recentpopularlog in

whip_lash : pentest   442

« earlier  
The Rise of C# and using Kali as a C2 Server with SILENTTRINITY – root@Hausec
byt3bl33d3r, who wrote crackmapexec, Empire, and Deathstar, developed a tool called SILENTTRINITY, which utilizes IronPython to create the C# code in python, then develop the XML file needed by msbuild (If using that payload option). This is how it works:
silenttrinity  pentest  c2  C# 
9 days ago by whip_lash
linuz/Sticky-Keys-Slayer: Scans for accessibility tools backdoors via RDP
Establishes a Remote Destop session (RDP) with the specified hosts and sends key presses to launch the accessibility tools within the Windows Login screen. stickyKeysSlayer.sh will analyze the console and alert if a command prompt window opens up. Screenshots will be put into a folder ('./rdp-screenshots' by default) and screenshots with a cmd.exe window are put in a subfolder ('./rdp-screenshots/discovered' by default). stickyKeysSlayer.sh accepts a single host or a list of hosts, delimited by line and works with multiple hosts in parallel.
pentest  rdp  scanner  osint  recon 
18 days ago by whip_lash
Rotten Potato – Privilege Escalation from Service Accounts to SYSTEM
NTLM relay from the local “NT AUTHORITY\SYSTEM” (we will just call it SYSTEM for brevity) account back to some other system service has been the theme for the Potato privilege escalation exploits. The first step is to trick the SYSTEM account into performing authentication to some TCP listener we control.

In the original Hot Potato exploit, we did some complex magic with NBNS spoofing, WPAD, and Windows Update services to trick it into authenticating to us over HTTP. For more information, see the original blog post.

Today, we’ll be discussing another method to accomplish the same end goal which James Forshaw discussed here. We’ll basically be tricking DCOM/RPC into NTLM authenticating to us. The advantage of this more complex method is that it is 100% reliable, consistent across Windows versions, and fires instantly rather than sometimes having to wait for Windows Update.
security  pentest  windows  privesc  privilegeescalation 
27 days ago by whip_lash
Juicy Potato (abusing the golden privileges) | juicy-potato
If the user has SeImpersonate or SeAssignPrimaryToken privileges then you are SYSTEM.

It’s nearly impossible to prevent the abuse of all these COM Servers. You could think to modify the permissions of these objects via DCOMCNFG but good luck, this is gonna be challenging.

The actual solution is to protect sensitive accounts and applications which run under the * SERVICE accounts. Stopping DCOM would certainly inhibit this exploit but could have a serious impact on the underlying OS.
pentest  windows  privilegeescalation  security 
27 days ago by whip_lash
From Kekeo to Rubeus – Posts By SpecterOps Team Members
Today I’m releasing Rubeus, the start of a C# reimplementation of some (not all) of Kekeo’s functionality. I’ve wanted to dive deeper into Kerberos structures and exchanges for a while in order to better understand the entire system, and this project provided the perfect excuse to jump right in.
kerberos  activedirectory  security  pentest  tool 
27 days ago by whip_lash
Singularity - A DNS Rebinding Attack Framework - KitPloit - PenTest Tools for your Security Arsenal ☣
DNS rebinding changes the IP address of an attacker controlled machine name to the IP address of a target application, bypassing the same-origin policy and thus allowing the browser to make arbitrary requests to the target application and read their responses. The Singularity DNS server is responding with short time to live (TTL) records, minimizing the time the response is cached. When the victim browses to the Singularity manager interface, the Singularity's DNS server first responds with the IP address of Singularity itself where the client-side code (payload) is hosted. When the DNS record times out, the Singularity DNS server responds with the IP address of the target host (e.g. 127.0.0.1) and the victim's browser can access the target application, circumventing the browser's same-origin policy.
dns  pentest  tool 
4 weeks ago by whip_lash
FuzzySecurity | Windows Userland Persistence Fundamentals
This tutorial will cover several techniques that can be used to gain persistent access to Windows machines. Usually this doesn't enter into play during a pentest (with the exception of red team engagements) as there is no benefit to adding it to the scope of the project. That is not to say it is not an interesting subject, both from a defensive and offensive perspective.
persistence  windows  pentest  redteam  security 
4 weeks ago by whip_lash
What you really need for Pentesting by Paul Stewart - how to, learning, OSCP | Peerlyst
Working as a pentester is a very different thing to training to be one. I wanted to shed a little light on what you really need to be a competent pentester.
pentest 
4 weeks ago by whip_lash
Dumping Domain Password Hashes
There are various techniques that can be used to extract this file or the information that is stored inside it however the majority of them are using one of these methods:

Domain Controller Replication Services
Native Windows Binaries
WMI
hash  activedirectory  pentest 
5 weeks ago by whip_lash
Bypassing CSRF tokens with Python's CGIHTTPServer | Pure Hacking
There are ways to configure Burp using macros to bypass CSRF tokens on HTML forms, so we can use Burp Active Scans, Burp Intruder, Burp Repeater, and (cautiously) even Burp Proxy. There's also Grep-Extract and pitchfork attack type specifically for Intruder. And, you might even develop your Burp Extension to do it. Sqlmap has a --csrf-token and a --csrf-url for the same purpose, or you can just configure Burp as previously stated, and run sqlmap through Burp using --proxy.

Now, here's another way, using CGIHTTPServer from python.
bugbounty  pentest  webapp  csrf 
5 weeks ago by whip_lash
Wildpwn - Unix Wildcard Attack Tool - KitPloit - PenTest Tools for your Security Arsenal ☣
Wildpwn is a Python UNIX wildcard attack tool that helps you generate attacks, based on a paper by Leon Juranic. It’s considered a fairly old-skool attack vector, but it still works quite often.
unix  exploit  linux  pentest  tool 
5 weeks ago by whip_lash
Quickpost: Compiling EXEs and Resources with MinGW on Kali | Didier Stevens
Compile for 64-bit:

x86_64-w64-mingw32-windres demo.rc demo-resource-x64.o
x86_64-w64-mingw32-gcc -o demo-x64.exe demo-resource-x64.o demo.c
Compile for 32-bit:

i686-w64-mingw32-windres demo.rc demo-resource-x86.o
i686-w64-mingw32-gcc -o demo-x86.exe demo-resource-x86.o demo.c
mingw  c  c++  windows  kali  pentest 
5 weeks ago by whip_lash
Clientside Exploitation - Tricks of the Trade 0x01 - Sharpshooter + SquibblyTwo - Malware - 0x00sec - The Home of the Hacker
Today I am going to show you how to:

Create a payload that isn’t detected by Windows Defender, even with real-time protection, advanced threat protection, and AMSI
Do all of this without Cobalt Strike, and instead with Sharpshooter + Metasploit/Msfvenom*
malware  sharpshooter  payload  pentest 
5 weeks ago by whip_lash
Advisory: CVE-2018-7572 – Pulse Secure Client Authentication Bypass – MDSec
By default, the Pulse client attempts to connect to the configured proxy service on port TCP port 80; supplying the configuration for a proxy server with a self-signed certificate forces the Pulse client to warn the user that the certificate is invalid but provides the option to “View” the certificate which when selected loads the standard Windows certificate wizard running as SYSTEM. From the Windows certificate wizard it is possible to select the option to export the certificate, then browse to a location where the certificate should be stored on the file system. Inevitably this provides the option to browse to cmd.exe, right click to obtain a command prompt as SYSTEM and full access to the workstation.
windows  privesc  pentest  pulsesecure 
6 weeks ago by whip_lash
Persistence using Universal Windows Platform apps (APPX) – Oddvar Moe's Blog
Persistence can be achieved with Appx/UWP apps using the debugger options. This technique will not be visible by Autoruns.
Two different approaches exists (registry keys). Listed below are the two techniques for two different apps that starts at logon:
windows  persistence  pentest 
6 weeks ago by whip_lash
Leveraging Expired Domains for Red Team Engagements - DomainHunter
Retrieves specified number of recently expired and deleted domains (.com, .net, .org primarily)
Retrieves available domains based on keyword search
Performs reputation checks against the Blue Coat Site Review service
Sorts results by domain age (if known)
Generates Text-based table and HTML report output with links to reputation sources and associated Archive.org entry
bluecoat  pentest  domain 
7 weeks ago by whip_lash
GitHub - mdsecactivebreach/CACTUSTORCH: CACTUSTORCH: Payload Generation for Adversary Simulations
A JavaScript and VBScript shellcode launcher. This will spawn a 32 bit version of the binary specified and inject shellcode into it.
shellcode  pentest  exploit 
7 weeks ago by whip_lash
Out of Band Exploitation (OOB) CheatSheet - NotSoSecure
Out-Of-Band (OOB) technique provides an attacker with an alternative way to confirm and exploit a vulnerability which is otherwise “blind”. In a blind vulnerability, as an attacker you do not get the output of the vulnerability in the direct response to the vulnerable request. The OOB techniques often require a vulnerable entity to generate an outbound TCP/UDP/ICMP request and that will then allow an attacker to exfiltrate data. The success of an OOB attack is based on the egress firewall rules i.e. which outbound request is permitted from the vulnerable system and the perimeter firewall.
oob  pentest  cheatsheet  cheatsheets 
7 weeks ago by whip_lash
Transferring files from Kali to Windows (post exploitation)
Often times on an engagement I find myself needing to copy a tool or a payload from my Kali linux attack box to a compromised Windows machine. As a perfect example, on a recent pentest, I found a vulnerable ColdFusion server and was able to upload a CFM webshell. It was a very limited, non-interactive shell and I wanted to download and execute a reverse Meterpreter binary from my attack machine. I generated the payload with Veil but needed a way to transfer the file to the Windows server running ColdFusion through simple commands.

I'm putting this post together as a "cheat sheet" of sorts for my favorite ways to transfer files.
kali  windows  pentest  filesharing 
7 weeks ago by whip_lash
GitHub - DiabloHorn/cliramdisk: A reduced functionality cli client for the imdisk ram disk driver. To be used through a backdoor like meterpreter
A reduced version of the original client, intended to be used through meterpreter or other backdoor setups.
Mostly written to learn about loading drivers and communicating with a loaded driver.
Since this is a POC it has been made incident response / forensic friendly friendly, by having tons of strings and not optimizing or clearing in memory variables. If you want to use this during a red team, make sure you adjust the source accordingly :)
pentest  memory  github 
7 weeks ago by whip_lash
Creating a ram disk through meterpreter | DiabloHorn
The magical ‘in memory execution‘ option of meterpreter is of course one of the better options that we as attackers love to use. However if you want to store ‘random files’ in memory or need to execute more complex applications which contain dependencies on other files, there is no ‘in memory’ option for that as far as i know. To be more specific, on Linux you can do it with build in commands, on Windows you need to install third party software (list of ram drive software). I decided to dig into it and see if I could achieve this through a meterpreter session.
metasploit  pentest 
7 weeks ago by whip_lash
Aggressor 101: Unleashing Cobalt Strike for Fun and Profit
Favorite tweet:

Came across this awesome intro to aggressor scripts by @001SPARTaN today. Maybe I've come across it before today, but I definitely found it today too.https://t.co/P8QMygNsDh

— Jared Haight (@jaredhaight) August 28, 2018
aggressor  cobaltstrike  pentest  Scripting 
7 weeks ago by whip_lash
GitHub - nshalabi/ATTACK-Tools: Utilities for MITRE™ ATT&CK
ATT&CK™ View: an adversary emulation planning tool

ATT&CK™ Data Model: a relational data model for ATT&CK™ and STIX™ (SQLite for simplicity and portability, support for other relational databases is under development)
att&ck  pentest  planning  redteam 
8 weeks ago by whip_lash
GitHub - lanjelot/patator: Patator is a multi-purpose brute-forcer, with a modular design and a flexible usage.
Patator was written out of frustration from using Hydra, Medusa, Ncrack, Metasploit modules and Nmap NSE scripts for password guessing attacks. I opted for a different approach in order to not create yet another brute-forcing tool and avoid repeating the same shortcomings.
bruteforce  pentest  patator  tool  passwords 
8 weeks ago by whip_lash
AnonOpsecPrivacy - InfoSec Reference
Colossal InfoSec reference on every subject imaginable
security  pentest 
8 weeks ago by whip_lash
Rotten Potato | Penetration Testing Lab
However there is a technique which can be used that tries to trick the “NT Authority\System” account to negotiate and authenticate via NTLM locally so the token for the “NT Authority\System” account would become available and therefore privilege escalation possible. This technique is called Rotten Potato and it was introduced in DerbyCon 2016 by Stephen Breen and Chris Mallz.
windows  privesc  privilegeescalation  pentest  security 
9 weeks ago by whip_lash
GitHub - quentinhardy/odat: ODAT: Oracle Database Attacking Tool
ODAT (Oracle Database Attacking Tool) is an open source penetration testing tool that tests the security of Oracle Databases remotely.
oracle  database  pentest  security  tool 
9 weeks ago by whip_lash
GitHub - ZerBea/hcxdumptool: Small tool to capture packets from wlan devices.
Favorite tweet:

hcxdumptool : Small tool to capture packets from wlan devices : https://t.co/b4f9XTLaVQ

— Binni Shah (@binitamshah) August 11, 2018
wifi  pentest 
10 weeks ago by whip_lash
infodox/python-pty-shells: Python PTY backdoors - full PTY or nothing!
The following is a collection of bind and reverse shells which give you a fully working PTY.

This is far superior to a normal bind or reverse shell, as you have job control and an interactive PTY and can do such things as use nano/vi to write files, su to elevate privs/change user, and ssh onward. You can also CTRL+C and suchlike.
pentest  reverseshell  tty 
11 weeks ago by whip_lash
JSON Web Tokens - jwt.io
JSON Web Tokens are an open, industry standard RFC 7519 method for representing claims securely between two parties.

JWT.IO allows you to decode, verify and generate JWT.
authentication  javascript  json  security  webapp  pentest 
11 weeks ago by whip_lash
GitHub - pentestmonkey/pysecdump: Python-based tool to dump security information from Windows systems
pysecdump is a python tool to extract various credentials and secrets from running Windows systems. It currently extracts:

LM and NT hashes (SYSKEY protected)
Cached domain passwords
LSA secrets
Secrets from Credential Manager (only some)
pentest  security  tool 
11 weeks ago by whip_lash
maK-/parameth: This tool can be used to brute discover GET and POST parameters
This tool can be used to brute discover GET and POST parameters

Often when you are busting a directory for common files, you can identify scripts (for example test.php) that look like they need to be passed an unknown parameter. This hopefully can help find them.
pentest  webapp 
12 weeks ago by whip_lash
danielmiessler/RobotsDisallowed: A harvest of the Disallowed directories from the robots.txt files of the world's top websites.
The RobotsDisallowed project is a harvest of the Disallowed directories from the robots.txt files of the world's top websites--specifically the Alexa 100K.

This list of Disallowed directories is a great way to supplement content discovery during a web security assessment, since the website owner is basically saying "Don't go here; there's sensitive stuff in there!".
pentest  webapp  wordlist  gobuster 
12 weeks ago by whip_lash
GerbenJavado/LinkFinder: A python script that finds endpoints in JavaScript files
LinkFinder is a python script written to discover endpoints and their parameters in JavaScript files. This way penetration testers and bug hunters are able to gather new, hidden endpoints on the websites they are testing. Resulting in new testing ground, possibility containing new vulnerabilities.
javascript  pentest  webapp 
12 weeks ago by whip_lash
Retire.js
There is a plethora of JavaScript libraries for use on the web and in node.js apps out there. This greatly simplifies, but we need to stay update on security fixes. "Using Components with Known Vulnerabilities" is now a part of the OWASP Top 10 and insecure libraries can pose a huge risk for your webapp. The goal of Retire.js is to help you detect use of version with known vulnerabilities.
javascript  security  pentest  webapp 
12 weeks ago by whip_lash
GitHub - s0md3v/Photon: Incredibly fast crawler which extracts urls, emails, files, website accounts and much more.
Photon is a lightning fast web crawler which extracts URLs, files, intel & endpoints from a target.

160 requests per second while extensive data extraction is just another day for Photon!
python  security  tools  web  recon  pentest 
12 weeks ago by whip_lash
x90skysn3k/brutespray: Brute-Forcing from Nmap output - Automatically attempts default creds on found services.
BruteSpray takes nmap GNMAP/XML output and automatically brute-forces services with default credentials using Medusa. BruteSpray can even find non-standard ports by using the -sV inside Nmap.
bruteforce  defaultcreds  pentest 
12 weeks ago by whip_lash
vysec/DomLink: A tool to link a domain with registered organisation names and emails, to other domains.
DomLink is a tool that uses a domain name to discover organisation name and associated e-mail address to then find further associated domains.

This is useful for bug bounty and red team engagements where you need to discover more domains associated with the target.
recon  dns  pentest 
12 weeks ago by whip_lash
presidentbeef/brakeman: A static analysis security vulnerability scanner for Ruby on Rails applications
Brakeman is a static analysis tool which checks Ruby on Rails applications for security vulnerabilities.
rails  ruby  analysis  git  recon  pentest 
12 weeks ago by whip_lash
PyCQA/bandit: Bandit is a tool designed to find common security issues in Python code.
Bandit is a tool designed to find common security issues in Python code. To do this Bandit processes each file, builds an AST from it, and runs appropriate plugins against the AST nodes. Once Bandit has finished scanning all the files it generates a report.
git  recon  pentest  python  analysis 
12 weeks ago by whip_lash
appsecco/bugcrowd-levelup-subdomain-enumeration: This repository contains all the material from the talk "Esoteric sub-domain enumeration techniques" given at Bugcrowd LevelUp 2017 virtual conference
cheatsheet.pdf - cheat sheet on the sub-domain enumeration techniques covered in the talk
cloudflare_enum.py - A script to do DNS enumeration using Cloudflare service
crt_psql.sh - Extract sub-domains for a given domain using crt.sh postgres interface
esoteric_subdomain_enumeration_techniques.pdf - Slides from the talk
subdomain_enum_censys.py - Extract sub-domains for a given domain using Censys.io API
subdomain_enum_crtsh.py - Extract sub-domains for a given domain using crt.sh RSS feed
subdomain_wordlist.txt - A collection of sub-domain names(around 3 million)
dns  recon  enumeration  pentest 
12 weeks ago by whip_lash
Love letters from the red team: from e-mail to NTLM hashes with Microsoft Outlook
Even though all it takes to exploit the issue is the ability to send an HTML e-mail, meaning it is possible to use any e-mail client or even a script to automate this attack, in this section we will describe how to achieve this using Microsoft Outlook itself.
responder  outlook  hash  email  pentest 
12 weeks ago by whip_lash
Bring Your Own Land (BYOL) – A Novel Red Teaming Technique « Bring Your Own Land (BYOL) – A Novel Red Teaming Technique | FireEye Inc
In this blog post, I will discuss an alternative to current LotL techniques. With the most current build of Cobalt Strike (version 3.11), it is now possible to execute .NET assemblies entirely within memory by using the “execute-assembly” command. By developing custom C#-based assemblies, attackers no longer need to rely on the tools present on the target system; they can instead write and deliver their own tools, a technique I call Bring Your Own Land (BYOL).
cobaltstrike  byol  c#  pentest 
12 weeks ago by whip_lash
Web Application Penetration Testing Tool: Tracy
Tracy is a pentesting tool designed to assist with finding all sinks and sources of a web application and display these results in a digestible manner. tracy should be used during the mapping-the-application phase of the pentest to identify sources of input and their corresponding outputs. tracy can use this data to intelligently find vulnerable instances of XSS, especially with web applications that use lots of JavaScript.
webapp  pentest  xss 
12 weeks ago by whip_lash
exploitexcel.png (1272×694)
Which privesc exploits work on which Windows versions
Windows  exploits  pentest  privesc  privilegeescalation 
12 weeks ago by whip_lash
« earlier      
per page:    204080120160

Copy this bookmark:





to read