Steve Campbell

@lpha3ch0

Followers
2,779
Following
231
Media
273
Statuses
5,687

Retired Navy Aviation Electrician. Technical Lead - Offensive Security. The opinions I share are my own.

127.0.0.5
Joined August 2017
@lpha3ch0
Steve Campbell
2 years
Yes, red teaming is the sexy offensive security job. But there's a huge need for people who can do more than just run a Burp Suite scan while doing web app pentests. I've interviewed dozens of people for a pentest role over the past few weeks and the lack of web app (1/x)
29
126
921
@lpha3ch0
Steve Campbell
1 year
On your Nessus scans, if you get a finding that says Nessus exploited something but you've been unable to exploit it yourself, go to Settings, Advanced, Logging, and change log_whole_attack from No to Yes, then rescan that host. The finding I had said the host was vulnerable and
5
71
432
@lpha3ch0
Steve Campbell
2 years
If you want to learn web app pentesting, read the OWASP WSTG and then work through the Portswigger Web Academy. All free.
13
39
394
@lpha3ch0
Steve Campbell
1 year
Meterpreter getsystem tip: Here, I have a shell as a service account with the usual "SeImpersonatePrivilege" privilege enabled. The default "getsystem" command fails and I lose the shell, prob bc of antivirus, but "getsystem -t 6" works. You don't need to upload a "potato"
Tweet media one
Tweet media two
6
69
315
@lpha3ch0
Steve Campbell
5 years
I'm sharing my Internal Network Penetration Test workflow in an XMind document. Please share and contribute your edits to make it better!
7
101
309
@lpha3ch0
Steve Campbell
3 years
Web app vulnerability scanners cannot replace a human who knows what they're doing because scanners can't use intuition, find logic bugs, or stuff like overflows that cause the req to return 'true'. I'm no superstar yet I keep finding things missed by Burp. Some are very obvious.
12
49
281
@lpha3ch0
Steve Campbell
11 months
My script parses Nessus files for findings which have Metasploit modules or no exploit code is required and has the option of printing the output to the terminal or output to TSV files for import into Excel. #Pentesting
1
68
214
@lpha3ch0
Steve Campbell
7 years
If you're a pentester, check out these lists of statistically common usernames in various formats as well as most common corp passwords. Just increased my userlist for somecorp from 13 to 89 using msf owa_login module to verify.
0
71
174
@lpha3ch0
Steve Campbell
3 years
@lawrencekingyo Many years ago I was a mil recruiter. Guidance counselors directed anyone with a pulse to go to college, even though many couldn’t pass my ASVAB test with a 30! Colleges get paid more if you need remedial classes, and they get that money up front via loans even if you drop out.
5
10
151
@lpha3ch0
Steve Campbell
1 year
Want an easy way to bypass detection by Defender on your Meterpreter shellcode? On your Meterpreter handler, `set AutoLoadStdapi false` before running it. Once you get your meterpreter shell, `load stdapi`.
3
30
158
@lpha3ch0
Steve Campbell
2 years
pentesting skill among applicants is pretty bad. Too many say that their methodology is "test for the OWASP Top Ten" and have never heard of the OWASP ASVS or WSTG. And if their list of XSS payload is reflected unmodified in the response but doesn't pop, most didn't know...
2
7
141
@lpha3ch0
Steve Campbell
1 year
#PEN300 Getting tired of having to regenerate shellcode and recompile my C# implants every time my OffSec or HTP VPN IP changes so I'm testing a little upgrade. First it checks if a URL to my raw (xor encrypted) shellcode is an arg and loads the bytes from there. If no args, it
Tweet media one
5
14
138
@lpha3ch0
Steve Campbell
4 years
@ObamaMalik @CassandraRules @JoeBiden @POTUS @TheView It's going to be really interesting watching the 2020 Presidential debate!
10
1
110
@lpha3ch0
Steve Campbell
2 years
that they prob need to close out HTML tags before the payload to get it to work. Most would submit an XSS PoC as a popup and not bother to take it further to determine impact. I feel that this lack of skill leads to a false sense of security that tested web apps are secure.
5
6
113
@lpha3ch0
Steve Campbell
4 years
When doing Internal network pentests and looking for those things that Nessus won't find, I frequently find misconfigured routing protocols. In the past I'd write them up but not attempt to exploit them but now there's:
1
32
114
@lpha3ch0
Steve Campbell
3 years
Red Teamers: Are there any good services for sending phishing campaigns if I don't want to host my own service? We were looking at Phishme, but it looks like that's only for user awareness and you can't send malicious payloads to be used for gaining access.
22
12
110
@lpha3ch0
Steve Campbell
1 year
@habswolfpack @DonutOperator @Justinjpearson If he’s not a US citizen, he couldn’t have easily bought one legally. Which means he obtained it through illegal means and no gun law you can ask for would have prevented it.
3
0
100
@lpha3ch0
Steve Campbell
6 years
I passed the SANS GXPN exam!
Tweet media one
10
0
92
@lpha3ch0
Steve Campbell
2 years
I extended @bohops Dynamic Assembly Loader to load any .Net assembly from http. I know this may be trivial for many of you. It's just something I wanted to do while learning C#. #csharpnewb
@bohops
bohops
2 years
[DynamicDotNet Tooling] Added a POC "Dynamic Assembly Loader" to the repo that loads and executes an assembly using a dynamic method and emitted MSIL instructions (C#). System.Reflection.Emit is quite powerful (maybe more to come in a future blog post)
Tweet media one
7
67
210
2
26
88
@lpha3ch0
Steve Campbell
2 years
But I always wonder what bugs are lurking, waiting to be found by someone who can think outside the box and do manual testing to find things that a Burp Suite scan misses. There's a lot of room for improvement in pentesters web app testing skills.
3
5
87
@lpha3ch0
Steve Campbell
1 year
If you're into HackTheBox, goscan is useful for those times you pivot into a new network and need a self contained scanner that's fast. It's also come in handy on pentests after gaining access to the PCI CDE via a jumpbox.
0
15
86
@lpha3ch0
Steve Campbell
4 years
2
21
86
@lpha3ch0
Steve Campbell
8 months
Junior Pentesters/Red Teamers/Bug Bounty Hunters: Start taking good notes now and keep them backed up. I've been saving notes in Markdown format for 7 years and they're priceless to me. I stash code snips, commands, anything that could come in handy later.
6
6
83
@lpha3ch0
Steve Campbell
1 year
A longtime goal is checked off. I successfully landed my first Metasploit exploit module with the help of my teammates and the @metasploit devs.
2
11
77
@lpha3ch0
Steve Campbell
2 years
Why worry about evasion to dump lsass when you can just use a signed exe forensics tool to dump all of memory, then move the dump over to your system and run WinDbg, load the Mimikatz dll and dump hashes?
6
11
76
@lpha3ch0
Steve Campbell
5 years
If you've ever had to run wmiexec to upload procdump to dump lsass.exe and then copy over that lsass dump file to a Windows host to use Mimikatz and dump creds, here's a faster and easier way, run from a Linux host on an Internal pentest:
Tweet media one
2
22
77
@lpha3ch0
Steve Campbell
2 years
Meanwhile, a lot of those pentesters want to focus on Red Teaming, which is a really crowded scene.
3
4
72
@lpha3ch0
Steve Campbell
7 months
Pentesters who want to take your web app hacking skills to the next level: Start following the top bug bounty hunter podcasts to learn some next level shit. Mindblowing stuff awaits you. I recommend the Critical Thinking and Bug Bounty Reports Explained podcasts. You won't regret
7
9
73
@lpha3ch0
Steve Campbell
3 years
@newsmax But they also tell us that you can still get COVID-19 even if vaccinated, so how is her statement true? Like the flu vaccine, you can still get it but it won’t be as severe.
3
1
66
@lpha3ch0
Steve Campbell
1 year
Pentesters: Do NOT trust vulnerability scan severity ratings. Just as scanners will rate some stuff higher than it should be, on numerous occasions I've found valid medium to high severity findings listed with a severity of 'Info'. Don't ignore the info stuff as noise. Sometimes
9
13
67
@lpha3ch0
Steve Campbell
3 years
. @_RastaMouse has the patience of a great teacher. I highly recommend @zeropointsecltd RTO course! He's in the Slack channel all hours of the day answering n00b questions. I'm learning so much.
0
13
66
@lpha3ch0
Steve Campbell
2 years
If you run Kali in VirtualBox, you should prob be familiar with this command to fix clipboard sync: sudo pkill -fx "/usr/bin/VBoxClient --clipboard" && /usr/bin/VBoxClient --clipboard
2
12
62
@lpha3ch0
Steve Campbell
5 years
Without a doubt, learning OSINT techniques from bug bounty hunters has made me a better penetration tester.
4
13
59
@lpha3ch0
Steve Campbell
7 months
I felt like httpx was missing the ability to parse Nmap reports for http/s services and it made more sense to create a standalone utility. Nmapurls parses Nmap xml reports and outputs a list of URL's.
1
11
52
@lpha3ch0
Steve Campbell
1 year
@nullenc0de It's default meterpreter. I made a custom shellcode loader in C# that uses process hollowing and loads the msf shellcode over http/s instead of storing the sc in my dropper. Before I start the msf handler, I set AutoLoadStdapi to false, then after getting the shell I enter "load
0
4
55
@lpha3ch0
Steve Campbell
2 years
In my first pentesting job, a manager and developer told me that a XSS alert popup doesn't show risk, and asked why they should spend resources on remediating a popup. You shouldn't assume that the pentest report recipient understands the implications of a XSS popup.
7
5
53
@lpha3ch0
Steve Campbell
1 year
Metasploit tip: Want to know a little secret on how to get the most out of it? Learn to write code to bypass endpoint security and get the meterpreter shellcode into memory. If you can't execute it, you can't use it. You'd be surprised how easy it is. Stop using public shellcode
2
2
54
@lpha3ch0
Steve Campbell
2 years
As I'm learning to create .Net implants, 2/26 ain't bad. AMSI bypass > reflectively load dll > Meterpreter.
Tweet media one
6
4
51
@lpha3ch0
Steve Campbell
2 years
There are multiple ways to extract SAM hashes from a VMWare VMDK. After some trial and error, this was the easiest way to get it done:
2
13
51
@lpha3ch0
Steve Campbell
5 years
My Internal Pentest Playbook has been updated. Updates to lateral movement/privesc: Hunting for DA sessions > Bypass antivirus to dump lsass and get plaintext creds.
0
19
49
@lpha3ch0
Steve Campbell
3 years
I published what I learned about the differences in methodology between shellcode and DLL injection in Nim here. Shout-outs to @byt3bl33d3r @mttaggart @ShitSecure and kchen.
1
14
49
@lpha3ch0
Steve Campbell
1 year
To the hackers who have learned both C++ and Rust: for writing offensive security tools/exploits/implants, does Rust hold any advantage over C++? I know it does for the average app/os developer, but for someone who's going to be writing a lot of 'unsafe' code to pop shells?
10
7
44
@lpha3ch0
Steve Campbell
1 year
I'm on the verge of knocking another item off my list: I've created my first working Metasploit module, and it's for an unauthenticated RCE. This was a team effort. My teammates helped with the PoC and the Metasploit devs are awesome and have been a lot of help. Coming soon:
Tweet media one
2
1
46
@lpha3ch0
Steve Campbell
3 years
Why pay 7k for such a course when there are already people like @_RastaMouse and @MrUn1k0d3r teaching it for free or very affordable Patreon donation? SANS is getting too expensive for even many corporate training budgets.
@jon__reiter
Jonathan
3 years
Do you like programming in C/C++ Want to learn how to create offensive Windows tools from scratch? Been doing dev for *Nix and want to switch to Windows? Want to advance your Windows dev game? I have something coming for you.... #SEC670 @SANSOffensive @SANSInstitute
5
14
52
2
6
43
@lpha3ch0
Steve Campbell
6 months
If I had to pick ONE scripting/programming language that I believe is absolutely essential to pentesters, it would be Bash scripting, not Python. I believe that so strongly that I'm writing a book about Bash for Pentesters. I would recommend learning Python only after getting
7
5
42
@lpha3ch0
Steve Campbell
2 years
@ORCA10K If I couldn't use Cobalt Strike, I'd use Sliver. It's very stable and can run CS aggressor scripts and BOF's (as of version 1.5). Out of the box Sliver implants usually bypass antivirus, while you have to do your own evasion using CS.
5
3
41
@lpha3ch0
Steve Campbell
6 years
@Ocasio2018 If you’re not ready to stand up for what you believe in and debate it then you’re not ready for an elected office.
2
3
21
@lpha3ch0
Steve Campbell
5 years
Want to dramatically decrease your password cracking time using Hashcat? Use the '-O' (that's an 'oh' not a zero) which limits Hashcat to attempting 31 characters or less. Just decreased my cracking time from 12 hours to 2.
0
10
38
@lpha3ch0
Steve Campbell
9 months
How to run short and effective meetings:
Tweet media one
2
4
39
@lpha3ch0
Steve Campbell
6 months
Note to junior pentesters: when you report XSS, showing a popup is only the first step, not the final poc. If you’re not putting in the effort to show the impact with a poc that harvests credentials, executes CSRF, etc, you’re failing your customer and making yourself look bad.
5
8
37
@lpha3ch0
Steve Campbell
4 years
@mubix GitHub:
0
3
36
@lpha3ch0
Steve Campbell
1 year
This is why I previously used slurp() in Nim to store a base64 encoded byte array of shellcode and then reverse the array, at compile time. Base64 is low entropy: const letters = slurp('sc.bin').encode().reverse()
@RedSiege
Red Siege Information Security
1 year
"You’re encrypting your shellcode so you don’t get caught, and that might get you caught." In this new blog, Principal Consultant @hardwaterhacker discusses how the CrowdStrike Falcon detection works, and how to get around it. READ: #hacking #infosec
2
19
70
2
3
36
@lpha3ch0
Steve Campbell
4 years
ldapsearch > enum4linux when enumerating LDAP and null sessions. Usually provides more information and better output. "ldapsearch -h <DC IP> -x -s base namingcontexts" & "ldapsearch -h <DC IP> -x -b 'DC=contoso,DC=com'".
2
7
36
@lpha3ch0
Steve Campbell
2 years
SensePost | Abusing windows’ tokens to compromise active directory without touching lsass
0
14
32
@lpha3ch0
Steve Campbell
1 year
Working on OSEP brings back memories from 2015 when I was working on OSCP: The roller coaster of emotions when you feel like you suck and you're not going to get this. Then you pwn that shit and feel like you're on top of the world for a moment. And repeat...
3
2
35
@lpha3ch0
Steve Campbell
2 years
@malmoeb Microsoft says that disabling IPv6 may break things and says it’s better to set “Prefer IPv4 over IPv6” rather than disable it:
3
9
35
@lpha3ch0
Steve Campbell
3 years
I found colorls while trying to figure out how @byt3bl33d3r showed icons for files/dirs in his terminal:
Tweet media one
2
5
29
@lpha3ch0
Steve Campbell
1 year
If anyone has a job opportunity for a really talented hacker and doesn't mind that they have a felony conviction from about 15 years ago, please DM me. I know someone who's got the skills but that record is holding him back.
3
9
32
@lpha3ch0
Steve Campbell
2 years
@C_C_Krebs @subtee @CISAgov @FBI I’m more concerned about ballot stuffing than hacking affecting the election. What’s your opinion on “2000 Mules”, if you’ve watched it?
7
0
30
@lpha3ch0
Steve Campbell
5 years
I converted my Internal Pentest Playbook from Xmind to Github markdown to make it easier for you to contribute your notes!
0
8
33
@lpha3ch0
Steve Campbell
5 years
I know that for web app pentesting, Burp Pro is the favored proxy tool, but check out the latest version of ZAP with the HUD (Heads Up Display). This is me walking through the HUD tutorial. Pretty slick being able to do all your manual testing in a browser.
0
14
32
@lpha3ch0
Steve Campbell
2 years
My self-contained scanner is handy in #hackthebox Pro labs for scanning from pivot hosts and has also come in handy on some client pentests. Much faster than scanning through proxychains.
3
11
32
@lpha3ch0
Steve Campbell
8 months
Tailscale is freakin awesome! I just set up a free account and found I can solve multiple problems I'm having at no cost. For example, for bug bounty scanning and enumeration I didn't want my traffic to source from my home IP to avoid potential abuse complaints affecting my
7
3
27
@lpha3ch0
Steve Campbell
2 years
@_rybaz I think most AD admins are “jack of all trades” and their time is split over managing many systems. That’s my experience before I got into my first dedicated security role.
4
0
30
@lpha3ch0
Steve Campbell
2 years
@rootsecdev @HackingLZ Also look into Proxifier. When I want to avoid dealing with AV and EDR, I run Putty to ssh to my internal pentest dropbox, push all traffic through the ssh tunnel using Proxifier, and use runas with a domain user from my VM with Defender disabled.
1
8
30
@lpha3ch0
Steve Campbell
5 years
@nando_mendonca Here's a screenshot of my Internal Pentest playbook. Most of the nodes have notes with commands I run.
Tweet media one
3
4
30
@lpha3ch0
Steve Campbell
3 years
@mpgn_x64 @codaholikid This method of planting lnk and scf files works great. One pentest in the most secure net I ever tested... last day, last hour, while writing the report, a sysadmin logged in with a DA account and browsed that file share and I got DA despite all of the great work they had done.
5
3
29
@lpha3ch0
Steve Campbell
3 years
Thanks for the swag, @hackthebox_eu!
Tweet media one
3
0
29
@lpha3ch0
Steve Campbell
1 year
Today I ditched the walker and walked two houses down and back with a cane (and my wound vac “purse”). Progress! I suspect I won’t be needing the cane for long, because I’m only carrying it with me now just in case I get tired.
Tweet media one
3
0
27
@lpha3ch0
Steve Campbell
2 years
@NahamSec Checking for HSRP default creds, passwords in cleartext comms, LLMNR/NBT-NS, DHCPv6, etc. I usually use Tcpdump instead of Wireshark so I can script capture and filtering.
2
1
26
@lpha3ch0
Steve Campbell
5 months
WTF is this, an ad in my Ubuntu terminal?
Tweet media one
9
1
27
@lpha3ch0
Steve Campbell
2 years
I wonder if I'll be the oldest person to earn OSEP and eventually OSCE3. Once I pass I'll have to ask OffSec if they can answer that question.
4
0
26
@lpha3ch0
Steve Campbell
1 year
I’m getting admitted to the hospital for a blocked artery in a leg. Wish me luck. I’ll be here into next week. Fun times.
9
1
25
@lpha3ch0
Steve Campbell
6 months
My take on "I'm not a pentester (and you might not want to be one either)": Edited to add: Don't get into this line of work unless you're really passionate about it and willing to outwork the masses to keep learning and excel. TLDR: There is no shortage of supply of desperate
2
1
26
@lpha3ch0
Steve Campbell
5 years
Anyone looking for a new job in penetration testing? Rapid7 just opened up two jobs for a Consultant and Senior Consultant. DM me if interested.
1
18
25
@lpha3ch0
Steve Campbell
4 years
@PhillipWylie It seems that any time you tell someone that they should work as a sysadmin or dev and get some general IT experience, someone wants to call you a gatekeeper or boomer. It’s like putting in work and working your way up is a bad thing.
4
1
26
@lpha3ch0
Steve Campbell
3 years
Out of all of the programming languages I’ve learned, Nim is the only one that has excited me enough to start writing my own C2.
4
3
23
@lpha3ch0
Steve Campbell
2 years
@mttaggart Every time I've said that I get called a "gatekeeper" for suggesting that people who want to get into cyber security start out in IT admin/engineering/dev roles first. However, just because the truth is inconvenient doesn't make it wrong.
3
0
25
@lpha3ch0
Steve Campbell
3 years
@0gtweet @MrJamesHemmings If you can run Mimikatz, you already have full privs. So I usually use PowerShell to set a Defender exclusion path, then use PowerShell wget to download the file. Simple and it works. Or better yet, dump lsass instead and move that dump file to a system that you control. :)
1
0
22
@lpha3ch0
Steve Campbell
3 years
@fabio_viggiani I’ve seen orgs rely on MFA so much that they allowed weak password policies which result in guessed passwords and getting past MFA by repeatedly sending the employee pushes until they give in and allow.
1
2
24
@lpha3ch0
Steve Campbell
1 year
I'm halfway through my PEN-300 lab time and can already tell that I'll need a lab extension. I keep learning and finding new rabbit holes to dive which distracts me from the course for as long as a week at a time. I'm learning so much.
2
0
24
@lpha3ch0
Steve Campbell
1 year
Now that I'm trying to write my first Metasploit module for a zero day that I'm in process of disclosing, I regret abandoning learning Ruby and Metasploit dev years ago because everyone I worked with hated Ruby. I always liked Ruby's syntax over Python, but of course Python
2
0
24
@lpha3ch0
Steve Campbell
3 years
@H3KTlC I struggle with ADHD and getting distracted. Smartphones and Social Media are ruining our ability to perform deep work. This book is awesome, but it still takes effort to change your habits and block distractions: "Deep Work: Rules for Focused Success in a Distracted World".
1
1
23
@lpha3ch0
Steve Campbell
1 year
I had to go through a second round of surgery today to try to save my right leg. It’s looking like it was a success!
3
0
22
@lpha3ch0
Steve Campbell
1 year
My PEN-300 exam is scheduled. I don't know what else to study over the next few weeks while I wait. I've completed all of the challenges and have good payloads and notes for every situation covered in the course. Any suggestions? Edit: I just signed up for HTB Cybernetics.
8
1
23
@lpha3ch0
Steve Campbell
1 year
I'm just getting started on MalDev Academy and it's mind boggling how many types and specifications you have to remember just to call a function in C. I don't know how I'm going to remember all this stuff.
4
0
21
@lpha3ch0
Steve Campbell
4 years
@mubix Tools: CrackMapExec, Impacket, SMBMap, smbclient, hashcat, Responder, MITM6, Bloodhound, Gobuster, Masscan, SIET, Aquatone, sendemail, PowerView, Pywerview, tmux, Burp Suite Pro, and Docker.
0
1
22
@lpha3ch0
Steve Campbell
3 years
@vysecurity I've got 64 GB RAM and I'm running Detection Lab (4 vms's req's 16 GB RAM) plus a Kali vm, in addition to MS Teams, Chrome, Office, etc. eating up many more GB's, and I'm only using 48% of total RAM.
0
0
22
@lpha3ch0
Steve Campbell
2 years
It helps if you think ahead and have some payloads that show impact already created in your arsenal. I have two fav's. One pops up a dialog that says there's been an error and you need to reauthenticate, and captures credentials. The other simply redirects to an arbitrary site.
1
0
22
@lpha3ch0
Steve Campbell
7 years
When hunting for XSS in POST, it's always a good idea to test if you can flip it from POST to GET before you waste an hour and a half on it.
1
9
21
@lpha3ch0
Steve Campbell
1 year
I finished the last of the PEN-300 challenges this evening. That makes me feel more confident that I can pass the exam.
2
0
20
@lpha3ch0
Steve Campbell
2 years
@_wald0 We compromised the credentials of a Domain Admin account and they had MFA. The admin would click allow if we sent the push repeatedly and then change his password by incrementing the number at the end but didn’t report it. We knew his pw pattern. Repeat, Multiple rounds.
1
0
21
@lpha3ch0
Steve Campbell
3 years
@luketucker WiFi pentest at a global multi billion dollar corp, found that someone had installed an open AP in a training room next to a parking lot shared with other businesses at one of their satellite offices. I connected to the data center and popped Eternalblue from the parking lot.
0
1
21
@lpha3ch0
Steve Campbell
2 years
Dagnabbit! Windows Defender now seems to be blocking ANYTHING I write in Nim, even completely non-malicious stuff that I'm experimenting with to learn the standard library. What's next? Maybe I'll give Crystal lang a try, or go back to Golang.
7
2
17
@lpha3ch0
Steve Campbell
1 year
Thankfully I'm feeling somewhat better just in time to take my OSEP exam today, even if I did have to sleep in my recliner for the last two nights in a row so I wouldn't wake up my wife with my coughing and wheezing.
8
0
21
@lpha3ch0
Steve Campbell
5 years
I'll be speaking at @BSidesTLH on April 18th. I'm proud to say that my first conference pres will be held in the capitol city of my state of birth. :)
Tweet media one
8
0
20
@lpha3ch0
Steve Campbell
6 years
External pentest, gained internal access from non-priv user accounts weak passwords and lack of 2FA. Dropped scf files on network shares and watched as password hashes rolled into my host. Damn, there's an admin account hash!
3
1
20
@lpha3ch0
Steve Campbell
1 year
@drb0n3z I recently found a critical unauthenticated RCE vuln and made an exploit POC for an EoL product that’s still being used and exposed to the internet. There won’t be a patch issued by the vendor, maybe no CVE so those using it will never know they’re vulnerable until after they get
4
0
20