Yes, red teaming is the sexy offensive security job. But there's a huge need for people who can do more than just run a Burp Suite scan while doing web app pentests. I've interviewed dozens of people for a pentest role over the past few weeks and the lack of web app (1/x)
On your Nessus scans, if you get a finding that says Nessus exploited something but you've been unable to exploit it yourself, go to Settings, Advanced, Logging, and change log_whole_attack from No to Yes, then rescan that host. The finding I had said the host was vulnerable and
Meterpreter getsystem tip: Here, I have a shell as a service account with the usual "SeImpersonatePrivilege" privilege enabled. The default "getsystem" command fails and I lose the shell, prob bc of antivirus, but "getsystem -t 6" works. You don't need to upload a "potato"
Web app vulnerability scanners cannot replace a human who knows what they're doing because scanners can't use intuition, find logic bugs, or stuff like overflows that cause the req to return 'true'. I'm no superstar yet I keep finding things missed by Burp. Some are very obvious.
My script parses Nessus files for findings that have Metasploit modules or for which no exploit code is required, and has the option of printing the output to the terminal or writing it to TSV files for import into Excel.
#Pentesting
If you're a pentester, check out these lists of statistically common usernames in various formats as well as most common corp passwords. Just increased my userlist for somecorp from 13 to 89 using msf owa_login module to verify.
@lawrencekingyo
Many years ago I was a mil recruiter. Guidance counselors directed anyone with a pulse to go to college, even though many couldn’t pass my ASVAB test with a 30! Colleges get paid more if you need remedial classes, and they get that money up front via loans even if you drop out.
Want an easy way to bypass detection by Defender on your Meterpreter shellcode? On your Meterpreter handler, `set AutoLoadStdapi false` before running it. Once you get your meterpreter shell, `load stdapi`.
pentesting skill among applicants is pretty bad. Too many say that their methodology is "test for the OWASP Top Ten" and have never heard of the OWASP ASVS or WSTG. And if their list of XSS payloads is reflected unmodified in the response but doesn't pop, most didn't know...
#PEN300
Getting tired of having to regenerate shellcode and recompile my C# implants every time my OffSec or HTB VPN IP changes so I'm testing a little upgrade. First it checks if a URL to my raw (xor encrypted) shellcode is an arg and loads the bytes from there. If no args, it
that they prob need to close out HTML tags before the payload to get it to work. Most would submit an XSS PoC as a popup and not bother to take it further to determine impact. I feel that this lack of skill leads to a false sense of security that tested web apps are secure.
When doing Internal network pentests and looking for those things that Nessus won't find, I frequently find misconfigured routing protocols. In the past I'd write them up but not attempt to exploit them, but now there's:
Red Teamers: Are there any good services for sending phishing campaigns if I don't want to host my own service? We were looking at Phishme, but it looks like that's only for user awareness and you can't send malicious payloads to be used for gaining access.
@habswolfpack
@DonutOperator
@Justinjpearson
If he’s not a US citizen, he couldn’t have easily bought one legally. Which means he obtained it through illegal means and no gun law you can ask for would have prevented it.
I extended @bohops Dynamic Assembly Loader to load any .Net assembly from http. I know this may be trivial for many of you. It's just something I wanted to do while learning C#.
#csharpnewb
[DynamicDotNet Tooling] Added a POC "Dynamic Assembly Loader" to the repo that loads and executes an assembly using a dynamic method and emitted MSIL instructions (C#).
System.Reflection.Emit is quite powerful (maybe more to come in a future blog post)
But I always wonder what bugs are lurking, waiting to be found by someone who can think outside the box and do manual testing to find things that a Burp Suite scan misses. There's a lot of room for improvement in pentesters' web app testing skills.
If you're into HackTheBox, goscan is useful for those times you pivot into a new network and need a self contained scanner that's fast. It's also come in handy on pentests after gaining access to the PCI CDE via a jumpbox.
Junior Pentesters/Red Teamers/Bug Bounty Hunters:
Start taking good notes now and keep them backed up. I've been saving notes in Markdown format for 7 years and they're priceless to me. I stash code snips, commands, anything that could come in handy later.
Why worry about evasion to dump lsass when you can just use a signed exe forensics tool to dump all of memory, then move the dump over to your system and run WinDbg, load the Mimikatz dll and dump hashes?
If you've ever had to run wmiexec to upload procdump to dump lsass.exe and then copy over that lsass dump file to a Windows host to use Mimikatz and dump creds, here's a faster and easier way, run from a Linux host on an Internal pentest:
Pentesters who want to take your web app hacking skills to the next level: Start following the top bug bounty hunter podcasts to learn some next level shit. Mindblowing stuff awaits you. I recommend the Critical Thinking and Bug Bounty Reports Explained podcasts. You won't regret
@newsmax
But they also tell us that you can still get COVID-19 even if vaccinated, so how is her statement true? Like the flu vaccine, you can still get it but it won’t be as severe.
Pentesters: Do NOT trust vulnerability scan severity ratings. Just as scanners will rate some stuff higher than it should be, on numerous occasions I've found valid medium to high severity findings listed with a severity of 'Info'. Don't ignore the info stuff as noise. Sometimes
.@_RastaMouse has the patience of a great teacher. I highly recommend @zeropointsecltd RTO course! He's in the Slack channel all hours of the day answering n00b questions. I'm learning so much.
If you run Kali in VirtualBox, you should prob be familiar with this command to fix clipboard sync: sudo pkill -fx "/usr/bin/VBoxClient --clipboard" && /usr/bin/VBoxClient --clipboard
I felt like httpx was missing the ability to parse Nmap reports for http/s services and it made more sense to create a standalone utility. Nmapurls parses Nmap xml reports and outputs a list of URLs.
@nullenc0de
It's default meterpreter. I made a custom shellcode loader in C# that uses process hollowing and loads the msf shellcode over http/s instead of storing the sc in my dropper. Before I start the msf handler, I set AutoLoadStdapi to false, then after getting the shell I enter "load
In my first pentesting job, a manager and developer told me that an XSS alert popup doesn't show risk, and asked why they should spend resources on remediating a popup. You shouldn't assume that the pentest report recipient understands the implications of an XSS popup.
Metasploit tip: Want to know a little secret on how to get the most out of it? Learn to write code to bypass endpoint security and get the meterpreter shellcode into memory. If you can't execute it, you can't use it. You'd be surprised how easy it is. Stop using public shellcode
My Internal Pentest Playbook has been updated. Updates to lateral movement/privesc: Hunting for DA sessions > Bypass antivirus to dump lsass and get plaintext creds.
I published what I learned about the differences in methodology between shellcode and DLL injection in Nim here. Shout-outs to @byt3bl33d3r, @mttaggart, @ShitSecure and kchen.
To the hackers who have learned both C++ and Rust: for writing offensive security tools/exploits/implants, does Rust hold any advantage over C++? I know it does for the average app/os developer, but for someone who's going to be writing a lot of 'unsafe' code to pop shells?
I'm on the verge of knocking another item off my list: I've created my first working Metasploit module, and it's for an unauthenticated RCE. This was a team effort. My teammates helped with the PoC and the Metasploit devs are awesome and have been a lot of help. Coming soon:
Why pay 7k for such a course when there are already people like @_RastaMouse and @MrUn1k0d3r teaching it for free or very affordable Patreon donation? SANS is getting too expensive for even many corporate training budgets.
Do you like programming in C/C++
Want to learn how to create offensive Windows tools from scratch?
Been doing dev for *Nix and want to switch to Windows?
Want to advance your Windows dev game?
I have something coming for you....
#SEC670
@SANSOffensive
@SANSInstitute
If I had to pick ONE scripting/programming language that I believe is absolutely essential to pentesters, it would be Bash scripting, not Python. I believe that so strongly that I'm writing a book about Bash for Pentesters. I would recommend learning Python only after getting
@ORCA10K
If I couldn't use Cobalt Strike, I'd use Sliver. It's very stable and can run CS aggressor scripts and BOFs (as of version 1.5). Out of the box Sliver implants usually bypass antivirus, while you have to do your own evasion using CS.
Want to dramatically decrease your password cracking time using Hashcat? Use the '-O' flag (that's an 'oh', not a zero), which limits Hashcat to attempting 31 characters or less. Just decreased my cracking time from 12 hours to 2.
Note to junior pentesters: when you report XSS, showing a popup is only the first step, not the final poc. If you’re not putting in the effort to show the impact with a poc that harvests credentials, executes CSRF, etc, you’re failing your customer and making yourself look bad.
This is why I previously used slurp() in Nim to store a base64 encoded byte array of shellcode and then reverse the array, at compile time. Base64 is low entropy: `const letters = slurp('sc.bin').encode().reverse()`
"You’re encrypting your shellcode so you don’t get caught, and that might get you caught."
In this new blog, Principal Consultant @hardwaterhacker discusses how the CrowdStrike Falcon detection works, and how to get around it.
READ:
#hacking
#infosec
ldapsearch > enum4linux when enumerating LDAP and null sessions. Usually provides more information and better output. `ldapsearch -h <DC IP> -x -s base namingcontexts` & `ldapsearch -h <DC IP> -x -b "DC=contoso,DC=com"`.
Working on OSEP brings back memories from 2015 when I was working on OSCP: The roller coaster of emotions when you feel like you suck and you're not going to get this. Then you pwn that shit and feel like you're on top of the world for a moment. And repeat...
If anyone has a job opportunity for a really talented hacker and doesn't mind that they have a felony conviction from about 15 years ago, please DM me. I know someone who's got the skills but that record is holding him back.
@C_C_Krebs
@subtee
@CISAgov
@FBI
I’m more concerned about ballot stuffing than hacking affecting the election. What’s your opinion on “2000 Mules”, if you’ve watched it?
I know that for web app pentesting, Burp Pro is the favored proxy tool, but check out the latest version of ZAP with the HUD (Heads Up Display). This is me walking through the HUD tutorial. Pretty slick being able to do all your manual testing in a browser.
My self-contained scanner is handy in #hackthebox Pro labs for scanning from pivot hosts and has also come in handy on some client pentests. Much faster than scanning through proxychains.
Tailscale is freakin awesome! I just setup a free account and found I can solve multiple problems I'm having at no cost. For example, for bug bounty scanning and enumeration I didn't want my traffic to source from my home IP to avoid potential abuse complaints affecting my
@_rybaz
I think most AD admins are “jack of all trades” and their time is split over managing many systems. That’s my experience before I got into my first dedicated security role.
@rootsecdev
@HackingLZ
Also look into Proxifier. When I want to avoid dealing with AV and EDR, I run PuTTY to ssh to my internal pentest dropbox, push all traffic through the ssh tunnel using Proxifier, and use runas with a domain user from my VM with Defender disabled.
@mpgn_x64
@codaholikid
This method of planting lnk and scf files works great. One pentest in the most secure net I ever tested... last day, last hour, while writing the report, a sysadmin logged in with a DA account and browsed that file share and I got DA despite all of the great work they had done.
Today I ditched the walker and walked two houses down and back with a cane (and my wound vac “purse”). Progress!
I suspect I won’t be needing the cane for long, because I’m only carrying it with me now just in case I get tired.
@NahamSec
Checking for HSRP default creds, passwords in cleartext comms, LLMNR/NBT-NS, DHCPv6, etc.
I usually use Tcpdump instead of Wireshark so I can script capture and filtering.
My take on "I'm not a pentester (and you might not want to be one either)":
Edited to add: Don't get into this line of work unless you're really passionate about it and willing to outwork the masses to keep learning and excel.
TLDR: There is no shortage of supply of desperate
@PhillipWylie
It seems that any time you tell someone that they should work as a sysadmin or dev and get some general IT experience, someone wants to call you a gatekeeper or boomer. It’s like putting in work and working your way up is a bad thing.
@mttaggart
Every time I've said that I get called a "gatekeeper" for suggesting that people who want to get into cyber security start out in IT admin/engineering/dev roles first. However, just because the truth is inconvenient doesn't make it wrong.
@0gtweet
@MrJamesHemmings
If you can run Mimikatz, you already have full privs. So I usually use PowerShell to set a Defender exclusion path, then use PowerShell wget to download the file. Simple and it works. Or better yet, dump lsass instead and move that dump file to a system that you control. :)
@fabio_viggiani
I’ve seen orgs rely on MFA so much that they allowed weak password policies which result in guessed passwords and getting past MFA by repeatedly sending the employee pushes until they give in and allow.
I'm halfway through my PEN-300 lab time and can already tell that I'll need a lab extension. I keep learning and finding new rabbit holes to dive into, which distracts me from the course for as long as a week at a time. I'm learning so much.
Now that I'm trying to write my first Metasploit module for a zero day that I'm in process of disclosing, I regret abandoning learning Ruby and Metasploit dev years ago because everyone I worked with hated Ruby. I always liked Ruby's syntax over Python, but of course Python
@H3KTlC
I struggle with ADHD and getting distracted. Smartphones and Social Media are ruining our ability to perform deep work. This book is awesome, but it still takes effort to change your habits and block distractions: "Deep Work: Rules for Focused Success in a Distracted World".
My PEN-300 exam is scheduled. I don't know what else to study over the next few weeks while I wait. I've completed all of the challenges and have good payloads and notes for every situation covered in the course. Any suggestions? Edit: I just signed up for HTB Cybernetics.
I'm just getting started on MalDev Academy and it's mind boggling how many types and specifications you have to remember just to call a function in C. I don't know how I'm going to remember all this stuff.
@vysecurity
I've got 64 GB RAM and I'm running Detection Lab (4 VMs require 16 GB RAM) plus a Kali VM, in addition to MS Teams, Chrome, Office, etc. eating up many more GBs, and I'm only using 48% of total RAM.
It helps if you think ahead and have some payloads that show impact already created in your arsenal. I have two fav's. One pops up a dialog that says there's been an error and you need to reauthenticate, and captures credentials. The other simply redirects to an arbitrary site.
@_wald0
We compromised the credentials of a Domain Admin account and they had MFA. The admin would click allow if we sent the push repeatedly and then change his password by incrementing the number at the end but didn’t report it. We knew his pw pattern. Repeat, Multiple rounds.
@luketucker
WiFi pentest at a global multi billion dollar corp, found that someone had installed an open AP in a training room next to a parking lot shared with other businesses at one of their satellite offices. I connected to the data center and popped Eternalblue from the parking lot.
Dagnabbit! Windows Defender now seems to be blocking ANYTHING I write in Nim, even completely non-malicious stuff that I'm experimenting with to learn the standard library. What's next? Maybe I'll give Crystal lang a try, or go back to Golang.
Thankfully I'm feeling somewhat better just in time to take my OSEP exam today, even if I did have to sleep in my recliner for the last two nights in a row so I wouldn't wake up my wife with my coughing and wheezing.
External pentest, gained internal access from non-priv user accounts' weak passwords and lack of 2FA. Dropped scf files on network shares and watched as password hashes rolled into my host. Damn, there's an admin account hash!
@drb0n3z
I recently found a critical unauthenticated RCE vuln and made an exploit POC for an EoL product that’s still being used and exposed to the internet. There won’t be a patch issued by the vendor, maybe no CVE so those using it will never know they’re vulnerable until after they get