Sorry, But Your Mouse is Still Admin (SYSS-2023-002, CVE-2022-47631)
#razer #security #vulnerability In this PoC video, a local privilege escalation (LPE) attack exploiting yet another security vulnerability in the Razer Synapse software for Windows is demonstrated. Due to the use of an insecure installation path and improper file integrity checks, the installatio
What is Tier Zero — Part 1
Tier Zero is a crucial group of assets in Active Directory (AD) and Azure. Its purpose is to protect the most critical components by creating a security boundary and preventing a complete compromise. Defining Tier Zero for your environment is not a straightforward task.
Microsoft Azure AD flaw can lead to account takeover
Researchers have found that a flaw in Microsoft Azure AD can be used by attackers to take over accounts that rely on pre-established trust.
Penetrationstester: Angreifer im Dienste des Guten
Kriminelle nutzen für Attacken sowohl technische Schwachstellen als auch die Gutmütigkeit der Menschen. Die Gegenseite geht ebenso vor, erzählt ein Pentester. "Mein Name ist Steffen Stepper, ich bin 32 Jahre und arbeite als IT-Security Consultant.
QNAP SECURITY BOUNTY PROGRAM TERMS AND CONDITIONS
The QNAP Security Bounty Program Terms and Conditions ("T&C") is between QNAP Systems, Inc. ("QNAP," "we" or "us") and any individuals, entities or organizations who participate (“Participants,” “you” or “your”) in the QNAP Security Bounty Program ("Program").
Internal Pentest
Sorry, Pocket didn't save an excerpt for this link.
We’re back!
As I mentioned some time ago, the Impacket project has found a new home at Fortra 🥳. I’m really excited to start working with the team and we’re looking forward to taking Impacket to the next level 🚀🌕. As many of you may have noticed, the project has been on hold for several months.
Automatisiertes Pentesting?
Automatisierung ist die Zukunft Automatisiertes Pentesting? Anbieter zum Thema Rapid7 Germany Arvato Systems TXOne Networks mod IT Services Cyberkriminelle entwickeln stetig neue Methoden um IT-Netzwerke zu hacken und Daten abzugreifen. Damit Schritt zu halten, ist für IT-Admins nicht einfach.
Windows DLL Hijacking (Hopefully) Clarified
Whenever a “new” DLL hijacking / planting trick is posted on Twitter, it generates a lot of comments. “It’s not a vulnerability!” or “There is a lot of hijackable DLLs on Windows…” are the most common reactions.
Dec0ne/ShadowSpray
ShadowSpray A tool to spray Shadow Credentials across an entire domain in hopes of abusing long forgotten GenericWrite/GenericAll DACLs over other objects in the domain.
t3l3machus/eviltree
EvilTree A standalone python3 remake of the classic "tree" command with the additional feature of searching for user provided keywords/regex in files, highlighting those that contain matches.
l+f: Monomorph - ein MD5-Hashwert für alles
Zur Identifizierung von Malware setzen einige Forscher auf MD5-Hashes. Ein Exploit-Entwickler liefert ein Tool, das Shellcode mit stets gleichem Hash verpackt.
The Blind Spots of BloodHound
Let’s get one thing straight: This article is not at all a dig on BloodHound. BloodHound has been nothing short of revolutionary to the way attackers think about attacking large networks, and frankly, the way defenders should think about defending their network.
Home
Within an Active Directory, services can be used by users. Sometimes these services need to contact others, on behalf of the user, like a web service might need to contact a file server.
Examples
Examples host/IP - ./changeme.py 192.168.59.3 proto://host - ./changeme.py mongodb://192.168.59.3 subnet - ./changeme.py 192.168.59.0/24 host list (may contain any of the above) - ./changeme.py hosts.txt nmap xml - ./changeme.py subnet.
Windows Lateral Movement with smb, psexec and alternatives
During a red team engangement there are several choices for lateral movement, whether you have credentials or hashes. Each choice has different configuration requirements in order to work, while it leaves different fingerprints on the remote machine.
Domain Persistence – Machine Account
Machine accounts play a role in red team operations as in a number of techniques are utilized for privilege escalation, lateral movement and domain escalation. However, there are also cases which a machine account could be used for establishing domain persistence.
Extracting Secrets from LSA by Use of PowerShell
During a research project, SySS IT security consultant Sebastian Hölzle worked on the problem of parsing Local Security Authority (LSA) process memory dumps using PowerShell and here are his results.
How To: Bypass File Upload Restrictions on Web Apps to Get a Shell
One of the most promising avenues of attack in a web application is the file upload. With results ranging from XSS to full-blown code execution, file uploads are an attractive target for hackers.
The Cyber Plumber's Handbook
This repo contains the PDF book The Cyber Plumber's Handbook - The definitive guide to Secure Shell (SSH) tunneling, port redirection, and bending traffic like a boss.
Toppling Domino - Testing security in a Lotus Notes environment - Darren Fuller
Although there have been a number of technical papers published by different researchers covering Lotus Notes/Domino security it is rarely covered by the wider pen testing community. In this presentation I'll aim to give a general overview of Domino security and demonstrate ways of breaking in. This
Introducing BloodHound 4.0: The Azure Update
We released BloodHound in 2016. Since then, BloodHound has been used by attackers and defenders alike to identify and analyze attack paths in on-prem Active Directory environments. Now, I am very proud to announce the release of BloodHound 4.0: The Azure Update.
ike-trans
A variation of the IKE-SCAN user guide's transforms discovery script, adding a few features. Handshakes can be done in Main or Aggressive Modes. For Aggresive Mode, a custom group ID can be given. Targets can be specified as a single IP, or an input file of multiple IPs. ike-trans.
500/udp - Pentesting IPsec/IKE VPN
IPsec is the most commonly used technology for both gateway-to-gateway (LAN-to-LAN) and host to gateway (remote access) enterprise VPN solutions. IKE is a type of ISAKMP (Internet Security Association Key Management Protocol) implementation, which is a framework for authentication and key exchange.
Puppet Assessment Techniques
Hardening guides for different systems that can be managed by Puppet are easy to find, but not the guides for hardening Puppet itself. The enterprise software configuration management (SCM) tool Puppet is valued by many SysAdmins and DevOps, e.g.
Sponsor eth0izzle/shhgit
shhgit helps secure forward-thinking development, operations, and security teams by finding secrets across their code before it leads to a security breach.
dazzleUP
dazzleUP A tool that detects the privilege escalation vulnerabilities caused by misconfigurations and missing updates in the Windows operating systems. dazzleUP detects the following vulnerabilities.
Tiny-XSS-Payloads
Tiny-XSS-Payloads A collection of short XSS payloads that can be used in different contexts. The DEMO available here: https://tinyxss.terjanq.
Docker for Pentesters
Over the last few years I have done a complete 180 on Docker (well, containerization in general). One of the very first posts I wrote on this blog was about plundering Docker images, and at the time I was not a fan.
Reverse Engineering Nike Run Club Android App Using Frida
Hi everyone! 👋 If you have been following my blog then you might have already read the article on reverse engineering an Android app by writing custom smali code. I am still very much a reverse engineering beginner so after that article, I got to learn about Frida.
Slicer
Slicer accepts a path to an extracted APK file and then returns all the activities, receivers, and services which are exported and have null permissions and can be externally provoked. Note: The APK has to be extracted via jadx or apktool.
BloodHound Cypher Cheatsheet
Bloodhound uses Neo4j, a graphing database, which uses the Cypher language. Cypher is a bit complex since it’s almost like programming with ASCII art.
sysdream/ligolo
Ligolo : Reverse Tunneling made easy for pentesters, by pentesters Table of ContentsIntroduction Use case Quick Demo Performance Usage Setup / Compiling How to use? TL;DR Options Features To Do Licensing Credits Introduction Ligolo is a simple and lightweight tool for establishing SOCKS5 or TCP tun
Scrcpy (the Android Mirroring App) Picks Up New Features
If you read this blog regularly enough you’ll be familiar with scrcpy, an ace root-free way to mirror your Android smartphone on your Ubuntu desktop and interact with it. Scrcpy is free, it’s open source, it’s awesome.
Sandboxie: Windows-Tool für Sandboxing ist jetzt Open Source
Das bei Entwicklern und Sicherheitsforschern beliebte Windows-Tool Sandboxie wurde von Sophos unter der GPLv3-Lizenz veröffentlicht. Sandboxie ist nun unter der GPLv3-Lizenz erhältlich.
Taking Back What Is Already Yours: Router Wars Episode III
In the previous part, we gathered the firmware and caught the password for Root user. Note that the password is for the web Interface. First, I want to log in to the web interface to see if the Root user has extra control than usual admin user. Also it is easier to try than reversing the firmware.
Taking Back What Is Already Yours: Router Wars Episode II
In the previous post, we’ve learned that our router is connecting to acs.superonline.net and we assumed it’s an Auto Configuration Server. Since it was a TLS connection, we couldn’t see the details of that communication. There isn’t any known attack on TLS v1.2 which our router is using.
Taking Back What Is Already Yours: Router Wars Episode I
I have been living in my current apartment for more than a year now and I noticed I have never inspected my router which was provided by my ISP when I moved in. The only thing I changed in router is the default login password(admin/password) to the web interface.
Oh, My Kerberos! Do Not Get Kerberoasted!
Part of an upcoming series trying to shed the light on attacks targeting Microsoft Kerberos implementation in Active Directory Environments. According to myth, Cerberus guards the Gates to the Underworld. As It’s a big 3 headed dog with a snake’s tail.
Runtime Mobile Security (RMS) 📱🔥
Runtime Mobile Security (RMS), powered by FRIDA, is a powerful web interface that helps you to manipulate Android and iOS Apps at Runtime.
Permission Memo
To properly secure this organization's information technology assets, the information security team is required to assess our security stance periodically by conducting vulnerability assessments and penetration testing.
Lateral movement via MSSQL: a tale of CLR and socket reuse
Recently, our Red Team had to deal with a restricted scenario, where all traffic from the DMZ to the main network was blocked, except for connections to specific services like databases and some web applications.
Hershell
Simple TCP reverse shell written in Go. It uses TLS to secure the communications, and provide a certificate public key fingerprint pinning feature, preventing from traffic interception.
Exploiting Netgear's Routerlogin.com
A recent tweet about Netgear’s inclusion of private keys for trusted HTTPS certificates in their router firmware sparked a discussion about whether this presents a material security risk.
Abusing Exchange Mailbox Permissions with MailSniper
Microsoft Exchange users have the power to grant other users various levels of access to their mailbox folders. For example, a user can grant other users access to read emails from their Inbox.
Tenable Community
Sorry, Pocket didn't save an excerpt for this link.
5 CSRF Vulnerabilities Known For Highest Bounty Rewards
If you don’t know, a bug bounty program is a modern strategy to encourage the public to find and report bugs or vulnerabilities in software — especially the security bugs that may be misused by cybercriminals.
THC's favourite Tips, Tricks & Hacks (Cheat Sheet)
A collection of our favourite tricks. Many of those tricks are not from us. We merely collect them. We show the tricks 'as is' without any explanation why they work. You need to know Linux to understand how and why they work.
iPhone: Überwachungsfirmen integrieren Boot-ROM-Exploit
Der unpatchbare Exploit ist ein "Durchbruch" für das Erfassen "digitaler Beweise", so Cellebrite. Auch auf gesperrte iPhones sei begrenzter Zugriff möglich.
File Inclusions: kleiner Programmierfehler, fatale Wirkung, Teil 1
Ein Verständnis für die allgemeinen Sicherheitslücken, die sich durch File Inclusions ergeben, ist vor allem für Softwareentwickler relevant, die lernen möchten, wie sie die Schwachstellen vermeiden können und für Pentester, die mit den Angriffsmustern vertraut sein müssen, die sich daraus e
New reverse proxy tool posted on Github can easily bypass 2FA and automate phishing attacks
What just happened? A security researcher in Poland has released a tool that automates phishing attacks and can easily bypass two-factor authentication (2FA). Piotr Duszynsky released the tool a few days ago and it has put the security community on high alert.
Umgang mit Sicherheitslücken
Was macht man eigentlich, wenn man eine gravierende Sicherheitslücke in einem von vielen Menschen genutzten Programm oder Gerät entdeckt? Der ganzen Welt davon zu erzählen, scheint da im ersten Moment eine denkbar schlechte Idee.
pypykatz
Mimikatz implementation in pure Python. At least a part of it 🙂 Runs on all OS's which support python>=3.6 Since version 0.1.1 the command line changed a little. Worry not, I have an awesome WIKI for you.
Professional 2.1.04
This release includes a number of minor enhancements and bugfixes. In Burp Repeater, there are new options to close a tab, close all other tabs, and reopen a closed tab. You can access these actions via the context menu on the tab header, or by assigning hotkeys.
MimiPenguin 2.0
A tool to dump the login password from the current linux desktop user. Adapted from the idea behind the popular Windows tool mimikatz. This was assigned CVE-2018-20781 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20781). Fun fact it's still not fixed after GNOME Keyring 3.27.
:: Research ::
In 2012, Bloomberg published a somewhat famous (at least to bug bounty participants) article on Facebook's "Whitehat" bug bounty program. In this article, Facebook is quoted as saying: "If there's a million-dollar bug, we will pay it out".
Command Injection with USB Peripherals
When this Project Zero report came out I started thinking more about USB as an interesting attack surface for IoT devices.
Android deserialization vulnerabilities: A brief history
In this post I will review some deserialization vulnerabilities in Android, and show how one simple QL query can identify most of them. To minimize the damage from malicious apps and malware, every Android application runs in a sandbox as a separate Linux user with very limited privileges.
Consensual phishing: How to crack your half-forgotten crypto password
Phil Dougherty has a side hustle as a friendly hacker. By day, he's a software developer at the University of Wisconsin, building free educational games and conducting research on the ways people play them.
QUICK EXAMPLE:
expandpass is a simple string-expander. Useful for cracking passwords you kinda-remember. Note: This had to be a (very) short example- because the output grows very fast!
PSD2 – Mandatory Account Access for Third Party Providers
On September 14th the final deadline of complying with the new Payment Service Directive PSD2 will be reached. Among other things, this directive will bring quite a few technical challenges for credit institutions.
How I Could Have Hacked Any Instagram Account
This article is about how I found a vulnerability on Instagram that allowed me to hack any Instagram account without consent permission. Facebook and Instagram security team fixed the issue and rewarded me $30000 as a part of their bounty program.
Bypassing IP Based Blocking with AWS API Gateway
In external and red team engagements, we often come across different forms of IP based blocking. This prevents things like password brute forcing, password spraying, API rate limiting, and other forms of IP blocking like web application firewalls (WAFs).
IPRotate_Burp_Extension
Extension for Burp Suite which uses AWS API Gateway to change your IP on every request. This extension allows you to easily spin up API Gateways across multiple regions.
Pentesting Dropbox on Steroids
Many of you have probably already looked at Beau Bullock’s fine blog entry on a penetration testing dropbox. Beau has some excellent guidance on how to build the base dropbox platform using different platforms.
Abusing Windows Remote Management (WinRM) with Metasploit
Late one night at Derbycon, Mubix and I were discussing various techniques of mass ownage. When Mubix told me about the WinRM service, I wondered: "Why don't we have any Metasploit modules for this yet?" After I got back , I began digging.
Testing Multiple Factors Authentication (OWASP-AT-009)
This article is part of the OWASP Testing Guide v3. The entire OWASP Testing Guide v3 can be downloaded here. Evaluating the strength of a “Multiple Factors Authentication System” (MFAS) is a critical task for the Penetration tester.