Time to be terrified. I've just dropped my Okta Terrify tool which I demonstrated as part of my @BSidesCymru talk last week. You can now backdoor compromised Okta accounts via Windows Okta Verify using attacker controlled passwordless keys. Enjoy -
Been a few months in development on and off, but finally got an end to end POC working for lsarelayx. System wide NTLM relay from Windows which relays all incoming NTLM authentications without affecting the original target application. Silent relay if you will.
Well, here it is, the initial release of lsarelayx. Considered alpha at this stage, so I recommend lab use only for now. Appreciate any feedback, especially non-working environments.
BeaconEye: My first defensive tool release for my #DFIR friends. Detects and monitors beacon command output. Should be considered alpha at this stage and appreciate any feedback on undetected beacons.
Working on a new tool that will be ready soon. One thing I can say from the research.... if your environment leverages Windows Hello without TPMs, DO NOT allow the default setting of a digit-only PIN. Windows stores the PIN length and it can be brute forced in seconds.
The next blog post should be a good one. Dumping LSASS in memory using a new C# port of MinHook. Dynamic DLL assembly generation using Boo thrown in too, negating the need for opening the LSASS process handle directly.
Look ma, printer bug DC sync from a low privileged service by merging @itm4n's PrintSpoofer and @tifkin_'s SpoolSample. How MS continue to say this is a feature is ridiculous.
Another weekend or so left and lsarelayx should be at least ready for lab testing. In the meantime check out the latest feature. Kerberos -> NTLM downgrade, so even clients attempting to connect with Kerberos will be forced to use NTLM.
Just got a POC of BeaconEye working (WIP) - My first blue team tool for my #DFIR friends. Scans processes for Cobalt Strike's beacon and then spits out a real time log of the activity.
Thanks to everyone who came to my DEF CON talk yesterday. I should have submitted for a 45 minute talk as I didn't have time to cover the DNS update capability of gssapi-abuse tool. DNS mode is super handy if you want to apply instant updates to AD DNS
Sneak preview of Volumiser. Final version will allow listing and extraction of OS files from common hard disk image formats. My favourite so far is AWS EBS snapshots. Extracting registry hives now takes seconds + a few MB of data instead of unworkable 100G images.
Plot thickens with #PrinterNightmare. Whilst SMB paths are not allowed for driver files for remote hosts, they are allowed for the target host or IP. So file servers with writable shares are particularly vulnerable now since you don't even need a valid driver root path.
Last week our @_EthicalChaos_ promised something tasty: "Want to authenticate to RDP/Citrix using your abused ADCS certificate and live off the land? PIVert has got your back. Will be releasing soon!"
Well, here it is - Living off the land, AD CS style
Well, it took a bit longer than a weekend but here it is, in-memory execution support for SharpBlock's child process. Places a breakpoint on the implanted entry point to hide signs of the implant. The implant process can be loaded over file, http or pipe. Enjoy!
Here is a sneak preview of an upcoming PR to Rubeus. PKINIT support for both Smartcard and PFX certificates with private keys for obtaining Kerberos TGTs. Hopefully I'll have a chance to finish it this weekend! #RedTeam #InfoSec
SweetPotato now supports the latest Windows 10 and Server 2019. I have added @itm4n's excellent PrintSpoofer EoP. Thanks to @tiraniddo's brill NtApiDotNet library which enabled the C# code to interface with the ALPC port of print spooler.
Well here it is. The first release of for #CobaltStrike. Likely to have a few bugs etc... but hopefully enough for you all to have a play with. Look forward to seeing all your BOFNETs.
Hmmm, EDR vendors now trying to bypass SharpBlock? Using KiUserApcDispatcher to call an exported function for applying the patches instead of their DLL entry point. 🤔💡😈
update: Uses Cobalt Strike 4.9's key value store for AppDomain. In-memory file system (VFS), web server BOF that hosts files from the VFS, also simple C# implementation of Screenshot. VFS great for integration with other BOFS.
I hope you can all join me next week at DEF CON for my talk, A Broken Marriage: Abusing Mixed Vendor Kerberos Stacks. It's at Track 4, 4pm on Saturday. I'll cover an interesting vector for impersonating AD users on *nix based hosts. See you all stateside ✈️🎉🍾
Want to implement your own custom screenshot, key logger or file upload implementation for Cobalt Strike but retain integration with the GUI? I just pushed a version of BOFNET that will allow you to do just that. Shout out to @cr0eax for the hint.
Here you go folks, initial release of Volumiser. Dealing with those 100G virtual disk images during red team ops just got easier. Limited testing so far so I would love to hear about any problems that pop up.
Our @_EthicalChaos_ found that you could remotely install Windows Store apps and execute privileged services on the latest versions of Windows. This post has all the juicy CVE-2022-35841 details #rce #cve
Just pushed a small change for the recently released Volumiser tool. You can now read files directly, à la NinjaCopy, from physical disk and volume handles. Handy for exfiltrating registry hives or ntds.dit on hosts with EDRs.
Just pushed a small update to SharpBlock. Syscalls are now used for the DLL entry point patch on EDR DLLs (to combat some protections now seen) and console output now works for processes launched with PPID spoofing.
Thanks for testing @ShitSecure
My #DEFCON31 talk, A Broken Marriage: Abusing Mixed Vendor Kerberos Stacks is live. Hope you enjoy watching as much as I did presenting. Thank you @defcon for having me.
Now I can relax. My first public talk completed at @BSidesCymru, my home town. Here are the slides and the POC released as part of the talk for those who couldn't make it in person
Been prepping the POC for my potential talk at DEF CON this year (if accepted). A side effect of this is that I now have the ability to do direct instant Secure DNS updates to AD DNS over port 53 using any authenticated account, yay.
Nothing groundbreaking, a couple of months ago I wrote a new MSBuild plugin called dnMerge for merging .NET assemblies. For those interested in C# offensive tooling compilation and specifically smaller binaries for execute-assembly, check it out.
I have written a blog for the GSSAPI abuse vector covered in my #DEFCON31 talk. I've also covered some DNS shenanigans that I did not have time to cover during my 20 minute slot. Hopefully those that couldn't attend can enjoy too.
Following his #DEFCON31 #DC31 talk our @_EthicalChaos_ has written a follow up including further research on abusing mixed vendor Kerberos stacks, so that any user can be spoofed against any service hosted over GSSAPI
Anyone fancy writing #CobaltStrike BOFs in .NET? WIP, but the majority of the POC is proven. Needs some polishing up now, then hopefully a release of soon.
For those who wanted to see the talk but could not attend in person, my threadless injection talk is now available online. The demo stage is a little quiet as I needed to put the mic down and of course I screwed up the screen switcheroo too😬
@tiraniddo my friend, I keep saying it but NtApiDotNet is just *the* best library on the internet. A simple web server with full NTLM authentication in 50 lines of code.
Minidump support now added to BeaconEye if anyone is interested. Thanks to @cube0x0 for his managed Minidump reader port to C# which was used as a reference.
Stage 1 complete. System wide NetNTLMv2 capture on Windows, independent of protocol used and no packet capture needed. Now for stage 2, system wide relay. I fear the next phase is going to be a little more complex than the first 🧐
As @bugch3ck and @gentilkiwi have already stated, confirmed that the latest #PrinterNightmare fix is not fully patched for an RCE. You can use an alternate UNC path for the config file and still use a writable share on the target host for the DriverStore root.
Implemented PetitPotam/EfsPotato into the awesome SweetPotato project by @_EthicalChaos_. It bypasses the latest MS patch by using EfsRpcEncryptFileSrv. Escalate to SYSTEM from SeImpersonatePrivilege on a fully patched Windows system.
1.1.3 just pushed to GitHub and NuGet. Minor changes, but patchless AMSI bypass integrated and the BOFNET AppDomain name is now random. Further changes coming soon, but enjoy for now!
Well hopefully this weekend I'll have time to finish off in-memory execution of SharpBlock's child process. But until then, a little teaser. powershell.exe hosted inside notepad.exe with patchless AMSI in place.
Finally, a Cylance on disk sandbox and injection bypass for a stageless #cobaltstrike beacon. By far the hardest bypass so far. Still got Carbon Black and Defender ATP to look at yet though!
Latest version of BOF[.]NET pushed. Mainly work around compiling on Linux and docker, but there is now a NuGet package for ease of writing your next .NET based BOF.
I needed to crack JBoss/Wildfly admin console passwords on a recent engagement. Seems hashcat doesn't support the format out of the box. Wrote a little script that will convert to mode 20 for hashcat cracking. Have at it you lot!
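As an added example (not the script from the post above): a Python converter for the format the post describes. WildFly/JBoss `mgmt-users.properties` stores each management user as `user=HEX(MD5("user:realm:password"))`, which is exactly hashcat mode 20, `md5($salt.$pass)`, with the salt `user:realm:`. The sample properties text below is constructed here, the realm is taken from the `#$REALM_NAME=...$` marker that the stock file carries (defaulting to `ManagementRealm` when the marker is absent), and the function names are this example's own.

```python
import hashlib
import re

# Constructed sample of a WildFly/JBoss mgmt-users.properties file (not taken
# from any real engagement). The stock file carries a "#$REALM_NAME=...$"
# marker line; each user line is user=HEX(MD5("user:realm:password")).
SAMPLE_MGMT_USERS = """\
# Users can be added to this properties file at any time...
#$REALM_NAME=ManagementRealm$
#
admin={admin_hash}
deployer={deployer_hash}
"""

DEFAULT_REALM = "ManagementRealm"


def jboss_digest(user: str, realm: str, password: str) -> str:
    """HTTP Digest style HA1 as stored by JBoss/WildFly: MD5(user:realm:password)."""
    return hashlib.md5(f"{user}:{realm}:{password}".encode()).hexdigest()


def to_hashcat_mode20(properties_text: str, default_realm: str = DEFAULT_REALM) -> list[str]:
    """Convert mgmt-users.properties lines to hashcat -m 20 (md5($salt.$pass)) entries.

    MD5("user:realm:password") == md5(salt + pass) with salt = "user:realm:",
    so each output line is "<hex digest>:<user>:<realm>:".
    """
    realm = default_realm
    entries = []
    for raw in properties_text.splitlines():
        line = raw.strip()
        marker = re.match(r"#\$REALM_NAME=(.+)\$$", line)
        if marker:
            realm = marker.group(1)  # realm declared by the file itself
            continue
        if not line or line.startswith("#") or "=" not in line:
            continue
        user, digest = line.split("=", 1)
        user, digest = user.strip(), digest.strip().lower()
        if not re.fullmatch(r"[0-9a-f]{32}", digest):
            continue  # plaintext or vault-style entries are not MD5 digests
        entries.append(f"{digest}:{user}:{realm}:")
    return entries


def verify_mode20(entry: str, candidate: str) -> bool:
    """Check a candidate password against an entry the way hashcat mode 20 does."""
    digest, salt = entry.split(":", 1)
    return hashlib.md5((salt + candidate).encode()).hexdigest() == digest


def build_sample() -> str:
    """Render the constructed sample file with real digests for two test users."""
    return SAMPLE_MGMT_USERS.format(
        admin_hash=jboss_digest("admin", DEFAULT_REALM, "password"),
        deployer_hash=jboss_digest("deployer", DEFAULT_REALM, "Summer2024!"),
    )


if __name__ == "__main__":
    for entry in to_hashcat_mode20(build_sample()):
        print(entry)
    # Feed the output to: hashcat -m 20 hashes.txt wordlist.txt
```

The salt contains colons, which hashcat accepts in the last field of a mode 20 line; if a build complains about the format, pass the salt as hex with `--hex-salt` instead.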
Well here it is. Latest release of with Boo script execution via the bofnet_boo aggressor script alias. Shoutout to @byt3bl33d3r for some of the ideas used within the executor.
Just pushed a new version of . Support for both .NET v4/v2 and an update to bofnet_load that supports arbitrary (large) size assembly loading. Boo script execution WIP.
I disappear from infosec and the twittersphere for a well needed holiday in the sun and I come back to LPEs from @jonasLyk via SAM hives and a new remote NTLM coercion technique from @topotam77. Damn this infosec world moves fast.
Just published BeaconEye 0.2. Support for 32 bit beacon detection, initial support for 32 bit monitoring and substantial scanning speed improvements (~100 processes a second).
Another vendor putting far too much trust in the lower privilege helper app communicating with a SYSTEM service. Guess it's that time again, now where did I put that PSIRT email address.
I see privileged service RPC calls commonly expose methods to allocate and free new contexts. These are great vectors for leaking heap pointers which can often reduce the complexity involved in exploiting overflows.
Just had a chance to play with #CobaltStrike BOFs. CMake template done for GCC, Visual Studio and cross compile from Linux. Now I need to invest the time to convert a load of code to be BOF compatible. Nice work @armitagehacker, brilliant feature!
Although I have a small following of infosec friends, hopefully some may find my new blog post useful for future engagements. Thanks @ZephrFish for taking the time to review it for me prior to publishing.
We are finally done with the living/dining room reno. Some before and after shots for those who have been following. I've got a week off this week to start upstairs.
Just pushed a wee little update to . You can now run a class as a background job on a separate thread and dump the console output at a later date. This should open up the possibility of running services and other long running jobs.
Microsoft Software Key Storage Provider doesn't isolate non-exportable keys. Keys are stored within %appdata%\Roaming\Microsoft\Crypto\Keys. The private key is encrypted with the user's DPAPI key. Providing you know the DPAPI SHA1 or the user's password they can be exported without SYSTEM
Problem solved. SharpBlock now prevents any VirtualProtect calls originating from the blocked DLL address space, preventing hooks from EDR vendors being applied, but still allows MirrorDump hooks to work 😈
Another room done. That's 3 rooms for the year and one more to go early next year. But first, time for some mulled wine and stuffing my face for a month.
I thought a DEF CON talk was a proud moment in my life, but it's amazing how your own kids achievements always come out on top no matter what. My son performing his own original song "Promise" with his band The Bridge at their debut gig.
It's been a long road but it's finally here. It's been great working on this with @_EthicalChaos_, I learned so much! Special thanks to @harmj0y for the original tool and putting up with me through development ;-) Say hello to Rubeus 2.0:
Proud dad moment this weekend. Best part of a 1000 mile round trip in 3 days to watch my boy compete for his country in the British and Irish Mountain Running Championship. Team bronze was a bonus, but now I'm only good for one thing... bed.
PR submitted to Rubeus for PKINIT. In the meantime, if you fancy having a go at PKI (Smartcard/PFX) based Kerberos authentication using Rubeus you can get a version from my repo here.
MiniDumpToMem integrated into along with an in-memory HTTP server for exfiltration. Still compression left to do. Do I take @Cneelis' advice and use native APIs to compress, or compress within the managed world? That is the big question!
Would anyone be interested in a 2 part blog post on writing a basic EDR solution to demonstrate how elements of them function, followed by an effective method for bypassing them?
We finally moved into #theproject. It's a mess, windows falling out, everything needs replacing and I'm probably not going to see a weekend for the next gazillion years. But hey, we need something to do in the next lockdown, right?
@vysecurity This should get you 90% of the way. Throw in Stephen Fewer's RDLL code and DInvoke to call the exported ReflectiveLoader function and you are good to go.