HackDig : Dig high-quality web security articles for hackers

StreamDivert: Relaying (specific) network connections

Author: Jelle Vergeer The first part of this blog will be the story of how this tool found its way into existence, the problems we faced and the thought process followed. The second part will be a more technical deep dive into the tool itself, how to use it, and how it works. Storytime About 1½ half years ago I did an awesome Red Team like project.
Publish At:2020-09-10 15:25 | Read:131 | Comments:0 | Tags:audits Blog pentest Uncategorized

New Deepfakes using GAN stirs up questions about digital fakery

Subversive deepfake campaigns that enter the party unannounced, do their thing, then slink off into the night without anybody noticing are where it’s at. Easily debunked clips of Donald Trump yelling THE NUKES ARE UP or something similarly ludicrous are not a major concern. We’ve already dug into why that’s the case. What we’ve also explored are the peopl
Publish At:2020-07-23 11:20 | Read:225 | Comments:0 | Tags:Social engineering AI article blog deepfake deepfakes deepfa

Website misconfigurations and other errors to avoid

Website owners, listen up: There are lots of things you shouldn’t do with your site, and many more you should avoid with the domains you’re responsible for. Insider malice, bad luck, and the stars aligning in impossible ways can all give your online portfolio a bad hair day. However, if you want to tempt fate, you can bring on the mayhem with website misconf
Publish At:2020-07-15 11:33 | Read:229 | Comments:0 | Tags:How-tos bank banking blog CMS dns hijack redirect website

WastedLocker: A New Ransomware Variant Developed By The Evil Corp Group

Authors: Nikolaos Pantazopoulos, Stefano Antenucci (@Antelox) and Michael Sandee 1. Introduction WastedLocker is a new ransomware locker we’ve detected being used since May 2020. We believe it has been in development for a number of months prior to this and was started in conjunction with a number of other changes we have seen originate from the
Publish At:2020-06-23 09:25 | Read:295 | Comments:0 | Tags:Blog Cobalt Strike Threat Intelligence evilcorp ransomware w

LDAPFragger: Command and Control over LDAP attributes

  Introduction A while back during a penetration test of an internal network, we encountered physically segmented networks. These networks contained workstations joined to the same Active Directory domain, however only one network segment could connect to the internet. To control workstations in both segments remotely with Cobalt Strike, we built a tool
Publish At:2020-03-19 06:53 | Read:747 | Comments:0 | Tags:audits Blog Cobalt Strike pentest Uncategorized

Phishing – Ask and ye shall receive

During penetration tests, our primary goal is to identify the difference in paths that can be used to obtain the goal(s) as agreed upon with our customers. This often succeeds due to insufficient hardening, lack of awareness or poor password hygiene. Sometimes we do get access to a resource, but do not have access to the username or password of the user that
Publish At:2019-09-19 23:30 | Read:1141 | Comments:0 | Tags:audits Blog pentest Uncategorized

Your trust, our signature

Written and researched by Mark Bregman and Rindert Kramer Sending signed phishing emails Every organisation, whatever its size, will encounter phishing emails sooner or later. While the number of phishing attacks is increasing every day, the way in which phishing is used within a cyber-attack has not changed: an attacker comes up with a scenario which looks
Publish At:2019-09-19 23:30 | Read:1380 | Comments:0 | Tags:audits Blog pentest Uncategorized email hacking phishing

Getting in the Zone: dumping Active Directory DNS using adidnsdump

Zone transfers are a classical way of performing reconnaissance in networks (or even from the internet). They require an insecurely configured DNS server that allows anonymous users to transfer all records and gather information about host in the network. What not many people know however is that if Active Directory integrated DNS is used, any user can query
Publish At:2019-09-19 23:30 | Read:1316 | Comments:0 | Tags:Blog

Export corrupts Windows Event Log files

Exported .evtx files may contain corrupted data – Check interpretation of forensic tools. Author: Jeffrey Wassenaar Introduction As forensic investigators, we truly love log files. During the investigation of a system with a Microsoft Windows operating system, Windows Event Log files (.evtx) can be very useful. System events (such as logons) are logged
Publish At:2019-09-19 23:30 | Read:1284 | Comments:0 | Tags:Blog

Syncing yourself to Global Administrator in Azure Active Directory

This blog describes a vulnerability discovered by Fox-IT last year in Azure AD Connect, which would allow anyone with account creation privileges in the on-premise Active Directory directory to modify the password of any cloud-only account in Azure AD. Because of the way accounts are commonly configured, this could often enable an attacker to take over the h
Publish At:2019-09-19 23:30 | Read:1257 | Comments:0 | Tags:Blog pentest

Using Anomaly Detection to find malicious domains

Applying unsupervised machine learning to find ‘randomly generated domains. Authors: Ruud van Luijk and Anne Postma At Fox-IT we perform a variety of research and investigation projects to detect malicious activity to improve the service of  our Security Operations Center. One of these areas is applying data science techniques to real world data in real worl
Publish At:2019-09-19 23:30 | Read:1165 | Comments:0 | Tags:Blog

Office 365: prone to security breaches?

Author: Willem Zeeman “Office 365 again?”. At the Forensics and Incident Response department of Fox-IT, this is heard often.  Office 365 breach investigations are common at our department. You’ll find that this blog post actually doesn’t make a case for Office 365 being inherently insecure – rather, it discusses some of the predictability of Offi
Publish At:2019-09-19 23:30 | Read:1148 | Comments:0 | Tags:Blog

SetUID program exploitation: Crafting shared object files without a compiler

In this post we look at an alternative to compiling shared object files when exploiting vulnerable setUID programs on Linux. At a high level we’re just going to copy the binary and insert some shellcode. First we take a look the circumstances that might lead you to use this option. Also check out this previous post on setUID exploitation. A hacker chal
Publish At:2019-09-19 17:35 | Read:1128 | Comments:0 | Tags:Blog analysis exploit root UNIX

An offensive introduction to Active Directory on UNIX

By way of an introduction to our talk at Black Hat Europe, Security Advisory EMEAR would like to share the background on our recent research into some common Active Directory integration solutions. Just as with Windows, these solutions can be utilized to join UNIX infrastructure to enterprises’ Active Directory forests. Background to Active Directory i
Publish At:2019-09-19 17:35 | Read:1291 | Comments:0 | Tags:Blog analysis auditing Black Hat Europe blue team conference

Reverse port forwarding SOCKS proxy via HTTP proxy (part 1)

In the context of a Red Team assessment, in this post I’ll look at some options for using SOCKS to gain external access to an internal network. I’ll cover the obvious methods and why I’m overlooking them, a crude method using standard tools (this post) and a more refined approach using modified tools (in part 2). I recently spent quite a lo
Publish At:2019-09-19 17:35 | Read:1574 | Comments:0 | Tags:Blog RDP red team Windows

Tools

Tag Cloud