In corporate penetration tests, lateral movement and elevation of privilege are two fundamental concepts for advancing and gaining control of the target.
Targets can be specified in a number of ways. Below are examples of how targets can be fed into changeme. Normally when you specify a target, only the default port (as specified in the yaml file) is checked. For example, when scanning for Apache Tomcat, only port 8080 is checked.
During a red team engagement there are several choices for lateral movement, whether you have credentials or hashes. Each choice has different configuration requirements in order to work, and each leaves different fingerprints on the remote machine.
Machine accounts play a role in red team operations, since a number of techniques use them for privilege escalation, lateral movement and domain escalation. However, there are also cases in which a machine account could be used for establishing domain persistence.
During a research project, SySS IT security consultant Sebastian Hölzle worked on the problem of parsing Local Security Authority (LSA) process memory dumps using PowerShell and here are his results.
One of the most promising avenues of attack in a web application is the file upload. With results ranging from XSS to full-blown code execution, file uploads are an attractive target for hackers.
This repo contains the PDF book The Cyber Plumber's Handbook - The definitive guide to Secure Shell (SSH) tunneling, port redirection, and bending traffic like a boss.
Although there have been a number of technical papers published by different researchers covering Lotus Notes/Domino security it is rarely covered by the wider pen testing community. In this presentation I'll aim to give a general overview of Domino security and demonstrate ways of breaking in. This
We released BloodHound in 2016. Since then, BloodHound has been used by attackers and defenders alike to identify and analyze attack paths in on-prem Active Directory environments. Now, I am very proud to announce the release of BloodHound 4.0: The Azure Update.
A variation of the IKE-SCAN user guide's transforms discovery script, adding a few features. Handshakes can be done in Main or Aggressive Mode. For Aggressive Mode, a custom group ID can be given. Targets can be specified as a single IP, or an input file of multiple IPs. ike-trans.
IPsec is the most commonly used technology for both gateway-to-gateway (LAN-to-LAN) and host-to-gateway (remote access) enterprise VPN solutions. IKE is a type of ISAKMP (Internet Security Association and Key Management Protocol) implementation, which is a framework for authentication and key exchange.
Hardening guides for different systems that can be managed by Puppet are easy to find, but not the guides for hardening Puppet itself. The enterprise software configuration management (SCM) tool Puppet is valued by many SysAdmins and DevOps, e.g.
shhgit helps secure forward-thinking development, operations, and security teams by finding secrets across their code before it leads to a security breach.
dazzleUP: A tool that detects the privilege escalation vulnerabilities caused by misconfigurations and missing updates in Windows operating systems. dazzleUP detects the following vulnerabilities.
Tiny-XSS-Payloads: A collection of short XSS payloads that can be used in different contexts. The demo is available here: https://tinyxss.terjanq.
Over the last few years I have done a complete 180 on Docker (well, containerization in general). One of the very first posts I wrote on this blog was about plundering Docker images, and at the time I was not a fan.
Hi everyone! 👋 If you have been following my blog then you might have already read the article on reverse engineering an Android app by writing custom smali code. I am still very much a reverse engineering beginner so after that article, I got to learn about Frida.
Slicer accepts a path to an extracted APK file and then returns all the activities, receivers, and services which are exported and have null permissions and can be externally provoked. Note: The APK has to be extracted via jadx or apktool.
Bloodhound uses Neo4j, a graphing database, which uses the Cypher language. Cypher is a bit complex since it’s almost like programming with ASCII art.
Ligolo: Reverse Tunneling made easy for pentesters, by pentesters. Table of Contents: Introduction, Use case, Quick Demo, Performance, Usage, Setup / Compiling, How to use?, TL;DR, Options, Features, To Do, Licensing, Credits. Introduction: Ligolo is a simple and lightweight tool for establishing SOCKS5 or TCP tun
If you read this blog regularly enough you’ll be familiar with scrcpy, an ace root-free way to mirror your Android smartphone on your Ubuntu desktop and interact with it. Scrcpy is free, it’s open source, it’s awesome.
The Windows tool Sandboxie, popular with developers and security researchers, has been released by Sophos under the GPLv3 license. Sandboxie is now available under the GPLv3 license.
In the previous part, we gathered the firmware and caught the password for the Root user. Note that the password is for the web interface. First, I want to log in to the web interface to see if the Root user has more control than the usual admin user. Also, it is easier to try than reversing the firmware.
In the previous post, we’ve learned that our router is connecting to acs.superonline.net and we assumed it’s an Auto Configuration Server. Since it was a TLS connection, we couldn’t see the details of that communication. There isn’t any known attack on TLS v1.2 which our router is using.
I have been living in my current apartment for more than a year now and I noticed I have never inspected my router, which was provided by my ISP when I moved in. The only thing I changed in the router is the default login password (admin/password) to the web interface.
Part of an upcoming series trying to shed light on attacks targeting the Microsoft Kerberos implementation in Active Directory environments. According to myth, Cerberus guards the gates to the Underworld. It's a big three-headed dog with a snake's tail.
Runtime Mobile Security (RMS), powered by FRIDA, is a powerful web interface that helps you to manipulate Android and iOS Apps at Runtime.
To properly secure this organization's information technology assets, the information security team is required to assess our security stance periodically by conducting vulnerability assessments and penetration testing.
Recently, our Red Team had to deal with a restricted scenario, where all traffic from the DMZ to the main network was blocked, except for connections to specific services like databases and some web applications.
Simple TCP reverse shell written in Go. It uses TLS to secure the communications, and provides a certificate public-key fingerprint pinning feature to prevent traffic interception.
A recent tweet about Netgear’s inclusion of private keys for trusted HTTPS certificates in their router firmware sparked a discussion about whether this presents a material security risk.
Microsoft Exchange users have the power to grant other users various levels of access to their mailbox folders. For example, a user can grant other users access to read emails from their Inbox.
If you don’t know, a bug bounty program is a modern strategy to encourage the public to find and report bugs or vulnerabilities in software — especially the security bugs that may be misused by cybercriminals.
A collection of our favourite tricks. Many of those tricks are not from us. We merely collect them. We show the tricks 'as is' without any explanation why they work. You need to know Linux to understand how and why they work.
The unpatchable exploit is a "breakthrough" for collecting "digital evidence", according to Cellebrite. Limited access is also said to be possible on locked iPhones.
An understanding of the general security vulnerabilities that arise from file inclusions is particularly relevant for software developers who want to learn how to avoid the weaknesses, and for pentesters who need to be familiar with the attack patterns that
What just happened? A security researcher in Poland has released a tool that automates phishing attacks and can easily bypass two-factor authentication (2FA). Piotr Duszynsky released the tool a few days ago and it has put the security community on high alert.
What do you actually do when you discover a serious security vulnerability in a program or device used by many people? Telling the whole world about it seems, at first glance, like a decidedly bad idea.
Mimikatz implementation in pure Python. At least a part of it 🙂 Runs on all OSes that support Python >= 3.6. Since version 0.1.1 the command line changed a little. Worry not, I have an awesome WIKI for you.
This release includes a number of minor enhancements and bugfixes. In Burp Repeater, there are new options to close a tab, close all other tabs, and reopen a closed tab. You can access these actions via the context menu on the tab header, or by assigning hotkeys.
A tool to dump the login password from the current Linux desktop user. Adapted from the idea behind the popular Windows tool mimikatz. This was assigned CVE-2018-20781 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20781). Fun fact: it's still not fixed after GNOME Keyring 3.27.
In 2012, Bloomberg published a somewhat famous (at least to bug bounty participants) article on Facebook's "Whitehat" bug bounty program. In this article, Facebook is quoted as saying: "If there's a million-dollar bug, we will pay it out".
When this Project Zero report came out I started thinking more about USB as an interesting attack surface for IoT devices.
In this post I will review some deserialization vulnerabilities in Android, and show how one simple QL query can identify most of them. To minimize the damage from malicious apps and malware, every Android application runs in a sandbox as a separate Linux user with very limited privileges.
Phil Dougherty has a side hustle as a friendly hacker. By day, he's a software developer at the University of Wisconsin, building free educational games and conducting research on the ways people play them.
expandpass is a simple string-expander. Useful for cracking passwords you kinda remember. Note: This had to be a (very) short example, because the output grows very fast!
On September 14th the final deadline of complying with the new Payment Service Directive PSD2 will be reached. Among other things, this directive will bring quite a few technical challenges for credit institutions.
This article is about how I found a vulnerability on Instagram that allowed me to hack any Instagram account without consent or permission. The Facebook and Instagram security team fixed the issue and rewarded me $30000 as a part of their bounty program.
In external and red team engagements, we often come across different forms of IP based blocking. This prevents things like password brute forcing, password spraying, API rate limiting, and other forms of IP blocking like web application firewalls (WAFs).
Extension for Burp Suite which uses AWS API Gateway to change your IP on every request. This extension allows you to easily spin up API Gateways across multiple regions.
Many of you have probably already looked at Beau Bullock’s fine blog entry on a penetration testing dropbox. Beau has some excellent guidance on how to build the base dropbox platform using different platforms.
Late one night at Derbycon, Mubix and I were discussing various techniques of mass ownage. When Mubix told me about the WinRM service, I wondered: "Why don't we have any Metasploit modules for this yet?" After I got back, I began digging.
This article is part of the OWASP Testing Guide v3. The entire OWASP Testing Guide v3 can be downloaded here. Evaluating the strength of a “Multiple Factors Authentication System” (MFAS) is a critical task for the Penetration tester.