Zeroed

54 posts

@Zeroedtech

Just a guy that talks at conferences sometimes

Joined July 2019
84 Following, 318 Followers
Zeroed@Zeroedtech·
I’ve recently done a deep dive into how IIS view state machine keys are generated and how they are used to decrypt view state messages. I’ve written up my findings in a new blog post and developed an application to assist with the decryption of view states zeroed.tech/blog/decryptin…
Zeroed@Zeroedtech·
...so yes
Zeroed@Zeroedtech·
Not the response I want when I resort to AI to debug some mutual TLS issues
Zeroed@Zeroedtech·
@irsdl @BSidesLondon I'd be very keen, viewstate exploration is a massive issue these days but getting people to understand the issue is a nightmare
Soroush Dalili@irsdl·
Unfortunately my workshop for exploiting asp .net viewstate in most scenarios didn't make it to @BSidesLondon due to other better workshops perhaps! Damn it AI categories 🤭 Please comment if you would like to read a blog post in a lab like style about it. You will need to have your own IIS server to follow it. Given it is asp net and IIS I thought people might not be too interested. I had presented a version of this in a Synack (SRT) meeting a few months ago.
Zeroed@Zeroedtech·
@BertJanCyber I suspect this will follow the same route as the recent SharePoint vulns, adversaries will start simple with basic subprocess execution but within a few days we'll have malicious .NET assemblies being reflectively loaded
Bert-Jan 🛡️@BertJanCyber·
If you have not implemented a detection for suspicious IIS worker (w3wp.exe) processes, now is your time to do it. The Windows server components rely on IIS, not only WSUS, the same was the case with the last SharePoint vulnerability. github.com/Bert-JanP/Hunt…
Bert-Jan 🛡️@BertJanCyber

Some good technical content around the WSUS vulnerability (CVE‑2025‑59287) has been published by @eyesecurity. research.eye.security/wsus-deseriali…

Zeroed@Zeroedtech·
I've recently been experimenting with using .NET profilers to hook .NET functions under IIS and decided to write up a blog post while it was fresh in my mind zeroed.tech/blog/hooking-n…
Lucho@lucho_in_Oz·
SharePoint attacks are slowing down. What is next 🥹
Tib3rius@0xTib3rius·
.@TheRealC3rul34n sent me this after I was telling her about my SharePoint struggles + success. She gets me. 🥰
Zeroed@Zeroedtech·
Not a bad read, I think they may be overanalysing a compiled webshell and it's a shame they didn't get a memory dump but it's great to see more companies talking about this stuff github.com/RedDrip7/Night…
Zeroed@Zeroedtech·
@vinopaljiri Nice, I've always assumed these timestamps had just been tampered with
Jiří Vinopal@vinopaljiri·
[1/4] Have you ever seen a malware sample with a weird—maybe even future—PE timestamp? ➡️ Is it a .NET app? I recently saw some research publications labeled as "timestomped"...but that’s wrong. 🧠 It’s probably just a deterministic/repro build 🔍 Watch this video for a quick demo #malware #reversing #research
Zeroed@Zeroedtech·
After a bit more digging it looks like it's referenced in Microsoft.JScript, Version=8.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a but not Microsoft.JScript, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a. The latter of which is used by my IIS
Zeroed@Zeroedtech·
For years I've seen adversaries using the "unsafe" keyword in their JScript eval shells and assumed it was required to eval complex statements (i.e. code), but after trying to work out what it actually does for some training I'm working on I found it does nothing! It's unreferenced
Zeroed@Zeroedtech·
@AlienPacket @DebugPrivilege Sometimes you just don't care, as long as you achieve your objective, does it really matter that the blue team knows how you did it? A lot of the c# malware I look at does very little to hide what it's doing
Zeroed@Zeroedtech·
@DebugPrivilege Is there something dnSpy isn't handling for you?
Zeroed@Zeroedtech·
@0x706972686f @fr0gger_ For sure. It's good to see some official advice from Microsoft, even if it only covers static machine keys
🔥@0x706972686f·
@fr0gger_ @Zeroedtech you're probably already all over this, but in case you're not.
Thomas Roccia 🤘@fr0gger_·
📢 New Microsoft Threat Report: "ViewState Code Injection Attacks Using Publicly Disclosed ASP.NET Machine Keys" I wanted to understand deeper how the attack works so I created a detailed overview. Hope that helps 🤓 👉 microsoft.com/en-us/security…
Zeroed@Zeroedtech·
@inversecos @XintraOrg Can you clarify how the payment terms work? Are the values you have listed ranging from you can take a lump sum of 10k plus 50% of training sales through to a lump sum of 30k to essentially buy the rights to the training course?
inversecos@inversecos·
XINTRA: Call for Trainings is NOW OPEN 🚨😍 We are actively seeking new trainings for @XintraOrg targeting blue/red teams.

XINTRA PAYMENT TERMS
Total Paid      +    Royalty
---------------------------------
$10,000 USD     |     50% Split
$25,000 USD     |     25% Split
$30,000 USD     |     0% Split

All trainings will be assessed by our Review Board. Apply Here 👇 forms.gle/afVCifhpCRc1pK… Read More Information 👇 xintra.org/community @XintraOrg
Zeroed@Zeroedtech·
Thank you to everyone who attended my training session and a massive thanks to @BSidesCbr for providing me the opportunity to run it. The slides and any code we used can be found here zeroed.tech/blog/bsides-20… I'd love any feedback on the session