Nighthawk 0.2.6 – Three Wise Monkeys
#mdsec
Overview See no evil, hear no evil, speak no evil. This Japanese maxim epitomises the EDRs coming up against our latest release of Nighthawk. Following copious amounts of research and...
via MDSec Blog (author: Admin)
#mdsec
Overview See no evil, hear no evil, speak no evil. This Japanese maxim epitomises the EDRs coming up against our latest release of Nighthawk. Following copious amounts of research and...
via MDSec Blog (author: Admin)
#tool #conference
📣 For those who have not seen the DEF CON 31 records yet
I prepared a brief descriptions and links to my favorite ones 👇
👉 Spooky Authentication at a Distance by SkelSec - SSPI authentication (Kerberos or NTLM) proxy through VICTIM machine.
Tools:
🔧 wsnet - SSPI authentication and TCP traffic proxy server and client in Python 3.
🔧 wsnet-dotnet - same as wsnet, but only agent written in C#.
The speaker also demonstrated integration with msldap, aiosmb and octopwn, but these changes are not open source (for now, I hope).
👉 A Broken Marriage Abusing Mixed Vendor Kerberos Stacks by CCob - userPrincipalName abuse to authenticate to non-Microsoft Kerberos services (e.g. GSSAPI+Kerberos services like SSH, Postgres, etc.) integrated with Active Directory.
👉 SpamChannel - Spoofing Emails From 2M+ Domains & Virtually Becoming Satan by byt3bl33d3r - how to spoof a lot of domains using MailChannels to send phishing. Also the speaker talks about SPF, DKIM, DMARC and ARC.
Tools:
🔧 SpamChannel - CloudFlare worker to exploit this vulnerability.
⚠️ WARNING: This tool doesn't work anymore, because MailChannels now require a Domain Lockdown Record in order to send emails from Cloudflare Workers. However, relay may be exploited with paid MailChannels account.
👉 ELECTRONizing MacOS Privacy - A New Weapon in Your Red Teaming Armory by _r3ggi - How to abuse Electron application to bypass Transparency, Consent and Control (TCC) restriction on macOS.
Tools:
🔧 electroniz3r - tool to enumerate and takeover macOS Electron apps to bypass TCC.
👉 StackMoonwalk by KlezVirus, waldoirc and trickster012 - explanation of stack spoofing and presentation of a new technique, StackMoonwalk - fully dynamic call stack spoofing. The technique is implemented to remove the original caller from the call stack, using ROP to desynchronize unwinding from control flow.
Tools:
🔧 SilentMoonwalk - call stack spoofing PoC.
Did I miss something interesting? If you think so, feel free to share in the comments below 👇
📣 For those who have not seen the DEF CON 31 records yet
I prepared a brief descriptions and links to my favorite ones 👇
👉 Spooky Authentication at a Distance by SkelSec - SSPI authentication (Kerberos or NTLM) proxy through VICTIM machine.
Tools:
🔧 wsnet - SSPI authentication and TCP traffic proxy server and client in Python 3.
🔧 wsnet-dotnet - same as wsnet, but only agent written in C#.
The speaker also demonstrated integration with msldap, aiosmb and octopwn, but these changes are not open source (for now, I hope).
👉 A Broken Marriage Abusing Mixed Vendor Kerberos Stacks by CCob - userPrincipalName abuse to authenticate to non-Microsoft Kerberos services (e.g. GSSAPI+Kerberos services like SSH, Postgres, etc.) integrated with Active Directory.
👉 SpamChannel - Spoofing Emails From 2M+ Domains & Virtually Becoming Satan by byt3bl33d3r - how to spoof a lot of domains using MailChannels to send phishing. Also the speaker talks about SPF, DKIM, DMARC and ARC.
Tools:
🔧 SpamChannel - CloudFlare worker to exploit this vulnerability.
⚠️ WARNING: This tool doesn't work anymore, because MailChannels now require a Domain Lockdown Record in order to send emails from Cloudflare Workers. However, relay may be exploited with paid MailChannels account.
👉 ELECTRONizing MacOS Privacy - A New Weapon in Your Red Teaming Armory by _r3ggi - How to abuse Electron application to bypass Transparency, Consent and Control (TCC) restriction on macOS.
Tools:
🔧 electroniz3r - tool to enumerate and takeover macOS Electron apps to bypass TCC.
👉 StackMoonwalk by KlezVirus, waldoirc and trickster012 - explanation of stack spoofing and presentation of a new technique, StackMoonwalk - fully dynamic call stack spoofing. The technique is implemented to remove the original caller from the call stack, using ROP to desynchronize unwinding from control flow.
Tools:
🔧 SilentMoonwalk - call stack spoofing PoC.
Did I miss something interesting? If you think so, feel free to share in the comments below 👇
A Thousand Sails, One Harbor - C2 Infra on Azure
#darkvortex
via Dark Vortex Blog (author: Paranoid Ninja)
#darkvortex
via Dark Vortex Blog (author: Paranoid Ninja)
Okta for Red Teamers
#xpn
In this blog post, I'll discuss some of the post-exploitation techniques that I've found to be useful against Okta. Specifically, this post will look at how to use delegated authentication to our advantage, Silver Ticket, Okta AD agent spoofing, and finally how to deploy a fake SAML provider.
via XPN InfoSec Blog
#xpn
In this blog post, I'll discuss some of the post-exploitation techniques that I've found to be useful against Okta. Specifically, this post will look at how to use delegated authentication to our advantage, Silver Ticket, Okta AD agent spoofing, and finally how to deploy a fake SAML provider.
via XPN InfoSec Blog
How to build custom scanners for web security research automation
#portswigger
In this post, I'll share my approach to developing custom automation to aid research into under-appreciated attack classes and (hopefully) push the boundaries of web security. As a worked example, I'l
via PortSwigger Research
#portswigger
In this post, I'll share my approach to developing custom automation to aid research into under-appreciated attack classes and (hopefully) push the boundaries of web security. As a worked example, I'l
via PortSwigger Research
Cobalt Strike Aggressor Callbacks
#rastamouse
The Cobalt Strike 4.9 release introduced support for registering Aggressor callbacks for several functions including bexecute_assembly, bpowerpick, and binline_execute. Prior to this feature, there was no practical way of tasking Beacon and then performing further actions based on the output (other than reading it on the console and then manually issuing more commands). To demonstrate
via Rasta Mouse Blog
#rastamouse
The Cobalt Strike 4.9 release introduced support for registering Aggressor callbacks for several functions including bexecute_assembly, bpowerpick, and binline_execute. Prior to this feature, there was no practical way of tasking Beacon and then performing further actions based on the output (other than reading it on the console and then manually issuing more commands). To demonstrate
via Rasta Mouse Blog
Solving The “Unhooking” Problem
#outflank
For avoiding EDR userland hooks, there are many ways to cook an egg:
Direct system calls (syscalls), Indirect syscalls, unhooking, hardware breakpoints, and bringing and loading your own version of a library. These methods each have advantages and disadvantages. When developing a C2 implant it’s nice to work with a combination of multiple combinations of these. For instance, you could use a strong indirect syscall library for kernel functionality, then use unhooking or hardware breakpoints for user mode-only (i.e.
Regarding system calls, excellent research has already been done. A small selection of relevant blog posts is Klezvirus’ post on syswhispers, MDSec’s post on direct invocation of system calls and our own blog post on combining direct system calls srdi.
So, in this blog we’ll zoom in on protecting calls to user mode functions.
via Outflank Blog (author: Dima)
#outflank
For avoiding EDR userland hooks, there are many ways to cook an egg:
Direct system calls (syscalls), Indirect syscalls, unhooking, hardware breakpoints, and bringing and loading your own version of a library. These methods each have advantages and disadvantages. When developing a C2 implant it’s nice to work with a combination of multiple combinations of these. For instance, you could use a strong indirect syscall library for kernel functionality, then use unhooking or hardware breakpoints for user mode-only (i.e.
Rtl) functions.Regarding system calls, excellent research has already been done. A small selection of relevant blog posts is Klezvirus’ post on syswhispers, MDSec’s post on direct invocation of system calls and our own blog post on combining direct system calls srdi.
So, in this blog we’ll zoom in on protecting calls to user mode functions.
via Outflank Blog (author: Dima)
MacOS "DirtyNIB" Vulnerability
#xpn
While looking for avenues of injecting code into platform binaries back in macOS Monterey, I was able to identify a vulnerability which allowed the hijacking of Apple application entitlements. Recently I decided to revisit this vulnerability after a long time of trying to have it patched, and was surprised to see that it still works. There are some caveats introduced with later versions of macOS which we will explore, but in this post we’ll look at a vulnerability in macOS Sonoma which has been around for a long time, and remains an 0day, urm, to this day.
via XPN InfoSec Blog
#xpn
While looking for avenues of injecting code into platform binaries back in macOS Monterey, I was able to identify a vulnerability which allowed the hijacking of Apple application entitlements. Recently I decided to revisit this vulnerability after a long time of trying to have it patched, and was surprised to see that it still works. There are some caveats introduced with later versions of macOS which we will explore, but in this post we’ll look at a vulnerability in macOS Sonoma which has been around for a long time, and remains an 0day, urm, to this day.
via XPN InfoSec Blog
Out of Band Update: Cobalt Strike 4.9.1
#cobaltstrike
Cobalt Strike 4.9.1 is now available. This is an out of band update to fix an issue that was discovered in the 4.9 release that we felt would negatively impact customers as they start to roll out the release and for which there is no straightforward workaround. We also took the opportunity to address a [...]
via Cobalt Strike Blog (author: Greg Darwin)
#cobaltstrike
Cobalt Strike 4.9.1 is now available. This is an out of band update to fix an issue that was discovered in the 4.9 release that we felt would negatively impact customers as they start to roll out the release and for which there is no straightforward workaround. We also took the opportunity to address a [...]
via Cobalt Strike Blog (author: Greg Darwin)
Phishing for Primary Refresh Tokens and Windows Hello keys
#dirkjanm
In Microsoft Entra ID (formerly Azure AD, in this blog referred to as “Azure AD”), there are different types of OAuth tokens. The most powerful token is a Primary Refresh Token, which is linked to a user’s device and can be used to sign in to any Entra ID connected application and web site. In phishing scenarios, especially those that abuse legit OAuth flows such as device code phishing, the resulting tokens are often less powerful tokens that are limited in scope or usage methods. In this blog, I will describe new techniques to phish directly for Primary Refresh Tokens, and in some scenarios also deploy passwordless credentials that comply with even the strictest MFA policies.
via Dirk-jan Blog (author: Dirk-jan Mollema)
#dirkjanm
In Microsoft Entra ID (formerly Azure AD, in this blog referred to as “Azure AD”), there are different types of OAuth tokens. The most powerful token is a Primary Refresh Token, which is linked to a user’s device and can be used to sign in to any Entra ID connected application and web site. In phishing scenarios, especially those that abuse legit OAuth flows such as device code phishing, the resulting tokens are often less powerful tokens that are limited in scope or usage methods. In this blog, I will describe new techniques to phish directly for Primary Refresh Tokens, and in some scenarios also deploy passwordless credentials that comply with even the strictest MFA policies.
via Dirk-jan Blog (author: Dirk-jan Mollema)
Finding a POP chain on a common Symfony bundle : part 2
#synacktiv
via Synacktiv Blog (author: Rémi Matasse)
#synacktiv
via Synacktiv Blog (author: Rémi Matasse)
A Deep Dive into TPM-based BitLocker Drive Encryption
#itm4n
When I investigated CVE-2022-41099, a BitLocker Drive Encryption bypass through the Windows Recovery Environment (WinRE), the fact that the latter was able to transparently access an encrypted drive without requiring the recovery password struck me. My initial thought was that there had to be a way to reproduce this behavior and obtain the master key from the Recovery Environment (WinRE). The o...
via Itm4n Blog (author: itm4n)
#itm4n
When I investigated CVE-2022-41099, a BitLocker Drive Encryption bypass through the Windows Recovery Environment (WinRE), the fact that the latter was able to transparently access an encrypted drive without requiring the recovery password struck me. My initial thought was that there had to be a way to reproduce this behavior and obtain the master key from the Recovery Environment (WinRE). The o...
via Itm4n Blog (author: itm4n)
The single-packet attack: making remote race-conditions 'local'
#portswigger
The single-packet attack is a new technique for triggering web race conditions. It works by completing multiple HTTP/2 requests with a single TCP packet, which effectively eliminates network jitter an
via PortSwigger Research
#portswigger
The single-packet attack is a new technique for triggering web race conditions. It works by completing multiple HTTP/2 requests with a single TCP packet, which effectively eliminates network jitter an
via PortSwigger Research
Uncovering RPC Servers through Windows API Analysis
#specterops
via SpecterOps Team Medium (author: Kai Huang)
#specterops
via SpecterOps Team Medium (author: Kai Huang)
Medium
Uncovering RPC Servers through Windows API Analysis
Intro
Listing remote named pipes
#outflank
On Windows, named pipes are a form of interprocess communication (IPC) that allows processes to communicate with one another, both locally and across the network. Named pipes serve as a mechanism to transfer data between Windows components as well as third-party applications and services. Both locally as well as on a domain. From an offensive perspective, named pipes may leak some information that could be useful for reconnaissance purposes. Since named pipes can also be used (depending on configuration) to access services remotely – they could allow remote exploits (MS08-067).
In this post we will explore how named pipes can be listed remotely in offensive operations, for example via an implant running on a compromised Windows system.
via Outflank Blog (author: Cedric Van Bockhaven)
#outflank
On Windows, named pipes are a form of interprocess communication (IPC) that allows processes to communicate with one another, both locally and across the network. Named pipes serve as a mechanism to transfer data between Windows components as well as third-party applications and services. Both locally as well as on a domain. From an offensive perspective, named pipes may leak some information that could be useful for reconnaissance purposes. Since named pipes can also be used (depending on configuration) to access services remotely – they could allow remote exploits (MS08-067).
In this post we will explore how named pipes can be listed remotely in offensive operations, for example via an implant running on a compromised Windows system.
via Outflank Blog (author: Cedric Van Bockhaven)
Bloodhound Enterprise: securing Active Directory using graph theory
#specterops
via SpecterOps Team Medium (author: Irshad Ajmal Ahmed)
#specterops
via SpecterOps Team Medium (author: Irshad Ajmal Ahmed)
Medium
BloodHound Enterprise: securing Active Directory using graphs
Prior to my employment at SpecterOps, I hadn’t worked in the information security industry- as a result, many security related terms and…