,DC=foo,DC=com))"
π₯ [ tweet ]
I don't know what to do with this knowledge, but today I learned that curl has a handler for LDAP URIs.
curl --user $CREDS "ldaps://ldap.foo.com/DC=ads,DC=foo,DC=com?memberOf?sub?(&(sAMAccountName=$USER)(memberOf=CN=$GROUP,OU=Distribution,OU=Groups,DC=ads,DC=foo,DC=com))"
π₯ [ tweet ]
π [ PortSwiggerRes, PortSwigger Research ]
Arbitrary cache poisoning on all Akamai websites via 'Connection: Content-Length' - $50k in bounties well-earned by @jacopotediosi
https://t.co/UmlKIGsgWR
https://t.co/OFHGMVA2gP
π https://medium.com/@jacopotediosi/worldwide-server-side-cache-poisoning-on-all-akamai-edge-nodes-50k-bounty-earned-f97d80f3922b
π https://blog.hacktivesecurity.com/index.php/2022/09/17/http/
π₯ [ tweet ]
Arbitrary cache poisoning on all Akamai websites via 'Connection: Content-Length' - $50k in bounties well-earned by @jacopotediosi
https://t.co/UmlKIGsgWR
https://t.co/OFHGMVA2gP
π https://medium.com/@jacopotediosi/worldwide-server-side-cache-poisoning-on-all-akamai-edge-nodes-50k-bounty-earned-f97d80f3922b
π https://blog.hacktivesecurity.com/index.php/2022/09/17/http/
π₯ [ tweet ]
π [ C5pider, 5pider ]
Have fun guys.
https://t.co/hjq5qTYgMc
https://t.co/Z2mAJIiAGQ
https://t.co/WehmmCVCsC
π https://www.virustotal.com/gui/file/ec6896542e726997e4e01d11f4fce88cb97ec59243f291966fb3ce48308041d8
π https://www.virustotal.com/gui/file/56d507046eaf1fcfbdaa5491679c4f7244c9ad5cc9da4a03332c6ccb2f69ee2d
π https://www.virustotal.com/gui/file-analysis/ZGFhZGU5ZWIzNjcxNzA4ODhkNzdmZDljNjViODY4MzU6MTY2NDU0NTE2Mw==
π₯ [ tweet ]
Have fun guys.
https://t.co/hjq5qTYgMc
https://t.co/Z2mAJIiAGQ
https://t.co/WehmmCVCsC
π https://www.virustotal.com/gui/file/ec6896542e726997e4e01d11f4fce88cb97ec59243f291966fb3ce48308041d8
π https://www.virustotal.com/gui/file/56d507046eaf1fcfbdaa5491679c4f7244c9ad5cc9da4a03332c6ccb2f69ee2d
π https://www.virustotal.com/gui/file-analysis/ZGFhZGU5ZWIzNjcxNzA4ODhkNzdmZDljNjViODY4MzU6MTY2NDU0NTE2Mw==
π₯ [ tweet ]
ΡΠΌ, Π° Π³Π΄Π΅ ΡΠΎΡΡΡ-ΡΠΎ??π€2
π [ C5pider, 5pider ]
The Havoc Framework
https://t.co/eBpOaicsI6
π https://github.com/HavocFramework/Havoc
π₯ [ tweet ]
The Havoc Framework
https://t.co/eBpOaicsI6
π https://github.com/HavocFramework/Havoc
π₯ [ tweet ]
ΡΠ°ΠΊ, Π΄ΠΎΠΆΠ΄Π°Π»ΠΈΡΡ ΡΠΎΡΡΠΎΠ²π₯3
π [ codex_tf2, CodeX ]
PyHmmm - third party agent PoC for Havoc C2 - repo + blogpost
https://t.co/kolzUJHL0n
https://t.co/pzPAK77ftn
π https://codex-7.gitbook.io/codexs-terminal-window/red-team/red-team-dev/extending-havoc-c2/third-party-agents
π https://github.com/CodeXTF2/PyHmmm
π₯ [ tweet ]
PyHmmm - third party agent PoC for Havoc C2 - repo + blogpost
https://t.co/kolzUJHL0n
https://t.co/pzPAK77ftn
π https://codex-7.gitbook.io/codexs-terminal-window/red-team/red-team-dev/extending-havoc-c2/third-party-agents
π https://github.com/CodeXTF2/PyHmmm
π₯ [ tweet ]
π [ MrUn1k0d3r, Mr.Un1k0d3r ]
You want to use signed PowerShell scripts?
Have a look at all the signed PowerShell scripts located in C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\
Some of these can execute code and do all kind of interesting stuff.
https://t.co/7uBzACJ4JP
#redteam
π https://github.com/Mr-Un1k0d3r/ATP-PowerShell-Scripts
π₯ [ tweet ]
You want to use signed PowerShell scripts?
Have a look at all the signed PowerShell scripts located in C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\
Some of these can execute code and do all kind of interesting stuff.
https://t.co/7uBzACJ4JP
#redteam
π https://github.com/Mr-Un1k0d3r/ATP-PowerShell-Scripts
π₯ [ tweet ]
π₯1
π [ theluemmel, ADCluemmelSec ]
UPDATES to ADCS blog.
@ly4k_ gave so much input I had to implement.
@n00py1 gave a really good hint for ESC5 with his question.
So here goes:
ESC2 - Update how it works
ESC4 - Automation via Certipy
ESC5 - Full attack path
Bonus - Bloodhound Integration
https://t.co/iWvY9gTIAM
π https://luemmelsec.github.io/Skidaddle-Skideldi-I-just-pwnd-your-PKI/
π₯ [ tweet ]
UPDATES to ADCS blog.
@ly4k_ gave so much input I had to implement.
@n00py1 gave a really good hint for ESC5 with his question.
So here goes:
ESC2 - Update how it works
ESC4 - Automation via Certipy
ESC5 - Full attack path
Bonus - Bloodhound Integration
https://t.co/iWvY9gTIAM
π https://luemmelsec.github.io/Skidaddle-Skideldi-I-just-pwnd-your-PKI/
π₯ [ tweet ]