Share this page!

Enter URL or ID to Unroll

You can paste full URL like: https://x.com/threadreaderapp/status/1644127596119195649
or just the ID like: 1644127596119195649

How to get URL link on X (Twitter) App

  1. On the Twitter thread, click on or icon on the bottom
  2. Click again on or Share Via icon
  3. Click on Copy Link to Tweet
  4. Paste it above and click "Unroll Thread"!
  5. More info at Twitter Help
sn🥶vvcr💥sh Profile picture
sn🥶vvcr💥sh
@snovvcrash
Sr. Penetration Tester / Red Team Operator @ptswarm :: Author of Pentester’s Promiscuous Notebook (https://t.co/rL1sv5A2R7) :: He/him :: Tweets’re my pwn 🐣
Jul 9, 2023 5 tweets 2 min read
🧶 (1/5) Given an unmanaged offensive binary, I will show how easily it can be adopted for in-memory execution with CSExec[.]py and bin2pwsh without a mature C2. As an example I will take the recent fork of @D1rkMtr’s TakeMyRDP keylogger PoC from NoceraLabs - TakeMyRDP2.0 ⤵️ 🧶 (2/5) Firstly, I will clone the project and amend a tiny patch: switch the runtime library from /MD to /MT, get rid of hidden window creation and bring the ability of specifying the log file path on target via a CLI argument ⤵️

Mar 6, 2023 8 tweets 4 min read
🧵 (1/7) Sponsorship Thread

I've been getting a lot of DMs asking to share #DInjector after I moved it to a private repo, so I’ve finally decided to give sponsorship a try ⤵️

boosty.to/snovvcrash 🧵 (2/7) For me it’s more of a way to keep some of my projects hidden from prying eyes while still leaving them somewhat public. I do not claim to have super l33t code there, so no 0-days for sure 🤪 At the same time, I got too uncomfortable giving personal links to ppl in DMs ⤵️
Feb 6, 2023 6 tweets 4 min read
🧵 (1/) Bypassing IDS DCSync Signature for #secretsdump

I’ve been asked lately to bypass a private IDS rule for #impacket’s DCSync operation and I’ve immediately remembered this Charlie’s question ⬇️ 🧵 (2/) The rule triggers when a bunch of SMB requests are followed by all this DRSUAPI stuff. Unlike #mimikatz or #DSInternals DCSync, the sequence of SMB+DRSUAPI traffic is unique for secretsdump[.]py attack, thus it becomes an IOC and can be fingerprinted ⬇️ Image
Nov 24, 2022 9 tweets 4 min read
🧵 (1/x) I know you love #pentest stories, so here’s one of those ⬇️

There’s a non-DC computer (Victim) that is a member of the Exchange Trusted Subsytem group and has DCSync privs. The WebClient is ON but the MAQ=0 and domain functional level is 2012 R2 which prevents us ⤵️ (2/x) from abusing Key Credentials. Relaying to AD CS HTTP is not possible either. Here’s when I decided to go for SPN-less RBCD (credits to @tiraniddo) on a prod domain 🤦🏻‍♂️

But first let’s add a DNS record pointing to the attacker’s machine to coerce Victim over WebDav ⤵️
Oct 2, 2022 9 tweets 5 min read
🧵 (1/) Forged Tickets Thread

Golden 🔑 tickets are no longer in fashion, so here’s a short memo on using Diamond 💎 (@exploitph) and Sapphire (@_nwodtuhs) tickets with ticketer[.]py from #Impacket. At first let’s recap what we already know about Golden tickets ⤵️

#ad #kerberos 🧵 (2/) Golden tickets are forged privileged TGTs that’re crafted completely offline. Having got krbtgt RC4 (NT hash) or AES key, a TA can specify some params (e.g., group membership, user’s RID, ticket validity period) to create and sign a fake PAC embedded inside the TGT ⤵️
Aug 26, 2022 7 tweets 6 min read
🧶 (1/) Reproducing Masky Thread

So it’s a relaxing Friday evening to play with the new awesome #Masky tool by @_ZakSec. I’ll show you here how to reproduce its behavior with #CrackMapExec, #Impacket, #Sliver, #Certify and #Certipy.

Let’s go! ⤵️

#pentest #adcs 🧶 (2/) First things first, I shall enumerate AD CS environment with #CrackMapExec and qwinsta the Victim machine via newly introduced tstool[.]py from #Impacket (thx @nopernik!). For the purpose of this demo I’ll use a DA account to interact with the Victim but any LA will do 👨🏻‍💻
Jul 29, 2022 5 tweets 4 min read
🧵 (1/x) Reanimating ADCSPwn thread (in a simple way) ⏬

You all know this great tool by @_batsec_, but unfortunately Microsoft broke it with one of those anti-PetitPotam patches a while ago ⏬

github.com/bats3c/ADCSPwn…

#lpe #adcs #petitpotam #webdav 🧵 (2/x) So that now the execution hangs like follows ⏬
Jul 1, 2022 5 tweets 3 min read
[#HackStory 🧵] (1/4) Here’s a generic case of reaching a locked-down PC from a firewalled segment in AD. The background is: 172.16.66.6 (the target) can talk to 192.168.1.11 (a PWNed server) but not vice versa and to no one else in the foreseeable network 👀

#ad #pentest (2/4) Being a DA an adversary can create an evil GPO that will coerce Immediate Scheduled Task execution on the target. The task downloads and executes a PS cradle pointing to the PWNed server. Sure, there’re fancy (py|Sharp)GPOAbuse, etc… But when it’s a pentest, who cares 😒
Oct 29, 2021 5 tweets 6 min read
Yo, ho, was doing a bit of pentesting today. Inspired by @ippsec I shall give you my short story of 3 different paths to DA in 5 hours of work (hot pics are inside). Enjoy! Path 1. DHCPv6 poisoning for initial access (thx to @_dirkjan)➡️authenticated PetitPotam to grab NTLMv1-SSP (thx to @topotam77)➡️ntlmv1-multi (thx to @Evil_Mog) + crack.sh to crack the response and get NT hash of DC➡️DCSync (thx to @SecureAuth) ImageImageImageImage