
APT

Channel address: @apt_notes
Categories: Apps
Language: English
Subscribers: 3.14K
Description from channel

This channel discusses:
— Offensive Security
— RedTeam
— Malware Research
— BugBounty
— OSINT
— etc
Disclaimer:
t.me/APT_Notes/6
Chat Link:
t.me/APT_Notes_PublicChat

Ratings & Reviews: 3.50 (2 reviews: one 5-star, one 2-star)

The latest Messages

2022-08-31 21:10:21
MSSQL Analysis Services — Coerced Authentication

A new technique to coerce an SMB authentication from a Windows SQL Server as the machine account.

PoC:
https://github.com/p0dalirius/MSSQL-Analysis-Coerce

#ad #mssql #smb #relay
268 views
2022-08-31 11:21:59
NTLMv1 vs NTLMv2: Digging into an NTLM Downgrade Attack

This article discusses the NTLM specifications to better understand how various aspects of the NTLM protocol function. It also covers bypassing SMB signing, relaying SMB to LDAP, and relaying NTLMv1 authentication attempts to the ADFS service.

https://www.praetorian.com/blog/ntlmv1-vs-ntlmv2/

#ad #ntlm #smb #relay
701 views
2022-08-29 10:31:04
Hackers No Hashing: Randomizing API Hashes to Evade Cobalt Strike Shellcode Detection

If you utilise API hashing in your malware or offensive security tooling, try rotating your API hashes. This can have a significant impact on detection rates and improve your chances of remaining undetected by AV/EDR.

Blog:
https://www.huntress.com/blog/hackers-no-hashing-randomizing-api-hashes-to-evade-cobalt-strike-shellcode-detection

Source:
https://github.com/matthewB-huntress/APIHashReplace

#maldev #evasion #hinvoke #cobaltstrike #redteam
944 views
2022-08-23 01:56:18
Masky

Masky is a Python library providing an alternative way to remotely dump domain users' credentials via ADCS. A command-line tool has been built on top of this library in order to easily gather PFX files, NT hashes and TGTs across a larger scope.

This tool does not exploit any new vulnerability and does not work by dumping the LSASS process memory. Indeed, it only takes advantage of legitimate Windows and Active Directory features (token impersonation, certificate authentication via kerberos & NT hashes retrieval via PKINIT).

Blog:
https://z4ksec.github.io/posts/masky-release-v0.0.3/

Source:
https://github.com/Z4kSec/Masky

#ad #adcs #lsass #redteam
1.3K views (edited)
2022-08-21 20:12:08
BBOT: OSINT automation for hackers

This tool is capable of executing the entire OSINT process in a single command, including subdomain enumeration, port scanning, web screenshots (with its gowitness module), vulnerability scanning (with nuclei), and much more. BBOT currently has over 50 modules and counting.

Features:
— Recursive;
— Graphing;
— Modular;
— Multi-Target;
— Automatic Dependencies;
— Smart Dictionary Attacks;
— Scope Distance;
— Easily Configurable via YAML.

Blog:
https://blog.blacklanternsecurity.com/p/bbot

Source:
https://github.com/blacklanternsecurity/bbot

#external #recon #osint #redteam #bugbounty
1.2K views (edited)
2022-08-18 12:48:10
EDRSandBlast

EDRSandBlast is a tool written in C that weaponizes a vulnerable signed driver to bypass EDR detections (kernel callbacks and the ETW TI provider) and LSASS protections. Multiple userland unhooking techniques are also implemented to evade userland…
1.3K views
2022-08-16 18:15:53 #api #params

> I can't find anything on the site, is there anything else worth looking at?

Sometimes you come across a site with only a handful of endpoints. It seems every parameter has been checked for vulnerabilities, and every conceivable injection and logic check is ticked off in the checklist.

However, there are vulnerabilities that are not visible at first glance. For example, HTTP Parameter Pollution (CAPEC-460) or External Control of Assumed-Immutable Web Parameter (CWE-472). These bugs arise from unexpected behaviour in parameter-handling functions.

Let's look at the first attack, HTTP Parameter Pollution. It consists of the ability to add repeated parameters using special query-string delimiters.

For example, we have a watermelon shop open in the browser:

example.com/profile.jsp?client_id=1

The HTML for the "Open profile" button is set dynamically in the server's response:

import org.apache.commons.httpclient.methods.GetMethod;

GetMethod get = new GetMethod("https://example.com/profile");
// client_id is concatenated unencoded, so a value such as "1&action=delete" injects a second action parameter
get.setQueryString("client_id=" + client_id + "&action=" + action);
String href_link = get.getURI().toString();

The developer should have anticipated this behaviour and checked whether the action parameter can be injected via client_id.

In general, parameter precedence and processing can be taken from the table below:

Technology/HTTP backend | Parsing Result | Example |
---------------------------------------------------------------------
ASP.NET/IIS | All occurrences | par1=val1,val2 |
ASP/IIS | All occurrences | par1=val1,val2 |
PHP/Apache | Last occurrence | par1=val2 |
JSP Servlet/Apache Tomcat | First occurrence | par1=val1 |
JSP Servlet/Oracle Application | First occurrence | par1=val1 |
IBM HTTP Server | First occurrence | par1=val1 |

So, for Server: Apache Tomcat the value from the first occurrence, action=delete, will be taken.
For Server: Apache the value will be action=view, the last parameter.

But not all servers use order-based precedence; ASP.NET/IIS, for example, concatenates the values. So in cases where sanitisation or a WAF gets in the way of executing XSS, you can build the following payload:

example.com/search?param=
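As an added example (not code from the post above), the following Python script reproduces the three parsing behaviours from the table, rebuilds the vulnerable "Open profile" link next to a hardened version that URL-encodes client_id, and shows which action each backend ends up acting on. Hostnames, the injected value and the XSS string in the usage section are constructed for illustration; the STRATEGIES mapping only covers the three behaviours the table lists.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit

# How each backend in the table above collapses a repeated parameter.
STRATEGIES = {
    "ASP.NET/IIS": "all",                  # all occurrences, joined with a comma
    "PHP/Apache": "last",                  # last occurrence wins
    "JSP Servlet/Apache Tomcat": "first",  # first occurrence wins
}


def resolve_params(query, strategy):
    """Turn a raw query string into the {name: value} view the given backend hands to the application."""
    params = {}
    for name, value in parse_qsl(query, keep_blank_values=True):
        if name not in params:
            params[name] = value
        elif strategy == "all":
            params[name] = params[name] + "," + value
        elif strategy == "last":
            params[name] = value
        # "first": keep the value that is already stored
    return params


def vulnerable_profile_link(client_id, action="view"):
    """Mirror of the Java snippet: client_id is pasted into the query string without encoding."""
    return "https://example.com/profile?client_id=" + client_id + "&action=" + action


def hardened_profile_link(client_id, action="view"):
    """Same link built with urlencode: '&' and '=' inside client_id are escaped and stay one value."""
    return "https://example.com/profile?" + urlencode({"client_id": client_id, "action": action})


def action_seen_by(backend, link):
    """Which 'action' the backend's parameter parser delivers for the generated link."""
    return resolve_params(urlsplit(link).query, STRATEGIES[backend])["action"]


if __name__ == "__main__":
    # The attacker opens profile.jsp?client_id=1%26action%3Ddelete; after decoding, the
    # application holds the value below and embeds it in the "Open profile" link (constructed).
    injected = "1&action=delete"
    for builder in (vulnerable_profile_link, hardened_profile_link):
        link = builder(injected)
        print(builder.__name__, link)
        for backend in STRATEGIES:
            print(f"  {backend:<26} action={action_seen_by(backend, link)}")
    # Comma concatenation on ASP.NET/IIS: a constructed split payload, not the post's own.
    print(resolve_params("q=<script>alert(1&q=2)</script>", "all")["q"])
```

Run it as-is; the vulnerable link yields action=delete on Tomcat, action=view on PHP/Apache and "delete,view" on ASP.NET/IIS, while the hardened link yields action=view everywhere because the injected "&" arrives as %26 and is never split.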
2022-08-16 13:00:00
Save the Environment

Many applications appear to rely on Environment Variables such as %SYSTEMROOT% to load DLLs from protected locations.
By changing these variables on process level, it is possible to let a legitimate program load arbitrary DLLs.

Research:
https://www.wietzebeukema.nl/blog/save-the-environment-variables

Source Code:
https://github.com/wietze/windows-dll-env-hijacking

#maldev #dll #hijacking #environment
1.2K views
2022-08-14 19:06:01
Determining AD domain name via NTLM Auth

If nmap (http-ntlm-info) is unable to determine the FQDN of an Active Directory domain via OWA, for example because of Citrix NetScaler or another SSO solution, do it manually!

1) curl -I -k -X POST -H 'Authorization: NTLM TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAKANc6AAAADw==' -H 'Content-Length: 0' https://autodiscover.example.com/ews

2) echo 'TlRMTVNTUAACAAAADAAMAD...' | python2 ./ntlmdecoder.py

Source:
ntlmdecoder.py

#ntlm #auth #sso #tricks #pentest
1.3K views (edited)
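As an added example (not the post's ntlmdecoder.py and not part of the original message), the Python script below does the second step offline: it checks the NEGOTIATE (Type 1) blob from the curl command, pulls the NTLM CHALLENGE (Type 2) blob out of a WWW-Authenticate header, and decodes the TargetInfo AV_PAIRs that carry the NetBIOS and DNS domain names. Because there is no server to talk to, build_sample_challenge constructs a Type 2 message for testing; the domain names, server challenge and flag values in it are made up, and field layout follows MS-NLMP.

```python
import base64
import struct

# NEGOTIATE_MESSAGE (Type 1) used in the curl command above: flags only, empty domain/workstation.
NEGOTIATE_B64 = "TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAKANc6AAAADw=="

# AV_PAIR ids (MS-NLMP 2.2.2.1) that carry naming information.
AV_NAMES = {
    1: "netbios_computer_name",
    2: "netbios_domain_name",
    3: "dns_computer_name",
    4: "dns_domain_name",
    5: "dns_tree_name",
}


def negotiate_flags(b64):
    """Return NegotiateFlags of a Type 1 message, after checking signature and message type."""
    msg = base64.b64decode(b64)
    if msg[:8] != b"NTLMSSP\x00" or struct.unpack_from("<I", msg, 8)[0] != 1:
        raise ValueError("not an NTLM NEGOTIATE_MESSAGE")
    return struct.unpack_from("<I", msg, 12)[0]


def challenge_from_response(raw_headers):
    """Pull the base64 Type 2 blob out of the WWW-Authenticate: NTLM header of a curl -I dump."""
    for line in raw_headers.splitlines():
        name, sep, value = line.partition(":")
        value = value.strip()
        if sep and name.strip().lower() == "www-authenticate" and value.upper().startswith("NTLM "):
            return value[5:].strip()
    return None


def parse_challenge(b64):
    """Decode a CHALLENGE_MESSAGE (Type 2): target name, flags, server challenge and TargetInfo names."""
    msg = base64.b64decode(b64)
    if msg[:8] != b"NTLMSSP\x00" or struct.unpack_from("<I", msg, 8)[0] != 2:
        raise ValueError("not an NTLM CHALLENGE_MESSAGE")
    tn_len, _, tn_off = struct.unpack_from("<HHI", msg, 12)   # TargetNameFields
    flags = struct.unpack_from("<I", msg, 20)[0]               # NegotiateFlags
    ti_len, _, ti_off = struct.unpack_from("<HHI", msg, 40)   # TargetInfoFields
    info = {
        "flags": flags,
        "server_challenge": msg[24:32].hex(),
        "target_name": msg[tn_off:tn_off + tn_len].decode("utf-16-le"),
    }
    pos, end = ti_off, ti_off + ti_len
    while pos + 4 <= end:
        av_id, av_len = struct.unpack_from("<HH", msg, pos)
        pos += 4
        if av_id == 0:  # MsvAvEOL terminates the list
            break
        if av_id in AV_NAMES:
            info[AV_NAMES[av_id]] = msg[pos:pos + av_len].decode("utf-16-le")
        pos += av_len
    return info


def build_sample_challenge(netbios_domain, dns_domain, dns_host):
    """Constructed Type 2 message for offline testing; a real one comes from the server's header."""
    def u16(s):
        return s.encode("utf-16-le")
    target_name = u16(netbios_domain)
    pairs = [(2, netbios_domain), (1, dns_host.split(".")[0].upper()),
             (4, dns_domain), (3, dns_host), (5, dns_domain)]
    target_info = b"".join(struct.pack("<HH", i, len(u16(v))) + u16(v) for i, v in pairs)
    target_info += struct.pack("<HH", 0, 0)                    # MsvAvEOL
    tn_off = 56                                                # 48 fixed bytes + 8-byte Version
    ti_off = tn_off + len(target_name)
    msg = b"NTLMSSP\x00" + struct.pack("<I", 2)
    msg += struct.pack("<HHI", len(target_name), len(target_name), tn_off)
    msg += struct.pack("<I", 0xE28A8215)                       # typical server flags (assumed)
    msg += bytes.fromhex("0123456789abcdef")                   # ServerChallenge (constructed)
    msg += b"\x00" * 8                                         # Reserved
    msg += struct.pack("<HHI", len(target_info), len(target_info), ti_off)
    msg += struct.pack("<BBHI", 10, 0, 17763, 0x0F000000)      # Version 10.0.17763, NTLMSSP rev 15
    return base64.b64encode(msg + target_name + target_info).decode()


if __name__ == "__main__":
    # Constructed curl -I output; replace with the real response from the target's /ews endpoint.
    sample = ("HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: NTLM "
              + build_sample_challenge("CORP", "corp.example.com", "dc01.corp.example.com")
              + "\r\nContent-Length: 0\r\n")
    print("negotiate flags:", hex(negotiate_flags(NEGOTIATE_B64)))
    for k, v in parse_challenge(challenge_from_response(sample)).items():
        print(f"{k}: {v}")
```

To use it against a live host, paste the WWW-Authenticate line from step 1 into challenge_from_response; dns_domain_name (AV id 4) is the FQDN the post is after, and dns_tree_name (AV id 5) tells you the forest root when the domain is a child.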
2022-08-13 22:50:09
Cobalt Strike Token Vault

This Beacon Object File (BOF) creates in-memory storage for stolen/duplicated Windows access tokens, allowing you to:

— Hot-swap/re-use already stolen tokens without re-duplicating them;
— Store tokens for later use in case the user logs out.

https://github.com/Henkru/cs-token-vault

#ad #tokens #c2 #cobalt #redteam
1.1K views