Bad Sector Labs Blog (4 October 2022)

Last Week in Security (LWiS) - 2022-10-03

4 October 2022 at 03:52
By: Erik

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2022-09-26 to 2022-10-03.

News

Techniques and Write-ups

Tools and Exploits

  • Havoc. This is the much anticipated C2 from @C5pider. It also supports Third Party Agents.
  • ASNMap - A Golang CLI tool for speedy reconnaissance using ASN data.
  • constellation is the first Confidential Kubernetes. Constellation shields entire Kubernetes clusters from the (cloud) infrastructure using confidential computing.
  • VirusTotalC2 - Abuses the VirusTotal API to host C2 traffic, useful for bypassing blocking firewall rules if VirusTotal is on the target's allow list; and if you don't have C2 infrastructure, now you have a free one.
  • AzTokenFinder is a small tool to extract JWT (or JWT like looking data) from different processes, like PowerShell, Excel, Word or others.
  • Freeze is a payload toolkit for bypassing EDRs using suspended processes, direct syscalls, and alternative execution methods.
  • ChTimeStamp - Changes the creation time and last-written time of a dropped file to match those of another file, such as the "kernel32.dll" timestamp.
  • ADSrunner - Writes a UUID-encoded byte array to an Alternate Data Stream of the current binary; the ADS Runner then reads that data, transfers it into a char table of UUIDs (the shellcode) and runs it.
  • FileLessRemoteShellcode - Run Fileless Remote Shellcode directly in memory with Module Unhooking, Module Stomping, No New Thread. This repository contains the TeamServer and the Stager.
  • DumpThatLSASS - Dumps LSASS by unhooking MiniDumpWriteDump using a fresh copy of DbgHelp.dll read from disk, plus function and string obfuscation. It contains an anti-sandbox check; if you run it on a slow virtual machine you need to uncomment the related code and recompile.
  • airstrike is a basic stage 0 implant.
  • KnownDllUnhook - Replaces the .text section of the currently loaded modules with the copies from KnownDlls to bypass EDRs.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

  • monkey365 provides a tool for security consultants to easily conduct not only Microsoft 365, but also Azure subscriptions and Azure Active Directory security configuration reviews.
  • lemmeknow. The fastest way to identify anything!
  • jot - Rapid note management for the terminal.
  • SnaffPoint - A tool for pointesters to find candies in SharePoint.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.


Last Week in Security (LWiS) - 2022-09-26

27 September 2022 at 03:59
By: Erik

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2022-09-19 to 2022-09-26.

News

Techniques and Write-ups

Tools and Exploits

  • AutoHoneyPoC. Automatically generate "HoneyPoC" scripts to catch people running things without understanding them.
  • SandboxSpy. Code for profiling sandboxes. The code collects environment variables and sends them back as a Base32 string over HTTP to an endpoint.
  • githubC2 - Abuses the GitHub API to host C2 traffic, useful for bypassing blocking firewall rules if GitHub is on the target's allow list; and if you don't have C2 infrastructure, now you have a free one.
  • monomorph - MD5-Monomorphic Shellcode Packer - all payloads have the same MD5 hash.
  • FilelessRemotePE - Loading Fileless Remote PE from URI to memory with argument passing and ETW patching and NTDLL unhooking and No New Thread technique.
  • mordor-rs - Rusty Hell's Gate / Halo's Gate / Tartarus' Gate and FreshyCalls / Syswhispers2 Library.
  • GwisinMsi - PoC MSI payload based on ASEC/AhnLab's blog post.
  • BloodHound.py-Kerberos - A Python based ingestor for BloodHound, now with kerberos support on Linux.
  • DLLirant is a tool to automate DLL hijacking research on a specified binary.
  • CVE-2022-2588 - This Linux LPE affects kernels 3.17 to 5.19 (Ubuntu 17-22).
  • Cronos PoC for a new sleep obfuscation technique leveraging waitable timers to evade memory scanners.
  • spycast - A cross-platform mDNS enumeration tool.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

  • bbot - OSINT automation for hackers.
  • NetCoreServer - Ultra fast and low latency asynchronous socket server & client C# .NET Core library with support for the TCP, SSL, UDP, HTTP, HTTPS and WebSocket protocols and a solution to the 10K connections problem.
  • A Free Pen Testing Learning Platform. Spin up your own cloud scenarios using these free templates.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

Last Week in Security (LWiS) - 2022-09-19

20 September 2022 at 03:50
By: Erik

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2022-09-05 to 2022-09-19.

News

Techniques and Write-ups

Tools and Exploits

  • Mimikatz update. Now you can dump plaintext Citrix passwords from memory. Best part is you don't even need elevated rights for the current user context! If anyone has this as a BOF, DM me!
  • ldapnomnom - Anonymously bruteforce Active Directory usernames from Domain Controllers by abusing LDAP Ping requests (cLDAP).
  • CVE-2022-37706-LPE-exploit - A reliable exploit + write-up to elevate privileges to root. (Tested on Ubuntu 22.04) - NOTE: only for the Enlightenment window manager (Tizen based TVs and... that's it?).
  • MasqueradingPEB - Masquerade any legitimate Windows binary by changing some fields in the PEB structure.
  • CVE North Stars - Leveraging CVEs as North Stars in vulnerability discovery and comprehension.
  • ExecRemoteAssembly - Execute Remote Assembly with args passing and with AMSI and ETW patching.
  • Teamsniper is a tool for fetching keywords in Microsoft Teams, such as passwords, emails, database names, etc.
  • DylibHijackTest - Discover DYLD_INSERT_LIBRARIES hijacks on macOS.
  • Codecepticon is a .NET application that allows you to obfuscate C#, VBA/VB6 (macros), and PowerShell source code, and is developed for offensive security engagements such as Red/Purple Teams. What separates Codecepticon from other obfuscators is that it targets the source code rather than the compiled executables, and was developed specifically for AV/EDR evasion.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

Last Week in Security (LWiS) - 2022-09-12

12 September 2022 at 23:45
By: Erik

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2022-09-06 to 2022-09-12.

News

Techniques and Write-ups

Tools and Exploits

  • Athena v0.2. A big update to an up and coming Mythic C2 agent.
  • pfBlockerNG Unauth RCE Vulnerability. This is only vulnerable on the LAN side of the firewall, unless you have some strange WAN rules that allow access to the pfBlockerNG pages from the WAN. Patched in 2022-06, it's still a bad vulnerability. PoC here.
  • QUEST KACE Desktop Authority Pre-Auth Remote Code Execution (CVE-2021-44031). Pre-Auth RCE is the flavor of the week it seems.
  • Tool Release - Monkey365. Monkey 365 is an Open Source security tool that can be used to easily conduct not only Microsoft 365, but also Azure subscriptions and Azure Active Directory security configuration reviews without the significant overhead of learning tool APIs or complex admin panels from the start.
  • Command injection vulnerability in Netgear R6200_v2 and R6300v2 routers. Authenticated and LAN side only it looks like.
  • Sandbox_Scryer is an open-source tool for producing threat hunting and intelligence data from public sandbox detonation output. The tool leverages the MITRE ATT&CK Framework to organize and prioritize findings, assisting in the assembly of IOCs, understanding attack movement and in threat hunting.
  • cobaltstrike-headless - Aggressorscript that turns the headless aggressor client into a (mostly) functional cobalt strike client.
  • CVE-2022-27925 - Zimbra Unauthenticated Remote Code Execution Exploit (CVE-2022-27925).
  • TangledWinExec - This repository is for investigation of Windows process execution techniques. Most PoCs are given a name corresponding to the technique. WmiSpawn is brand new and looks very interesting.
  • chameleon provides better content discovery by using Wappalyzer's set of technology fingerprints alongside custom wordlists tailored to each detected technology.
  • autobloody - Tool to automatically exploit Active Directory privilege escalation paths shown by BloodHound. "Automatic" and "Exploit" are two words that when used together cause me great concern.
  • evilgophish - evilginx2 + gophish.
  • rust_syscalls - Single stub direct and indirect syscalling with runtime SSN resolving for Windows.
  • HideProcessHook - DLL that hooks the NtQuerySystemInformation API and hides a process name.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

  • ContainerSSH: Launch containers on demand. ContainerSSH launches a new container for each SSH connection in Kubernetes, Podman, or Docker. The user is transparently dropped in the container and the container is removed when the user disconnects. Authentication and container configuration are dynamic using webhooks, no system users required.
  • TeamFiltration is a cross-platform framework for enumerating, spraying, exfiltrating, and backdooring O365 AAD accounts.
  • buildg - Interactive debugger for Dockerfile, with support for IDEs (VS Code, Emacs, Neovim, etc.).
  • wappalyzergo - A high performance go implementation of Wappalyzer Technology Detection Library.
  • Ekko_CFG_Bypass - A PoC for adding NtContinue to the CFG allowed list in order to make Ekko work in a CFG protected process.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

Last Week in Security (LWiS) - 2022-09-06

7 September 2022 at 03:59
By: Erik

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2022-08-29 to 2022-09-06.

News

Techniques and Write-ups

Tools and Exploits

  • SSD Advisory - Linux CONFIG_WATCH_QUEUE LPE. A vulnerability in the way Linux handles the CONFIG_WATCH_QUEUE allows local attackers to reach a race condition and use this to elevate their privileges to root. PoC and Exploit included.
  • EvilnoVNC - Ready to go Phishing Platform built on noVNC. Why intercept creds when you can have your victim use a real browser you control?
  • PXEThief is a set of tooling that can extract passwords from the Operating System Deployment functionality in Microsoft Endpoint Configuration Manager. You'll probably also want configmgr-cryptderivekey-hashcat-module, a Hashcat module that can crack a password used to derive an AES-128 key with CryptDeriveKey from CryptoAPI.
  • MsSettingsDelegateExecute. Bypass UAC on Windows 10/11 x64 using ms-settings DelegateExecute registry key.
  • NoFaxGiven. Code Execution & Persistence in NETWORK SERVICE FAX Service.
  • CVE-2022-2639-PipeVersion. It was taken down before I even got to it. Untested. Kernels 3.13 to 5.18 are vulnerable (fix committed 2022-04-15).
  • Origami - Packer compressing .net assemblies, (ab)using the PE format for data storage. Updated last week with .NET Core support, Costura support, and a simplified loader.
  • reinschauer - A PoC to remotely control Windows machines over Websockets.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

  • SCMKit allows the user to specify the Source Code Management system and attack module to use, along with specifying valid credentials (username/password or API key) to the respective SCM system. Currently, the SCM systems that SCMKit supports are GitHub Enterprise, GitLab Enterprise and Bitbucket Server. The attack modules supported include reconnaissance, privilege escalation and persistence.
  • Headway Self-hostable maps stack, powered by OpenStreetMap.
  • Use TouchID to Authenticate sudo on macOS. Your TouchID equipped Mac can easily be configured to use your fingerprint to approve sudo commands.
  • The Immediate Sound of Distant Hammers. The first sci-fi short story from Universal Shards in over a year!

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

Last Week in Security (LWiS) - 2022-08-30

31 August 2022 at 02:21
By: Erik

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2022-07-25 to 2022-08-30.

News

Techniques and Write-ups

Tools and Exploits

  • TamperingSyscalls is a novel two-part project consisting of argument spoofing and syscall retrieval, both of which abuse exception handling (EH) in order to subvert EDRs. It combines the two in order to provide an alternative to direct syscalls.
  • EntropyFix is a tool with no ascii art that reduces the entropy of your payload.
  • BlueHound is an open-source tool that helps blue teams pinpoint the security issues that actually matter. By combining information about user permissions, network access and unpatched vulnerabilities, BlueHound reveals the paths attackers would take if they were inside your network.
  • AceLdr Cobalt Strike UDRL for memory scanner evasion. [This is the best UDRL yet.]
  • Hijack Libs - The database contains 341 Sideloading, 88 Environment Variable, 8 Phantom and 5 Search Order entries.
  • Burp2Malleable Quick python utility I wrote to turn HTTP requests from burp suite into Cobalt Strike Malleable C2 profiles.
  • ExportDumper A small tool to dump the export table of PE files. The primary use case was intended for use within DLL proxying.
  • WFH - Windows Feature Hunter (WFH) is a proof of concept python script that uses Frida, a dynamic instrumentation toolkit, to assist in potentially identifying common “vulnerabilities” or “features” within Windows executables. WFH currently has the capability to automatically identify potential Dynamic Linked Library (DLL) sideloading and Component Object Model (COM) hijacking opportunities at scale.
  • jscythe - Abuse the node.js inspector mechanism in order to force any node.js/electron/v8 based process to execute arbitrary javascript code.
  • DirtyCred is a kernel exploitation concept that swaps unprivileged kernel credentials with privileged ones to escalate privilege. Instead of overwriting any critical data fields on kernel heap, DirtyCred abuses the heap memory reuse mechanism to get privileged.
  • SilentHound - Quietly enumerate an Active Directory Domain via LDAP parsing users, admins, groups, etc.
  • jwt-reauth is a Burp plugin to cache authentication tokens from an "auth" URL, and then add them as headers on all requests going to a certain scope.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

Last Week in Security (LWiS) - 2022-07-25

26 July 2022 at 03:59
By: Erik

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2022-07-18 to 2022-07-25.

News

Techniques and Write-ups

Tools and Exploits

  • DiagTrackEoP - another way to abuse SeImpersonate privilege.
  • terry-the-terraformer A Python CLI tool for deploying red team infrastructure across multiple cloud providers, all integrated with a virtual Nebula network.
  • IAM-Deescalate helps mitigate privilege escalation risk in AWS identity and access management (IAM). More info here.
  • RIPPL is a tool that abuses a usermode only exploit to manipulate PPL processes on Windows (patched in the July 2022 patch).
  • AlanFramework - A C2 post-exploitation framework. This framework has been around for a while, but last week became open source (Attribution-NonCommercial-NoDerivatives 4.0 International).
  • Lastenzug - Socks4a proxy leveraging PIC, Websockets and static obfuscation on assembly level.
  • CVE-2022-34918-LPE-PoC - This exploit has been written for the kernel Linux ubuntu 5.15.0-39-generic. More details here.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

  • ropr - A blazing fast™ multithreaded ROP Gadget finder. ropper / ropgadget alternative.
  • RedGuard "is a derivative work of the C2 facility pre-flow control technology." Looks a lot like RedWarden?

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

Last Week in Security (LWiS) - 2022-07-18

19 July 2022 at 03:59
By: Erik

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2022-07-05 to 2022-07-18.

News

Techniques and Write-ups

Tools and Exploits

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

  • Raycast is a blazingly fast, totally extendable launcher. It lets you complete tasks, calculate, share common links, and much more.
  • cervantes is an opensource collaborative platform for pentesters or red teams who want to save time to manage their projects, clients, vulnerabilities and reports in one place.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

Last Week in Security (LWiS) - 2022-07-05

5 July 2022 at 21:45
By: Erik

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2022-06-27 to 2022-07-05.

News

Techniques and Write-ups

Tools and Exploits

  • PINKPANTHER Windows x64 handcrafted token stealing kernel-mode shellcode. Be sure to check out the caveats.
  • the-poor-mans-obfuscator - Binary & scripts associated with "The Poor Man's Obfuscator" presentation.
  • TripleCross - A Linux eBPF rootkit with a backdoor, C2, library injection, execution hijacking, persistence and stealth capabilities.
  • CVE-2019-7040 + CVE-2021-21042. POCs and exploit code for Microsoft Internet Explorer & Microsoft Word (in DOCX & RTF formats).

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

  • awsEnum - Enumerate AWS cloud resources based on provided credentials.
  • nali - An offline tool for querying IP geographic information and CDN provider.
  • maldev-for-dummies - A workshop about Malware Development.
  • ExtractedDefender - An attempt to group extracted data from Defender for research purposes.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

Last Week in Security (LWiS) - 2022-06-27

28 June 2022 at 03:59
By: Erik

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2022-06-20 to 2022-06-27.

News

Techniques and Write-ups

Tools and Exploits

  • Add WerFault Silent Process Exit: --werfault to nanodump. You can now force WerFault.exe to dump LSASS for you.
  • FLOSS Version 2.0. "Over the last few months, we've added new functionality and improved the tool's performance. In this blog post we will share exciting new features and improvements including a new string deobfuscation technique, simplified tool usage, and much faster result output."
  • awesome-hacker-search-engines - A list of search engines useful during Penetration testing, vulnerability assessments, red team operations, bug bounty, and more.
  • kernel-mii - Cobalt Strike (CS) Beacon Object File (BOF) foundation for kernel exploitation using CVE-2021-21551.
  • Chrome-Android-and-Windows-0day-RCE-SBX - Chrome Android and (patched) Windows 0day RCE+SBX... from the DPRK (in 2021).
  • Mangle is a tool that manipulates aspects of compiled executables (.exe or DLL) to avoid detection from EDRs.
  • callback_injection-Csharp - This repo covers the other undocumented (or published in different languages) ways to achieve shellcode injection via Windows callback functions.
  • tlsx - Fast and configurable TLS grabber focused on TLS based data collection.
  • dismember - 🔪 Scan memory for secrets and more (Linux).

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

  • Damn Vulnerable DeFi - The offensive security playground for decentralized finances. Learn up and get those massive bounties. Also check out CryptoVulhub.
  • HTTPLoot - An automated tool which can simultaneously crawl, fill forms, trigger error/debug pages and "loot" secrets out of the client-facing code of sites.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

Last Week in Security (LWiS) - 2022-06-20

21 June 2022 at 03:59
By: Erik

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2022-06-14 to 2022-06-20.

News

Techniques and Write-ups

Tools and Exploits

  • DFSCoerce - PoC for MS-DFSNM coerced authentication using the NetrDfsRemoveStdRoot method. This can be used when the Spooler service is disabled, and RPC filters prevent PetitPotam/File Server VSS authentication elicitation.
  • CVE-2022-26937 - Windows Network File System crash PoC.
  • hunter-1 - (l)user hunter using WinAPI calls only.
  • cloud-middleware-dataset. This project contains cloud middleware (i.e. agents installed by cloud security providers) used across the major cloud service providers (Azure, AWS and GCP).
  • Ekko. A small sleep obfuscation technique that uses CreateTimerQueueTimer to queue up the ROP chain that performs Sleep obfuscation. Detection: patriot.
  • NlsCodeInjectionThroughRegistry - DLL injection through code page ID modification in the registry. Based on jonas lykk's research.
  • Using macros and constexpr to make API hashing a bit more friendly.
  • antnium - A C2 framework and RAT written in Go. Slides about the development process here.
  • aced is a tool to parse and resolve a single targeted Active Directory principal's DACL. Aced will identify interesting inbound access allowed privileges against the targeted account, resolve the SIDS of the inbound permissions, and present that data to the operator.
  • SliverKeylogger is a Sliver C2 extension to log keystrokes on Windows.
  • OfficeIMO - Fast and easy to use cross-platform .NET library that creates or modifies Microsoft Word (and, more recently, Excel) files without installing any software. This could be useful to automate phishing lures.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

  • AlternativeShellcodeExec - Alternative Shellcode Execution Via Callbacks.
  • Sealighter - Sysmon-Like research tool for ETW.
  • npmdomainchecker - Checks all maintainers of all NPM packages for hijackable domains.
  • snallybuckster - Locate interesting files in grayhatwarfare.com open S3 buckets and Azure blobs automatically!
  • NoteThief - Grab unsaved Notepad contents with a Beacon Object File.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

Last Week in Security (LWiS) - 2022-06-14

15 June 2022 at 03:59
By: Erik

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2022-06-06 to 2022-06-14.

News

Techniques and Write-ups

Tools and Exploits

  • CVE-2022-23222 - Linux Kernel eBPF Local Privilege Escalation.
  • CVE-2022-30075 - Tp-Link Archer AX50 Authenticated RCE (CVE-2022-30075).
  • apk-instrumentation - Some tools to rewrite code of release APK packages.
  • dot - The Deepfake Offensive Toolkit.
  • VX-API - Malware rapid development framework. "We've released the vx-underground "VX-API", a Windows malware rapid application development framework written in C/C++. It is a compilation of code written by @smelly__vx & @am0nsec. A lot of work needs to be done (including a ReadMe file). More to come."
  • Dogwalk-rce-poc - 🐾 Dogwalk PoC (using a diagcab file to obtain RCE on Windows).
  • sourcegraph-scripts - Scripts for Sourcegraph search results. Useful for static analysis.
  • kcthijacklib - A Small Library For a Cleaner Execution.
  • collector - Utility to analyse, ingest and push out credentials from common data sources during an internal penetration test.
  • FirmLoader is an IDA plugin that allows to automatically identify parts of the memory for the firmware images extracted from microcontrollers.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

  • np - A tool to parse, deduplicate, and query multiple port scans.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

Last Week in Security (LWiS) - 2022-06-06

7 June 2022 at 03:59
By: Erik

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2022-05-30 to 2022-06-06.

News

Techniques and Write-ups

Tools and Exploits

  • COM-Hunter - COM Hijacking voodoo.
  • VoightKampff - Beating Google ReCaptcha and the funCaptcha using AWS Rekognition.
  • Nidhogg is an all-in-one simple to use rootkit for red teams.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

Last Week in Security (LWiS) - 2022-05-31

1 June 2022 at 03:59
By: Erik

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2022-05-23 to 2022-05-31.

News

  • Rapid Response: Microsoft Office RCE - “Follina” MSDT Attack. Follina aka CVE-2022-30190 is an RCE vector that uses the Microsoft Support Diagnostic Tool via a URL handler in a Word document (no macro) to execute code. There is more analysis here as well as official guidance. follina.py is the PoC.
  • Welcome to the next generation of ngrok. The popular tunneling utility used to expose local ports to the public internet released version 3 with some cool new features. OAuth and OpenID support with a few command line switches make authentication easy. Ngrok has been used to host short lived phishing pages by threat actors in the past.
  • Broadcom to Acquire VMware for Approximately $61 Billion in Cash and Stock. If anyone witnessed the Symantec acquisition by Broadcom, this is scary if you use any VMware products (vCenter, Carbon Black, etc). For what it's worth I've been using Proxmox at home and in production for a while and it's pretty great.
  • How I hacked CTX and PHPass Modules. This is a great example of how NOT to conduct "security research." By deploying malicious packages that actively harvested sensitive environment variables, this crosses the line and I would not consider it "good faith" research. However, the automated techniques used to target package registries are relatively low effort for an extremely high impact. The next attacker will not claim "research" and will use this access for ransomware or worse.
  • FTC fines Twitter $150M for using 2FA info for targeted advertising. Twitter used its 2FA phone numbers for advertising and got caught. I suppose when you lose 221 million USD a year you get desperate and every piece of data is up for sale.
  • Serious security vulnerability in Tails 5.0. Tor Browser in Tails 5.0 and earlier is unsafe to use for sensitive information. 5.1 will be released 2022-05-31.

Techniques and Write-ups

Tools and Exploits

  • DeepSleep is a variant of Gargoyle for x64 to hide memory artifacts using ROP only and PIC.
  • VLANPWN is a VLAN attack toolkit (double tagging and DTP hijacking).
  • mempeek is a command line tool that resembles a debugger as well as Cheat Engine, to search for values in memory.
  • KaynStrike is a User Defined Reflective Loader for Cobalt Strike Beacon that spoofs the thread start address and frees itself after entry point was executed.
  • freeBokuLoader is a simple BOF that tries to free the memory region where the User Defined Reflective Loader is stored.
  • Shelltropy - A technique of hiding malicious shellcode via Shannon encoding.
  • MachoBins is designed to provide information on Mac lolbins, similar to https://gtfobins.github.io/ or https://lolbas-project.github.io/, but specifically for Mac!
  • NimlineWhispers3 - A tool for converting SysWhispers3 syscalls for use with Nim projects.
  • CdpSvcLPE - Windows Local Privilege Escalation via CdpSvc service (Writeable SYSTEM path Dll Hijacking).

New to Me

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

  • BofRoast - Beacon Object Files for roasting Active Directory.
  • BatchGuard - Batch file AV evasion and obfuscation solution.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

Last Week in Security (LWiS) - 2022-05-23

24 May 2022 at 02:35
By: Erik

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2022-05-16 to 2022-05-23.

News

Techniques and Write-ups

Tools and Exploits

  • ghostrings - Ghidra scripts for recovering string definitions in Go binaries. More info in this blog post.
  • Mortar Loader v2. Lots of improvements to this loader in version 2.
  • SharpEventPersist. Persistence by writing/reading shellcode from Event Log.
  • DynamicWrapperDotNet. Dynamically Loads Assembly and Calls Methods from JScript.
  • bin2memfd. Encodes a program (which can be a script, despite the name) into a Perl or Python script which writes it into a Linux memfd and runs it. The goal is to enable staged implants to be run with curl | perl, or something similar.

New to Me


  • BinAbsInspector - Vulnerability Scanner for Binaries.
  • Labtainers - Docker-based cyber lab framework.
  • privaxy - (work in progress) Privaxy is the next generation tracker and advertisement blocker. It blocks ads and trackers by MITMing HTTP(s) traffic.
  • Argus is a lightweight monitor to notify of new software releases via Gotify/Slack messages and/or WebHooks.
  • Red-Lambda - Leveraging AWS Lambda Function URLs for C2 Redirection.


Last Week in Security (LWiS) - 2022-05-16

17 May 2022 at 03:59
By: Erik

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous 2 weeks. This post covers 2022-05-02 to 2022-05-16.

News

Techniques and Write-ups

Tools and Exploits

  • ELFLoader. Be sure to read the blog post.
  • hakoriginfinder is a tool for discovering the origin host behind a reverse proxy. Useful for bypassing cloud WAFs.
  • SpoolTrigger - Weaponizing privileged file write bugs via Windows Problem Reporting.
  • XLL_Phishing - XLL phishing tradecraft.
  • mitmproxy2swagger - Automagically reverse-engineer REST APIs from captured traffic.
  • uru is a payload generation tool that enables you to create payloads based on a configuration file.
  • pyldapsearch - Tool for issuing manual LDAP queries, with bofhound-compatible output.

New to Me


Last Week in Security (LWiS) - 2022-05-02

3 May 2022 at 03:30
By: Erik

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2022-04-25 to 2022-05-02.

News

Techniques and Write-ups

Tools and Exploits

  • BeaconDownloadSync is a fine-tuned control mechanism for syncing files from the Cobalt Strike Downloads entries in the data model.
  • minbeacon is a work in progress of constructing a minimal http(s) beacon for Cobalt Strike.
  • CS-Remote-OPs-BOF is an addition to TrustedSec's CS-Situational-Awareness-BOFs that modify systems (injection, persistence, etc).
  • Dylib_Runner is Swift code to run a dylib on disk.
  • okta-sprayer is a Python 3 script to perform a password spray against an Okta instance.
  • nimc2 is a C2 fully written in Nim.

New to Me


  • pyscript. Python directly in HTML (via a WASM shim).
  • O365-Doppelganger is a quick handy script to harvest credentials off of a user during a Red Team and get execution of a file from the user.
  • ecapture can capture SSL/TLS plaintext without a CA cert, using eBPF.
  • howdy is Windows Hello™ style facial authentication for Linux.


Last Week in Security (LWiS) - 2022-04-25

26 April 2022 at 16:00
By: Erik

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2022-04-18 to 2022-04-25.

News

Techniques and Write-ups

Tools and Exploits

  • KrbRelayUp is a universal no-fix local privilege escalation in Windows domain environments where LDAP signing is not enforced (the default setting).
  • memray is a memory profiler for Python. Not specifically security related, but very cool.
  • Issue 2274: Linux: watch_queue filter OOB write (and other bugs). Google Project Zero found another Linux LPE. This one affects kernels from 5.8 up to the fixes released 2022-03-11 (5.16.15, 5.15.29, 5.10.106). A PoC exploit is included, but may be unstable.
  • C2-Tool-Collection is a collection of tools which integrate with Cobalt Strike (and possibly other C2 frameworks) through BOF and reflective DLL loading techniques. This is from Outflank so you know it's going to be good.
  • cdnstrip is a tool for stripping CDN IPs from a list of IP addresses.
  • elfpack does ELF Binary Section Docking for Stageless Payload Delivery.
  • HalosUnhooker is a Halos Gate-based NTAPI Unhooker.

New to Me


  • htmlq is like jq, but for HTML. Uses CSS selectors to extract bits of content from HTML files.
  • KDStab is a BOF combination of KillDefender and Backstab.
  • ADReaper is a fast enumeration tool for Windows Active Directory Pentesting written in Go.


Last Week in Security (LWiS) - 2022-04-18

19 April 2022 at 03:59
By: Erik

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2022-04-11 to 2022-04-18.

News

Techniques and Write-ups

Tools and Exploits

  • frostbyte is a POC project that combines different defense evasion techniques to build better redteam payloads.
  • msprobe is a tool for finding exposed on-prem Microsoft products for password spraying and enumeration.
  • spooler-splenumforms-iov is a PoC for a memory corruption vulnerability in the Windows Print Spooler service (SplEnumForms) that was patched on the most recent Microsoft Patch Tuesday, 2022-04-12.
  • SharpWnfScan dumps Windows Notification Facility subscription information from processes.
  • stunner is a tool to test and exploit STUN, TURN and TURN over TCP servers.

New to Me


  • cdn-proxy is a tool that can be used by web app pentesters to create a copy of a targeted website with CDN and WAF restrictions disabled.
  • ADInspect is a PowerShell script that automates the security assessment of Microsoft Active Directory environments.
  • maat is an open-source symbolic execution framework. Bonus, the project's site uses m.css like this blog!
  • wpgarlic is a proof-of-concept WordPress plugin fuzzer.
  • ShadowClone - Unleash the power of the cloud. Distributes your long-running tasks dynamically across thousands of serverless functions and gives you the results within seconds where they would have taken hours to complete.
  • SSOh-No is a user enumeration and password spraying tool for testing Azure AD.

