I wrote a follow-up post for Android (on device) fuzzing using AFL++ Frida-Mode, check it out on 🔪🧥
I also created an Ansible playbook to build your toolchain so you don't have to suffer doing that:
You definitely aren't more safe on Apple than on Android. Standardized hardware/software with such a large consumer base just means that VR efforts are more focused with better ROI. I switched to an iPhone earlier this year and it's honestly terrifying that there have been like 5
I wrote up a quick POC, RemoteViewing, to demo RDP credential theft (adapted from @0x09AL's post => ) using EasyHook and Donut ☠️🖥️. More details on GitHub =>
I have posted the slides for the #BlackHat talk @chompie1337 and I gave yesterday -> Close encounters of the advanced persistent kind: Leveraging rootkits for post-exploitation
👋 I'm releasing StandIn, a small .NET 35/45 AD post-exploitation toolkit I wrote for @xforcered. Hacking on endpoint is my regular jam but directory services programming is pretty 🔥🧙♂️🍩
Soon everyone will find out anyway so you should be aware that SandboxEscaper has dropped another 0day ->
I'm pretty tired of this => Not earning 💰 on 0day and putting people at unnecessary risk. It's really kind of lame in my book 👎
I wrote up a POC, WindfarmDynamite, to educate myself on process injection using WNF. This work is based on the great research by @aionescu / @pwissenlit and the awesome work by modexp ❤️👻⚔️. For further details check out the GitHub page =>
I'm releasing Dendrobate, a framework that can be used to generate managed code hooking payloads. I also added a small case-study on stealing MFA tokens from memory🧙♂️.
Check it out on the @xforcered GitHub ☠️🐸 =>
I wrote a small tool, SwampThing, to demo command line spoofing as outlined by @joehowwolf in his recent talk at Wild West Hackin Fest (definitely go check that out!). Think here about use cases like WMIC with stylesheets 🧙♂️ =>
I'm so excited today to announce that I'm launching my own online training platform @CalypsoLabs 🎊
The first course to appear on Labs is "Windows Instrumentation with Frida", check it out:
Labs is partnering with @vector35, when you sign up you get a
If you have SharePoint on your estate can you please poke your admins to make sure patches are applied, there is a POC for CVE-2019-0604 which will set you on 🔥 otherwise. For context check this ZDI post =>
Ok I saw people recommending python to new people in the field, please, just stop.
Choose .NET. Choose strong typing for robust code. Choose top-of-the-line IDEs by JetBrains, offering superior debugging capabilities and outstanding compile-time checks. Choose .NET for
I got an interesting question from someone: How can you use a compromised hash from a machine where you have medium integrity? Answer: request a TGT for the user and apply it to the current logon session. Here I'm using Seatbelt & Rubeus from GhostPack =>
I published the slides for my talk at #SANS #Hackfest. I sort of hijacked my own talk to give my perspective on Offensive Security capability engineering, framing it with a practical example.
I want to shout out @mrd0x and @_xpn_ of course <3
I've seen some takes about the Storm actor being "lucky" and the like. Don't kid yourself, there is really good tradecraft happening here:
- Initial compromise (likely not the engineer), at a hard target (if VR angle then more likely the engineer)
- Situational awareness to
I'm releasing a crude POC Melkor. Melkor DPAPI encrypts .Net assemblies in memory and can decrypt & execute them on demand in a new AppDomain. This technique is an adaptation of a TTP used by InvisiMole. More details here -->
I hope defenders have taken note of PrivExchange and kicked their Admins into action. Don't make me come and investigate that meltdown 👻. Check out this post by @G0ldenGunSec -> and the execute-assembly evil by @den_n1s ->
Don't think attackers can modify your event logs? Are you shipping logs off for remote collection? Have you set traps for EventLogEdit type attacks (e.g. handle duplication, thread state, file write events)? Check out my #PowerShell POC demo 🙈🔪💣 -
I am releasing DiscerningFinch, a small toolkit to generate keyed -> encrypted wrappers for .NET binaries. DiscerningFinch itself doesn't know the key and will try to brute force decrypt the inner binary based on OS constants. More details on GitHub =>
The Barracuda story is wild, terminate your devices with 🔥 regardless of patch level is not something you like to hear ->
I grabbed the SALTWATER sample and had a 3 minute look at it (some screenshots below). Can I just say how wild it is that endpoint
I am releasing a small POC, VirtToPhys, to show how you can abuse Driver physical mem map bugs to resolve Kernel Virtual Addresses to Physical Addresses =>
Check out the blog post I wrote for IBM @XForce. I provide an analysis of DKOM attacks on Kernel ETW providers, give technical implementation details and tie that back to in-the-wild capabilities used by Lazarus last year 🔪🔥
I implemented Doppelganger in #PowerShell, still needs a bit of cleanup. Seems to do the trick but there are some limitations (x64->x32 & need write access to the process you want to masquerade).
AtomicBird, a quick crude POC to chain together some things => EasyHook for .NET payloads, Costura to pack modules (managed/unmanaged), Donut for shellcode generation and UrbanBishop for injection ❤️⚔️. More details on GitHub =>
Today is a special day for me. After almost 10 years of professional service in the UK, I'm in the airport now, leaving the Kingdoms to make a new start in the USA. Do you think they know about English breakfast tea, queueing and sarcasm? 🫡🥲
For science and profit I wrote an exploit for CVE-2022-21882. It works on 10 and 11. It's a really good case-study on win32k callbacks, more details in thread 🧵
I wrote a #Frida CLR wrapper, Londor, primarily to have a way to capture coverage data by generating DynamoRIO cov files but I also added support for generic script injection => to map coverage in #Ghidra I'm using
I have released Fermion, an electron application for @fridadotre with integrated Monaco code editor. Check out the repo here => you can also download a pre-built release package for x64 Windows ❤️💀
As people may not be familiar with Frida on Windows I'll add some sample scripts as and when I can. I just added DllLoadBehaviour.js which demonstrates how to hook LoadLibraryA/W, LoadLibraryExA/W, LdrLoadDll and pull out various bits of information 👍 =>
Since there is a lot of talk about Kernel drivers and I have been writing some myself I thought it would be beneficial to upload a template people can use if they want to play or get a head start on their own project. =>
I wrote an "aimbot" for XP's minesweeper (any size / configuration) using @fridadotre, apparently I got some high scores ❤️😂😂. POC is in the #Fermion repo =>
I spent some time studying Donut () recently, great work by @TheRealWover and odzhan <3. I wrote a small loader for testing, UrbanBishop, which is doing some interesting tricks. Details on GitHub =>
The recording for the talk I did at SANS HackFest is online:
(Ab)using the Microsoft Identity Platform: Exploring Azure AD Token Caching
I want to thank @Steph3nSims for the invitation and putting on such an excellent event 🙇♂️
I wanted to highlight some of the foundational capabilities that we introduced into SharpSploit as part of our #BlueHatIL talk --> Manual mapping, generic Syscalls & dynamic module/function resolution. Simple usage examples here =>
A quick repro for CVE-2024-21338 that was used by Lazarus to stage their rootkit in-the-wild. There will be a blogpost later to share the technical details 👻💀
Here is an RCE demo for Cobalt Strike CVE-2022-39197. Like @0x09AL said the patch is not a complete fix, be careful. Also I don't want to see any more java code for a while, holy f. Maybe at some point I will post some patch analysis 🥃
I wrote a quick post on setting up your Burp CA on Android 14. I wasted some time getting this to work so I thought I would share steps to save someone else the trouble 🔪🧥
I pushed an update for @xforcered StandIn (v1.3) which includes a number of companion functions for Certify and ADCS template attacks 🌶️👻🧙♂️ ==> new docs
I added another quick tool, Canary, it lets you pull browser history from Chrome and the new chromium Edge. It's a DIY extension basically for SharpChrome -
Tonight I'm toasting team red; may your phish always have a ring of truth, may the domain be full of silver and your tickets made of gold. I'm very excited to announce I'm hopping the fence to the blue side on @FireEye's Advanced Practices team 🧙♂️🔥 (Cc @ItsReallyNick)
So I saw a post about a threat actor using Telegram for C2 (interesting, I dig it). Turns out there is robust API support for telegram. I, however, was curious about signal. I had a quick look at the security profile of Signal Desktop and it's bad ok, like really bad. Do not use
I wrote up a POC, DesertNut, for the so called PROPagate code injection technique using subclassed window callbacks, for further details check out the GitHub page => . Many thanks to @Hexacorn and modexp for their thorough research ❤️👻⚔️
Looking at -> Exploiting Windows RPC to bypass CFG mitigation (@iamelli0t)
This indirection using NdrServerCall2 is really interesting (not just for VR). I wrote a small Frida script for parsing:
Over the weekend I was reading a post by @inversecos on exploiting an Arm64 binary:
I thought it would be interesting to also do the exploit on x64 Windows and show how we can use Frida to autopwn the binary, check it out on 🔪🧥
I wrote a quick introduction post on using unsafe in .NET, I figured there isn't a lot of simple literature on the subject so someone may find it useful 🙇♂️
It's interesting, if you hook ntlmshared!MsvpPasswordValidate and try to auth as any user then Password->_SAMPR_USER_INTERNAL1_INFORMATION.NTHash gives you the hash of that user. This is probably an easy way to write your own DIY hash dumping util.
Wait but why does Windows let you load a driver that was signed with a cert which is now expired and was not timestamped when it was signed? How does that make sense (cc @mattifestation)? I recommend that defenders write signatures for files signed with leaked NVIDIA certificate
Over the past few evenings I have been teaching myself more about .NET deserialization vulnerabilities and writing up my notes. Check out my post on ObjectDataProvider Deserialization using XamlReader on 🔪🧥
A quick demo of corrupting an IORING object for arbitrary R/W on Win11 22H2+. Big thanks to @yarden_shafir for her excellent research and debugging help 😁💐. Probably I will write a small overview of the process on 🔪🧥 later this week.
Check out this great talk by @Cyb3rWard0g & @cyb3rPandah at Insomni'hack => If you play with SilkETW remember that you can augment your collection with Yara and only write matches to file/ELK/eventlog ❤️🔪
Windows is the best way to have Linux at hand, period. As a desktop I ran RH (when it was still free), Fedora, Mint, Debian, Ubuntu so don't @ me. The truth is WSL has done more to bring Linux to desktop than any distro has been able to ¯\_(ツ)_/¯
Because online dating is harder than any FromSoft boss I decided to spend a little bit of time today on making a not-really-submission for the Binary Golf #BGGP4 replicate challenge using .NET PE's. You can read the write-up here: