Windows Pentesting Resources

Translated version

Windows Pentesting Resources:

Fun with LDAP, Kerberos (and MSRPC) in AD Environments

https://speakerdeck.com/ropnop/fun-with-ldap-kerberos-and-msrpc-in-ad-environments

From XML External Entity to NTLM Domain Hashes

Windows Privilege Escalation Guide
https://www.sploitspren.com/2018-01-26-Windows-Privilege-Escalation-Guide/

Windows oneliners to download remote payload and execute arbitrary code
https://arno0x0x.wordpress.com/2017/11/20/windows-oneliners-to-download-remote-payload-and-execute-arbitrary-code/amp/

Passing the hash with native RDP client (mstsc.exe)
https://michael-eder.net/post/2018/native_rdp_pass_the_hash/

Escalating privileges with ACLs in Active Directory
https://blog.fox-it.com/2018/04/26/escalating-privileges-with-acls-in-active-directory/

Automation Framework for the Atomic Red Team
https://github.com/redcanaryco/atomic-red-team/blob/master/Automation/readme.md

Skip Cracking Responder Hashes and Relay Them
http://threat.tevora.com/quick-tip-skip-cracking-responder-hashes-and-replay-them/amp/?__twitter_impression=true

Exchange-AD-Privesc. Repository of Exchange privilege escalations to Active Directory. This repository provides a few techniques and scripts regarding the impact of Microsoft Exchange deployment on Active Directory security.
https://github.com/gdedrouas/Exchange-AD-Privesc

WMIC.EXE Whitelisting Bypass - Hacking with Style, Stylesheets
https://subt0x11.blogspot.com.br/2018/04/wmicexe-whitelisting-bypass-hacking.html

Hiding Metasploit Shellcode to Evade Windows Defender
https://blog.rapid7.com/2018/05/03/hiding-metasploit-shellcode-to-evade-windows-defender/

Unofficial Guide to Mimikatz & Command Reference
Mimikatz

Gathering AD Data with the Active Directory PowerShell Module

Detecting Hypervisor Presence on Windows 10

Domain user Enumeration Tool
https://github.com/sensepost/UserEnum/blob/master/README.md

Blue Cloud of Death: Red Teaming Azure
https://speakerdeck.com/tweekfawkes/blue-cloud-of-death-red-teaming-azure-1

Ring +3 Malwares: Few tricks
http://www.blackstormsecurity.com/docs/BSIDES_2018_RELEASE.pdf

Kerberos Party Tricks: Weaponizing Kerberos Protocol Flaws
http://www.exumbraops.com/blog/2016/6/1/kerberos-party-tricks-weaponizing-kerberos-protocol-flaws

Executing Commands and Bypassing AppLocker with PowerShell Diagnostic Scripts
https://bohops.com/2018/01/07/executing-commands-and-bypassing-applocker-with-powershell-diagnostic-scripts

Microsoft's User Account Control feature, introduced in Windows Vista, has been a topic of interest to many in the security community. Since UAC was designed to force user approval for administrative actions, attackers (and red teamers) encounter UAC on nearly every engagement. As a result, bypassing this control is a task that an actor often has to overcome, despite its lack of formal designation as a security boundary. This talk highlights what UAC is, previous work by others, research methodology, and details several technical UAC bypasses developed by the author.
https://youtu.be/c8LgqtATAnE

Windows Userland Persistence Fundamentals
http://www.fuzzysecurity.com/tutorials/19.html

DLL Hijacking via URL files
https://insert-script.blogspot.com.br/2018/05/dll-hijacking-via-url-files.html

Enumerating remote access policies through GPO
https://labs.mwrinfosecurity.com/blog/enumerating-remote-access-policies-through-gpo/

https://github.com/dafthack/MailSniper

DomainPasswordSpray: a tool written in PowerShell to perform a password spray attack against users of a domain. By default it will automatically generate the user list from the domain.
https://github.com/dafthack/DomainPasswordSpray

5 Ways to Find Systems Running Domain Admin Processes

How to bypass GPO Policy restriction for Powershell usage
https://github.com/p3nt4/PowerShdll

ADAPE - Active Directory Assessment and Privilege Escalation Script
https://github.com/hausec/ADAPE-Script

Kerberoasting, exploiting unpatched systems – a day in the life of a Red Teamer
http://niiconsulting.com/checkmate/2018/05/kerberoasting-exploiting-unpatched-systems-a-day-in-the-life-of-a-red-teamer/

Understanding and Evading Get-InjectedThread
https://blog.xpnsec.com/undersanding-and-evading-get-injectedthread/

PowerLessShell relies on MSBuild.exe to remotely execute PowerShell scripts and commands without spawning powershell.exe. You can also execute raw shellcode using the same approach.
https://github.com/Mr-Un1k0d3r/PowerLessShell

Dumping Clear-Text Credentials

Office365 ActiveSync Username Enumeration
https://www.sec-1.com/blog/2017/office365-activesync-username-enumeration

This script will attempt to list and get TGTs for those users that have the property 'Do not require Kerberos preauthentication' set (UF_DONT_REQUIRE_PREAUTH). For those users with such configuration, a John The Ripper output will be generated so you can send it for cracking.
https://github.com/CoreSecurity/impacket/commit/bada8a719f8ed7be4633514eea94bc768dbaf019

NBNS Spoofing

NTLMv1 Multitool: this tool modifies NTLMv1/NTLMv1-ESS/MSCHAPv2 hashes so they can be cracked with DES Mode 14000 in hashcat
https://github.com/evilmog/ntlmv1-multi/

Invoke-Phant0m: this script walks the thread stacks of the Event Log Service process (the specific svchost.exe) and identifies the Event Log threads in order to kill the Event Log Service threads. The system will then be unable to collect logs while the Event Log Service still appears to be running.
https://artofpwn.com/phant0m-killing-windows-event-log.html
https://github.com/hlldz/Invoke-Phant0m

Dumping Active Directory Domain Info – with PowerUpSQL!

15 Ways to Bypass the PowerShell Execution Policy

Elevate, UAC bypass, persistence, privilege escalation, dll hijack techniques
https://github.com/rootm0s/WinPwnage

Abusing DCOM For Yet Another Lateral Movement Technique

Invoke-WMILM: this is a PoC script for various methods to achieve authenticated remote code execution via WMI, without (at least directly) using the Win32_Process class. The type of technique is determined by the "Type" parameter.
https://github.com/Cybereason/Invoke-WMILM/blob/master/README.md

[Kernel Exploitation] 7: Arbitrary Overwrite (Win7 x86)
https://www.abatchy.com/2018/01/kernel-exploitation-7

Active Directory as a C2 (Command & Control)
https://akijosberryblog.wordpress.com/2018/03/17/active-directory-as-a-c2-command-control

Bypassing Device Guard with .NET Assembly Compilation Methods
http://www.exploit-monday.com/2017/07/bypassing-device-guard-with-dotnet-methods.html

DiskShadow: The Return of VSS Evasion, Persistence, and Active Directory Database Extraction
https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/

Jumping Network Segregation with RDP
https://rastamouse.me/2017/08/jumping-network-segregation-with-rdp/

PowerShell Shellcode Injection on Win 10 (v1803)
https://blog.cobaltstrike.com/2018/05/24/powershell-shellcode-injection-on-win-10-v1803/

Empire Web v2 launched, a web interface to PowerShell Empire.
https://github.com/interference-security/empire-web

Hidden Administrative Accounts: BloodHound to the Rescue
https://www.crowdstrike.com/blog/hidden-administrative-accounts-bloodhound-to-the-rescue/

Extracting Service Account Passwords with Kerberoasting
https://blog.stealthbits.com/extracting-service-account-passwords-with-kerberoasting/

MSDAT (Microsoft SQL Database Attacking Tool) is an open source penetration testing tool that tests the security of Microsoft SQL Databases remotely.
https://github.com/quentinhardy/msdat

Powercat: Netcat, the PowerShell version.
https://github.com/besimorhino/powercat

Windows Privilege Escalation Methods for Pentesters

Getting Domain Admin with Kerberos Unconstrained Delegation
http://www.labofapenetrationtester.com/2016/02/getting-domain-admin-with-kerberos-unconstrained-delegation.html

Scanning for Active Directory Privileges & Privileged Accounts

Automated AD and Windows test lab deployments with Invoke-ADLabDeployer

Simplifying Password Spraying
https://www.trustwave.com/Resources/SpiderLabs-Blog/Simplifying-Password-Spraying/

A Password Spraying tool for Active Directory Credentials
https://github.com/SpiderLabs/Spray

Abusing SeLoadDriverPrivilege for privilege escalation
https://www.tarlogic.com/cn/blog/abusing-seloaddriverprivilege-for-privilege-escalation/

Exploring PowerShell AMSI and Logging Evasion
https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/

Weaponizing .SettingContent-ms Extensions for Code Execution
https://www.trustedsec.com/2018/06/weaponizing-settingcontent

WMImplant Post-Exploitation – An Introduction
https://www.fortynorthsecurity.com/wmimplant-post-exploitation-an-introduction

PowerShell: How to get a list of all installed Software on Remote Computers
https://sid-500.com/2018/04/02/powershell-how-to-get-a-list-of-all-installed-software-on-remote-computers

Tokenvator: A Tool to Elevate Privilege using Windows Tokens

Disabling AMSI in JScript with One Simple Trick
https://tyranidslair.blogspot.com/2018/06/disabling-amsi-in-jscript-with-one.html

Inveigh is a PowerShell LLMNR/mDNS/NBNS spoofer and man-in-the-middle tool designed to assist penetration testers/red teamers that find themselves limited to a Windows system.
https://github.com/Kevin-Robertson/Inveigh/blob/master/README.md

A multithreaded tool designed to identify if credentials are valid, invalid, or local admin valid credentials within a network at scale via SMB, plus now with a user hunter
https://github.com/Raikia/CredNinja

PSScriptAnalyzer is a static code checker for Windows PowerShell modules and scripts. PSScriptAnalyzer checks the quality of Windows PowerShell code by running a set of rules. The rules are based on PowerShell best practices identified by the PowerShell Team and the community. It generates DiagnosticResults (errors and warnings) to inform users about potential code defects and suggests possible solutions for improvements.
https://github.com/PowerShell/PSScriptAnalyzer

Bypassing SQL Server Logon Trigger Restrictions

Evil SSDP spoofs SSDP replies to phish for NTLM hashes on a network. It creates a fake UPnP device, luring users to visit a malicious phishing page.
https://gitlab.com/initstring/evil-ssdp

https://twitter.com/subTee/status/1012657434702123008?s=19

Incapacitating Windows Defender

Red Team Tales 0x01: From MSSQL to RCE
https://www.tarlogic.com/cn/blog/red-team-tales-0x01

LethalHTA – A new lateral movement technique using DCOM and HTA
https://codewhitesec.blogspot.com/2018/07/lethalhta.html

What is it that makes a Microsoft executable a Microsoft executable? An attacker's and defender's perspective
https://posts.specterops.io/what-is-it-that-makes-a-microsoft-executable-a-microsoft-executable-b43ac612195e

PowerShell script to enumerate executables with auto-elevation enabled, handy for privilege escalation.
https://gist.github.com/Evilcry/71e03a969689b8fd1297a1803aa4d7cf

Using a SCF file to Gather Hashes

A Guide to Attacking Domain Trusts

RE: Evading Autoruns PoCs on Windows 10
https://medium.com/@KyleHanslovan/re-evading-autoruns-pocs-on-windows-10-dd810d7e8a3f

Feature, not bug: DNSAdmin to DC compromise in one line
https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83

Beyond LLMNR/NBNS Spoofing – Exploiting Active Directory-Integrated DNS

https://github.com/Kevin-Robertson/Powermad/blob/master/README.md

Elevating AD Domain Access With Write Access on the Domain NC Head

Extracting User Password Data with Mimikatz DCSync
https://blog.stealthbits.com/extracting-user-password-data-with-mimikatz-dcsync/

Pass-the-hash attacks against NTLM-authenticated web applications
https://labs.mwrinfosecurity.com/blog/pth-attacks-against-ntlm-authenticated-web-applications/

Application Whitelisting Bypass and Arbitrary Unsigned Code Execution Technique in winrm.vbs
https://posts.specterops.io/application-whitelisting-bypass-and-arbitrary-unsigned-code-execution-technique-in-winrm-vbs-c8c24fb40404

Veil Payloads and Veil-Ordnance
https://www.fortynorthsecurity.com/veil-payloads-and-veil-ordnance/

Clear all logs in Linux/Windows servers
https://github.com/Rizer0/Log-killer

Catch me if you can: bypassing memory scanners with Cobalt Strike and Gargoyle
https://labs.mwrinfosecurity.com/blog/experimenting-bypassing-memory-scanners-with-cobalt-strike-and-gargoyle

PowerShell module to check if a Windows binary (EXE/DLL) has been compiled with ASLR, DEP, SafeSEH, StrongNaming and Authenticode.
https://github.com/NetSPI/PESecurity

Exploiting a Windows 10 PagedPool off-by-one overflow (WCTF 2018)
https://j00ru.vexillium.org/2018/07/exploiting-a-windows-10-pagedpool-off-by-one/

Anonymously Enumerating Azure File Resources

Weaponizing PDFs by embedding SettingContent-ms files in them.
https://github.com/DidierStevens/DidierStevensSuite/blob/master/make-pdf-embedded.py

Persistence using GlobalFlags in Image File Execution Options – Hidden from Autoruns.exe
https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe

Compromising an Azure Windows 2008 R2 SP1 VM
https://guptaashish.com/2018/07/04/compromising-a-azure-windows-2008-r2-sp1-vm

Microsoft LAPS Security & Active Directory LAPS Configuration Recon

PowerShell is definitely the "gateway drug" to C# – GhostPack is a collection of new security tools (currently C#), getting away from the attention on PowerShell monitoring
https://github.com/GhostPack

Pass the Hash with Kerberos
https://malicious.link/post/2018/pass-the-hash-with-kerberos/

GhostPack
https://posts.specterops.io/ghostpack-d835018c5fc4

Domain Goodness – How I Learned to LOVE AD Explorer

Another way to get to a system shell – Assistive Technology

Robber: an open source tool for finding executables prone to DLL hijacking
https://github.com/MojtabaTajik/Robber

SafetyKatz: a combination of slightly modified versions of @gentilkiwi's Mimikatz project and @subtee's .NET PE Loader.
https://github.com/GhostPack/SafetyKatz

Stored passwords found all over the place after installing Windows in a corporate network
http://blog.win-fu.com/2017/08/stored-passwords-found-all-over-place.html

Security Fun: Bloodhound, MS16-072 and GPO Discoverability

Netsh DLL Helper
http://liberty-shell.com/sec/2018/07/28/netshlep/

Post Exploitation Using WMIC (System Command)

Updated 2018 PoC Mimikatz loader
PoC: https://gist.github.com/caseysmithrc/87f6572547f633f13a8482a0c91fb7b7
One-liner: https://gist.github.com/xillwillx/96e2c5011577d8583635ad7bf6d4fb58

Notes on Windows Privilege Escalation
http://memorycorruption.org/windows/2018/07/29/Notes-On-Windows-Privilege-Escalation.html

Domain Penetration Testing: Using BloodHound, Crackmapexec and Mimikatz to get Domain Admin
https://hausec.com/2017/10/21/domain-penetration-testing-using-bloodhound-crackmapexec-mimikatz-to-get-domain-admin

UltimateAppLockerByPassList: the goal of this repository is to document the most common techniques to bypass AppLocker.
https://github.com/api0cradle/UltimateAppLockerByPassList/tree/Dev

LDAP injection cheat sheet, attack examples and protection
https://www.checkmarx.com/knowledge/knowledgebase/LDAP

PowerShell script that allows pausing/unpausing Win32/64 exes
https://github.com/besimorhino/Pause-Process

ASP.NET resource files (.RESX) and deserialisation issues
https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/august/aspnet-resource-files-resx-and-deserialisation-issues/

Exploiting XXE vulnerabilities in IIS/.NET
https://pen-testing.sans.org/blog/2017/12/08/entity-inception-exploiting-iis-net-with-xxe-vulnerabilities

When "ASLR" Is Not Really ASLR – The Case of Incorrect Assumptions and Bad Defaults
https://insights.sei.cmu.edu/cert/2018/08/when-aslr-is-not-really-aslr---the-case-of-incorrect-assumptions-and-bad-defaults.html

Capturing NetNTLM Hashes with Office [DOT] XML Documents
https://bohops.com/2018/08/04/capturing-netntlm-hashes-with-office-dot-xml-documents

pOWershell obFUsCation

Copying Files via WMI and PowerShell
https://www.fortynorthsecurity.com/copying-files-via-wmi-and-powershell

Using WinRM Through Meterpreter
https://www.trustedsec.com/2017/09/using-winrm-meterpreter

TBAL: an (accidental?) DPAPI Backdoor for local users

PoC: https://youtu.be/NIPKMSV-KTw

P0wnedShell: PowerShell Runspace Post Exploitation Toolkit
https://github.com/Cn33liz/p0wnedShell

mimiDbg: PowerShell oneliner to retrieve wdigest passwords from memory
https://github.com/giMini/mimiDbg

Golden Ticket attack execution against AD-integrated SSO providers
https://www.fractalindustries.com/newsroom/blog/gt-attacks-and-sso

Windows Privilege Escalation Fundamentals
http://www.fuzzysecurity.com/tutorials/16.html

UnstoppableService: a pattern for a self-installing Windows service in C# with the unstoppable attributes.
https://github.com/malcomvetter/UnstoppableService

Driver loader for bypassing Windows x64 Driver Signature Enforcement
https://github.com/hfiref0x/TDL

Subverting Sysmon: Application of a Formalized Security Product Evasion Methodology
Code: https://github.com/mattifestation/BHUSA2018_Sysmon/tree/master/Code
Slides: https://github.com/mattifestation/BHUSA2018_Sysmon/blob/master/Slides_Subverting_Sysmon.pdf
Whitepaper: https://github.com/mattifestation/BHUSA2018_Sysmon/blob/master/Whitepaper_Subverting_Sysmon.pdf

An implementation of PSExec in C#
https://github.com/malcomvetter/CSExec

SMBetray: Backdooring and breaking signatures
https://quickbreach.io/2018/08/12/smbetray-backdooring-and-breaking-signatures
https://github.com/QuickBreach/SMBetray.git

ADRecon: Active Directory Recon – Black Hat Arsenal 2018
https://www.slideshare.net/mobile/prashant3535/adrecon-bh-usa-2018-arsenal-and-def-con-26-demo-labs-presentation
https://github.com/sense-of-security/adrecon

PS1jacker: a tool for generating COM hijacking payloads.
https://github.com/darkw1z/Ps1jacker

DEF CON 26 (2018) – Exploiting Active Directory Administrator Insecurities
https://adsecurity.org/wp-content/uploads/2018/08/2018-DEFCON-ExploitingADAdministratorInsecurities-Metcalf.pdf

From Workstation to Domain Admin: Why Secure Administration Isn't Secure and How to Fix It
https://adsecurity.org/wp-content/uploads/2018/08/us-18-Metcalf-From-Workstation-To-Domain-Admin-Why-Secure-Administration-Isnt-Secure-Final.pdf

Tools for inspecting Windows Defender's mpengine.dll
https://github.com/0xAlexei/WindowsDefenderTools

Art of Anti Detection 1 – Introduction to AV & Detection Techniques

RidRelay: enumerate usernames on a domain where you have no creds by using SMB relay with low privileges.
https://github.com/skorov/ridrelay

Remotely Enumerate Anti-Virus Configurations
https://www.fortynorthsecurity.com/remotely-enumerate-anti-virus-configurations

Juicy Potato (abusing the golden privileges)
https://decoder.cloud/2018/08/10/juicy-potato
https://ohpe.github.io/juicy-potato

Hacking around HTA files
http://blog.sevagas.com/?Hacking-around-HTA-files

Koadic C3 COM Command & Control – JScript RAT
https://github.com/zerosum0x0/koadic

Phishing – Ask and ye shall receive
https://blog.fox-it.com/2018/08/14/phishing-ask-and-ye-shall-receive

Windows Exploitation Tricks: Exploiting Arbitrary Object Directory Creation for Local Privilege Escalation
https://googleprojectzero.blogspot.com/2018/08/windows-exploitation-tricks-exploiting.html

Bypassing Microsoft AD FS Multi-Factor Authentication Protocol (CVE-2018-8340): Multi-Factor Mixup: Who Were You Again?
https://www.okta.com/security-blog/2018/08/multi-factor-authentication-microsoft-adfs-vulnerability

Reconerator: C# targeted attack reconnaissance tools
https://github.com/stufus/reconerator

DCShadow – Minimal permissions, Active Directory Deception, Shadowception and more
http://www.labofapenetrationtester.com/2018/04/dcshadow.html

Skeleton Key Attack
https://pentestlab.blog/2018/04/10/skeleton-key

Arbitrary, Unsigned Code Execution Vector in Microsoft.Workflow.Compiler.exe
https://posts.specterops.io/arbitrary-unsigned-code-execution-vector-in-microsoft-workflow-compiler-exe-3d9294bc5efb

SANS Webcast: PowerShell for PenTesting
https://www.youtube.com/watch?v=a8_DqEVFwO8

Microsoft.Workflow.Compiler.exe Mimikatz runner.
https://gist.github.com/caseysmithrc/b1190e023cd29c1910c01a164675a22e

List-RDP-Connections-History: use PowerShell to list the RDP connection history of the logged-in user or of all users
https://github.com/3gstudent/List-RDP-Connections-History

A Universal Windows Bootkit: an analysis of the MBR bootkit referred to as "HDRoot"
http://williamshowalter.com/a-universal-windows-bootkit

Broadcast Name Resolution Poisoning / WPAD Attack Vector
https://p16.praetorian.com/blog/broadcast-name-resolution-poisoning-wpad-attack-vector

.NET Deserialization to NTLM Hashes
https://www.digitalinterruption.com/single-post/2018/04/22/NET-Deserialization-to-NTLM-hashhes

Python tool to inject fake updates into unencrypted WSUS traffic
https://github.com/pdjstone/wsuspect-proxy

Remotely Modify Anti-Virus Configurations
https://www.fortynorthsecurity.com/remotely-modify-anti-virus-configurations

Making the Perfect Injector: Abusing Windows Address Sanitization and CoW

Leaking environment variables in Windows Explorer via .URL or desktop.ini files
https://insert-script.blogspot.com/2018/08/leaking-environment-variables-in_20.html

Extracting SSH Private Keys from Windows 10 ssh-agent
https://blog.ropnop.com/extracting-ssh-private-keys-from-windows-10-ssh-agent

Top Five Ways I Got Domain Admin on Your Internal Network before Lunch (2018 Edition)
https://medium.com/@adam.toscher/top-five-way-i-got-domain-admin-on-your-internal-network-before-lunch-2018-edition-82259ab73aaa

CVE-2018-0952: Privilege Escalation Vulnerability in Windows Standard Collector Service
https://www.atredis.com/blog/cve-2018-0952-privilege-escalation-vulnerability-in-windows-standard-collector-service

Operational Guidance for Offensive User DPAPI Abuse
https://posts.specterops.io/operational-guidance-for-offensive-user-dpapi-abuse-1fb7fac8b107

Kerberoasting and SharpRoast output parsing!
https://grumpy-sec.blogspot.com/2018/08/kerberoasting-and-sharproast-output.html

whitelist_bypass_server: this module is intended to be a platform for testing the effectiveness of endpoint application whitelisting, by providing bypasses for solutions such as Software Restriction Policies and AppLocker.
https://github.com/rapid7/metasploit-framework/pull/8783

Clientside Exploitation – Tricks of the Trade 0x01 – Sharpshooter + SquibblyTwo
https://0x00sec.org/t/clientside-exploitation-tricks-of-the-trade-0x01-sharpshooter-squibblytwo/8178

Privilege Escalation & Post-Exploitation docs
https://rmusser.net/docs/权限升级和Post-Exploitation.html

Task Scheduler ALPC exploit (unpatched) & PoC by SandboxEscaper
https://github.com/SandboxEscaper/randomrepo/blob/master/PoC-LPE.rar

Remote NTLM relaying through meterpreter on Windows port 445
https://diablohorn.com/2018/08/25/remote-ntlm-relaying-through-meterpreter-on-windows-port-445

Microsoft.Workflow.Compiler.exe, Veil and Cobalt Strike
https://www.fortynorthsecurity.com/microsoft-workflow-compiler-exe-veil-and-cobalt-strike

Bypassing Workflows Protection Mechanisms – Remote Code Execution on SharePoint
https://www.nccgroup.trust/uk/our-research/technical-advisory-bypassing-workflows-protection-mechanisms-remote-code-execution-on-sharepoint

Having Fun with ActiveX Controls in Microsoft Word
https://www.blackhillsinfosec.com/having-fun-with-activex-controls-in-microsoft-word

Invoke-AtomicTest – Automating MITRE ATT&CK with Atomic Red Team
http://subt0x11.blogspot.com/2018/08/invoke-atomictest-automating-mitre-att.html

AppLocker Bypass – CMSTP
https://pentestlab.blog/2018/05/10/applocker-bypass-cmstp

Persistence using AdminSDHolder and SDProp
https://blog.stealthbits.com/persistence-using-adminsdholder-and-sdprop

Red Teaming Microsoft: Part 1 – Active Directory Leaks via Azure
https://www.blackhillsinfosec.com/red-teaming-microsoft-part-1-active-directory-leaks-via-azure

Walk-through of the Mimikatz sekurlsa module
https://jetsecurity.github.io/post/mimikatz/walk-through_sekurlsa

windows-privesc-check – standalone executable to check for simple privilege escalation vectors on Windows systems
https://github.com/pentestmonkey/windows-privesc-check

Understanding how DLL hijacking works
https://astr0baby.wordpress.com/2018/09/08/understanding-how-dll-hijacking-works

Playing with Relayed Credentials
https://www.coresecurity.com/blog/playing-relayed-credentials

DDE Downloaders, Excel Abuse, and a PowerShell Backdoor
http://rinseandrepeatanalysis.blogspot.com/2018/09/dde-downloaders-excel-abuse-and.html

Detailed technical description of CVE-2018-8120
https://xiaodaozhi.com/exploit/156.html

PowerShell example for the Windows zero-day privilege escalation
https://github.com/OneLogicalMyth/zeroday-powershell/blob/master/README.md

You Can't Contain Me! :: Analyzing and Exploiting an Elevation of Privilege in Docker for Windows
https://srcincite.io/blog/2018/08/31/you-cant-contain-me-analyzing-and-exploiting-an-elevation-of-privilege-in-docker-for-windows.html

CVE-2018-8420 – Microsoft XML Core Services MSXML RCE via web browser PoC
https://github.com/Theropord/CVE-2018-8420

Bypassing AppLocker Custom Rules
https://0x09al.github.io/security/applocker/bypass/custom/rules/windows/2018/09/13/applocker-custom-rules-bypass.html

Exploiting STOPzilla AntiMalware Arbitrary Write Vulnerability using SeCreateTokenPrivilege

How to add a module to Mimikatz?
https://littlesecurityprince.com/security/2018/03/18/ModuleMimikatz.html

Multiple Ways to Bypass UAC using Metasploit

From OSINT to Internal: Gaining Domain Admin from the Perimeter
https://www.coalfire.com/The-Coalfire-Blog/Sept-2018/From-OSINT-to-Internal-Gaining-Domain-Admin

Using Mimikatz from a JSP Shell
https://blog.securitycompass.com/whiteboard-wednesday-using-mimikatz-from-a-jsp-shell-54f8a21693cc

Poking around with 2 lsass protection options
https://medium.com/red-teaming-with-a-blue-team-mentaility/poking-around-with-2-lsass-protection-options-880590a72b1a

Introducing SharpSploit: A C# Post-Exploitation Library
https://posts.specterops.io/introducing-sharpsploit-ac-post-exploitation-library-5c7be5f16c51

Faster Domain Escalation using LDAP

A Lesson in .NET Framework Versions
https://rastamouse.me/2018/09/a-lesson-in-.net-framework-versions

Command and Control Using Active Directory

L1TF (Foreshadow) VM guest-to-host memory read PoC
https://github.com/gregvish/l1tf-poc

SMB hash hijacking and user tracking in MS Outlook
https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/may/smb-hash-hijacking-and-user-tracking-in-ms-outlook

SharpBox is a C# tool for compressing, encrypting and exfiltrating data to DropBox using the DropBox API
https://github.com/P1CKLES/SharpBox

From Kekeo to Rubeus
https://posts.specterops.io/from-kekeo-to-rubeus-86d2ec501c14

Tokenvator: Release 2

AppLocker CLM Bypass via COM
https://www.mdsec.co.uk/2018/09/applocker-clm-bypass-via-com

injdrv is a proof-of-concept Windows driver for injecting DLLs into user-mode processes using APCs
https://github.com/wbenny/injdrv

Responder and Layer 2 Pivots
https://ijustwannared.team/2017/05/27/responder-and-layer-2-pivots

PowerShell: Documenting your environment by running systeminfo on all domain computers
https://sid-500.com/2017/08/09/powershell-documenting-your-environment-by-running-systeminfo-on-all-domain-computers

The Power of Backup Operators
https://decoder.cloud/2018/02/12/the-power-of-backup-operatos

Abusing Windows Library Files for Persistence
https://www.countercept.com/blog/abusing-windows-library-files-for-persistence

Domain Controller Print Server + Unconstrained Kerberos Delegation = Pwned Active Directory Forest

Invoke-Confusion: .NET remote attack from PowerShell
https://homjxi0e.wordpress.com/2018/10/02/invoke-confusion-attack-of-powershell

Creating Persistence with DCShadow
https://blog.stealthbits.com/creating-persistence-with-dcshadow

Time Travel Debugging: finding Windows GDI flaws

Malicious use of Microsoft "Local Administrator Password Solution"
http://archive.hack.lu/2017/HackLU_2017_Malicious_use_LAPS_Clementz_Goichot.pdf

Tokenvator Wiki
https://github.com/0xbadjuju/Tokenvator/wiki

ServiceFu: Remotely harvesting service account credentials
https://www.securifera.com/blog/2018/10/07/servicefu

Operating Offensively Against Sysmon
https://www.darkoperator.com/blog/2018/10/5/operating-offensively-against-sysmon

Exploiting Regedit: Invisible Persistence and Binary Storage
https://github.com/ewhitehats/InvisiblePersistence/blob/master/InvisibleRegValues_Whitepaper.pdf
PoC: https://github.com/ewhitehats/InvisiblePersistence/tree/master/InvisibleKeys

Attacking Azure Environments with PowerShell
https://youtu.be/IdORwgxDpkw

MicroBurst: A collection of scripts for assessing Microsoft Azure security
https://github.com/NetSPI/MicroBurst

Icebreaker.py: Gaining a foothold in Active Directory with one command – Dan McInerney at SaintCon
https://youtu.be/1LR5u8uKO8I

[Tool] Icebreaker: gets plaintext Active Directory credentials if you're on the internal network but outside the AD environment
https://github.com/DanMcInerney/icebreaker

Leveraging WSUS – Part One
https://ijustwannared.team/2018/10/15/leveraging-wsus-part-one

PowerShell payload delivery via DNS using Invoke-PowerCloud
https://how.ired.team/offensive-security-experiments/payload-delivery-via-dns-using-invoke-powercloud

SharpAttack: a console for executing some security assessment tasks. It leverages .NET and the Windows API to do its work (and cobbr_io's SharpSploit). It contains commands for domain enumeration, code execution, and other fun things.
https://github.com/jaredhaight/SharpAttack

Living off the Land
https://liberty-shell.com/sec/2018/10/20/living-off-the-land

Original

Windows Pentesting Resources:

Fun with LDAP, Kerberos (and MSRPC) in AD Environments

https://speakerdeck.com/ropnop/fun-with-ldap-kerberos-and-msrpc-in-ad-environments

From XML External Entity to NTLM Domain Hashes

Windows Privilege Escalation Guide
https://www.sploitspren.com/2018-01-26-Windows-Privilege-Escalation-Guide/

Windows oneliners to download remote payload and execute arbitrary code
https://arno0x0x.wordpress.com/2017/11/20/windows-oneliners-to-download-remote-payload-and-execute-arbitrary-code/amp/

Passing the hash with native RDP client (mstsc.exe)
https://michael-eder.net/post/2018/native_rdp_pass_the_hash/

Escalating privileges with ACLs in Active Directory
https://blog.fox-it.com/2018/04/26/escalating-privileges-with-acls-in-active-directory/

Automation Framework for the Atomic Red Team
https://github.com/redcanaryco/atomic-red-team/blob/master/Automation/readme.md

Skip Cracking Responder Hashes and Relay Them
http://threat.tevora.com/quick-tip-skip-cracking-responder-hashes-and-replay-them/amp/?__twitter_impression=true

Exchange-AD-Privesc. Repository of Exchange privilege escalations to Active Directory. This repository provides a few techniques and scripts regarding the impact of Microsoft Exchange deployment on Active Directory security.
https://github.com/gdedrouas/Exchange-AD-Privesc

WMIC.EXE Whitelisting Bypass - Hacking with Style, Stylesheets
https://subt0x11.blogspot.com.br/2018/04/wmicexe-whitelisting-bypass-hacking.html

Hiding Metasploit Shellcode to Evade Windows Defender
https://blog.rapid7.com/2018/05/03/hiding-metasploit-shellcode-to-evade-windows-defender/

Unofficial Guide to Mimikatz & Command Reference
Mimikatz

Gathering AD Data with the Active Directory PowerShell Module

Detecting Hypervisor Presence on Windows 10

Domain user Enumeration Tool
https://github.com/sensepost/UserEnum/blob/master/README.md

Blue Cloud of Death: Red Teaming Azure
https://speakerdeck.com/tweekfawkes/blue-cloud-of-death-red-teaming-azure-1

Ring +3 Malwares: Few tricks
http://www.blackstormsecurity.com/docs/BSIDES_2018_RELEASE.pdf

Kerberos Party Tricks: Weaponizing Kerberos Protocol Flaws
http://www.exumbraops.com/blog/2016/6/1/kerberos-party-tricks-weaponizing-kerberos-protocol-flaws

Executing Commands and Bypassing AppLocker with PowerShell Diagnostic Scripts
https://bohops.com/2018/01/07/executing-commands-and-bypassing-applocker-with-powershell-diagnostic-scripts

Microsoft's User Account Control feature, introduced in Windows Vista, has been a topic of interest to many in the security community. Since UAC was designed to force user approval for administrative actions, attackers (and red teamers) encounter UAC on nearly every engagement. As a result, bypassing this control is a task that an actor often has to overcome, despite its lack of formal designation as a security boundary. This talk highlights what UAC is, previous work by others, research methodology, and details several technical UAC bypasses developed by the author.
https://youtu.be/c8LgqtATAnE

Windows Userland Persistence Fundamentals
http://www.fuzzysecurity.com/tutorials/19.html

DLL Hijacking via URL files
https://insert-script.blogspot.com.br/2018/05/dll-hijacking-via-url-files.html

Enumerating remote access policies through GPO
https://labs.mwrinfosecurity.com/blog/enumerating-remote-access-policies-through-gpo/

https://github.com/dafthack/MailSniper

DomainPasswordSpray: DomainPasswordSpray is a tool written in PowerShell to perform a password spray attack against users of a domain. By default it will automatically generate the userlist from the domain.
https://github.com/dafthack/DomainPasswordSpray

5 Ways to Find Systems Running Domain Admin Processes

How to bypass GPO Policy restriction for Powershell usage
https://github.com/p3nt4/PowerShdll

ADAPE - Active Directory Assessment and Privilege Escalation Script
https://github.com/hausec/ADAPE-Script

Kerberoasting, exploiting unpatched systems – a day in the life of a Red Teamer
http://niiconsulting.com/checkmate/2018/05/kerberoasting-exploiting-unpatched-systems-a-day-in-the-life-of-a-red-teamer/

Understanding and Evading Get-InjectedThread
https://blog.xpnsec.com/undersanding-and-evading-get-injectedthread/

PowerLessShell relies on MSBuild.exe to remotely execute PowerShell scripts and commands without spawning powershell.exe. You can also execute raw shellcode using the same approach.
https://github.com/Mr-Un1k0d3r/PowerLessShell

Dumping Clear-Text Credentials

Office365 ActiveSync Username Enumeration
https://www.sec-1.com/blog/2017/office365-activesync-username-enumeration

This script will attempt to list and get TGTs for those users that have the property 'Do not require Kerberos preauthentication' set (UF_DONT_REQUIRE_PREAUTH). For those users with such configuration, a John The Ripper output will be generated so you can send it for cracking.
https://github.com/CoreSecurity/impacket/commit/bada8a719f8ed7be4633514eea94bc768dbaf019

NBNS Spoofing

NTLMv1 Multitool: this tool modifies NTLMv1/NTLMv1-ESS/MSCHAPv2 hashes so they can be cracked with DES Mode 14000 in hashcat
https://github.com/evilmog/ntlmv1-multi/

Invoke-Phant0m: this script walks the thread stacks of the Event Log Service process (the specific svchost.exe) and identifies the Event Log threads in order to kill the Event Log Service threads. So the system will not be able to collect logs and at the same time the Event Log Service will appear to be running.
https://artofpwn.com/phant0m-killing-windows-event-log.html
https://github.com/hlldz/Invoke-Phant0m

Dumping Active Directory Domain Info – with PowerUpSQL!

15 Ways to Bypass the PowerShell Execution Policy

Elevate, UAC bypass, persistence, privilege escalation, dll hijack techniques
https://github.com/rootm0s/WinPwnage

Abusing DCOM For Yet Another Lateral Movement Technique

Invoke-WMILM: this is a PoC script for various methods to achieve authenticated remote code execution via WMI, without (at least directly) using the Win32_Process class. The type of technique is determined by the "Type" parameter.
https://github.com/Cybereason/Invoke-WMILM/blob/master/README.md

[Kernel Exploitation] 7: Arbitrary Overwrite (Win7 x86)
https://www.abatchy.com/2018/01/kernel-exploitation-7

Active Directory as a C2 (Command & Control)
https://akijosberryblog.wordpress.com/2018/03/17/active-directory-as-a-c2-command-control

Bypassing Device Guard with .NET Assembly Compilation Methods
http://www.exploit-monday.com/2017/07/bypassing-device-guard-with-dotnet-methods.html

DiskShadow: The Return of VSS Evasion, Persistence, and Active Directory Database Extraction
https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/

Jumping Network Segregation with RDP
https://rastamouse.me/2017/08/jumping-network-segregation-with-rdp/

PowerShell Shellcode Injection on Win 10 (v1803)
https://blog.cobaltstrike.com/2018/05/24/powershell-shellcode-injection-on-win-10-v1803/

Empire Web v2 Launched, A Web Interface to Powershell Empire.
https://github.com/interference-security/empire-web

Hidden Administrative Accounts: BloodHound to the Rescue
https://www.crowdstrike.com/blog/hidden-administrative-accounts-bloodhound-to-the-rescue/

Extracting Service Account Passwords with Kerberoasting
https://blog.stealthbits.com/extracting-service-account-passwords-with-kerberoasting/

MSDAT (Microsoft SQL Database Attacking Tool) is an open source penetration testing tool that tests the security of Microsoft SQL Databases remotely.
https://github.com/quentinhardy/msdat

Powercat: Netcat, the PowerShell version.
https://github.com/besimorhino/powercat

Windows Privilege Escalation Methods for Pentesters

Getting Domain Admin with Kerberos Unconstrained Delegation http://www.labofapenetrationtester.com/2016/02/getting-domain-admin-with-kerberos-unconstrained-delegation.html
Scanning for Active Directory Privileges & Privileged Accounts
Automated AD and Windows test lab deployments with Invoke-ADLabDeployer
Simplifying Password Spraying https://www.trustwave.com/Resources/SpiderLabs-Blog/Simplifying-Password-Spraying/
Spray: A Password Spraying tool for Active Directory Credentials https://github.com/SpiderLabs/Spray
Abusing SeLoadDriverPrivilege for privilege escalation https://www.tarlogic.com/en/blog/abusing-seloaddriverprivilege-for-privilege-escalation/
Exploring PowerShell AMSI and Logging Evasion https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/
Weaponizing .SettingContent-ms Extensions for Code Execution https://www.trustedsec.com/2018/06/weaponizing-settingcontent
WMImplant Post-Exploitation – An Introduction https://www.fortynorthsecurity.com/wmimplant-post-exploitation-an-introduction
PowerShell: How to get a list of all installed Software on Remote Computers https://sid-500.com/2018/04/02/powershell-how-to-get-a-list-of-all-installed-software-on-remote-computers
Tokenvator: A Tool to Elevate Privilege using Windows Tokens
Disabling AMSI in JScript with One Simple Trick https://tyranidslair.blogspot.com/2018/06/disabling-amsi-in-jscript-with-one.html
Inveigh: a PowerShell LLMNR/mDNS/NBNS spoofer and man-in-the-middle tool designed to assist penetration testers/red teamers that find themselves limited to a Windows system https://github.com/Kevin-Robertson/Inveigh/blob/master/README.md
CredNinja: a multithreaded tool designed to identify if credentials are valid, invalid, or local admin valid credentials within a network at scale via SMB, now also with a user hunter https://github.com/Raikia/CredNinja
PSScriptAnalyzer: a static code checker for Windows PowerShell modules and scripts. It checks the quality of PowerShell code by running a set of rules based on best practices identified by the PowerShell Team and the community, and generates DiagnosticResults (errors and warnings) that point out potential code defects and suggest improvements. https://github.com/PowerShell/PSScriptAnalyzer
Bypassing SQL Server Logon Trigger Restrictions
evil-ssdp: spoofs SSDP replies to phish for NTLM hashes on a network. Creates a fake UPnP device, tricking users into visiting a malicious phishing page. https://gitlab.com/initstring/evil-ssdp
https://twitter.com/subTee/status/1012657434702123008?s=19
Incapacitating Windows Defender
Red Team Tales 0x01: From MSSQL to RCE https://www.tarlogic.com/en/blog/red-team-tales-0x01
LethalHTA - A new lateral movement technique using DCOM and HTA https://codewhitesec.blogspot.com/2018/07/lethalhta.html
What is it that Makes a Microsoft Executable a Microsoft Executable? An Attacker’s and a Defender’s Perspective https://posts.specterops.io/what-is-it-that-makes-a-microsoft-executable-a-microsoft-executable-b43ac612195e
PowerShell script to enumerate executables with auto-elevation enabled, handy for privilege escalation purposes https://gist.github.com/Evilcry/71e03a969689b8fd1297a1803aa4d7cf
Using a SCF File to Gather Hashes
A Guide to Attacking Domain Trusts
RE: Evading Autoruns PoCs on Windows 10 https://medium.com/@KyleHanslovan/re-evading-autoruns-pocs-on-windows-10-dd810d7e8a3f
Feature, not bug: DNSAdmin to DC compromise in one line https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83
Beyond LLMNR/NBNS Spoofing – Exploiting Active Directory-Integrated DNS
Powermad https://github.com/Kevin-Robertson/Powermad/blob/master/README.md
Elevating AD Domain Access With Write Access on the Domain NC Head
Extracting User Password Data with Mimikatz DCSync https://blog.stealthbits.com/extracting-user-password-data-with-mimikatz-dcsync/
Passing-the-Hash to NTLM Authenticated Web Applications https://labs.mwrinfosecurity.com/blog/pth-attacks-against-ntlm-authenticated-web-applications/
Application Whitelisting Bypass and Arbitrary Unsigned Code Execution Technique in winrm.vbs https://posts.specterops.io/application-whitelisting-bypass-and-arbitrary-unsigned-code-execution-technique-in-winrm-vbs-c8c24fb40404
Veil Payloads and Veil-Ordnance https://www.fortynorthsecurity.com/veil-payloads-and-veil-ordnance/
Log-killer: clear all your logs on Linux/Windows servers https://github.com/Rizer0/Log-killer
Catch me if u can: Bypassing Memory Scanners with Cobalt Strike and Gargoyle https://labs.mwrinfosecurity.com/blog/experimenting-bypassing-memory-scanners-with-cobalt-strike-and-gargoyle
PESecurity: PowerShell module to check if a Windows binary (EXE/DLL) has been compiled with ASLR, DEP, SafeSEH, StrongNaming, and Authenticode https://github.com/NetSPI/PESecurity
Exploiting a Windows 10 PagedPool off-by-one overflow (WCTF 2018) https://j00ru.vexillium.org/2018/07/exploiting-a-windows-10-pagedpool-off-by-one/
Anonymously Enumerating Azure File Resources
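PESecurity, listed above, reports whether a binary was linked with ASLR, DEP, SafeSEH, strong naming and Authenticode. The block below is an added example, not PESecurity's code, doing the header-level part of that check in pure Python so it runs anywhere: it reads DllCharacteristics from the PE optional header and also flags a case that is easy to overlook, a DYNAMIC_BASE bit on an image whose relocations were stripped, which the loader cannot rebase. `build_sample_pe` constructs minimal headers for testing (they are not loadable binaries), and all function names are mine. SafeSEH, strong naming and Authenticode need the load config table, the CLR header and the security directory respectively and are not covered here.

```python
"""Report the exploit-mitigation flags a PE file was linked with (ASLR, DEP,
High-Entropy VA, CFG, NO_SEH, forced integrity). Added example; only the
headers are parsed, so no Windows APIs are needed and it runs on any OS."""
import struct
import sys

# IMAGE_FILE_HEADER.Characteristics
IMAGE_FILE_RELOCS_STRIPPED = 0x0001
# IMAGE_OPTIONAL_HEADER.DllCharacteristics
HIGH_ENTROPY_VA = 0x0020
DYNAMIC_BASE = 0x0040      # ASLR opt-in
FORCE_INTEGRITY = 0x0080   # loader enforces the Authenticode signature
NX_COMPAT = 0x0100         # DEP opt-in
NO_SEH = 0x0400            # image contains no SEH handlers
GUARD_CF = 0x4000          # Control Flow Guard
PE32, PE32PLUS = 0x10B, 0x20B
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG = 10


def pe_mitigations(data: bytes) -> dict:
    """Parse DOS, COFF and optional headers and return the mitigation flags."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, _, _, _, _, _, file_chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (PE32, PE32PLUS):
        raise ValueError(f"unknown optional header magic {magic:#x}")
    is64 = magic == PE32PLUS
    # DllCharacteristics sits at +70 in both PE32 and PE32+ (the 8-byte ImageBase
    # of PE32+ is offset by the missing BaseOfData field).
    (dll_chars,) = struct.unpack_from("<H", data, opt + 70)
    (n_dirs,) = struct.unpack_from("<I", data, opt + (108 if is64 else 92))
    dirs = opt + (112 if is64 else 96)
    load_cfg_size = 0
    if n_dirs > IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG:
        _, load_cfg_size = struct.unpack_from(
            "<II", data, dirs + 8 * IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG)
    aslr_flag = bool(dll_chars & DYNAMIC_BASE)
    relocs_stripped = bool(file_chars & IMAGE_FILE_RELOCS_STRIPPED)
    return {
        "machine": {0x14C: "x86", 0x8664: "x64", 0xAA64: "arm64"}.get(machine, f"{machine:#x}"),
        # DYNAMIC_BASE only helps if the loader can actually relocate the image.
        "aslr": aslr_flag and not relocs_stripped,
        "aslr_flag_without_relocs": aslr_flag and relocs_stripped,
        "high_entropy_va": is64 and bool(dll_chars & HIGH_ENTROPY_VA),
        "dep": bool(dll_chars & NX_COMPAT),
        # CFG needs the guard tables in the load config directory, not just the bit.
        "cfg": bool(dll_chars & GUARD_CF) and load_cfg_size > 0,
        "no_seh": bool(dll_chars & NO_SEH),
        "force_integrity": bool(dll_chars & FORCE_INTEGRITY),
        # SafeSEH (x86) handler table and CFG tables live here; resolving them
        # needs RVA-to-file-offset mapping via the section table (omitted).
        "has_load_config": load_cfg_size > 0,
    }


def build_sample_pe(magic: int, dll_chars: int, file_chars: int = 0,
                    with_load_config: bool = False) -> bytes:
    """Constructed, minimal PE header (not a loadable binary) for exercising the parser."""
    is64 = magic == PE32PLUS
    opt_size = 240 if is64 else 224                    # fixed part + 16 data directories
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664 if is64 else 0x14C, 0, 0, 0, 0, opt_size, file_chars)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, 70, dll_chars)
    struct.pack_into("<I", opt, 108 if is64 else 92, 16)          # NumberOfRvaAndSizes
    if with_load_config:
        struct.pack_into("<II", opt, (112 if is64 else 96) + 8 * IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG,
                         0x3000, 0x100)                            # fake RVA/size
    return dos + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, pe_mitigations(fh.read()))
```

Run it as `python pe_mitigations.py C:\path\to\some.dll` to print the flag dictionary per file; `aslr_flag_without_relocs` being true on a binary is worth reporting separately, because a checker that looks only at DllCharacteristics will call it ASLR-enabled.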
make-pdf-embedded.py: weaponize a PDF by embedding a SettingContent-ms file inside it https://github.com/DidierStevens/DidierStevensSuite/blob/master/make-pdf-embedded.py
Persistence using GlobalFlags in Image File Execution Options – Hidden from Autoruns.exe https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe
Compromising an Azure Windows 2008 R2 SP1 VM https://guptaashish.com/2018/07/04/compromising-a-azure-windows-2008-r2-sp1-vm
Microsoft LAPS Security & Active Directory LAPS Configuration Recon
GhostPack: PowerShell is definitely a "gateway drug" to C#. GhostPack is a collection of new security tools (currently C#) that sidestep the attention PowerShell monitoring is getting https://github.com/GhostPack
Pass the Hash with Kerberos https://malicious.link/post/2018/pass-the-hash-with-kerberos/
GhostPack (introduction) https://posts.specterops.io/ghostpack-d835018c5fc4
Domain Goodness – How I Learned to LOVE AD Explorer
Another way to get to a system shell – Assistive Technology
Robber: an open source tool for finding executables prone to DLL hijacking https://github.com/MojtabaTajik/Robber
SafetyKatz: a combination of a slightly modified version of @gentilkiwi's Mimikatz project and @subtee's .NET PE Loader https://github.com/GhostPack/SafetyKatz
Stored passwords found all over the place after installing Windows in company networks http://blog.win-fu.com/2017/08/stored-passwords-found-all-over-place.html
Security Fun: Bloodhound, MS16-072 and GPO Discoverability
Netsh DLL Helpers http://liberty-shell.com/sec/2018/07/28/netshlep/
Post Exploitation Using WMIC (System Command)
Updated PoC Mimikatz Loader for 2018. PoC: https://gist.github.com/caseysmithrc/87f6572547f633f13a8482a0c91fb7b7 One-liner: https://gist.github.com/xillwillx/96e2c5011577d8583635ad7bf6d4fb58
Notes on Windows Privilege Escalation http://memorycorruption.org/windows/2018/07/29/Notes-On-Windows-Privilege-Escalation.html
Domain Penetration Testing: Using BloodHound, Crackmapexec, & Mimikatz to get Domain Admin https://hausec.com/2017/10/21/domain-penetration-testing-using-bloodhound-crackmapexec-mimikatz-to-get-domain-admin
Ultimate AppLocker ByPass List: the goal of this repository is to document the most common techniques to bypass AppLocker https://github.com/api0cradle/UltimateAppLockerByPassList/tree/Dev
LDAP Injection Cheat Sheet, Attack Examples & Protection https://www.checkmarx.com/knowledge/knowledgebase/LDAP
Pause-Process: PowerShell script which allows pausing/unpausing Win32/64 exes https://github.com/besimorhino/Pause-Process
ASP.NET resource files (.RESX) and deserialisation issues https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/august/aspnet-resource-files-resx-and-deserialisation-issues/
Exploiting XXE Vulnerabilities in IIS/.NET https://pen-testing.sans.org/blog/2017/12/08/entity-inception-exploiting-iis-net-with-xxe-vulnerabilities
When "ASLR" Is Not Really ASLR - The Case of Incorrect Assumptions and Bad Defaults https://insights.sei.cmu.edu/cert/2018/08/when-aslr-is-not-really-aslr---the-case-of-incorrect-assumptions-and-bad-defaults.html
Capturing NetNTLM Hashes with Office [DOT] XML Documents https://bohops.com/2018/08/04/capturing-netntlm-hashes-with-office-dot-xml-documents
pOWershell obFUsCation
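The LDAP injection cheat sheet listed above covers the attack and the protection; the block below, added here and not taken from the cheat sheet, shows both sides in Python: a lookup that concatenates user input into a search filter, the blind-injection oracle that abuses it to read another attribute one character at a time, and the RFC 4515 escaping that closes the hole. The directory contents, the small in-memory filter evaluator and the function names are all constructed for this example so it runs without a directory server.

```python
"""LDAP filter injection, vulnerable vs. RFC 4515-escaped, with a tiny in-memory
filter evaluator so the effect can be observed offline. Added example; the
evaluator, directory entries and helper names are constructed here."""
import re
import string

# RFC 4515 section 3: these characters must be hex-escaped inside an assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape untrusted input so it can only ever be a literal assertion value."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def _value_to_regex(value: str) -> "re.Pattern[str]":
    """Turn an assertion value (with \\xx escapes and '*' wildcards) into a regex."""
    pattern, buf, i = "", "", 0
    while i < len(value):
        ch = value[i]
        if ch == "\\" and re.fullmatch(r"[0-9a-fA-F]{2}", value[i + 1:i + 3]):
            buf += chr(int(value[i + 1:i + 3], 16))    # escaped literal character
            i += 3
        elif ch == "*":                                 # unescaped wildcard
            pattern += re.escape(buf) + ".*"
            buf, i = "", i + 1
        else:
            buf, i = buf + ch, i + 1
    return re.compile(pattern + re.escape(buf), re.DOTALL)


def _parse(text: str, pos: int):
    """Recursive-descent parser for (&...), (|...), (!...) and (attr=value)."""
    if pos >= len(text) or text[pos] != "(":
        raise ValueError(f"expected '(' at offset {pos}")
    pos += 1
    if pos < len(text) and text[pos] in "&|!":
        op, pos, children = text[pos], pos + 1, []
        while pos < len(text) and text[pos] == "(":
            child, pos = _parse(text, pos)
            children.append(child)
        if pos >= len(text) or text[pos] != ")" or (op == "!" and len(children) != 1):
            raise ValueError(f"malformed {op!r} filter at offset {pos}")
        return (op, children), pos + 1
    end = text.find(")", pos)      # a literal ')' inside a value is always escaped as \29
    if end < 0:
        raise ValueError(f"unterminated item at offset {pos}")
    attr, sep, value = text[pos:end].partition("=")
    if not sep or not attr:
        raise ValueError(f"malformed item at offset {pos}")
    return ("=", attr.lower(), _value_to_regex(value)), end + 1


def parse_filter(text: str):
    node, pos = _parse(text, 0)
    if pos != len(text):
        raise ValueError(f"trailing data after filter: {text[pos:]!r}")
    return node


def _matches(node, entry: dict) -> bool:
    op, body = node[0], node[1]
    if op == "=":
        return any(node[2].fullmatch(v) for v in entry.get(body, []))
    if op == "&":
        return all(_matches(c, entry) for c in body)
    if op == "|":
        return any(_matches(c, entry) for c in body)
    return not _matches(body[0], entry)


def search(directory: dict, filter_text: str) -> list:
    """Return the DNs of entries matching the filter (values are matched case-sensitively)."""
    node = parse_filter(filter_text)
    return sorted(dn for dn, entry in directory.items() if _matches(node, entry))


# Constructed sample directory; attribute names are stored lower-cased.
DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=com": {
        "objectclass": ["person"], "cn": ["Alice Liddell"], "userpassword": ["Wonderl4nd"]},
    "uid=bob,ou=people,dc=example,dc=com": {
        "objectclass": ["person"], "cn": ["Bob Builder"], "userpassword": ["c4nwefixit"]},
}
ALPHABET = string.ascii_letters + string.digits


def vulnerable_lookup(name: str) -> list:
    """Typical bug: user input concatenated straight into the filter."""
    return search(DIRECTORY, f"(&(objectClass=person)(cn={name}))")


def hardened_lookup(name: str) -> list:
    """Same query with the input escaped per RFC 4515."""
    return search(DIRECTORY, f"(&(objectClass=person)(cn={escape_filter_value(name)}))")


def blind_extract(lookup, target_cn: str, attr: str, alphabet: str = ALPHABET, max_len: int = 64) -> str:
    """Blind oracle: close the cn item, append (attr=prefix*) and watch whether the
    target still comes back; extend the prefix one character at a time."""
    recovered = ""
    while len(recovered) < max_len:
        for ch in alphabet:
            probe = f"{target_cn})({attr}={escape_filter_value(recovered + ch)}*"
            if lookup(probe):
                recovered += ch
                break
        else:
            break    # nothing extends the prefix: value complete, or the oracle is closed
    return recovered
```

Against `vulnerable_lookup`, the probe `Alice Liddell)(userPassword=W*` becomes the well-formed filter `(&(objectClass=person)(cn=Alice Liddell)(userPassword=W*))`, so the attacker adds assertions to the AND without ever breaking syntax; against `hardened_lookup` the same input is matched as a literal cn value and nothing comes back. On a real directory userPassword is usually not substring-searchable, so the oracle is aimed at whatever attributes are, but the mechanism is the same. Escape assertion values with this function; DN components need the separate RFC 4514 escaping.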
Copying Files via WMI and PowerShell https://www.fortynorthsecurity.com/copying-files-via-wmi-and-powershell
Using WinRM Through Meterpreter https://www.trustedsec.com/2017/09/using-winrm-meterpreter
TBAL: an (accidental?) DPAPI Backdoor for local users
PoC: https://youtu.be/NIPKMSV-KTw
P0wnedShell: PowerShell Runspace Post Exploitation Toolkit https://github.com/Cn33liz/p0wnedShell
mimiDbg: PowerShell one-liner to retrieve WDigest passwords from memory https://github.com/giMini/mimiDbg
Golden Ticket Attack Execution Against AD-Integrated SSO providers https://www.fractalindustries.com/newsroom/blog/gt-attacks-and-sso
Windows Privilege Escalation Fundamentals http://www.fuzzysecurity.com/tutorials/16.html
UnstoppableService: a pattern for a self-installing Windows service in C# with the unstoppable attributes https://github.com/malcomvetter/UnstoppableService
TDL: driver loader for bypassing Windows x64 Driver Signature Enforcement https://github.com/hfiref0x/TDL
Subverting Sysmon: Application of a Formalized Security Product Evasion Methodology. Code: https://github.com/mattifestation/BHUSA2018_Sysmon/tree/master/Code Slides: https://github.com/mattifestation/BHUSA2018_Sysmon/blob/master/Slides_Subverting_Sysmon.pdf Whitepaper: https://github.com/mattifestation/BHUSA2018_Sysmon/blob/master/Whitepaper_Subverting_Sysmon.pdf
CSExec: an implementation of PSExec in C# https://github.com/malcomvetter/CSExec
SMBetray: Backdooring and Breaking Signatures https://quickbreach.io/2018/08/12/smbetray-backdooring-and-breaking-signatures https://github.com/QuickBreach/SMBetray.git
ADRecon: Active Directory Recon, Black Hat Arsenal 2018 https://www.slideshare.net/mobile/prashant3535/adrecon-bh-usa-2018-arsenal-and-def-con-26-demo-labs-presentation https://github.com/sense-of-security/adrecon
Ps1jacker: a tool for generating COM hijacking payloads https://github.com/darkw1z/Ps1jacker
DEF CON 26 (2018) – Exploiting Active Directory Administrator Insecurities https://adsecurity.org/wp-content/uploads/2018/08/2018-DEFCON-ExploitingADAdministratorInsecurities-Metcalf.pdf
From Workstation to Domain Admin: Why Secure Administration isn’t Secure and How to Fix it https://adsecurity.org/wp-content/uploads/2018/08/us-18-Metcalf-From-Workstation-To-Domain-Admin-Why-Secure-Administration-Isnt-Secure-Final.pdf
WindowsDefenderTools: tools for instrumenting Windows Defender's mpengine.dll https://github.com/0xAlexei/WindowsDefenderTools
Art of Anti Detection 1 – Introduction to AV & Detection Techniques
Ridrelay: enumerate usernames on a domain where you have no creds by using SMB relay with a low-privileged account https://github.com/skorov/ridrelay
Remotely Enumerate Anti-Virus Configurations https://www.fortynorthsecurity.com/remotely-enumerate-anti-virus-configurations
Juicy Potato (abusing the golden privileges) https://decoder.cloud/2018/08/10/juicy-potato
Juicy Potato (abusing the golden privileges) https://ohpe.github.io/juicy-potato
Hacking around HTA files http://blog.sevagas.com/?Hacking-around-HTA-files
Koadic C3 COM Command & Control - JScript RAT https://github.com/zerosum0x0/koadic
Phishing – Ask and ye shall receive https://blog.fox-it.com/2018/08/14/phishing-ask-and-ye-shall-receive
Windows Exploitation Tricks: Exploiting Arbitrary Object Directory Creation for Local Elevation of Privilege https://googleprojectzero.blogspot.com/2018/08/windows-exploitation-tricks-exploiting.html
Bypass in Microsoft AD FS Multi-Factor Authentication protocol (CVE-2018-8340): Multi-Factor Mixup: Who Were You Again? https://www.okta.com/security-blog/2018/08/multi-factor-authentication-microsoft-adfs-vulnerability
Reconerator: C# Targeted Attack Reconnaissance Tools https://github.com/stufus/reconerator
DCShadow - Minimal permissions, Active Directory Deception, Shadowception and more http://www.labofapenetrationtester.com/2018/04/dcshadow.html
Skeleton Key Attack https://pentestlab.blog/2018/04/10/skeleton-key
Arbitrary, Unsigned Code Execution Vector in Microsoft.Workflow.Compiler.exe https://posts.specterops.io/arbitrary-unsigned-code-execution-vector-in-microsoft-workflow-compiler-exe-3d9294bc5efb
SANS Webcast: PowerShell for PenTesting https://www.youtube.com/watch?v=a8_DqEVFwO8
Microsoft.Workflow.Compiler.exe Mimikatz Runner https://gist.github.com/caseysmithrc/b1190e023cd29c1910c01a164675a22e
List-RDP-Connections-History: use PowerShell to list the RDP connection history of logged-in users or all users https://github.com/3gstudent/List-RDP-Connections-History
A Universal Windows Bootkit: an analysis of the MBR bootkit referred to as "HDRoot" http://williamshowalter.com/a-universal-windows-bootkit
Broadcast Name Resolution Poisoning / WPAD Attack Vector https://p16.praetorian.com/blog/broadcast-name-resolution-poisoning-wpad-attack-vector
.NET Deserialization To NTLM Hashes https://www.digitalinterruption.com/single-post/2018/04/22/NET-Deserialization-to-NTLM-hashes
wsuspect-proxy: Python tool to inject fake updates into unencrypted WSUS traffic https://github.com/pdjstone/wsuspect-proxy
Remotely Modify Anti-Virus Configurations https://www.fortynorthsecurity.com/remotely-modify-anti-virus-configurations
Making the Perfect Injector: Abusing Windows Address Sanitization and CoW
Leaking Environment Variables in Windows Explorer via .URL or desktop.ini files https://insert-script.blogspot.com/2018/08/leaking-environment-variables-in_20.html
Extracting SSH Private Keys from Windows 10 ssh-agent https://blog.ropnop.com/extracting-ssh-private-keys-from-windows-10-ssh-agent
Top Five Ways I Got Domain Admin on Your Internal Network before Lunch (2018 Edition) https://medium.com/@adam.toscher/top-five-ways-i-got-domain-admin-on-your-internal-network-before-lunch-2018-edition-82259ab73aaa
CVE-2018-0952: Privilege Escalation Vulnerability in Windows Standard Collector Service https://www.atredis.com/blog/cve-2018-0952-privilege-escalation-vulnerability-in-windows-standard-collector-service
Operational Guidance for Offensive User DPAPI Abuse https://posts.specterops.io/operational-guidance-for-offensive-user-dpapi-abuse-1fb7fac8b107
Kerberoasting and SharpRoast output parsing https://grumpy-sec.blogspot.com/2018/08/kerberoasting-and-sharproast-output.html
whitelist_bypass_server: this Metasploit module is designed to be a platform to test an endpoint's application whitelisting effectiveness by providing bypasses to solutions such as Software Restriction Policies and AppLocker https://github.com/rapid7/metasploit-framework/pull/8783
Clientside Exploitation - Tricks of the Trade 0x01 - Sharpshooter + SquibblyTwo https://0x00sec.org/t/clientside-exploitation-tricks-of-the-trade-0x01-sharpshooter-squibblytwo/8178
Privilege Escalation & Post-Exploitation Docs https://rmusser.net/docs/Privilege Escalation & Post-Exploitation.html
Task Scheduler ALPC exploit (unpatched when posted) and PoC by SandboxEscaper https://github.com/SandboxEscaper/randomrepo/blob/master/PoC-LPE.rar
Remote NTLM relaying through meterpreter on Windows port 445 https://diablohorn.com/2018/08/25/remote-ntlm-relaying-through-meterpreter-on-windows-port-445
Microsoft.Workflow.Compiler.exe, Veil, and Cobalt Strike https://www.fortynorthsecurity.com/microsoft-workflow-compiler-exe-veil-and-cobalt-strike
Bypassing Workflows Protection Mechanisms - Remote Code Execution on SharePoint https://www.nccgroup.trust/uk/our-research/technical-advisory-bypassing-workflows-protection-mechanisms-remote-code-execution-on-sharepoint
Having Fun with ActiveX Controls in Microsoft Word https://www.blackhillsinfosec.com/having-fun-with-activex-controls-in-microsoft-word
Invoke-AtomicTest - Automating MITRE ATT&CK with Atomic Red Team http://subt0x11.blogspot.com/2018/08/invoke-atomictest-automating-mitre-att.html
AppLocker Bypass - CMSTP https://pentestlab.blog/2018/05/10/applocker-bypass-cmstp
Persistence using AdminSDHolder and SDProp https://blog.stealthbits.com/persistence-using-adminsdholder-and-sdprop
Red Teaming Microsoft: Part 1 – Active Directory Leaks via Azure https://www.blackhillsinfosec.com/red-teaming-microsoft-part-1-active-directory-leaks-via-azure
Walk-through Mimikatz sekurlsa module https://jetsecurity.github.io/post/mimikatz/walk-through_sekurlsa
windows-privesc-check: standalone executable to check for simple privilege escalation vectors on Windows systems https://github.com/pentestmonkey/windows-privesc-check
Understanding how DLL Hijacking works https://astr0baby.wordpress.com/2018/09/08/understanding-how-dll-hijacking-works
Playing with Relayed Credentials https://www.coresecurity.com/blog/playing-relayed-credentials
DDE Downloaders, Excel Abuse, and a PowerShell Backdoor http://rinseandrepeatanalysis.blogspot.com/2018/09/dde-downloaders-excel-abuse-and.html
A detailed technical explanation of CVE-2018-8120 https://xiaodaozhi.com/exploit/156.html
A PowerShell example of the Windows zero day priv esc https://github.com/OneLogicalMyth/zeroday-powershell/blob/master/README.md
You can't contain me! :: Analyzing and Exploiting an Elevation of Privilege Vulnerability in Docker for Windows https://srcincite.io/blog/2018/08/31/you-cant-contain-me-analyzing-and-exploiting-an-elevation-of-privilege-in-docker-for-windows.html
CVE-2018-8420 - Microsoft XML Core Services MSXML RCE through web browser PoC https://github.com/Theropord/CVE-2018-8420
Bypassing AppLocker Custom Rules https://0x09al.github.io/security/applocker/bypass/custom/rules/windows/2018/09/13/applocker-custom-rules-bypass.html
Exploiting STOPzilla AntiMalware Arbitrary Write Vulnerability using SeCreateTokenPrivilege
How to add a module in Mimikatz? https://littlesecurityprince.com/security/2018/03/18/ModuleMimikatz.html
Multiple Ways to Bypass UAC using Metasploit
From OSINT to Internal: Gaining Domain Admin from Outside the Perimeter https://www.coalfire.com/The-Coalfire-Blog/Sept-2018/From-OSINT-to-Internal-Gaining-Domain-Admin
Using Mimikatz From a JSP shell https://blog.securitycompass.com/whiteboard-wednesday-using-mimikatz-from-a-jsp-shell-54f8a21693cc
Poking Around With 2 lsass Protection Options https://medium.com/red-teaming-with-a-blue-team-mentaility/poking-around-with-2-lsass-protection-options-880590a72b1a
Introducing SharpSploit: A C# Post-Exploitation Library https://posts.specterops.io/introducing-sharpsploit-a-c-post-exploitation-library-5c7be5f16c51
Faster Domain Escalation using LDAP
A Lesson in .NET Framework Versions https://rastamouse.me/2018/09/a-lesson-in-.net-framework-versions
Command and Control Using Active Directory
L1TF (Foreshadow) VM guest to host memory read PoC https://github.com/gregvish/l1tf-poc
SMB hash hijacking & user tracking in MS Outlook https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/may/smb-hash-hijacking-and-user-tracking-in-ms-outlook
SharpBox: a C# tool for compressing, encrypting, and exfiltrating data to Dropbox using the Dropbox API https://github.com/P1CKLES/SharpBox
From Kekeo to Rubeus https://posts.specterops.io/from-kekeo-to-rubeus-86d2ec501c14
Tokenvator: Release 2
AppLocker CLM Bypass via COM https://www.mdsec.co.uk/2018/09/applocker-clm-bypass-via-com
Injdrv: a proof-of-concept Windows driver for injecting DLLs into user-mode processes using APCs https://github.com/wbenny/injdrv
Responder and Layer 2 Pivots https://ijustwannared.team/2017/05/27/responder-and-layer-2-pivots
PowerShell: Documenting your environment by running systeminfo on all Domain-Computers https://sid-500.com/2017/08/09/powershell-documenting-your-environment-by-running-systeminfo-on-all-domain-computers
The power of backup operators https://decoder.cloud/2018/02/12/the-power-of-backup-operatos
Abusing Windows Library Files for Persistence https://www.countercept.com/blog/abusing-windows-library-files-for-persistence
Domain Controller Print Server + Unconstrained Kerberos Delegation = Pwned Active Directory Forest
Invoke-Confusion: .NET attacker of PowerShell remotely https://homjxi0e.wordpress.com/2018/10/02/invoke-confusion-attack-of-powershell
Creating Persistence with DCShadow https://blog.stealthbits.com/creating-persistence-with-dcshadow
Time Travel Debugging: finding Windows GDI flaws
Malicious use of Microsoft “Local Administrator Password Solution” http://archive.hack.lu/2017/HackLU_2017_Malicious_use_LAPS_Clementz_Goichot.pdf
Tokenvator Wiki https://github.com/0xbadjuju/Tokenvator/wiki
ServiceFu: Harvesting Service Account Credentials Remotely https://www.securifera.com/blog/2018/10/07/servicefu
Operating Offensively Against Sysmon https://www.darkoperator.com/blog/2018/10/5/operating-offensively-against-sysmon
Exploiting Regedit: Invisible Persistence & Binary Storage https://github.com/ewhitehats/InvisiblePersistence/blob/master/InvisibleRegValues_Whitepaper.pdf PoC: https://github.com/ewhitehats/InvisiblePersistence/tree/master/InvisibleKeys
Attacking Azure Environments with PowerShell https://youtu.be/IdORwgxDpkw
MicroBurst: a collection of scripts for assessing Microsoft Azure security https://github.com/NetSPI/MicroBurst
Icebreaker.py: Gaining a foothold in Active Directory in one command (Dan McInerney at SaintCon) https://youtu.be/1LR5u8uKO8I
[Tool] Icebreaker: gets plaintext Active Directory credentials if you're on the internal network but outside the AD environment https://github.com/DanMcInerney/icebreaker
Leveraging WSUS – Part One https://ijustwannared.team/2018/10/15/leveraging-wsus-part-one
PowerShell Payload Delivery via DNS using Invoke-PowerCloud https://how.ired.team/offensive-security-experiments/payload-delivery-via-dns-using-invoke-powercloud
SharpAttack: a console for certain tasks on security assessments. It leverages .NET and the Windows API (and cobbr_io's SharpSploit) to perform its work, and contains commands for domain enumeration, code execution, and other fun things https://github.com/jaredhaight/SharpAttack
Living Off the Land https://liberty-shell.com/sec/2018/10/20/living-off-the-land

from