A Deep Dive into TPM-based BitLocker Drive Encryption
#itm4n
When I investigated CVE-2022-41099, a BitLocker Drive Encryption bypass through the Windows Recovery Environment (WinRE), the fact that the latter was able to transparently access an encrypted drive without requiring the recovery password struck me. My initial thought was that there had to be a way to reproduce this behavior and obtain the master key from the Recovery Environment (WinRE). The o...
via Itm4n Blog (author: itm4n)
The single-packet attack: making remote race-conditions 'local'
#portswigger
The single-packet attack is a new technique for triggering web race conditions. It works by completing multiple HTTP/2 requests with a single TCP packet, which effectively eliminates network jitter an
via PortSwigger Research
Uncovering RPC Servers through Windows API Analysis
#specterops
via SpecterOps Team Medium (author: Kai Huang)
Listing remote named pipes
#outflank
On Windows, named pipes are a form of interprocess communication (IPC) that allows processes to communicate with one another, both locally and across the network. Named pipes serve as a mechanism to transfer data between Windows components as well as third-party applications and services, both locally and on a domain. From an offensive perspective, named pipes may leak some information that could be useful for reconnaissance purposes. Since named pipes can also be used (depending on configuration) to access services remotely, they could allow remote exploits (MS08-067).
In this post we will explore how named pipes can be listed remotely in offensive operations, for example via an implant running on a compromised Windows system.
via Outflank Blog (author: Cedric Van Bockhaven)
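As an added example (not code from the Outflank post, which describes its own approach), the PowerShell below shows the two sides of the reconnaissance idea in the excerpt: enumerating the local pipe namespace, and probing a hand-picked list of well-known pipe names on a remote host over SMB (the `\\host\pipe\name` path backing `NamedPipeClientStream`). The host name `FILESRV01`, the pipe list and the timeout are assumptions for illustration. The practitioner caveat it encodes: an access-denied error still proves the pipe exists, so it is reported separately from "not found".

```powershell
# Added example, not from the Outflank post. Lists local named pipes and probes
# a short, hand-picked list of well-known pipe names on a remote host over SMB.
# $Target and $WellKnownPipes below are constructed inputs for illustration.

function Get-LocalNamedPipe {
    # The pipe namespace is exposed as a pseudo-directory; GetFiles returns
    # entries such as \\.\pipe\lsass, so strip the prefix to get bare names.
    [System.IO.Directory]::GetFiles('\\.\pipe\') |
        ForEach-Object { $_ -replace '^\\\\\.\\pipe\\', '' }
}

function Test-RemoteNamedPipe {
    param(
        [Parameter(Mandatory)] [string]   $ComputerName,
        [Parameter(Mandatory)] [string[]] $PipeName,
        [int] $TimeoutMs = 1000
    )
    foreach ($name in $PipeName) {
        $client = [System.IO.Pipes.NamedPipeClientStream]::new(
            $ComputerName, $name, [System.IO.Pipes.PipeDirection]::InOut)
        try {
            # Connect() opens \\<host>\pipe\<name> through IPC$ with the caller's
            # current credentials. It retries ERROR_FILE_NOT_FOUND until the
            # timeout, so TimeoutException means "no such pipe". An
            # UnauthorizedAccessException means the pipe exists but its ACL
            # rejected us, which is still useful reconnaissance.
            $client.Connect($TimeoutMs)
            $state = 'Open'
        } catch [System.TimeoutException] {
            $state = 'NotFound'
        } catch [System.UnauthorizedAccessException] {
            $state = 'ExistsAccessDenied'
        } catch {
            # e.g. IOException when the host or SMB share is unreachable
            $state = "Error: $($_.Exception.GetType().Name)"
        } finally {
            $client.Dispose()
        }
        [pscustomobject]@{ ComputerName = $ComputerName; Pipe = $name; State = $state }
    }
}

# Constructed inputs for illustration (assumed host and pipe names)
$Target         = 'FILESRV01'
$WellKnownPipes = 'srvsvc','wkssvc','samr','lsarpc','netlogon',
                  'spoolss','atsvc','eventlog','epmapper','winreg'

Get-LocalNamedPipe | Select-Object -First 10
Test-RemoteNamedPipe -ComputerName $Target -PipeName $WellKnownPipes | Format-Table -AutoSize
```

Because the probe actually opens the pipe, an 'Open' result has already established an SMB session and a pipe instance on the target, which is visible to host-based telemetry; the `Dispose()` call closes it immediately, but the connection still happened.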
Bloodhound Enterprise: securing Active Directory using graph theory
#specterops
Prior to my employment at SpecterOps, I hadn't worked in the information security industry; as a result, many security-related terms and…
via SpecterOps Team Medium (author: Irshad Ajmal Ahmed)
CVE-2023-4632: Local Privilege Escalation in Lenovo System Updater
#specterops
Version: Lenovo Updater Version <= 5.08.01.0009
Operating System Tested On: Windows 10 22H2 (x64)
Vulnerability: Lenovo System Updater…
via SpecterOps Team Medium (author: Matt Nelson)
Lateral Movement: Abuse the Power of DCOM Excel Application
#specterops
Learn about an interesting lateral movement technique that uses the ActivateMicrosoftApp() method of the Distributed Component Object Model (DCOM) Excel application.
via SpecterOps Team Medium (author: Raj Patel)
Forwarded from Offensive Xwitter
😈 [ Almond OffSec @AlmondOffSec ]
Understanding the different types of LDAP authentication methods is fundamental to apprehend subjects such as relay attacks or countermeasures. This post by @lowercase_drm introduces them through the lens of Python libraries.
🔗 https://offsec.almond.consulting/ldap-authentication-in-active-directory-environments.html
Reflecting on a Year with Fortra and Next Steps for Outflank
#outflank
When we debuted OST back in 2021, we wrote a blog detailing both the product features and the rationale for investing time into this toolset. In 2022, we joined forces with Fortra and we can hardly believe it’s been over a year already. It was a big decision to go from being a small team of red teamers to becoming part of a large company, but we’re very pleased with the switch. In this reflection on the past 12 months, we want to provide an update on our mission, detail our continued dedication to OST, discuss the process of growing the Outflank community, and touch on where we’re headed next.
A Product Oriented Focus
One of our biggest challenges when we joined Fortra was the decision to put most of our energy into Outflank Security Tooling (OST).
via Outflank Blog (author: Marc Smeets)
Lateral Movement without Lateral Movement (Brought to you by ConfigMgr)
#specterops
via SpecterOps Team Medium (author: Diego lomellini)
Abusing Slack for Offensive Operations: Part 2
#specterops
When I first started diving into offensive Slack access, one of the best public resources I found was a blog post by Cody Thomas from back…
via SpecterOps Team Medium (author: Matt Creel)
Forwarded from road to OSCP
Introducing Bambdas
#portswigger
You might have heard of Lambdas. But have you heard of Bambdas? They're a unique new way to customize Burp Suite directly from the UI, using only small snippets of Java. Changing the face of Burp Suite
via PortSwigger Blog
Merlin’s Evolution: Multi-Operator CLI and Peer-to-Peer Magic
#specterops
Over the past year, I've been working on making significant updates to Merlin in my free time. Today, I'm ready to release version 2 of…
via SpecterOps Team Medium (author: Russel Van Tuyl)