mantvydasb / redteaming-tactics-and-techniques
Red Teaming Tactics and Techniques
Home Page: http://ired.team
Hey, can you add an RSS/Atom feed to your blog? Would make subscribing to new posts easier :)
Hi, I think there's a typo on this Article. It says:
"Note that the NetNTLMv2 hashes can only be relayed to the same host they are originating from. You can, however, try cracking them offline and use them on the machine they originated from".
But the whole article shows how to relay a NetNTLMv2 hash to a different host. I think you meant "NetNTLMv2 hashes cannot be relayed to the same host they are originating from".
This was fixed with MS08-068 (https://byt3bl33d3r.github.io/practical-guide-to-ntlm-relaying-in-2017-aka-getting-a-foothold-in-under-5-minutes.html).
Hey,
I've just noticed that the hash function provided in the tutorial is not so good - I found at least two hash collisions of different API function names. One of them is this:
I recommend the following one, written in C by me and inspired by this excellent paper: "The Last Stage of Delirium. Win32 Assembly Components"
#include <windows.h>

// Rotate the running value left by 5 bits, then add the next character of the name.
DWORD getHashFromString(char* instring)
{
    char* string = instring;
    DWORD hash = 0xab10f29f;
    while (*string) hash = ((hash << 5) | (hash >> 27)) + *string++;
    //printf("%s: 0x%x\n", instring, hash);  // debug aid: `string` already points at the terminator here
    return hash;
}
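As an added example (not code from the issue above or from the ired.team project), the C below re-implements the rotate-left-5 hash as `rol5_hash` and pairs it with a generic `find_collision` that hashes a list of export names once and reports the first two distinct names sharing a value. The sample export list, the anagram pair and the deliberately weak byte-sum `sum_hash` (included so the checker has a collision to find) are constructed for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* The hash posted above: rotate the running value left by 5 and add the next byte.
 * uint32_t stands in for DWORD so the file builds without windows.h. */
uint32_t rol5_hash(const char *s)
{
    uint32_t hash = 0xab10f29f;
    while (*s)
        hash = ((hash << 5) | (hash >> 27)) + (uint32_t)*s++;
    return hash;
}

/* Deliberately weak reference hash (constructed for the demo): a plain byte sum is
 * order-insensitive, so any two anagrams such as "ab" and "ba" collide. */
uint32_t sum_hash(const char *s)
{
    uint32_t hash = 0;
    while (*s)
        hash += (uint8_t)*s++;
    return hash;
}

typedef uint32_t (*hash_fn)(const char *);

/* Hash every name once, then look for two distinct names sharing a value.
 * Returns 1 and sets *i,*j on the first collision, 0 if none, -1 on allocation failure. */
int find_collision(hash_fn fn, const char *const *names, size_t n, size_t *i, size_t *j)
{
    uint32_t *h = malloc(n * sizeof *h);
    int found = 0;
    if (!h) return -1;
    for (size_t a = 0; a < n; a++)
        h[a] = fn(names[a]);
    for (size_t a = 0; a < n && !found; a++)
        for (size_t b = a + 1; b < n; b++)
            if (h[a] == h[b] && strcmp(names[a], names[b]) != 0) {
                *i = a; *j = b; found = 1;
                break;
            }
    free(h);
    return found;
}

/* Constructed sample list; in practice this would be every name in a DLL's export table. */
static const char *const sample_exports[] = {
    "LoadLibraryA", "GetProcAddress", "VirtualAlloc", "VirtualProtect", "CreateThread",
};
#define SAMPLE_COUNT (sizeof sample_exports / sizeof sample_exports[0])
static const char *const anagram_pair[] = { "ab", "ba" };   /* constructed collision for sum_hash */

/* One-call wrappers around the two checks. */
int rol5_sample_collides(void) { size_t i, j; return find_collision(rol5_hash, sample_exports, SAMPLE_COUNT, &i, &j); }
int sum_hash_pair_collides(void) { size_t i, j; return find_collision(sum_hash, anagram_pair, 2, &i, &j); }

int main(void)
{
    size_t i, j;
    for (size_t k = 0; k < SAMPLE_COUNT; k++)
        printf("%-16s rol5=0x%08x\n", sample_exports[k], rol5_hash(sample_exports[k]));
    if (find_collision(rol5_hash, sample_exports, SAMPLE_COUNT, &i, &j) == 1)
        printf("rol5 collision: %s / %s\n", sample_exports[i], sample_exports[j]);
    else
        puts("no rol5 collisions in the sample list");
    if (find_collision(sum_hash, anagram_pair, 2, &i, &j) == 1)
        printf("byte-sum collision: %s / %s\n", anagram_pair[i], anagram_pair[j]);
    return 0;
}
```

To evaluate a hash scheme the way this issue did, feed `find_collision` the complete export name list of the DLLs whose functions are resolved by hash; the O(n^2) pass is cheap for tables of a few thousand names.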
Hi,
there is a bug in the following line of code (arguments for ReadFile()) for Reflective DLL injection.
LPVOID dllBytes = HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, dllSize);
ReadFile(dll, dllBytes, dllSize, NULL, NULL);
The 3rd argument for ReadFile() can't be NULL if the 4th is already NULL.
LPVOID dllBytes = HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, dllSize);
DWORD outsize = 0; // receives the number of bytes actually read; must be non-NULL when lpOverlapped is NULL
ReadFile(dll, dllBytes, dllSize, &outsize, NULL);
In this page, it is stated that relocations may need to be fixed, and ntdll does not have any relocations to fix. However, ntdll does indeed have relocations (in fact, my version holds 7577 relocations), as can be seen if you open it in CFF Explorer. Indeed, this is because CreateFileMapping and MapViewOfFile already do the relocations for you. As such, no matter what DLL you use, this method should work to map it into memory without needing to solve for relocations (even the more complex ones such as kernel32.dll). In fact, if you implement your own mapping function (using things such as fopen), you will see that the ImageBase observed is completely different from the ImageBase you get after using CreateFileMapping and MapViewOfFile.
I'm sorry to anyone who has an email notification as a result.
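As an added illustration of what "fixing relocations" means in the ntdll/kernel32 discussion above (this is not the project's code and was written independently of the issue author): a portable C walker over a PE .reloc directory that counts blocks and fixups the way a PE viewer reports them, and applies the 64-bit delta a loader (or an image-section mapping) applies when the image does not land at its preferred base. The struct and constant names mirror winnt.h; the sample .reloc bytes, the 0x3000-byte image, the preferred base and the pointer sites are constructed for the demo.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* winnt.h layouts reproduced here so the file builds without windows.h. */
typedef struct { uint32_t VirtualAddress; uint32_t SizeOfBlock; } base_reloc_hdr; /* IMAGE_BASE_RELOCATION */
enum { REL_ABSOLUTE = 0, REL_DIR64 = 10 };   /* IMAGE_REL_BASED_ABSOLUTE, IMAGE_REL_BASED_DIR64 */

typedef struct { size_t blocks, fixups, padding; } reloc_stats;

/* Walk a .reloc directory: one header per page, then 16-bit entries (type:4, offset:12).
 * visit() is called for every real fixup; a NULL visit only counts. Returns 0 on malformed data. */
static int walk_relocs(const uint8_t *reloc, size_t len,
                       int (*visit)(uint32_t rva, unsigned type, void *ctx), void *ctx, reloc_stats *st)
{
    size_t off = 0;
    memset(st, 0, sizeof *st);
    while (off + sizeof(base_reloc_hdr) <= len) {
        base_reloc_hdr h;
        memcpy(&h, reloc + off, sizeof h);
        if (h.SizeOfBlock == 0) break;                       /* zero-sized terminator */
        if (h.SizeOfBlock < sizeof h || (h.SizeOfBlock & 1) || off + h.SizeOfBlock > len)
            return 0;                                        /* block overruns the directory */
        size_t n = (h.SizeOfBlock - sizeof h) / 2;
        for (size_t i = 0; i < n; i++) {
            uint16_t e;
            memcpy(&e, reloc + off + sizeof h + 2 * i, sizeof e);
            if ((e >> 12) == REL_ABSOLUTE) { st->padding++; continue; }   /* alignment filler */
            st->fixups++;
            if (visit && !visit(h.VirtualAddress + (e & 0xFFF), e >> 12, ctx))
                return 0;
        }
        st->blocks++;
        off += h.SizeOfBlock;
    }
    return 1;
}

typedef struct { uint8_t *image; size_t size; int64_t delta; } apply_ctx;

/* Per-entry loader work: add (actual base - preferred base) to each absolute 64-bit pointer. */
static int apply_one(uint32_t rva, unsigned type, void *p)
{
    apply_ctx *c = p;
    uint64_t v;
    if (type != REL_DIR64 || rva + 8 > c->size)   /* demo handles DIR64 only; bounds-check the site */
        return 0;
    memcpy(&v, c->image + rva, sizeof v);
    v = (uint64_t)((int64_t)v + c->delta);
    memcpy(c->image + rva, &v, sizeof v);
    return 1;
}

int apply_relocations(uint8_t *image, size_t size, const uint8_t *reloc, size_t len,
                      int64_t delta, reloc_stats *st)
{
    apply_ctx c = { image, size, delta };
    return walk_relocs(reloc, len, apply_one, &c, st);
}

int reloc_is_well_formed(const uint8_t *reloc, size_t len)
{
    reloc_stats st;
    return walk_relocs(reloc, len, NULL, NULL, &st);
}

/* Constructed sample directory: page 0x1000 with three DIR64 fixups plus one ABSOLUTE pad,
 * page 0x2000 with one DIR64 fixup plus one pad. Entries are little-endian (type<<12 | offset). */
static const uint8_t sample_reloc[] = {
    0x00,0x10,0x00,0x00, 0x10,0x00,0x00,0x00, 0x10,0xA0, 0x20,0xA0, 0x30,0xA0, 0x00,0x00,
    0x00,0x20,0x00,0x00, 0x0C,0x00,0x00,0x00, 0x08,0xA0, 0x00,0x00,
};
/* Constructed malformed directory: the header claims 0x40 bytes but only the header is present. */
static const uint8_t sample_bad_reloc[] = { 0x00,0x10,0x00,0x00, 0x40,0x00,0x00,0x00 };

#define IMG_SIZE  0x3000
#define PREF_BASE 0x140000000ULL                     /* constructed preferred ImageBase */
static const uint32_t sample_sites[] = { 0x1010, 0x1020, 0x1030, 0x2008 };

/* Plant a pointer to PREF_BASE+0x1000 at every site named in sample_reloc, rebase by `delta`,
 * and return the pointer read back from RVA 0x1010 (0 if the directory was rejected). */
uint64_t demo_rebase(int64_t delta, reloc_stats *st)
{
    static uint8_t img[IMG_SIZE];
    reloc_stats local;
    uint64_t v = PREF_BASE + 0x1000;
    if (!st) st = &local;
    memset(img, 0, IMG_SIZE);
    for (size_t k = 0; k < sizeof sample_sites / sizeof sample_sites[0]; k++)
        memcpy(img + sample_sites[k], &v, sizeof v);
    if (!apply_relocations(img, IMG_SIZE, sample_reloc, sizeof sample_reloc, delta, st))
        return 0;
    memcpy(&v, img + 0x1010, sizeof v);
    return v;
}

size_t demo_fixup_count(void) { reloc_stats st; demo_rebase(0, &st); return st.fixups; }
size_t demo_block_count(void) { reloc_stats st; demo_rebase(0, &st); return st.blocks; }

int main(void)
{
    reloc_stats st;
    uint64_t p = demo_rebase(0x10000, &st);
    printf("blocks=%zu fixups=%zu padding=%zu\n", st.blocks, st.fixups, st.padding);
    printf("pointer at RVA 0x1010 after rebasing by +0x10000: 0x%llx\n", (unsigned long long)p);
    printf("malformed sample accepted? %d\n", reloc_is_well_formed(sample_bad_reloc, sizeof sample_bad_reloc));
    return 0;
}
```

On the constructed image the pointer at RVA 0x1010 moves from 0x140001000 to 0x140011000 after a +0x10000 rebase, and the truncated directory is rejected rather than read past its end. For a real DLL the directory's RVA and size come from the IMAGE_DIRECTORY_ENTRY_BASERELOC entry of the optional header; the fixup count the walker reports is the figure a PE viewer shows.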
In NFS Exported shares you say
List NFS exported shares. If 'rw,no_root_squash' is present, upload and execute sid-shell
I'd like to get the code for sid-shell as the link https://github.com/mantvydasb/Offensive-Security-Cheatsheets/blob/master/sid-shell.c is dead.
Where could I find this C code? I'm not finding the proper CVE online.
Thanks, sorry for the burden.
At Pentesting Cheatsheets, the sid-shell url at the NFS Exported Shares paragraph is broken (404).
As you probably know, using a .gitignore file can prevent the .vscode directory from being committed, for example:
.vscode/*
!.vscode/settings.json
!.vscode/tasks.json
!.vscode/launch.json
!.vscode/extensions.json
I learned a lot from your article, thank you for sharing, but several addresses have failed.
https://github.com/mantvydasb/Offensive-Security-Cheatsheets/blob/master/sid-shell.c
https://github.com/mantvydasb/Offensive-Security-Cheatsheets/blob/master/raptor/raptor.tar
https://github.com/mantvydasb/Offensive-Security-Cheatsheets/blob/master/raptor_udf2.c
Hello,
in
offensive-security/lateral-movement/lateral-movement-via-smb-relaying-by-abusing-lack-of-smb-signing
Microsoft network client: Digitally sign communications (always)
should be
Microsoft network server: Digitally sign communications (always)
Maybe this part can be simplified by using hashcat with --username
https://github.com/khast3x/Redcloud
May or may not be of interest.
On later versions of Windows 11 it is possible to enumerate versions of packages installed on a target using the native winget command. Might be good to give some documentation on this, as I imagine this might be useful for finding out installed software on a target and associated versions that one could use for further exploitation.
What is the license type for this repo? Having a snippet at the top of the readme about cloning is non-enforceable.
Hey there, I'm going to translate this series of notes. I'm a security beginner and I found these notes are great. I'm going to follow this experiment and make the Chinese version of the notes; I've already done part of it!
This is my blog
But, technically, he's not a translator, so maybe he counts as my study record? Because I'm not strictly following your notes, or I'm doing a Chinese project on my own, I don't know if that's possible.
Sir, do you have any material (script) regarding this ShadowAttack (AutoShadow) tool?
Refer link: https://people.engr.tamu.edu/guofei/paper/ShadowAttacks_final-onecolumn.pdf
Any help is appreciated.
Hi. I suggest adding a small trick under this section
https://ired.team/offensive-security-experiments/offensive-security-cheetsheets#creating-user-and-adding-to-local-administrators
Hide newly created local administrator
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /t REG_DWORD /v spotless /d 0 /f
At the page on AddressOfEntryPoint Code Injection without VirtualAllocEx RWX, this is not really done without using RWX. As shown in the first picture, the entrypoint memory page is already under RX permissions, and as shown here, the only reason this method works is because WriteProcessMemory is being nice and trying to change RX to RWX temporarily, which would end up creating an RWX page anyways, essentially making this technique still easily detectable by EDRs that look for RWX regions.
This is the only way I found to contact someone from https://www.ired.team/. I would love someone to teach me everything they know about all the different bypass methods on that site: how they learned the C++ for it, what tools they use, how they found the tools. I have been developing my own malware for a resume. It will be a program that makes fully undetectable meterpreter payloads. If anyone can help me in my learning process, please email me at: [email protected]
I also have discord: inviting_fawn_33780
Please reach out; it would mean the world to me. This has been my goal for 3 years, but no matter what I tried, I never got closer to it.
PS: I can hire for $200 if needed
where is D/Invoke ?
Hi, I'm the developer of bloodyAD. If you're interested I can add to your guides bloodyAD command lines as a Windows/Linux alternative to Powerview.