Discover and read the best of Twitter Threads about #Masky
Most recents (2)
🧵 (1/3) Some notes on fileless #Masky execution here.
Firstly, I shall grab the compiled Masky agent, convert it to a PowerShell script and prepare the cradle ⤵️
github.com/penetrarnya-tm…
Firstly, I shall grab the compiled Masky agent, convert it to a PowerShell script and prepare the cradle ⤵️
github.com/penetrarnya-tm…
🧵 (2/3) Now, when operating from Linux, I shall use @MrUn1k0d3r’s SCShell to invoke the cradle from SYSTEM context ⤵️
github.com/Mr-Un1k0d3r/SC…
github.com/Mr-Un1k0d3r/SC…
🧵 (3/3) On the other hand, when operating from Windows, I shall use @magnusstubman’s TokenDuplicator (also converted to PS) to invoke the cradle and get my certificates ⤵️
github.com/magnusstubman/…
github.com/magnusstubman/…
🧶 (1/) Reproducing Masky Thread
So it’s a relaxing Friday evening to play with the new awesome #Masky tool by @_ZakSec. I’ll show you here how to reproduce its behavior with #CrackMapExec, #Impacket, #Sliver, #Certify and #Certipy.
Let’s go! ⤵️
#pentest #adcs
So it’s a relaxing Friday evening to play with the new awesome #Masky tool by @_ZakSec. I’ll show you here how to reproduce its behavior with #CrackMapExec, #Impacket, #Sliver, #Certify and #Certipy.
Let’s go! ⤵️
#pentest #adcs
🧶 (2/) First things first, I shall enumerate AD CS environment with #CrackMapExec and qwinsta the Victim machine via newly introduced tstool[.]py from #Impacket (thx @nopernik!). For the purpose of this demo I’ll use a DA account to interact with the Victim but any LA will do 👨🏻💻
🧶 (3/) I shall now prepare my team server and generate an encrypted Sliver beacon to use it with DInjector 💉
