Ghostwriter v4: 2FA, RBAC, and Logging, Oh My!
#specterops
Ghostwriter v4 is officially here! Technically, it’s been available as a release candidate for a while, but we have arrived at its final…
via SpecterOps Team Medium (author: Christopher Maddalena)
Basic Authentication Versus CSRF
#trustedsec
I was recently involved in an engagement where access was controlled by Basic Authentication. One (1) of the findings I discovered was a Cross-Site Request Forgery (CSRF) vulnerability. The client was unsure of the best approach to prevent CSRF in the context of using Basic Authentication. In this blog post, I will examine the security...
via TrustedSec Blog (author: Roza Maille)
DOM Invader and the case of direct eval vs indirect eval
#portswigger
What is DOM Invader? DOM Invader is a browser extension that makes it easy to find DOM based XSS by instrumenting various JavaScript functions. You can find out more about DOM Invader here: Introducin
via PortSwigger Blog
Introducing ntdissector, a swiss army knife for your NTDS.dit files
#synacktiv
via Synacktiv Blog (author: Julien Legras)
Legitimate exfiltration tools: summary and detection for incident response and threat hunting
#synacktiv
via Synacktiv Blog (author: Nathanael Ndong)
Evilginx Pro - The Future of Phishing
#kgretzky
I've teased the idea of Evilginx Pro long enough and I think it is finally time to make a proper reveal of what it exactly is.
Evilginx Pro will be a paid professional version of Evilginx, with extra features and added advanced reverse proxy anti-detection techniques, available only
via BREAKDEV Blog (author: Kuba Gretzky)
Nighthawk 0.2.6 – Three Wise Monkeys
#mdsec
Overview See no evil, hear no evil, speak no evil. This Japanese maxim epitomises the EDRs coming up against our latest release of Nighthawk. Following copious amounts of research and...
via MDSec Blog (author: Admin)
#tool #conference
📣 For those who have not seen the DEF CON 31 records yet
I prepared brief descriptions and links to my favorite ones 👇
👉 Spooky Authentication at a Distance by SkelSec - SSPI authentication (Kerberos or NTLM) proxy through VICTIM machine.
Tools:
🔧 wsnet - SSPI authentication and TCP traffic proxy server and client in Python 3.
🔧 wsnet-dotnet - same as wsnet, but only agent written in C#.
The speaker also demonstrated integration with msldap, aiosmb and octopwn, but these changes are not open source (for now, I hope).
👉 A Broken Marriage Abusing Mixed Vendor Kerberos Stacks by CCob - userPrincipalName abuse to authenticate to non-Microsoft Kerberos services (e.g. GSSAPI+Kerberos services like SSH, Postgres, etc.) integrated with Active Directory.
👉 SpamChannel - Spoofing Emails From 2M+ Domains & Virtually Becoming Satan by byt3bl33d3r - how to spoof a lot of domains using MailChannels to send phishing. Also the speaker talks about SPF, DKIM, DMARC and ARC.
Tools:
🔧 SpamChannel - CloudFlare worker to exploit this vulnerability.
⚠️ WARNING: This tool doesn't work anymore, because MailChannels now requires a Domain Lockdown Record in order to send emails from Cloudflare Workers. However, the relay may be exploited with a paid MailChannels account.
👉 ELECTRONizing MacOS Privacy - A New Weapon in Your Red Teaming Armory by _r3ggi - how to abuse Electron applications to bypass Transparency, Consent and Control (TCC) restrictions on macOS.
Tools:
🔧 electroniz3r - tool to enumerate and take over macOS Electron apps to bypass TCC.
👉 StackMoonwalk by KlezVirus, waldoirc and trickster012 - explanation of stack spoofing and presentation of a new technique, StackMoonwalk - fully dynamic call stack spoofing. The technique is implemented to remove the original caller from the call stack, using ROP to desynchronize unwinding from control flow.
Tools:
🔧 SilentMoonwalk - call stack spoofing PoC.
Did I miss something interesting? If you think so, feel free to share in the comments below 👇
A Thousand Sails, One Harbor - C2 Infra on Azure
#darkvortex
via Dark Vortex Blog (author: Paranoid Ninja)
Okta for Red Teamers
#xpn
In this blog post, I'll discuss some of the post-exploitation techniques that I've found to be useful against Okta. Specifically, this post will look at how to use delegated authentication to our advantage, Silver Ticket, Okta AD agent spoofing, and finally how to deploy a fake SAML provider.
via XPN InfoSec Blog
How to build custom scanners for web security research automation
#portswigger
In this post, I'll share my approach to developing custom automation to aid research into under-appreciated attack classes and (hopefully) push the boundaries of web security. As a worked example, I'l
via PortSwigger Research
Cobalt Strike Aggressor Callbacks
#rastamouse
The Cobalt Strike 4.9 release introduced support for registering Aggressor callbacks for several functions including bexecute_assembly, bpowerpick, and binline_execute. Prior to this feature, there was no practical way of tasking Beacon and then performing further actions based on the output (other than reading it on the console and then manually issuing more commands). To demonstrate
via Rasta Mouse Blog
Solving The “Unhooking” Problem
#outflank
For avoiding EDR userland hooks, there are many ways to cook an egg:
Direct system calls (syscalls), indirect syscalls, unhooking, hardware breakpoints, and bringing and loading your own version of a library. These methods each have advantages and disadvantages. When developing a C2 implant it’s nice to work with a combination of these. For instance, you could use a strong indirect syscall library for kernel functionality, then use unhooking or hardware breakpoints for user mode-only (i.e. Rtl) functions.
Regarding system calls, excellent research has already been done. A small selection of relevant blog posts is Klezvirus’ post on syswhispers, MDSec’s post on direct invocation of system calls and our own blog post on combining direct system calls and sRDI.
So, in this blog we’ll zoom in on protecting calls to user mode functions.
via Outflank Blog (author: Dima)
MacOS "DirtyNIB" Vulnerability
#xpn
While looking for avenues of injecting code into platform binaries back in macOS Monterey, I was able to identify a vulnerability which allowed the hijacking of Apple application entitlements. Recently I decided to revisit this vulnerability after a long time of trying to have it patched, and was surprised to see that it still works. There are some caveats introduced with later versions of macOS which we will explore, but in this post we’ll look at a vulnerability in macOS Sonoma which has been around for a long time, and remains an 0day, urm, to this day.
via XPN InfoSec Blog
Out of Band Update: Cobalt Strike 4.9.1
#cobaltstrike
Cobalt Strike 4.9.1 is now available. This is an out of band update to fix an issue that was discovered in the 4.9 release that we felt would negatively impact customers as they start to roll out the release and for which there is no straightforward workaround. We also took the opportunity to address a [...]
via Cobalt Strike Blog (author: Greg Darwin)
Phishing for Primary Refresh Tokens and Windows Hello keys
#dirkjanm
In Microsoft Entra ID (formerly Azure AD, in this blog referred to as “Azure AD”), there are different types of OAuth tokens. The most powerful token is a Primary Refresh Token, which is linked to a user’s device and can be used to sign in to any Entra ID connected application and web site. In phishing scenarios, especially those that abuse legit OAuth flows such as device code phishing, the resulting tokens are often less powerful tokens that are limited in scope or usage methods. In this blog, I will describe new techniques to phish directly for Primary Refresh Tokens, and in some scenarios also deploy passwordless credentials that comply with even the strictest MFA policies.
via Dirk-jan Blog (author: Dirk-jan Mollema)