I’m bringing relaying back: A comprehensive guide on relaying anno 2022

For years now, Internal Penetration Testing teams have been successful in obtaining a foothold or even compromising entire domains through a technique called NTLM relaying. The earliest, most descriptive relaying blog post I could find dates all the way back to 2017, written by Marcello, better known as byt3bl33d3r: https://byt3bl33d3r.github.io/practical-guide-to-ntlm-relaying-in-2017-aka-getting-a-foothold-in-under-5-minutes.html At the time of writing this…

The post I’m bringing relaying back: A comprehensive guide on relaying anno 2022 appeared first on TrustedSec.

Recovering Randomly Generated Passwords

TL;DR – Use the following hashcat mask files when attempting to crack randomly generated passwords. 8 Character Passwords masks_8.hcmask 9 Character Passwords masks_9.hcmask 10 Character Passwords masks_10.hcmask When testing a client’s security posture, TrustedSec will sometimes conduct a password audit. This involves attempting to recover the plaintext password by extracting and cracking the NTLM hashes…

The post Recovering Randomly Generated Passwords appeared first on TrustedSec.
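The post's own mask files are not reproduced here. The following is an added example, not TrustedSec's code, showing how such an `.hcmask` file is built: it assumes (a labelled assumption, not something the post states) that the random passwords come from a generator enforcing a fixed length and at least one upper-case, lower-case, digit and special character, enumerates every hashcat mask that satisfies that policy, and writes them cheapest keyspace first so that `hashcat -m 1000 -a 3 ntlm.txt masks_8.hcmask` tries the small masks before the expensive ones.

```python
"""Generate hashcat .hcmask files for randomly generated passwords.

Added example. Assumption (not from the TrustedSec post): the password
generator enforces a fixed length and "at least one of each" of the four
built-in hashcat classes ?u ?l ?d ?s. Every mask matching that policy is
emitted, cheapest keyspace first, one mask per line (the .hcmask format).
"""
import itertools
from typing import Iterable, List, Sequence

# Size of each built-in hashcat charset:
#   ?u = A-Z (26)  ?l = a-z (26)  ?d = 0-9 (10)  ?s = the 33 printable specials
CHARSET_SIZE = {"?u": 26, "?l": 26, "?d": 10, "?s": 33}


def mask_keyspace(mask: str) -> int:
    """Number of candidates hashcat will try for one mask, e.g. ?u?l?d?s -> 26*26*10*33."""
    tokens = [mask[i:i + 2] for i in range(0, len(mask), 2)]
    space = 1
    for tok in tokens:
        space *= CHARSET_SIZE[tok]  # an unknown token raises KeyError: refuse to guess
    return space


def generate_masks(length: int,
                   required: Sequence[str] = ("?u", "?l", "?d", "?s")) -> List[str]:
    """All masks of `length` positions drawn from `required` that use every class at least once.

    Returns [] when `length` is shorter than the number of required classes,
    because no password of that length can satisfy the policy.
    """
    masks = []
    for combo in itertools.product(required, repeat=length):
        if all(cls in combo for cls in required):
            masks.append("".join(combo))
    # hashcat walks an .hcmask file top to bottom: put the cheap masks first.
    # Masks with the same multiset of classes share a keyspace, so the tie-break
    # on the mask string just keeps the output deterministic.
    masks.sort(key=lambda m: (mask_keyspace(m), m))
    return masks


def total_keyspace(masks: Iterable[str]) -> int:
    """Sum of the per-mask keyspaces: the total work hashcat will do for the file."""
    return sum(mask_keyspace(m) for m in masks)


def write_hcmask(masks: Iterable[str], path: str) -> int:
    """Write one mask per line (.hcmask format); returns the number of lines written."""
    written = 0
    with open(path, "w") as fh:
        for mask in masks:
            fh.write(mask + "\n")
            written += 1
    return written


if __name__ == "__main__":
    # Produces masks_8.hcmask, masks_9.hcmask and masks_10.hcmask in the
    # current directory under the policy assumed above.
    for length in (8, 9, 10):
        masks = generate_masks(length)
        write_hcmask(masks, f"masks_{length}.hcmask")
        print(f"masks_{length}.hcmask: {len(masks)} masks, "
              f"keyspace {total_keyspace(masks):,}")
```

The saving over a plain `?a?a?a?a?a?a?a?a` brute force is only the candidates that violate the assumed policy (no digit, no special, and so on); if the target generator does not actually enforce such a policy, the full `?a` mask is the safer choice. Check the generator's documented rules before trusting a constrained mask set.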

SeeYouCM-Thief: Exploiting common misconfigurations in Cisco phone systems

Intro: I spent my early IT career working for a Cisco partner that specialized in Cisco phone systems. My work wasn’t directly with the phone systems, but it was usually in an adjacent field like route/switch and security. I did, however, get to see my share of networks that used Cisco phone systems. Today,…

The post SeeYouCM-Thief: Exploiting common misconfigurations in Cisco phone systems appeared first on TrustedSec.

Persistence Through Service Workers-Part 3: Easy JavaScript Payload Deployment

In “Persistence Through Service Workers—PART 2: C2 Setup and Use,” we demonstrated setting up the Shadow Workers C2 server and how to add both the service worker JavaScript and what Shadow Workers calls the “XSS Payload” JavaScript to the target application. In the example, we didn’t load the “XSS Payload” through a cross-site scripting vulnerability…

The post Persistence Through Service Workers-Part 3: Easy JavaScript Payload Deployment appeared first on TrustedSec.

Creating a Malicious Azure AD OAuth2 Application

THIS POST WAS WRITTEN BY @NYXGEEK I decided to write this blog because I’ve seen a lot of articles mentioning that attackers will use a malicious OAuth web app with Azure AD, but I hadn’t actually seen much in the way of good examples of doing so. I’m sure I will find a dozen fantastic examples…

The post Creating a Malicious Azure AD OAuth2 Application appeared first on TrustedSec.

Persistence Through Service Workers—Part 2: C2 Setup and Use

In Part 1 of this 2-part blog, we provided an overview of service workers and created an appropriate target application to exploit using Shadow Workers. In this blog post we’ll build our C2 server in Digital Ocean and use Shadow Workers to exploit the target application. It is highly recommended to read Part 1 prior…

The post Persistence Through Service Workers—Part 2: C2 Setup and Use appeared first on TrustedSec.

Persistence Through Service Workers—Part 1: Introduction and Target Application Setup

During a recent discussion about achieving persistence on a web server, someone suggested that I explore using browser service workers. As I began reading about what service workers do, the possibilities for Red Team applications seemed intriguing. But first, I had to find out…what exactly is a service worker? In their efforts to make web…

The post Persistence Through Service Workers—Part 1: Introduction and Target Application Setup appeared first on TrustedSec.

Obsidian, Taming a Collective Consciousness

The Problem: On August 05, 2021, a member of the Conti ransomware group leaked some of the group’s internal playbooks and technical documentation. Irrespective of any details surrounding the leak or its contents, the event itself prompted a more widespread examination of how teams maintain their operational playbooks and documentation. A tweet by Mubix came…

The post Obsidian, Taming a Collective Consciousness appeared first on TrustedSec.

Oh, Behave! Figuring Out User Behavior

One topic that has always been of interest to me is how users actually use their computers. While TrustedSec does have the ability to understand a system when we encounter it, there are still mysteries around normal user behavior. Understanding user behavior becomes even more important when attempting to defeat the next generation of EDRs that…

The post Oh, Behave! Figuring Out User Behavior appeared first on TrustedSec.

Simple Data Exfiltration Through XSS

During a recent engagement, I found a cross-site scripting (XSS) vulnerability in a legal document management application and created a quick and dirty document exfiltration payload. Unfortunately, this discovery and coding happened on the final day of the engagement (*cough* reporting bonus hacking day), and I didn’t have a chance to actually put the exfiltrated…

The post Simple Data Exfiltration Through XSS appeared first on TrustedSec.
