Examples
Examples host/IP - ./changeme.py 192.168.59.3 proto://host - ./changeme.py mongodb://192.168.59.3 subnet - ./changeme.py 192.168.59.0/24 host list (may contain any of the above) - ./changeme.py hosts.txt nmap xml - ./changeme.py subnet.
Toppling Domino - Testing security in a Lotus Notes environment - Darren Fuller
Although there have been a number of technical papers published by different researchers covering Lotus Notes/Domino security it is rarely covered by the wider pen testing community. In this presentation I'll aim to give a general overview of Domino security and demonstrate ways of breaking in. This
Docker for Pentesters
Over the last few years I have done a complete 180 on Docker (well, containerization in general). One of the very first posts I wrote on this blog was about plundering Docker images, and at the time I was not a fan.
eth0izzle/shhgit
Accidentally leaking secrets — usernames and passwords, API tokens, or private keys — in a public code repository is a developers and security teams worst nightmare. Fraudsters constantly scan public code repositories for these secrets to gain a foothold in to systems.
Home
Password spraying is a well-known technique which consists of testing the same password on several accounts, in the hope that it will work for one of them. This technique is used in many different contexts: On web applications, the Cloud, services like SSH, FTP, and many others.
500/udp - Pentesting IPsec/IKE VPN
IPsec is widely recognized as the principal technology for securing communications between networks (LAN-to-LAN) and from remote users to the network gateway (remote access), serving as the backbone for enterprise VPN solutions.
Windows DLL Hijacking (Hopefully) Clarified
Whenever a “new” DLL hijacking / planting trick is posted on Twitter, it generates a lot of comments. “It’s not a vulnerability!” or “There is a lot of hijackable DLLs on Windows…” are the most common reactions.
Reverse Engineering Nike Run Club Android App Using Frida
Hi everyone! 👋 If you have been following my blog then you might have already read the article on reverse engineering an Android app by writing custom smali code. I am still very much a reverse engineering beginner so after that article, I got to learn about Frida.
terjanq/Tiny-XSS-Payloads
A collection of short XSS payloads that can be used in different contexts. The DEMO available here: https://tinyxss.terjanq.
hlldz/dazzleUP
A tool that detects the privilege escalation vulnerabilities caused by misconfigurations and missing updates in the Windows operating systems. dazzleUP detects the following vulnerabilities.
Puppet Assessment Techniques
Hardening guides for different systems that can be managed by Puppet are easy to find, but not the guides for hardening Puppet itself. The enterprise software configuration management (SCM) tool Puppet is valued by many SysAdmins and DevOps, e.g.
actuated/ike-trans
A variation of the IKE-SCAN user guide's transforms discovery script, adding a few features. Handshakes can be done in Main or Aggressive Modes. For Aggresive Mode, a custom group ID can be given. Targets can be specified as a single IP, or an input file of multiple IPs. ike-trans.
How To: Bypass File Upload Restrictions on Web Apps to Get a Shell
One of the most promising avenues of attack in a web application is the file upload. With results ranging from XSS to full-blown code execution, file uploads are an attractive target for hackers.
Introducing BloodHound 4.0: The Azure Update
We released BloodHound in 2016. Since then, BloodHound has been used by attackers and defenders alike to identify and analyze attack paths in on-prem Active Directory environments. Now, I am very proud to announce the release of BloodHound 4.0: The Azure Update.
Windows Lateral Movement with smb, psexec and alternatives
During a red team engangement there are several choices for lateral movement, whether you have credentials or hashes. Each choice has different configuration requirements in order to work, while it leaves different fingerprints on the remote machine.
opsdisk/the_cyber_plumbers_handbook
This repo contains the PDF book The Cyber Plumber's Handbook - The definitive guide to Secure Shell (SSH) tunneling, port redirection, and bending traffic like a boss.
Domain Persistence – Machine Account
Machine accounts play a role in red team operations as in a number of techniques are utilized for privilege escalation, lateral movement and domain escalation. However, there are also cases which a machine account could be used for establishing domain persistence.
Extracting Secrets from LSA by Use of PowerShell
During a research project, SySS IT security consultant Sebastian Hölzle worked on the problem of parsing Local Security Authority (LSA) process memory dumps using PowerShell and here are his results.
The Blind Spots of BloodHound
Let’s get one thing straight: This article is not at all a dig on BloodHound. BloodHound has been nothing short of revolutionary to the way attackers think about attacking large networks, and frankly, the way defenders should think about defending their network.
l+f: Monomorph - ein MD5-Hashwert für alles
Zur Identifizierung von Malware setzen einige Forscher auf MD5-Hashes. Ein Exploit-Entwickler liefert ein Tool, das Shellcode mit stets gleichem Hash verpackt.
t3l3machus/eviltree
A standalone python3 remake of the classic "tree" command with the additional feature of searching for user provided keywords/regex in files, highlighting those that contain matches.
Dec0ne/ShadowSpray
A tool to spray Shadow Credentials across an entire domain in hopes of abusing long forgotten GenericWrite/GenericAll DACLs over other objects in the domain.
Automatisiertes Pentesting?
Cyberkriminelle entwickeln stetig neue Methoden um IT-Netzwerke zu hacken und Daten abzugreifen. Damit Schritt zu halten, ist für IT-Admins nicht einfach. Automatisierte Security Validation ist eine Lösung, die genau das kann.
We're back! - 0xdeaddood
Sorry, Pocket didn't save an excerpt for this link.
PingCastle
Ping Castle is a tool designed to assess quickly the Active Directory security level with a methodology based on risk assessment and a maturity framework. It's a simple zipped download that you can just run as a normal domain user, no install required.
QNAP SECURITY BOUNTY PROGRAM TERMS AND CONDITIONS
The QNAP Security Bounty Program Terms and Conditions ("T&C") is between QNAP Systems, Inc. ("QNAP," "we" or "us") and any individuals, entities or organizations who participate (“Participants,” “you” or “your”) in the QNAP Security Bounty Program ("Program").
Penetrationstester: Angreifer im Dienste des Guten
Kriminelle nutzen für Attacken sowohl technische Schwachstellen als auch die Gutmütigkeit der Menschen. Die Gegenseite geht ebenso vor, erzählt ein Pentester. "Mein Name ist Steffen Stepper, ich bin 32 Jahre und arbeite als IT-Security Consultant.
What is Tier Zero — Part 1
Tier Zero is a crucial group of assets in Active Directory (AD) and Azure. Its purpose is to protect the most critical components by creating a security boundary and preventing a complete compromise. Defining Tier Zero for your environment is not a straightforward task.
Microsoft Azure AD flaw can lead to account takeover
Researchers have found that a flaw in Microsoft Azure AD can be used by attackers to take over accounts that rely on pre-established trust.
Sorry, But Your Mouse is Still Admin // Another Razer Synapse LPE (SYSS-2023-002, CVE-2022-47631)
In this PoC video, a local privilege escalation (LPE) attack exploiting yet another security vulnerability in the Razer Synapse software for Windows is demonstrated. Due to the use of an insecure installation path and improper file integrity checks, the installation of the associated Razer system s