Lars-Georg Paulsen (@lgpaulsen)'s Twitter Profile
Lars-Georg Paulsen

@lgpaulsen

OSCP, CRTO, OSWP, CISSP, and in general a security nerd! :)

ID: 361740455

Link: https://riversecurity.eu
Joined: 25-08-2011 07:47:45

291 Tweets

32 Followers

94 Following

Cobalt Strike (@_cobaltstrike)

Take a deep dive into #exploit writing and see the proof of concept #PoC process for CVE-2022-21907: coresecurity.com/core-labs/arti…

Ryan M. Montgomery (@0dayctf)

Ridiculously fast DNS/Network/Port Scanner - (Skanuvaty)🤯
-
In testing, I was able to discover 1000s of subdomains in less than 20 seconds. Check the repo for more info!
-
Repo: github.com/Esc4iCEscEsc/s…
-
Creator: ChockChocsChoirChoke (@Esc4iCEscEsc)
-
#CyberSecurity #bugbountytips #CTF #infosec

James Kettle (@albinowax)

"Abusing HTTP hop-by-hop request headers" by Nathan was nominated as a top web hacking technique back in 2019, and has just blossomed into an F5 BIG-IP unauth RCE! nathandavison.com/blog/abusing-h… portswigger.net/research/top-1… github.com/horizon3ai/CVE…
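
The mechanism behind the technique named in the tweet above, as an added example that is not code from the research post, the PortSwigger write-up or the CVE PoC repository: a client lists a header name in its own `Connection` header, an intermediary that honours client-supplied hop-by-hop tokens strips that header, and a backend that trusted the header's presence makes the wrong decision. The proxy chain, IP addresses, hostnames and the allowlist below are constructed for illustration; `edge_proxy` forwarding `Connection` unchanged is an assumed (though common) behaviour.

```python
# Added example: a toy two-hop proxy chain showing hop-by-hop header abuse and two fixes.
# Hosts, IPs, header names and the backend's allowlist are constructed, not from any product.

# Standard hop-by-hop headers (RFC 7230 section 6.1); a compliant proxy removes these.
STANDARD_HOP_BY_HOP = {
    "connection", "keep-alive", "proxy-authenticate", "proxy-authorization",
    "te", "trailer", "transfer-encoding", "upgrade",
}

def connection_tokens(headers):
    """Lower-cased tokens the client listed in its Connection header (comma separated)."""
    return {t.strip().lower() for t in headers.get("connection", "").split(",") if t.strip()}

def edge_proxy(headers, client_ip):
    """Hop 1 (assumed behaviour): stamps X-Forwarded-For with the TCP peer and forwards
    everything else, including the client's Connection header, untouched."""
    out = dict(headers)
    out["x-forwarded-for"] = client_ip
    return out

def inner_proxy(headers, honour_client_tokens):
    """Hop 2: an RFC-style proxy. With honour_client_tokens=True it also strips every
    header the client named in Connection, which is the behaviour being abused."""
    to_strip = set(STANDARD_HOP_BY_HOP)
    if honour_client_tokens:
        to_strip |= connection_tokens(headers)
    return {k: v for k, v in headers.items() if k not in to_strip}

INNER_PROXY_IP = "10.0.0.5"   # constructed: the backend's TCP peer when traffic arrives via hop 2
ALLOWED_NETS = ("10.0.0.",)   # constructed: backend admin allowlist, prefix match on the client IP

def backend_allows(headers, peer_ip=INNER_PROXY_IP, fail_closed=False):
    """Backend access check. Weak form: a missing X-Forwarded-For falls back to the socket
    peer, which behind a proxy is always an internal address. Hardened form: no XFF, no access."""
    xff = headers.get("x-forwarded-for")
    if xff is None:
        if fail_closed:
            return False
        xff = peer_ip
    client = xff.split(",")[0].strip()
    return client.startswith(ALLOWED_NETS)

def request_chain(headers, client_ip, honour_client_tokens=True, fail_closed=False):
    """Push one request through edge -> inner proxy -> backend and return the access decision."""
    h = {k.lower(): v for k, v in headers.items()}
    h = edge_proxy(h, client_ip)
    h = inner_proxy(h, honour_client_tokens)
    return backend_allows(h, fail_closed=fail_closed)

ATTACKER_IP = "198.51.100.7"  # constructed external address

def demo():
    """Four runs: normal request, abusive request, and the abusive request against each fix."""
    plain = {"Host": "admin.example.test", "Connection": "close"}
    abusive = {"Host": "admin.example.test", "Connection": "close, X-Forwarded-For"}
    return {
        "plain_vulnerable": request_chain(plain, ATTACKER_IP),
        "abuse_vulnerable": request_chain(abusive, ATTACKER_IP),
        "abuse_proxy_fixed": request_chain(abusive, ATTACKER_IP, honour_client_tokens=False),
        "abuse_backend_fixed": request_chain(abusive, ATTACKER_IP, fail_closed=True),
    }

if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:22s} -> {'ALLOWED' if allowed else 'denied'}")
```

Only the second run is allowed: the attacker's external address is still stamped by the edge, but the inner proxy removes it on the attacker's instruction and the backend falls back to the proxy's own internal peer address. Either fix on its own closes it: the intermediary ignoring client-supplied `Connection` tokens beyond the standard set, or the backend treating an absent trusted header as a denial rather than as "local". When probing a real deployment, the same idea is the check: send a request with and without the target header named in `Connection` and diff the responses.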

Oliver Lyak (@ly4k_)

The first blog post is here. This one covers the technical details of CVE-2022-26923 (Active Directory Domain Services Elevation of Privilege Vulnerability). The vulnerability was patched as part of the May 2022 Security Updates from Microsoft. research.ifcr.dk/9e098fe298f4

Thomas Naunheim (@thomas_live)

New chapter of #AzureAD Attack & Defense ☁️🔐 playbook has been published by Sami Lamppu (@samilamppu) and me: „Replay of #PRT and other issued #tokens“.
It covers attack scenarios on #AAD joined devices but also mitigations & detections across the Microsoft security stack.
github.com/Cloud-Architek…

Antonio Cocomazzi (@splinter_code)

After 18 months #RemotePotato0 has been silently fixed 🥳

The downgrade attack performed in the ResolveOxid2 response (part of DCOM activation) does not work anymore, and with the October 22 patch the client always authenticates with level INTEGRITY during the IRemUnknown bind.

Florian Hansemann (@cyberwarship)

"GoodHound: Uses Sharphound, Bloodhound and Neo4j to produce an actionable list of attack paths for targeted remediation."

#infosec #redteam #pentest
github.com/idnahacks/Good…

Thomas Seigneuret (@_zblurx)

New PR on Impacket: github.com/fortra/impacke…. It adds an --enum-domain option to ntlmrelayx in order to do SID brute force over SMB relaying. Compared to domain enumeration through LDAP relay, there is no need to relay to a DC, and SMB authentication relay is possible.

Jonas Vestberg (@bugch3ck)

Disclosed today at Disobey (@Disobey_fi) - psexec from #impacket exposes the target system to authenticated command execution as SYSTEM. That means any user that can authenticate over the network (usually Domain Users) can run code as SYSTEM over the network.

Rob Fuller (@mubix)

Releasing an NFS client today. It's written in Go, and has file list, upload, download, delete, make directory and delete directory functions without having to mount the drive or have the (local) permissions to do so. This can be super helpful from a Win host. github.com/mubix/nfsclient

rootsecdev (@rootsecdev)

👀 GitHub - aress31/burpgpt: A Burp Suite extension that integrates OpenAI's GPT to perform an additional passive scan for discovering highly bespoke vulnerabilities, and enables running traffic-based analysis of any type. github.com/aress31/burpgpt

Dirk-jan (@_dirkjan)

Took me a few days, still don't know exactly how/why it works, but I now have a new-ish on-prem to cloud technique via a Seamless SSO (Kerberos) backdoor key. Some features:

- No GA needed to add key
- Invisible backdoor (no logs in AAD) 🫣
- 1st factor auth to any synced user

pfiatde (@pfiatde)

Did you know that instead of killing the Windows Defender process, you can remove the signatures (requires local admin privs)? After that you can do pretty much what you want, e.g. downloading & running mimikatz. Here is a small PoC I made for Cyvisory Group.

Synacktiv (@synacktiv)

During a recent Active Directory intrusion test, @croco_byte was led to devise a new versatile attack vector targeting Group Policy Objects, allowing their exploitation through NTLM relaying. synacktiv.com/publications/g…

Kuba Gretzky (@mrgretzky)

My friend Wael Masri just published his talk from BSides Cyprus 2023 where he gave one of the best live demos of a phishing attack using Evilginx, together with a great explanation of all the steps of how he perfected the attack. 🔥🪝🐟 Highly recommended! youtube.com/watch?v=p1opa2…

Johann Rehberger (@wunderwuzzi23)

So, you think you have MFA??? Thanks Merill Fernando for including ropci in this edition of the newsletter. 🙂 It is not uncommon for M365 tenants to be vulnerable to ROPC OAuth flow based MFA bypasses. 👉 Test your own tenant: embracethered.com/blog/posts/202…
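
What an ROPC-based check of a tenant actually does, as an added example that is not ropci's code and not from the tweet or the newsletter: build the Resource Owner Password Credentials token request the Microsoft identity platform accepts, then classify the token endpoint's JSON per client_id, because whether a password alone yields a token depends on which client (and which Conditional Access exclusions) the request is made under. The tenant name, client IDs, user and every sample response below are constructed; the AADSTS codes used for classification are the documented ones for MFA required (50076), MFA enrolment required (50079), Conditional Access block (53003) and bad credentials (50126).

```python
# Added example: build an ROPC token request and classify the token endpoint's answers.
# Tenant, client IDs, user and SAMPLE_RESPONSES are constructed, not real values.

import json
from urllib.parse import urlencode

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"

def build_ropc_request(tenant, client_id, username, password,
                       scope="https://graph.microsoft.com/.default"):
    """Return (url, form body) for a Resource Owner Password Credentials grant,
    i.e. the request an ROPC probe sends once per client_id it tests."""
    body = urlencode({
        "grant_type": "password",
        "client_id": client_id,
        "scope": scope,
        "username": username,
        "password": password,
    })
    return TOKEN_URL.format(tenant=tenant), body

# Documented AADSTS sign-in error codes that matter for an ROPC probe.
MFA_REQUIRED = {50076, 50079}   # MFA required / user must enrol in MFA
BLOCKED      = {53003}          # blocked by a Conditional Access policy
BAD_CREDS    = {50126}          # invalid username or password

def error_code(payload):
    """Numeric AADSTS code of a failed token response: prefer the error_codes list,
    fall back to the 'AADSTSnnnnn: ...' prefix of error_description."""
    codes = payload.get("error_codes") or []
    if codes:
        return int(codes[0])
    desc = payload.get("error_description", "")
    if desc.startswith("AADSTS") and ":" in desc:
        return int(desc[len("AADSTS"):desc.index(":")])
    return None

def classify_token_response(status, body):
    """Map one token endpoint response to a finding string."""
    payload = json.loads(body)
    if status == 200 and "access_token" in payload:
        return "TOKEN_ISSUED_NO_MFA"
    code = error_code(payload)
    if code in MFA_REQUIRED:
        return "MFA_ENFORCED"
    if code in BLOCKED:
        return "BLOCKED_BY_POLICY"
    if code in BAD_CREDS:
        return "INVALID_CREDENTIALS"
    return f"OTHER:{code if code is not None else payload.get('error', 'unknown')}"

def tenant_summary(responses):
    """responses: {client_id: (http_status, body)} -> (per-client findings,
    sorted list of client IDs that handed out a token on the password alone)."""
    findings = {cid: classify_token_response(s, b) for cid, (s, b) in responses.items()}
    exposed = sorted(cid for cid, f in findings.items() if f == "TOKEN_ISSUED_NO_MFA")
    return findings, exposed

# Constructed responses, one per hypothetical client_id, shaped like the endpoint's JSON.
SAMPLE_RESPONSES = {
    "11111111-1111-1111-1111-111111111111": (200, json.dumps({
        "token_type": "Bearer", "expires_in": 3599,
        "access_token": "eyJ0eXAi.constructed.sig"})),
    "22222222-2222-2222-2222-222222222222": (400, json.dumps({
        "error": "interaction_required",
        "error_description": "AADSTS50076: Due to a configuration change made by your "
                             "administrator, or because you moved to a new location, you must "
                             "use multi-factor authentication to access the resource.",
        "error_codes": [50076]})),
    "33333333-3333-3333-3333-333333333333": (400, json.dumps({
        "error": "invalid_grant",
        "error_description": "AADSTS53003: Access has been blocked by Conditional Access policies.",
        "error_codes": [53003]})),
}

if __name__ == "__main__":
    url, body = build_ropc_request("contoso.example", "11111111-1111-1111-1111-111111111111",
                                   "user@contoso.example", "hunter2")
    print(url, body, sep="\n")
    findings, exposed = tenant_summary(SAMPLE_RESPONSES)
    for cid, finding in findings.items():
        print(cid, finding)
    print("clients issuing tokens without MFA:", exposed)
```

The finding to act on is `TOKEN_ISSUED_NO_MFA`: for that client_id and that user, a password alone was enough, so a phished or sprayed password is enough too. A probe of this kind must be run against your own tenant with a test account, and a `MFA_ENFORCED` result for one client_id says nothing about the others, which is why the check iterates over client IDs rather than stopping at the first answer.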

Swissky (@pentest_swissky)

Merry Christmas, here is my gift to you 🎁 I'm releasing "Internal All The Things", which contains all my cheatsheets and methodologies for Active Directory, Internal Pentests and Cloud Assessments 🎅 swisskyrepo.github.io/InternalAllThe…

Daniel (@0x64616e)

How to WebDAV Relay LPE on Windows 11:
1-3. Trigger start of EFS service through Explorer
4-11. Continue like on Windows 10
Thanks again ret2src for the idea.

Any tip for triggering EFS remotely on Windows 11 would be greatly appreciated by the way :D