Uncategorized

Just clearing out some tabs and doing a preliminary categorization...

General Resources

A section explaining various technologies would probably be wise.

• Designing an Authentication System: a Dialogue in Four Scenes
  • Explanation of how Kerberos works
• Tutorial: Introduction to ldap3
  • Good LDAP intro
• malwarejake materials for conferences

AppSec

• HTML Smuggling Explained
• fuxploider: File upload vuln scanner + exploitation
• JDWP Misconfiguration in Container Images and K8s
• Pwning Your Java Messaging With Deserialization Vulnerabilities
• Java RMI for pentesters part two — reconnaissance & attack against non-JMX registries
• GadgetProbe
  • Probe endpoints consuming Java serialized objects to identify classes, libraries, and library versions on remote Java classpaths.
• Java-Deserialization-Cheat-Sheet
• jdwp-shellifier
  • Gain RCE with Java Debug Wire Protocol (JDWP)
• Hacking the Java Debug Wire Protocol - or - "How I met your Java debugger"
• REcollapse
  • Black-box regex fuzzing to bypass validations and discover normalizations in web applications

Other

• Dismantling ZLoader: How malicious ads led to disabled security tools and ransomware
• The DFIR Report: Quantum Ransomware
• nccgroup: LAPSUS$ TTPs
• @cocomelonc
  • Malware analysis/dev
• ADB Toolkit
• AD Forest Recovery - Procedures
• 010 Editor
• How to recursively print parent processes
• burritun
  • Wrap tun interface in tap interface
  • Originally for making tools work over OpenVPN that otherwise couldn't
• emoji-shellcoding
  • RISC-V only
• ImHex
  • Pretty hex editor
• ZXing Decoder Online
  • Barcode decoder
• ssdeep
  • Fuzzy hashes

Defense

• PowerShell Guides
  • Windows PowerShell Programmer's Guide
  • Getting Started with PowerShell on Linux
• Active Directory Lightweight Directory Services Overview
• libesedb
  • Python bindings for ESE DB
  • Also see: esedb-kb

Red Team

• Injecting Rogue DNS Records using DHCP
• DLP Test Data
• Various BOF collection
• Pivoting with Property Hashes | Shodan
  • E.g. telnet has empty banner -> hash is zero -> can exclude uninteresting results with filter -hash:0

Awesome Repos

• Awesome Penetration Testing
• awesome-hacking
• Red-Teaming-TTPs

Linux

• Unset RO variable in bash
• How to stop sudo PAM messages in auth.log for a specific user?
• OrBit: New Undetected Linux Threat Uses Unique Hijack of Execution Flow

Mainframes

Because why not.

• Mainframed
• mainframed/Enumeration

Browsers

• Chrome Browser Exploitation, Part 1: Introduction to V8 and JavaScript Internals
• chlonium
  • Import/export Chrome cookies

Exploit Dev

• ropper
• syzkaller
  • Kernel fuzzer
• Hacking the Apple Webcam (again)
• elfloader
  • gamozolabs
  • trustedsec

Windows-specific

• hoaxshell
  • Unconventional Windows shell currently undetected due to purely HTTP(S) traffic?
  • Need to see what tricks are at play here
• SMTP Matching Abuse in Azure AD
• Practical guide for golden SAML
• DLL Side-loading & Hijacking — Using Threat Intelligence to Weaponize R&D
• Reflective DLL injection
• certerator
  • Create "signed" binaries on the fly
  • Create a CA, sign a binary, then install CA on target
• Abusing Trust Account$: Accessing Resources on a Trusted Domain from a Trusting Domain
• Attacking and Remediating Excessive Network Share Permissions in Active Directory Environments
• Invoke-SocksProxy
• RpcView
  • Useful for exploring/decompiling RPC interfaces
• Offensive Windows IPC Internals 1: Named Pipes
  • This is a series!
• CVE-2022-30216 - Authentication coercion of the Windows "Server" service
• How to secure a Windows RPC Server, and how not to.
• LNK File Analysis: LNKing It Together!
  • Also: SentnelOne - Understanding How .LINK Files Work
• SentinelOne - Inside Malicious Windows Apps for Malware Deployment
• SentinelOne - Who Needs Macros? | Threat Actors Pivot to Abusing Explorer and Other LOLBins via Windows Shortcuts
• NTLMquic
  • Repo: NTLMquic POC Collection
• CanaryHunter
  • PowerShell script to check for Common Canaries
• I'M BRINGING RELAYING BACK: A COMPREHENSIVE GUIDE ON RELAYING ANNO 2022
• SharpRDP
  • RDP app for the CLI that performs command execution
• Blackbyte Ransomware Bypass EDR Security Using Drive Vulnerability
  • "Bring Your Own Vulnerable Driver" (BYOVD) attack analysis
• NTFS.com
  • Technical reference for NTFS
• Export-MFT.ps1
  • Extracts master file table from volume
• ebpf-for-windows
• TcbElevation.cpp
  • TODO: What even is this...?
• TamperingAllArgumentsSyscalls.cpp
  • TODO: Dead link, need to find archive
• pylnk
  • Python lib for reading/writing Windows shortcut files (.lnk)
• User-Behavior-Mapping-Tool
  • Project aims to map out common user behavior on the computer

Uncategorized

• Emotet's Uncommon Approach of Masking IP Addresses
• zerosum0x0-archive
  • Loads of handy tools that to check out later
• SIET
  • Attack Cisco devices by exploiting lack of auth for Cisco Smart Install
• drltrace
  • Library calls tracer for Windows and Linux applications
• DanderSpritz
  • Also see: DoubleFeature (CheckPoint Research)
• Shared Sections for Code Injection
• gost: Simple tunnel written in golang
• KrbRelayUp: Privesc when LDAP signing isn't enforced
• How Attackers Dump Active Directory Database Credentials (for reference)
• icmpdoor - ICMP Reverse Shell
  • Article: icmpdoor - ICMP reverse shell in Python 3
• Practical VoIP Penetration Testing
• Awesome Anti-Forensics
• SharpHound
  • Of course, RustHound
• MS Red Teaming Strategy
• Docker Security Playground
• Qualys: Pwnkit: pkexec exploit
• mod_rootme: Ye olde root shell for ye olde httpd
• flAWS challenge: Cloud security CTF
• flAWS2 Challenge: Cloud security CTF
• Removing Kernel Callbacks Using Signed Drivers
• PPLKiller: Kernel-mode driver that disables LSA protection (Protected Process Light)
  • NOTE: Different repo than this PPLKiller
• Finding Evil in DNS Traffic
• Finding Pwned Passwords in Active Directory
• EvilClippy: Clippy now helps you create malicious docs
• Adversary Tactics: PowerShell
• A Little Guide to SMB Enumeration
• BeRoot: Linux privesc
• pupy: Cross-platform RAT/post-exploit tool (written mostly in Python!)
• CheckPoint Research: EternalBlue analysis
• Malware Analysis: syscalls
• Process Hollowing
• DDoS with WS-Discovery Protocol
• A Samba's horror story, CVE-2021-44142
  • There's also a POC here
• GOAD (Game of Active Directory)
  • AD lab
• Analysis of a Convoluted Attack Chain Involving Ngrok
• Fantastic Rootkits: And Where to Find Them (Part 1)
• Egress-Assess
  • Test egress data detection capabilities
• CVE-2019-16098 POC
  • The driver in Micro-Star MSI Afterburner 4.6.2.15658 (aka RTCore64.sys and RTCore32.sys) allows any authenticated user to read and write to arbitrary memory, I/O ports, and MSRs.
  • WARNING: Hardcoded Windows 10 x64 Version 1903 offsets!
• linux-magazin.de
• Intro to Quantum Computing