HackTheBox-Penetration-Testing-Methodology

HackTheBox Penetration Testing Methodology by 9mmpterodacty...

CVE-2019-15701

components/Modals/HelpModal.jsx in BloodHound 2.2.0 allows remote attackers to execute arbitrary OS commands by spawning a child process as the current user on the victim's machine when the search function's autocomplete feature is used. The victim must import data from an Active Directory with a...

Hacktivist Group Twelve Targets Russian Entities with Destructive Cyber Attacks

A hacktivist group known as Twelve has been observed using an arsenal of publicly available tools to conduct destructive cyber attacks against Russian targets. "Rather than demand a ransom for decrypting data, Twelve prefers to encrypt victims' data and then destroy their infrastructure with a...

Living off the land with native SSH and split tunnelling

TL;DR Attackers can use Microsoft native SSH client to forward out internal network traffic Windows native SSH is common The attack only needs minimal set-up and commands Quicker and more cost effective for an attacker than using C2 infrastructure Reduces likelihood of Blue team detection...

BloodHound - Six Degrees Of Domain Admin

BloodHound is a monolithic web application composed of an embedded React frontend with Sigma.js and a Go based REST API backend. It is deployed with a Postgresql application database and a Neo4j graph database, and is fed by the SharpHound and AzureHound data collectors. BloodHound uses graph...

Phobos Ransomware Aggressively Targeting U.S. Critical Infrastructure

U.S. cybersecurity and intelligence agencies have warned of Phobos ransomware attacks targeting government and critical infrastructure entities, outlining the various tactics and techniques the threat actors have adopted to deploy the file-encrypting malware. "Structured as a ransomware as a...

ADCSync - Use ESC1 To Perform A Makeshift DCSync And Dump Hashes

This is a tool I whipped up together quickly to DCSync utilizing ESC1. It is quite slow but otherwise an effective means of performing a makeshift DCSync attack without utilizing DRSUAPI or Volume Shadow Copy. This is the first version of the tool and essentially just automates the process of...

FalconHound - A Blue Team Multi-Tool. It Allows You To Utilize And Enhance The Power Of Blo odHound In A More Automated Fashion

FalconHound is a blue team multi-tool. It allows you to utilize and enhance the power of BloodHound in a more automated fashion. It is designed to be used in conjunction with a SIEM or other log aggregation tool. One of the challenging aspects of BloodHound is that it is a snapshot in time...

KnowsMore - A Swiss Army Knife Tool For Pentesting Microsoft Active Directory (NTLM Hashes, BloodHound, NTDS And DCSync)

KnowsMore officially supports Python 3.8+. Main features Import NTLM Hashes from .ntds output txt file generated by CrackMapExec or secretsdump.py Import NTLM Hashes from NTDS.dit and SYSTEM Import Cracked NTLM hashes from hashcat output file Import BloodHound ZIP or JSON file BloodHound importer...

ShadowSpray - A Tool To Spray Shadow Credentials Across An Entire Domain In Hopes Of Abusing Long Forgotten GenericWrite/GenericAll DACLs Over Other Objects In The Domain

A tool to spray Shadow Credentials across an entire domain in hopes of abusing long forgotten GenericWrite/GenericAll DACLs over other objects in the domain. Why this tool In a lot of engagements I see in BloodHound that the group "Everyone" / "Authenticated Users" / "Domain Users" or some other...

Cypherhound - Terminal Application That Contains 260+ Neo4j Cyphers For BloodHound Data Sets

A Python3 terminal application that contains 260+ Neo4j cyphers for BloodHound data sets. Why? BloodHound is a staple tool for every red teamer. However, there are some negative side effects based on its design. I will cover the biggest pain points I've experienced and what this tool aims to...

Autobloody - Tool To Automatically Exploit Active Directory Privilege Escalation Paths Shown By BloodHound

autobloody is a tool to automatically exploit Active Directory privilege escalation paths shown by BloodHound. Description This tool automates the AD privesc between two AD objects, the source the one we own and the target the one we want if a privesc path exists in BloodHound database. The...

AzureHound - Azure Data Exporter For BloodHound

The BloodHound data collector for Microsoft Azure Get AzureHound Release Binaries Download the appropriate binary for your platform from one of our Releases. Rolling Release The rolling release contains pre-built binaries that are automatically kept up-to-date with the main branch and can be...

Aced - Tool to parse and resolve a single targeted Active Directory principal's DACL

Aced is a tool to parse and resolve a single targeted Active Directory principal's DACL. Aced will identify interesting inbound access allowed privileges against the targeted account, resolve the SIDS of the inbound permissions, and present that data to the operator. Additionally, the logging...

Offensive-Azure - Collection Of Offensive Tools Targeting Microsoft Azure

Collection of offensive tools targeting Microsoft Azure written in Python to be platform agnostic. The current list of tools can be found below with a brief description of their functionality. ./DeviceCode/devicecodeeasymode.py Generates a code to be entered by the target user Can be used for...

linWinPwn - A Bash Script That Automates A Number Of Active Directory Enumeration And Vulnerability Checks

linWinPwn is a bash script that automates a number of Active Directory Enumeration and Vulnerability checks. The script leverages and is dependent of a number of tools including: impacket, bloodhound, crackmapexec, ldapdomaindump, lsassy, smbmap, kerbrute, adidnsdump. Setup Git clone the reposito...

ADExplorerSnapshot.py - An AD Explorer Snapshot Parser. It Is Made As An Ingestor For BloodHound, And Also Supports Full-Object Dumping To NDJSON

ADExplorerSnapshot.py is an AD Explorer snapshot parser. It is made as an ingestor for BloodHound, and also supports full-object dumping to NDJSON. AD Explorer allows you to connect to a DC and browse LDAP data. It can also create snapshots of the server you are currently attached to. This tool...

GoodHound - Uses Sharphound, Bloodhound And Neo4j To Produce An Actionable List Of Attack Paths For Targeted Remediation

Attackers think in graphs, defenders think in actions, management think in charts. GoodHound operationalises Bloodhound by determining the busiest paths to high value targets and creating actionable output to prioritise remediation of attack paths. Usage Quick Start For a very quick start with mo...

LACheck - Multithreaded C# .NET Assembly Local Administrative Privilege Enumeration

Multithreaded C .NET Assembly Local Administrative Privilege Enumeration Arguments domain controller to query if not ran on a domain-joined host /domain - specify domain name if not ran on a domain-joined host /edr - check host for EDR requires smb, rpc, or winrm /logons - return logged on users ...

GitOops - All Paths Lead To Clouds

GitOops is a tool to help attackers and defenders identify lateral movement and privilege escalation paths in GitHub organizations by abusing CI/CD pipelines and GitHub access controls. It works by mapping relationships between a GitHub organization and its CI/CD jobs and environment variables...