WHOAMI

SharpADWS is an Active Directory Recon and Exploit tool for Red Teams via the ADWS protocol, Inspired by @FalconForceTeam Without the LDAP protocol, it can easily bypass most traffic monitoring for LDAP #BloodHound #redteam #Pentesting #CyberSecurity github.com/wh0amitz/Sharp…

M'm glad to release the tool I have been working hard on the last month: #KrbRelayEx A Kerberos relay & forwarder for MiTM attacks! >Relays Kerberos AP-REQ tickets >Manages multiple SMB consoles >Works on Win& Linux with .NET 8.0 >... GitHub: github.com/decoder-it/Krb…

Relaying DCOM has always intrigued me, so I decided to dive in. Started with a MiTM attack using a fake DNS entry, targeting certificate requests to an ADCS server and relaying to SMB.

Sleepy🥱

It seems amazing to me that MS have spent years talking about this feature and have not fixed well known public bypasses. My similar Kerberos trick probably works tiraniddo.dev/2022/03/bypass… as does googleprojectzero.blogspot.com/2019/12/callin… if you accept a prompt :)

''New Windows Backdoor BITSLOTH Exploits BITS for Stealthy Communication'' #infosec #pentest #redteam #blueteam thehackernews.com/2024/08/new-wi…

New Module 46: Exploiting EDRs For Evasion - Preventing EDR From Taking Action This module demonstrates a logic vulnerability in an EDR. Setting the "Read-Only" attribute on a malicious file prevents it from being quarantined or deleted. We exploit this vulnerability to successfully execute Mimikatz via Local PE Injection.

NEW release (v1.3) of ADOKit is out NOW which includes 7 new modules from @NicolasHeiniger and myself, among other fixes/improvements. I will be doing a talk on ADOKit at @BlackHatEvents #BlackHatArsenal next week on Wednesday at 1:55pm PT at Station 5👍 github.com/xforcered/ADOK…

[Tool & Blog release] - smbtakeover, a technique to unbind/rebind port 445 without loading a driver, loading a module into LSASS, or rebooting the target machine. The goal is to ease exploitation of targeted NTLM relay primitives while operating over C2. Github repo is linked at the bottom of the blog post, which provides technical analysis of the technique. posts.specterops.io/relay-your-hea…

Implementing a session manager is a tons of fun… and pain 😅 Have learned so much about CreateProcess and Logon APIs studying @splinter_code’s RunasCs, a very handy tool once again 🙌🏻

Oldy but goody from one of my favorite researchers, itm4n, about DLL proxying and privilege escalation from implmentations outside of "c:\Program Files" itm4n.github.io/dll-proxying/

''CcmPwn: leverages the CcmExec service to remotely hijack user sessions'' #infosec #pentest #redteam #blueteam meterpreter.org/ccmpwn-leverag…

We have a (draft) @metasploit exploit module in the queue for CVE-2024-4577, the new PHP CGI argument injection vuln disclosed yesterday. h/t to @orange_8361 for the discovery and @watchtowrcyber for their analysis. github.com/rapid7/metaspl…

An interesting SSRF fix bypass (CVE-2024-4084) in AnythingLLM that I found a few months ago has been made public. #llm #Pentesting #CyberSecurity #BugBounty huntr.com/bounties/bf445…

As expected, NTLM is now "deprecated." #features-were-no-longer-developing" target="_blank" rel="nofollow noopener">learn.microsoft.com/en-us/windows-… @splinter_code Was wondering what would have happened if we had discovered #LocalPotato after this article🤔

Just published a short blog post on abusing the SeRelabelPrivilege ;) decoder.cloud/2024/05/30/abu…

SharpCollection and IronSharpPack twitter.com/i/broadcasts/1…

One thing I always look for when starting in a network without AD creds is user enumeration with RPC null sessions. impacket SAMR (samrdump) and LSARPC (lookupsid) tools will give you only a small part of the story. Here's my minimal RID cycling script gist.github.com/naksyn/8204c76… that outplayed everything else, enabling me to find some crackable ASREP-roastable DA accounts hiding with RID > 50000 that were unable to be found using other tools. I am using chunks to avoid DoS and getting NT_STATUS_INSUFFICIENT_RESOURCES, ofc you can tweak it according to your YOLO level. there will be a new RPC connection for every chunk, it's a bit better than cycling and using rpcclient every time and always starting RPC connections from scratch. However, RID cycling with rpcclient will generate a ton of STATUS_NO_SUCH_USER responses that are sus, if someone is looking and knows what to look for ofc

ADCS strikes again (sounds a lot like ESC1). Just as a reminder, despite our recommendation of alerting IT administrators of this very common dangerous misconfiguration (AT A MINIMUM via an event log). Microsoft chose not to include any additional logging in ADCS.

So MSRC first say that they cannot reproduce ,now say that no security boundary is crossed. Tested this on few different machines and it was successful on all of them. This is bug in GamingServices , non default service so impact is not high. github.com/Wh04m1001/Gami…

I created another variant of our so-loved *potato family, the #FakePotato. But have to wait MSRC response before disclosing, hopefully soon ;)