birg0 (@_birg0)'s Twitter Profile

ID: 3891801094

07-10-2015 17:00:53

91 Tweet

62 Followers

327 Following

Charlie Clark (@exploitph):

Glad to finally get my AS-REQ research out there. Microsoft decided requesting ST's from the AS was by design so here's a couple of ways to Kerberoast without any creds and bypass detections based on 4769's

sn🥶vvcr💥sh (@snovvcrash):

🧵 (1/) Forged Tickets Thread Golden 🔑 tickets are no longer in fashion, so here’s a short memo on using Diamond 💎 (Charlie Clark) and Sapphire (Charlie Bromberg « Shutdown ») tickets with ticketer[.]py from #Impacket. At first let’s recap what we already know about Golden tickets ⤵️ #ad #kerberos

Requiem (@requiem_fr):

In early 2022 our Mandiant (part of Google Cloud) team responded to an incident where #APT29 successfully phished an EU diplomatic entity and ultimately abused the Windows Credential Roaming feature. Today one of our #redteam colleagues wrote a blog about it! mandiant.com/resources/blog… #DFIR #teamwork

Mayfly (@m4yfly):

Welcome to the new AD Mindmap upgrade ! v2022_11 will be dark only (this is too painful to maintain two versions). Thx again to : Viking and Hocine for their help 👍 Full quality and zoomable version here : orange-cyberdefense.github.io/ocd-mindmaps/i… Overview :

Orange Cyberdefense's SensePost Team (@sensepost):

In this post Hocine shows an attack chain where you can abuse ADCS to escalate from a Virtual Account / Service account to local SYSTEM. As homage to other *potato tools, it could even be called CertPotato. 👀 sensepost.com/blog/2022/cert…

Oliver Lyak (@ly4k_):

Today we're publishing new techniques for recovering NTLM hashes from encrypted credentials protected by Windows Defender Credential Guard. These techniques also work on victims logged on before the server was compromised. research.ifcr.dk/pass-the-chall…

Thomas Seigneuret (@_zblurx):

New technique to dump NTDS remotely WITHOUT DRSUAPI: github.com/zblurx/certsync (Golden Certificates + UnPAC the hash automation) Thanks Oliver Lyak for certipy, which my script heavily relies on.

Jeff McJunkin (@jeffmcjunkin):

Great new tool by Daniel Santos to find folders excluded from antivirus scanning by comparing file write times across tested folders. Writes to excluded folders finish much faster as they don't have their writes intercepted by AV. Clever! github.com/bananabr/TimeE…

Lexfo (@lexfosecurite):

A few months ago, we reported a pre-auth Remote Code Execution #RCE vulnerability to vBulletin. The exploitation of this unserialize() bug was tricky, as vBulletin classes are not deserialisable. Discover the exploitation in our latest blogpost: ambionics.io/blog/vbulletin…

BlackWasp (@blwasp_):

Just dropped some new cool things on the AD cheatsheets: - SCCM primary site takeover - RODC attacks and pivoting - Techniques I have previously forgotten about retrieving credentials hideandsec.sh/books/cheatshe… hideandsec.sh/books/cheatshe…

Lexfo (@lexfosecurite):

Introducing sshimpanzee, a reverse shell made by Titouan Lazard based on openssh's sshd. It supports DNS, ICMP and HTTP encapsulation as well as SOCKS and HTTP Proxies : blog.lexfo.fr/sshimpanzee.ht…

Lexfo (@lexfosecurite):

#Fortinet patched #CVE-2023-27997, a critical vulnerability affecting its VPN #Fortigate. Our latest blogpost describes the technical details about the bug, a pre-auth heap overflow, with a twist. #xortigate blog.lexfo.fr/xortigate-cve-…

Charles Fol (@cfreal_):

Here's an educational POC for #xortigate (CVE-2023-27997). I'll cover the vulnerability at Hexacon this Saturday, and BlackAlps a few days later! github.com/lexfo/xortigat…

Ambionics Security (@ambionics):

Iconv, set the charset to RCE: in the first blog post of this series, Charles Fol will show a new exploitation vector to get RCE in PHP from a file read primitive, using a bug in iconv() (CVE-2024-2961) ambionics.io/blog/iconv-cve…

Charles Fol (@cfreal_):

Since an exploit has been published, here's ours: #CosmicSting (2024-34102) + #CNEXT (CVE-2024-2961), giving RCE on #Magento github.com/ambionics/cnex…

Mobeta (@mobetasec):

New technical article about machine accounts in Active Directory. Find out how they are exploited and how to protect against them in our latest blog post: mobeta.fr/active-directo… #cybersecurity #pentest #activedirectory