@Detectify

@Detectify

sn🥶vvcr💥sh

@snovvcrash

🧵 (1/x) I know you love #pentest stories, so here’s one of those ⬇️

There’s a non-DC computer (Victim) that is a member of the Exchange Trusted Subsytem group and has DCSync privs. The WebClient is ON but the MAQ=0 and domain functional level is 2012 R2 which prevents us ⤵️

@tiraniddo

(2/x) from abusing Key Credentials. Relaying to AD CS HTTP is not possible either. Here’s when I decided to go for SPN-less RBCD (credits to @tiraniddo) on a prod domain 🤦🏻‍♂️

But first let’s add a DNS record pointing to the attacker’s machine to coerce Victim over WebDav ⤵️

(3/x) Now it’s all ready to go: Printer Bug + ntlmrelayx[.]py and we’re escalating a low privilege user (j.doe) to be trusted for delegation by Victim ⤵️

Read 9 tweets

Cyber Security Topics

@Mawg0ud

Here's a list of free #PenetrationTesting and #RedTeam Labs you may set up in your own home to enhance your #hacking abilities :

1) Red Team Attack Lab
A simulated setting where red teams can practice exploiting #vulnerabilities in various operating systems.
lnkd.in/ernefQv8

2) Capsulecorp Pentest
#Capsulecorp is a lightweight virtual infrastructure operated using Vagrant and Ansible. One #Linux attacking system running #Xubuntu is included, along with four #Windows 2019 servers hosting a variety of #exploitable services.

lnkd.in/eYfGmNBe

Read 10 tweets

Mahmoud Youssef

@0xmahmoudJo0

🧵Some tricks lead to Admin takeover🧵

While scanning some internal IPs I found that someone gives me 403 with a message :
"You can't access https://IP/"

So I passed the request to the proxy and changed the host header to:

Host: localhost

1/5 🧵

#bugbountytips #bugbounty

And an admin login panel appeared XDD

So I tried some of the default creds, but I got an error, so I analyzed the request and figured out that the Origin and Referer headers were set to the IP, so I changed them to localhost too, and forwarded the request

2/5 🧵

Then Finally, I got an error about the wrong username or password, so I started to test some default creds,
but I got nothing, then I discovered that there's no rate limit, so it's brute-force time, but brute-forcing with all usernames and passwords is such a mess

3/5 🧵

Read 5 tweets

sn🥶vvcr💥sh

@snovvcrash

@_ZakSec

🧶 (1/) Reproducing Masky Thread

So it’s a relaxing Friday evening to play with the new awesome #Masky tool by @_ZakSec. I’ll show you here how to reproduce its behavior with #CrackMapExec, #Impacket, #Sliver, #Certify and #Certipy.

Let’s go! ⤵️

#pentest #adcs

@nopernik

🧶 (2/) First things first, I shall enumerate AD CS environment with #CrackMapExec and qwinsta the Victim machine via newly introduced tstool[.]py from #Impacket (thx @nopernik!). For the purpose of this demo I’ll use a DA account to interact with the Victim but any LA will do 👨🏻‍💻

🧶 (3/) I shall now prepare my team server and generate an encrypted Sliver beacon to use it with DInjector 💉

Read 7 tweets

Porya.eth

@Poryadev

@officer_cia

1) here is my twittes about #smartcontract #security since 4 months ago. do not to be hesitated to share with others.

and special thanks to @officer_cia for support me.
@bantg @developer_dao @cyb_detective @immunefi @Hacker0x01 #web3 #opsec #javascript #development

2)How to become #smartcontract auditor. graph.org/Pel-Ada-Del-As…

#Web3 #blockchain #Ethereum #Solidity #programming

3)Here is list of great resources for #crypto and #economics education. airtable.com/shraQiFHFxU7rm…

graph.org/Solidity-Cheat…

graph.org/ETHSec-Tools-0…

#fintech #cryptocurrency #Tokenomics #investing #Web3 #crypto #cryptocurrencies

Read 25 tweets

Lutra Security

@lutrasecurity

#Penetrationstests sind ein wichtiger Bestandteil eines #ISMS und helfen ein tiefgreifendes Verständnis des Sicherheitsniveaus der eigenen IT-Systeme zu erlangen.

lutrasecurity.com/services/penet…

Was ist das? Ein 🧵

Ein Penetrationstest (oder kurz #Pentest), beschreibt die Untersuchung eines oder mehrerer Assets, zum Beispiel einer Webanwendung oder einem ganzen Netzwerk. Dabei werden Schwachstellen gesucht und ausgenutzt, um möglichst tief in das betrachtete System einzudringen.

2/

Dies gibt einem Unternehmen nicht nur einen Überblick über die vorhandenen Schwachstellen, sondern auch eine Einschätzung, wie tief ein Angreifer in das System eindringen kann.

3/

Read 16 tweets

sn🥶vvcr💥sh

@snovvcrash

[#HackStory 🧵] (1/4) Here’s a generic case of reaching a locked-down PC from a firewalled segment in AD. The background is: 172.16.66.6 (the target) can talk to 192.168.1.11 (a PWNed server) but not vice versa and to no one else in the foreseeable network 👀

#ad #pentest

(2/4) Being a DA an adversary can create an evil GPO that will coerce Immediate Scheduled Task execution on the target. The task downloads and executes a PS cradle pointing to the PWNed server. Sure, there’re fancy (py|Sharp)GPOAbuse, etc… But when it’s a pentest, who cares 😒

(3/4) Meanwhile, some v4tov4 port proxies are configured on the pivot point by the adversary via netsh 😈

Read 5 tweets

Sourajeet Majumder

@TechCrucio

@_DigitalIndia

🧵 How a misconfig let anyone view PII of Covid-19 patients and modify data related to Covid-19 sero survey (Of Haryana)

So, the Govt Of Haryana has 2 state projects under the @_DigitalIndia programme called :
1. Covid Sample Report Portal
2. Covid-19 Sero Survey Portal

(1/13)

@cmohry

According to official docs, the first portal is used to store COVID-19 testing details uploaded by all COVID-19 laboratories (public or private) for effective monitoring directly by @cmohry

Source : negd.gov.in/sites/default/…

(2/13)
#infosec #bugbounty #hacking

And the second portal is used to estimate and monitor the trends of sero-prevalence of SARS-CoV infection in the general population and high burden cities of Haryana.

Source : negd.gov.in/sites/default/…

(3/13)
#infosec #bugbounty #hacking

Read 14 tweets

Cyber Detective

@cyb_detective

Today I am starting to collect a list of Twitter accounts of Linux distribution creators for #osint, #hacking, #pentest, #cybersecurity.

In this thread🧵 I will tell you which project is behind each of the accounts on the list.

🧵🧵🧵⤵️⤵️⤵️

@muts

@muts Mati Aharoni
@dookie2000ca Devon Kearns

Kali Linux (@kalilinux )

#osint #cybersecurity Linux distribution creators🧵🧵⤵️⤵️⤴️

@comrumino

@comrumino James Stronz
@Cthulu201 Michael Henze

Arch Linux @ArchStrike

#osint #cybersecurity Linux distribution creators🧵🧵⤵️⤵️⤴️

Read 14 tweets

Podalirius

@podalirius_

[#thread 🧵] For this third day of #CyberAdvent (3/24), I'll tell you a story. The story of how I gained root access to a server by leveraging a really fun feature in a web application. This #pentest #writeup will explain the complete process from recon to root. 🦋

[#thread 🧵(2/9)] In the recon phase of my pentest, as usual I was performing a port scan. In the output from nmap, I saw an uncommon port 86 with an HTTP server running "Micro Focus DSD 1.0.0":

[#thread 🧵(3/9)] When going on the page from a browser, surprise 🥳🎉 we have an unauthenticated access! This is cool, but I never saw this app before so I didn't know whether we could exploit it simply or not!

Read 11 tweets

Nishith K

@busk3r

Android Webview Hacking 🧵👇

#pentest #MobileSecurity #frida #bugbounty #bugbountytips #smali

Android Webview:
Android WebView is a system component powered by Chrome that allows Android apps to display web content.
There are many apps out there that are simply wrappers around web pages, or web content stored in the app.

Android Webview debugging:
In Android WebViews have a debugging feature, that allows you to use the ADB remote debugging extension for chrome to debug the contents of the WebView.

Read 13 tweets

Cyber Detective

@cyb_detective

twitter.com/i/lists/144346…

Today I started compiling a list of twitter accounts of online media who write articles on #hacking, #cybersecurity, #pentest, #forensics, #osint etc

twitter.com/i/lists/144346…

In this thread🧵 I will tell you what project is behind each account on this list

@PenTestMag

@PenTestMag The online magazine devoted to penetration testing and IT security assessment pentestmag.com
@thehackersnews The most trusted, widely read, independent source for breaking news and tech coverage on #cybersecurity, #infosec, #hacking. thehackernews.com

@magcybersec

@magcybersec Cybersecurity for everyone cybersecurity-magazine.com

@CyberSecurityM8 Source for cyber security news all around the globe cybersecuritymagazine.com

Read 15 tweets

Harsh Bothra

@harshbothra_

#learn365 Day-29: Common Business Logic Issues (Part - 2)

(cont'd...)
5. Premium Feature Abuse
- Try forcefully browsing the areas or some particular endpoints which come under premium accounts.

#bugbountytips #AppSec #infosec #pentest

(1/n)

(2/n)
- Pay for a premium feature and cancel your subscription. If you get a refund but the feature is still usable, it's a monetary impact issue.
- Some applications use true-false request/response values to validate if a user is having access to premium features or not.

(3/n)
- Try using Burp's Match & Replace to see if you can replace these values whenever you browse the app & access the premium features.
- Always check cookies or local storage to see if any variable is checking if the user should have access to premium features or not.

Read 8 tweets

Infosec Scarlett

@infosec_scarlet

@PortSwigger

How many of you will agree that @PortSwigger @PortSwiggerRes @burpsuite is the best #Web #AppSec #bugbounty Tool available on the internet?

This thread includes some of the best Burp Extensions, which I personally love.

#pentest #security #infosec #bugbounty

Turbo Intruder

Turbo Intruder is a Burp Suite extension for sending large numbers of HTTP requests and analyzing the results.
portswigger.net/bappstore/9aba…

#pentest #security #infosec #bugbounty

Retire.js
This extension integrates Burp with the Retire.js repository to find vulnerable JavaScript libraries.
portswigger.net/bappstore/3623…

#pentest #security #infosec #bugbounty

Read 20 tweets

Infosec Scarlett

@infosec_scarlet

I have seen a lot of #pentesters struggle with tunneling and port-forwarding concepts. All #hackers should definitely understand these concepts for successful tests.

This thread is dedicated to Tunneling/PortForwarding tricks.

#infosec #pentest #tunneling #security #bugbounty

Local Port2Port

Open new Port in SSH Server --> Other port

ssh -R 0.0.0.0:10521:127.0.0.1:1521 user@10.0.0.1 #Local port 1521 accessible in port 10521 from everywhere

ssh -R 0.0.0.0:10521:10.0.0.1:1521 user@10.0.0.1 #Remote port 1521 accessible in port 10521 from everywhere

Port2hostnet (proxychains)

Local Port --> Compromised host(SSH) --> Wherever

ssh -f -N -D <attacker_port> <username>@<ip_compromised>

#pentest #security #infosec #bugbounty

Read 13 tweets

Soroush Dalili 🤖

@irsdl

Self promotion time - if you are testing a payment system or a shop, check the whitepaper that I had written and updated last year: nccgroup.trust/globalassets/o… 💰💰💰 #bugbountytip #pentest #Financial

examples: slideshare.net/SoroushDalili/…

@MDSecLabs

I should also add this; when I joined @MDSecLabs , they had some of these as part of their web app training already because of the great work of Marcus Pinto!

Read 3 tweets

Ammar Amer🇸🇾

@cry__pto