
230 matches found

0day.today
added 2019/07/15 12:0 a.m. | 88 views

Microsoft Windows 10.0.17134.648 HTTP -> SMB NTLM Reflection Leads to Privilege Elevation Exploit

Exploit for windows platform in category local exploits Microsoft Windows 10.0.17134.648 - HTTP - SMB NTLM Reflection Leads to Privilege Elevation Exploit VULNERABILITY DETAILS It's possible to use the NTLM reflection attack to escape a browser sandbox in the case where the sandboxed process is...

CVSS 6 | AI score 8.5 | EPSS 0.13844
Exploits: 2

exploitpack
added 2019/07/12 12:0 a.m. | 41 views

Microsoft Windows 10.0.17134.648 - HTTP - SMB NTLM Reflection Leads to Privilege Elevation

Microsoft Windows 10.0.17134.648 - HTTP - SMB NTLM Reflection Leads to Privilege Elevation VULNERABILITY DETAILS It's possible to use the NTLM reflection attack to escape a browser sandbox in the case where the sandboxed process is allowed to create TCP sockets. In particular, I was able to combi...

AI score 0.6
Exploits: 0

Exploit DB
added 2019/07/12 12:0 a.m. | 295 views

Microsoft Windows 10.0.17134.648 - HTTP -> SMB NTLM Reflection Leads to Privilege Elevation

VULNERABILITY DETAILS It's possible to use the NTLM reflection attack to escape a browser sandbox in the case where the sandboxed process is allowed to create TCP sockets. In particular, I was able to combine the issues mentioned below with a bug in Chromium to escape its sandbox. HTTP - SMB NTLM...

AI score 7.4
Exploits: 0

GithubExploit
added 2019/06/18 12:10 p.m. | 110 views

Exploit for CVE-2019-1040

CVE-2019-1040-dcpwn Great writeup! Exploiting CVE-2019-1040...

CVSS 5.9 | AI score 7.9 | EPSS 0.48043
Exploits: 6

GithubExploit
added 2019/06/14 11:16 a.m. | 144 views

Exploit for CVE-2019-1040

CVE-2019-1040 Great writeup! Exploiting CVE-2019-1040 - Comb...

CVSS 5.9 | AI score 7.9 | EPSS 0.48043
Exploits: 6

0day.today
added 2019/05/31 12:0 a.m. | 1071 views

Microsoft Windows Remote Desktop - BlueKeep Denial of Service Exploit

import socket, sys, struct from OpenSSL import SSL from impacket.structure import Structure I'm not responsible for what you use this to accomplish and should only be used for education purposes Could clean these up since I don't even use them class TPKTStructure: commonHdr = 'Version','B=3',...

CVSS 9.8 | AI score 10 | EPSS 0.99999
Exploits: 123

exploitpack
added 2019/05/30 12:0 a.m. | 11 views

Microsoft Windows Remote Desktop - BlueKeep Denial of Service

Microsoft Windows Remote Desktop - BlueKeep Denial of Service import socket, sys, struct from OpenSSL import SSL from impacket.structure import Structure I'm not responsible for what you use this to accomplish and should only be used for education purposes Could clean these up since I don't even...

AI score 7.4
Exploits: 0

Exploit DB
added 2019/05/30 12:0 a.m. | 608 views

Microsoft Windows Remote Desktop - 'BlueKeep' Denial of Service

import socket, sys, struct from OpenSSL import SSL from impacket.structure import Structure I'm not responsible for what you use this to accomplish and should only be used for education purposes Could clean these up since I don't even use them class TPKTStructure: commonHdr = 'Version','B=3',...

AI score 7.4
Exploits: 0

Kitploit
added 2019/05/01 9:27 p.m. | 69 views

Adidnsdump - Active Directory Integrated DNS Dumping By Any Authenticated User

By default any user in Active Directory can enumerate all DNS records in the Domain or Forest DNS zones, similar to a zone transfer. This tool enables enumeration and exporting of all DNS records in the zone for recon purposes of internal networks. For more info, read the associated blog post...

AI score 7.3
Exploits: 0 | References: 2

Kitploit
added 2018/12/19 12:31 p.m. | 52 views

Scavenger - Is A Multi-Threaded Post-Exploitation Scanning Tool For Scavenging Systems, Finding Most Frequently Used Files And Folders As Well As "Interesting" Files Containing Sensitive Information

scavenger : is a multi-threaded post-exploitation scanning tool for scavenging systems, finding most frequently used files and folders as well as "interesting" files containing sensitive information. Problem Definition: Scavenger confronts a challenging issue typically faced by Penetration Testin...

AI score 7.2
Exploits: 0 | References: 6

Kitploit
added 2018/08/19 1:17 p.m. | 55 views

NtlmRelayToEWS - Ntlm Relay Attack To Exchange Web Services

ntlmRelayToEWS is a tool for performing ntlm relay attacks on Exchange Web Services (EWS). It spawns an SMBListener on port 445 and an HTTPListener on port 80, waiting for incoming connection from the victim. Once the victim connects to one of the listeners, an NTLM negotiation occurs and is relaye...

AI score 6.9
Exploits: 0 | References: 2

n0where
added 2018/08/19 2:43 a.m. | 20 views

OWA for hackers: ExchangeRelayX

ExchangeRelayX is a PoC tool to demonstrate the ability of an attacker to perform an SMB or HTTP based NTLM relay attack to the EWS endpoint on an on-premise Microsoft Exchange server to compromise the mailbox of the victim. This tool provides the attacker with an OWA looking interface, with...

AI score 1.2
Exploits: 0 | References: 1

exploitpack
added 2018/08/02 12:0 a.m. | 108 views

Universal Media Server 7.1.0 - SSDP Processing XML External Entity Injection

Universal Media Server 7.1.0 - SSDP Processing XML External Entity Injection Issue: Out-of-Band XXE in Universal Media Server's SSDP Processing Reserved CVE: CVE-2018-13416 Vulnerability Overview The XML parsing engine for Universal Media Server's SSDP/UPNP functionality is vulnerable to an XML...

CVSS 7.5 | AI score 0.2 | EPSS 0.20185
Exploits: 5

0day.today
added 2018/08/02 12:0 a.m. | 65 views

Universal Media Server 7.1.0 - SSDP Processing XML External Entity Injection Vulnerability

Exploit for jsp platform in category web applications Issue: Out-of-Band XXE in Universal Media Server's SSDP Processing Reserved CVE: CVE-2018-13416 Vulnerability Overview The XML parsing engine for Universal Media Server's SSDP/UPNP functionality is vulnerable to an XML External Entity Processi...

AI score 0.3 | EPSS 0.20185
Exploits: 5

Exploit DB
added 2018/08/02 12:0 a.m. | 40 views

Universal Media Server 7.1.0 - SSDP Processing XML External Entity Injection

Issue: Out-of-Band XXE in Universal Media Server's SSDP Processing Reserved CVE: CVE-2018-13416 Vulnerability Overview The XML parsing engine for Universal Media Server's SSDP/UPNP functionality is vulnerable to an XML External Entity Processing XXE attack. Unauthenticated attackers on the same L...

CVSS 9.8 | AI score 9.6 | EPSS 0.20185
Exploits: 5

Packet Storm
added 2018/08/01 12:0 a.m. | 57 views

Universal Media Server 7.1.0 XML Injection

Issue: Out-of-Band XXE in Universal Media Server's SSDP Processing Reserved CVE: CVE-2018-13416 Vulnerability Overview The XML parsing engine for Universal Media Server's SSDP/UPNP functionality is vulnerable to an XML External Entity Processing XXE attack. Unauthenticated attackers on the same L...

AI score 0.5 | EPSS 0.20185
Exploits: 5

Kitploit
added 2018/07/31 10:31 p.m. | 20 views

Ridrelay - Quick And Easy Way To Get Domain Usernames While On An Internal Network

Enumerate usernames on a domain where you have no creds by using SMB Relay with low priv. Quick and easy way to get domain usernames while on an internal network. How it works RidRelay combines the SMB Relay attack, common lsarpc based queries and RID cycling to get a list of domain usernames. It...

AI score 7.3
Exploits: 0 | References: 3

Kitploit
added 2018/06/19 1:30 p.m. | 2337 views

Impacket - Collection Of Python Classes For Working With Network Protocols

Impacket is a collection of Python classes for working with network protocols. Impacket is focused on providing low-level programmatic access to the packets and for some protocols e.g. SMB1-3 and MSRPC the protocol implementation itself. Packets can be constructed from scratch, as well as parsed...

CVSS 9.8 | AI score 9.3 | EPSS 0.99448
Exploits: 26 | References: 46

Metasploit
added 2018/05/27 8:24 p.m. | 60 views

WMI Exec

A similar approach to psexec but executing commands through WMI. !/usr/bin/env python3 Copyright c 2003-2018 CORE Security Technologies This software is provided under under a slightly modified version of the Apache Software License. See the accompanying LICENSE file for more information. import...

AI score 10
Exploits: 0

Metasploit
added 2018/04/04 9:34 p.m. | 25 views

DCOM Exec

A similar approach to psexec but executing commands through DCOM. You can select different objects to be used to execute the commands. !/usr/bin/env python3 Copyright c 2003-2018 CORE Security Technologies This software is provided under under a slightly modified version of the Apache Software...

AI score 7.5
Exploits: 0