Stop testing in prod (even someone else's)! Are you tired of installing Active Directory on your test VMs for the 100th time? Ever YOLO a binary off GitHub into prod because your testing setup is tedious? I've built a solution:
(1/5)
The xz package tars were backdoored. Only discovered because the backdoor slowed down sshd enough for Andres Freund to investigate.
Consider the case where the backdoor didn't cause perf issues... How long would this have gone undetected?
Dropped a new tool at DEF CON 32! Loot SCCM Distribution points via HTTP with
We've found credentials, certificates, custom apps, keystores, etc. What will you find?
The most requested feature for 🏟️ Ludus is here:
GOAD support!
Follow the guide to deploy the amazing Game of Active Directory environment from @M4yFly on Ludus!
It's here! Fully automated🔒Elastic Security server and agents for your Ludus labs.
@__ar0d__ and I have made this one as easy as adding the roles to your config.
Comes with:
- ELK + Fleet + Detection engine
- Auto agent install + registration
- Detection rules
It's happened. Unauthenticated OpenSSH RCE 🤯. It's a race condition so it takes ~10,000 attempts to get execution (hours to days under default config), so fail2ban etc. should mitigate, but update ASAP. Qualys always impresses with these writeups.
The level of sophistication to get this backdoor into the xz repo unnoticed is pretty incredible. See for yourself. Which of these commits added the backdoor?
Spoiler, it was hidden in binary test files:
The DownloadFile() addition to BOF[.]NET allows for better opsec. First lsass dumps without touching disk (CredBandit - @anthemtotheego), and now SharpHound without any json or zip written to disk.
Want to test out the new ADCS ESC13 attack path by @Jonas_B_K? We've made it easy to do in 🏟️Ludus.
Get 7 ADCS attack paths set up in minutes with the new Ansible role by @__ar0d__ and myself. This is the power of !
You've seen the XZ backdoor, but have you gotten hands on with it?
With just a config edit and a deploy, the backdoor and xzbot tool is set up for you - that's the power of 🏟️ Ludus!
New Flare VM, REMnux, and Commando VM roles/templates dropped too!
The future of NTLM relaying (@_EthicalChaos_), Windows updates for hackers (@bitsadmin), Syscall malware analysis (@m0rv4i), fighting EDRs in the kernel (@cerbersec), Living Off Trusted Sites (LOTS) Project (@mrd0x), and more!
I published a blog article detailing a phishing technique I called Browser in the Browser (BITB) Attack. It's very simple but can be very effective. I also published templates on my Github; feel free to test them out.
Censorship or restrictive networks blocking your browsing or C2 traffic? Try domain hiding! Available as a replacement for crypto/tls in Go or as a standalone proxy, you can try it today. You can hide behind any Cloudflare DNS hosted domain (26MM+).
PoCs for CAP_SYS_ADMIN bug (CVE-2022-0185) and the polkit (pwnkit) bug (CVE-2021-4034) are both out. User to root LPEs in lots of Linux distros and versions. Patch now!
VMware (Broadcom) just officially killed free vSphere (ESXi).
Sounds like a perfect time to try out Proxmox and why not automate it with the free and open source 👀
JS-Tap by @hoodoer is my favorite new tool in the past few months. Very polished, and brings new capability to an often ignored vulnerability (XSS). Red teamers, now is the time to leverage those XSS vulns to further your objectives! (1/2)
The latest in a long line of LSASS dumpers. Besides the (now) standard direct syscalls and in-memory only features it also ignores DLLs you don’t need to reduce the download size dramatically. This is the current state of the art in LSASS dumping.
Windows LPE (@chompie1337), TPM Bitlocker deepdive, unhooking effects (@dazzyddos), CastGuard, Apple OTA -> kernel hack (@patch1t), FalconHound (@olafhartong), GraphRunner (@dafthack), and more!
Nearly didn't make it by the end of Tuesday 🥵
"Jia Tan's" commits to xz started 2022-02-06. Perhaps the account was compromised, but this looks like trust building with the maintainers before the backdoor commits.
4 commands to get 18 VM templates with zero manual interaction.
Set up a new instance today and it's still a neat experience to have complex things that used to take tons of manual effort just work 😊
Luckily that was caught in Debian "sid" the unstable testing distro, so the blast radius should be small?
If your SSHD seems a bit slower, it's a good idea to figure out why! Stay safe out there!
Great day to set up a new 🏟️Ludus host!
This is a GMKTec NucBox K8 (AMD Ryzen 7 8845HS), 96 GB of 5600MHz RAM, and 2x 2TB PCIe 4.0 NVMe (will RAID 0 for max speed). Should be 🔥
What are you running Ludus on?
If you've been 👀 SCCM tradecraft from the sidelines there is now an easy way to set up a fully custom SCCM env thanks to @synzack21. It's so cool to see Ludus making advanced, customized setups as easy as a few commands and a config edit! 🥳 Guide:
Been playing with lab automation with Ansible & and released my recent project. If you are looking for a customizable SCCM home lab to practice tradecraft, check out the corresponding blog and repository!
This is cool for two reasons:
1️⃣ The two step injection and use of InlineShapes is pretty nifty.
2️⃣ The automation interop between C# and Word can be used as a basis for your own maldoc pipelines for red teaming.
Trying to get into .NET lately, I ended up putting together a new project as a result.
LittleCorporal is an automated Maldoc generator that leverages VBA, Donut, and thread hijacking to load a user specified shellcode blob into a remote process.
Project:
No AI, no content automation (besides an RSS reader), 100% human curated cybersecurity content by myself and @__ar0d__. Published weekly to the web with no Javascript, via email, or RSS. It's the blog I wish existed before I started it. Don't sleep on it!
Achievement unlocked: Appear in the background of a @LiveOverflow video. I checked, and the first LiveOverflow video I watched was 8 years ago (First Exploit. Buffer Overflow with Shellcode - Bin 0x0E). Really cool to meet Fabian in person and have a table next to @hextreeio!
Great minds think alike! More SCCM tooling from @croco_byte that shares some elements with our recently released tool while also having unique features. Cheers to parallel discovery! 🍻
In our latest blogpost, @croco_byte explores the inner workings of SCCM policies and introduces , a tool targeting secret policies in order to exploit misconfigurations, harvest credentials, and pivot across collections by impersonating legitimate clients.
User readable /sys/kernel/notes exposed the address of xen_startup, effectively breaking kernel address space layout randomization (KASLR) for local privilege escalation exploits (or any exploit with file read ability) for the entire history of KASLR… 😬
Get 257 (and counting) vulnerable services in Ludus with one config edit. Test popular vulnerabilities against products like Confluence or Apache Airflow. It's easy with the badsectorlabs.ludus_vulhub role!
The xz package, starting from version 5.6.0 to 5.6.1, was found to contain a backdoor. The impact of this vulnerability affected Kali between March 26th to March 29th. If you updated your Kali installation on or after March 26th, it is crucial to apply the latest updates today.
Ever wanted to use Splunk or Osquery as your C2? @__ar0d__ and my talk at @BSidesAugusta shows you how. If you aren't thinking about using #traitorware on your next engagement or how to defend against it in your environment, check out the slides and code:
I've been a @RumbleDiscovery user since it was in beta. It has replaced every masscan + nmap + other tool script for enumeration because it's that good. Red team tip: if you aren't worried about network detection, the offline rumble scanner is so good once inside a network.
Want more epic Linux hack content? This was my go to for "real APT on Linux content" posted in 2021 and the author hasn't posted since... @IgorBog61650384 you ok?
Instantly level up your Cobalt Strike game with these amazing BOFs, now with support for the latest Windows 10 versions thanks to SysWhispers2. Probably the set of BOFs I reach for more often than any other (except maybe BOF[.]NET).
Late to the party, but thrilled to have my BOFs in the Community Kit. I've just updated the injectors (NtCreateThreadEx and NtQueueApcThread variations) and process dumping BOF to SysWhispers2 so they're ready to roll with 21H1+.
🥳 200th Last Week in Security! 🥳
I remember talking to @riskybusiness early in 2020, offering to partner on a more technical subsection of risky biz. He (wisely) said, "Let's wait and see, this is a lot of work." He was right, but I'm still at it!
I feel seen by this post @HackingLZ. So many blogs focus on *a* bug or *a* tool, not many on the adversary simulation exercise and what it encompasses. I once spent a full week planning, mocking up, and rehearsing a path - went from 🎣 to DA in 23 minutes.
Unmanaged VMs (think EDR appliances, IoT devices, other systems that don't support qemu-guest-agent) are now supported in Ludus 1.2.0! Just add `unmanaged: true` to your ludus range config for the VM.
🏟️Ludus 1.4.0 is out!
New features:
✨set `always_blocked_networks` to protect LAN or other networks
✨ set timezone via the config for all VMs
1.4.0 includes lots of improvements and "testing mode" has been totally refactored. Check it out!
Back from summer break with a big post! Tons of great content for red teamers, bug bounty hunters, exploit devs, defenders, and anyone else in the security space!
My first ever blog post: Anatomy of an Exploit: RCE CVE-2020-1350
#SIGRed
. RCE PoC included, for research purposes. This was my first userland Windows heap exploit and I hope a deep dive into the process will help others. Patch or apply the workaround.
Now in #mimikatz 🥝, #mstsc credentials (passwords / PIN codes) for RDP / Remote Desktop Client
- ts::mstsc - on client credentials
- ts::logonpasswords - on server credentials
Does not rely on previously injected hook/library, useful on jumping servers
> @mrd0x: I made a nice landing page for a free and open source tool, and I’ve shared it and gotten some “lol is this a sales pitch?” People are primed to reject anything that looks too good.
> As EDR gets better, tools are harder to come by as well. You’re one of few sharing access tools.
Step 1: Look cool 😎
🏟️Ludus has a brand new installer powered by @charmcli!
1.5.0 also allows for `depends_on` when using roles - opening up complex server/client roles to be deployed in any order!
Install docs have been simplified too - now is the best time to try Ludus!
Kernel Samepage Merging (KSM) is pure magic 🪄. The Linux kernel can scan memory and deduplicate pages that store the same info. Huge savings for hypervisors. Here I am running 92 VMs (23x router, DC, Win 11, Kali) on a NUC 🤯