The demos and slides of my Defcon 31 talk are now publicly available. 🧵 1/3
This first video demonstrates impersonating Satan (spoofing an email from satan@churchofsatan.com). This was the inspiration for the title of the talk 😛
Wrote a scanner for PrintNightmare (CVE-2021-34527). Allows you to scan entire subnets and gives you a CSV report. Supports both MS-RPRN and MS-PAR checks. Haven't tested in a prod environment yet (just my lab). Feel free to send a PR if you see FPs.
Had no clue about this, as of Python 3.5 you can bundle an entire application into a ZipFile (with a .pyz extension) and execute it directly. This is the equivalent of Java .jar files for Python
Just open-sourced the SprayingToolkit!
A collection of Python scripts to take the headache out of performing password spraying attacks against OWA & S4B/Lync. Ever wanted to perform real time sprays while scraping LinkedIn profiles from Google? ;)
Fucking priceless. Do an image search on Google for “MITRE EDR evaluation results”. You’ll find a graph which links to a blog post on *EVERY* single EDR vendor’s website saying “we’re the best EDR”.
Just made the OffensiveNim repository public. This is a couple of weeks' worth of notes and research into using Nim for general offensive operations. If you don't want to write your implants in C/C++, Nim is the way to go IMHO. Feedback welcome.
I made a bunch of Ansible playbooks the other day in order to streamline/automate my workflow during engagements. Specifically, I wanted to install a bunch of tools from Git and have them all set up in separate Python virtualenvs.
Sydney Sweeney reveals in an interview that she has strong opinions about the EDR industry.
“I think EDRs all fucking pieces of shit”
She adds, “CrowdStrike needs to stop smoking crack and making action figures out of APTs. it’s cringe af”
W00t! CrackMapExec now has binaries! You don't need to install it anymore! Just grab the binaries under the latest build under the action tab! Go forth and pwn!
Thank you everyone for coming to my @Derbycon talk!
Just released v0.4.0 of SILENTTRINITY! Biggest update yet, ton of new modules thanks to @nicolas_dbresse, upload/download functionality and the new and improved minidump module which integrates pypykatz!
Hot off the presses: part 2 of making C2 less painful. Modernizing the CIA's approach to offensive Infrastructure by using mesh VPN networks, micro-services and hybrid-cloud deployments. Get your buzzword bingo cards ready.
#seo
Just noticed that apparently Win Defender just alerts on any PowerShell process touching lsass. The SILENTTRINITY Mimikatz module runs just fine if executed from cmd.exe. However, if running from PowerShell it runs but Defender kills the process.
Super excited to finally release SILENTTRINITY v0.3.0 which has been in the works for a long time: the tool now supports multi-user collaboration and has a client/server architecture. Check out the readme for a list of the new features, hope it's useful!
CrackMapExec v4.1 (ҪФԠЯДDЄ ԐDЇҐЇФЍ) is almost done! Will be making the changes public after my @BlackHatEvents Asia Arsenal demo next week! The entire C2/plugin system has been overhauled, details soon 😎
I'm excited to be releasing the new DeathStar. Complete re-write of the original script, supports AD networks with multiple domains/forests, has a plugin system and "Active Monitoring": so it adapts its attack path based on real-time changes in the network.
Really glad to finally get a blogpost out about this. Hopefully this is useful and gives Red Teamers ideas on how to use the BYOI concept in their own payloads. If anyone is interested in a few more follow-up posts about this, I will gladly oblige :)
For anyone wondering, yes it’s written in C# and yes I will be totally adding it as a SILENTTRINITY module if I can get the source code (a few changes need to be made in order for it to run in memory).
#makemalwarefunagain
...computers used by water plant personnel ... used the 32-bit version of the Windows 7... all computers shared the same password for remote access and appeared to be connected directly to the Internet without any type of firewall protection... 🤷🏻‍♂️
Just pushed a somewhat big update to SILENTTRINITY with a lot of forward compatibility fixes for Python 3.8 and made the PowerShell "stageless" stager public. Plus more modules and bug fixes.
Pssst! Hey you! SEP got you down during a pentest? TIL of smc -stop and smc -disable -ntp. Works like a charm, the latter doesn't even require admin rights.
Just released my slides for my talk at @hackinparis 2018: The Past, Present & Future of Enterprise Security: the 'Golden Age' of Attack Automation #HIP18
Xmas came early for me. Load .NET assemblies from memory using x-compiled Nim executable in 5 lines:
import winim/clr
var myassembly: array[4608, byte] = [ byte 0x4d, 0x5a... ]  # raw bytes of the .NET assembly (starts with the MZ header); full array elided in the tweet
var loadedasm = load(myassembly)                             # hand the byte array to the CLR, which loads it without touching disk
var instance = loadedasm.new("MyNamespace.Program")          # instantiate the assembly's entry class
instance.Main()                                              # invoke its Main method
CrackMapExec v5.1.1 is now available on PyPI. Thanks to @mpgn_x64 it's stable enough for me to finally get rid of the old version. You can now install the latest version of CME with a `pip install crackmapexec`.
Happy Pwnage.
Holy shit, this actually solves an incredible amount of packaging problems, you can put all dependencies into a single portable zip file! No more virtualenvs! All the end user needs is the python interpreter and everything else is self contained!
Had no clue about this, as of Python 3.5 you can bundle an entire application into a ZipFile (with a .pyz extension) and execute it directly. This is the equivalent of Java .jar files for Python
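The .pyz mechanism from the two tweets above, as an added example that is not from the original thread or from any of the author's tools: it writes a small constructed two-module application to a temp directory, packs it with the standard-library zipapp module (the same thing `python -m zipapp` does), lists what ended up in the archive and executes it with the interpreter. The package name myapp and its modules are constructed for this example.

```python
import subprocess
import sys
import tempfile
import zipapp
import zipfile
from pathlib import Path
from typing import List, Tuple

# Constructed sample application (not a real project): one package, two modules.
# Third-party dependencies would live in the same tree via `pip install --target src <pkg>`.
SAMPLE_FILES = {
    "myapp/__init__.py": "",
    "myapp/greeting.py": 'def greet(name):\n    return f"hello, {name}"\n',
    "myapp/cli.py": (
        "import sys\n"
        "from myapp.greeting import greet\n\n"
        "def main():\n"
        '    print(greet(sys.argv[1] if len(sys.argv) > 1 else "world"))\n'
    ),
}


def write_sample_app(src: Path) -> Path:
    for rel, body in SAMPLE_FILES.items():
        path = src / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(body)
    return src


def build_pyz(src: Path, out: Path, entry: str = "myapp.cli:main") -> Path:
    # zipapp generates __main__.py from `main` and prepends a shebang, so the
    # result runs as `./myapp.pyz` or `python3 myapp.pyz` (Python >= 3.5).
    zipapp.create_archive(src, out, interpreter="/usr/bin/env python3",
                          main=entry, compressed=True)
    return out


def archive_members(pyz: Path) -> List[str]:
    # A .pyz is a plain zip with a shebang prefix: list (or hash) its contents
    # before trusting it, exactly as you would any other downloaded artefact.
    with zipfile.ZipFile(pyz) as zf:
        return sorted(n for n in zf.namelist() if not n.endswith("/"))


def run_pyz(pyz: Path, *args: str) -> str:
    proc = subprocess.run([sys.executable, str(pyz), *args],
                          capture_output=True, text=True, check=True)
    return proc.stdout.strip()


def build_and_run(arg: str = "world") -> Tuple[List[str], str]:
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        pyz = build_pyz(write_sample_app(root / "src"), root / "myapp.pyz")
        return archive_members(pyz), run_pyz(pyz, arg)
```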
Just pushed a pretty huge update to WitnessMe. It now supports parsing .Nessus files, URL files, has a database search CLI tool and a lot more. Still a WIP but it's getting there slowly.
We should ban PsExec, net.exe, group policy and most of the features in windows as they’re being used by ransomware gangs. Also we need to ban teamviewer and any remote administration tool as they have the potential of being abused. Also need to ban the internet
Just FYI, the python3 branch of CrackMapExec was merged into master as of a few minutes ago. Also @mpgn_x64 (the mad man who ported it over to Python 3) is now an official collaborator.
On today’s episode of weird windows shit, apparently if you rename a .exe to a .pif windows will still execute it just fine. On top of that, the file icon and type in explorer changes to “Shortcut to MS-DOS program”. Looks a lot less evil.
Here’s a recent discovery that changed my life: tired of manually creating Python virtual environments for every single Python tool? Turns out pipx is the solution.
Bonus: ever wanted to actually exploit those Java deserialization bugs you find? Check out @coalfirelabs' awesome exploit collection! Pushed an exploit for JBoss just last night!
Status update after 3-4 months of basically not writing a single line of code for any of my open-source tools: my health has improved, I’ve never been this well rested in my entire life and I don’t feel like a zombie every day. Question now is, why should I even go back to OSS dev?
📣 Ok peeps, have an announcement: all future tools and updates I release will be Sponsorware. Only people who have sponsored me on GitHub at a specific tier will get access to them initially. Finally, they will be made publicly available only after I reach a target number of sponsors.
We’re hiring interns at @BHinfoSecurity for a bunch of R&D projects! (All internships are paid & remote). Applicants must have some basic C# and Python knowledge. If you’re interested send me your resume and we’ll talk! (DMs are open)
I’ll tell you a secret :) giving me a tip on Patreon will automatically trigger a CI/CD pipeline which will push a freshly compiled & *obfuscated* SILENTTRINITY C# exe/dll stager to the public repository. For when you really need to bypass all the things.
I've released the new WitnessMe update early in order to help people identify F5 BIG-IP devices vulnerable to CVE-2020-5902. Updated the Readme with a quick start for this specific use case, less than 5 min to install and start scanning.
Excited to announce the release of Kukulkan to the OffensiveDLR repo!
This is essentially a slimmed down version of SILENTTRINITY! Also the C2 comms (including the initial stage) are completely encrypted! And you can use it with CobaltStrike 🐍😈
Just pushed an Internal Monologue module for SILENTTRINITY! Cause touching LSASS is overrated ;)
If you're not familiar with this attack it's pretty dope, check it out here
Just pushed an enormous update to Red Baron! Highlights include Ansible support and dynamic SSH autocompletion of created infrastructure! If you find bugs (which you probably will) let me know!
Was playing with Impacket yesterday and accidentally (re)discovered a bug that allows you to silently crash the Event Log Service over RPC. Apparently this was already reported to MSRC but didn't meet the bar to be serviced cause it requires Admin privs.
Just pushed another snippet to OffensiveNim implementing the token sandboxing technique discovered by @gabriellandau. gr33tz to @0xpwnisher for the C++ PoC.
I’m starting to get really sick of this industry. I feel like no progress is being made and everything that’s applauded as progress is smoke and mirrors and doesn’t have any actual value outside of making a few people wealthy.
In other news, I managed to embed Python (CPython) within Nim. Few things to work out to make it 100% OPSEC safe but it works. You can think of it as a mini PyInstaller Bootloader written in Nim. Can even pull down Python directly from the Python[.]org website :)
Working on a new project 🤟 I think this might be a game changer for red teams. It's the best of both worlds and more. Ever wanted a postex agent that can access all of .NET and dynamically compile C# without going through PowerShell?
Happy to announce @coalfirelabs just released Red Baron: a red team infrastructure automation tool! Ever wanted to create a C2 server and redirector with 8 lines of code? I got you covered.
The Coalfire Labs R&D team on its one-week anniversary is open-sourcing Red Baron: Automate creating resilient, disposable, secure and agile infrastructure for Red Teams!
Every time I speak with anyone in the Infosec community I'm just constantly blown away by how passionate and smart people are. I think a lot of us take this for granted. This is an extremely unique and privileged job.
Really excited to be speaking at @defcon this year!
My talk is titled "SpamChannel: Spoofing Emails from +2M Domains and Virtually becoming Satan"
Love/hate Email security? Want your phishing campaigns to be a whole lot easier? You should def come to my talk! 😈
#defcon31
Added 2 more PoC scripts to the OffensiveDLR repo. One of which embeds the SSharp Compiler within a Posh script (can be easily embedded from within any .NET language).
SSharp code compilation does not call csc.exe :)
I just had an EDR vendor straight up tell my client they had to “re-calibrate their AI engine” to detect a Python Reverse HTTPS meterpreter....... PORCA MADONNA.
Will be dropping the new SILENTTRINITY update later today or tomorrow just in time for my BlackHat Arsenal and Defcon Demo Labs presentations. This is a big one. Stay tuned :)
Been working on some PoC C# code which would allow you to dynamically invoke native Win32 APIs from JScript using ClearScript's ExtendedHosts functions.
Creds to @subTee for the Emit code.
Just published some research and scripts that allow you to do DLL sideloading/proxy loading with Nim DLLs.
Also, by accident figured out how to remove the NimMain function from the export table :)
Donald Trump on computer hacking: "Nobody gets hacked. To get hacked you need somebody with 197 IQ and he needs about 15 percent of your password."
[video]
Yearly reminder to remove PowerShell V2 EVERYWHERE. Doesn’t matter what EDR, logging, witchcraft you have in place. If an attacker has access to the Posh V2 runtime, they can automatically bypass it all.
If every major pentest/RT shop gave something back to the Responder project as opposed to just leeching off of it for profit, we wouldn’t have to rely on 1 goddamn person to maintain a tool that EVERYONE fucking uses. The entire system is broken.