PowerShell Obfuscation Ups the Ante on Antivirus

The development fits a trend that sees threat actors turning to well-known, commodity malware, overcoming its easy detection with ever-better obfuscation methods.

Link: https://threatpost.com/powershell-obfuscation-ups-the-ante-on-antivirus/137403/

iBombShell: A Dynamic Post-Exploitation Remote Shell

PenTestIT RSS Feed
Consider that you have a shell on a system and your other post-exploitation tooling does not work because it is being caught by a security solution on the system. Worry not, as we now have iBombShell, a dynamic remote shell that can be run on any system that supports PowerShell. The reason this is called dynamic…
Read more about iBombShell: A Dynamic Post-Exploitation Remote Shell
The post iBombShell: A Dynamic Post-Exploitation Remote Shell appeared first on PenTestIT.

Link: http://pentestit.com/ibombshell-dynamic-post-exploitation-remote-shell/

Leaked? – A Checking Tool For Hash Codes And Passwords Leaked

Leaked? is a checking tool for leaked hash codes and passwords; it uses the API from @webtobesocial. Leaked? can run on any OS that supports Python 3.

Features
- Check leaked passwords
- Check leaked hash codes
- Exit
- About Author

Install and Run in Linux
sudo apt update && sudo apt install python3 python3-pip
git clone https://github.com/GitHackTools/Leaked
cd Leaked
pip3 install requests
python3 leaked.py

Install and Run in Windows
Download and run the Python 3 setup file from Python.org. In the Python 3 installer, enable "Add Python 3.7 to PATH" and "For all users". Download and run the Git setup file from Git-scm.com and choose "Use Git from Windows Command Prompt". After that, run Command Prompt or PowerShell and enter these commands:
git clone https://github.com/GitHackTools/Leaked
cd Leaked
pip install requests
python leaked.py

Update Leaked?: git pull -f

Notes
Leaked? uses the API from lea.kz by @webtobesocial. Follow his Twitter account!

Screenshots

Contact the Author
Website: GitHackTools.blogspot.com
Twitter: @SecureGF
Facebook: @GitHackTools
Google Plus: +TVT618

Download Leaked?

Link: http://feedproxy.google.com/~r/PentestTools/~3/GCUfckClIqk/leaked-checking-tool-for-hash-codes-and.html

A Quick Look Into the Oracle WebLogic Attacks

For a while these attacks contained code that pointed to a webserver that was down. It seems they changed servers and everything is up and running again. The POST shows the PowerShell script inside the SOAP envelope. Extracting and then base64-decoding the script …

Link: http://www.kahusecurity.com/2018/05/a-quick-look-into-the-oracle-weblogic-attacks/

Remote Desktop Caching – Tool To Recover Old RDP (mstsc) Session Information In The Form Of Broken PNG Files

This tool allows one to recover old RDP (mstsc) session information in the form of broken PNG files. These PNG files allow a Red Team member to extract juicy information such as LAPS passwords or any sensitive information that was on the screen. A Blue Team member can reconstruct the PNG files to see what an attacker did on a compromised host. It is extremely useful for a forensics team to extract timestamps after an attack on a host, collect evidence and perform further analysis.

Screenshots
On the first run of Remote-Desktop-Caching using python.exe remotecache.py, the user gets the options below:
- Option 1 and Option 2: show the current session execution policy and set it to Bypass, which is needed to execute the rdpcache.ps1 PowerShell script.
- Option 3: list the cached binary files that will be used to reconstruct the PNG files.
- Option 4: start analyzing the cache files and the reconstruction process. This option creates a folder on the user's C drive named Recovered_RDP_Sessions.

Sensitive information is recovered from these binary files in the form of broken PNG images. The author managed to recover a LAPS password, an attacker IP address and malicious file names. It also reveals some crucial information about attacker activities on a compromised host. For a forensics team, a timestamp is revealed in most of these recovered images.

How do I use this?
- git clone https://github.com/Viralmaniar/Remote-Desktop-Caching-.git
- python.exe remotecache.py

Questions?
Twitter: https://twitter.com/maniarviral
LinkedIn: https://au.linkedin.com/in/viralmaniar

Download Remote-Desktop-Caching

Link: http://feedproxy.google.com/~r/PentestTools/~3/VmAcD0fasMY/remote-desktop-caching-tool-to-recover.html

Win-PortFwd – Powershell Script To Setup Windows Port Forwarding Using Native Netsh Client

PowerShell script to set up Windows port forwarding using the native netsh client.

Install:
git clone https://github.com/deepzec/Win-PortFwd.git

Usage:
.\win-portfwd.ps1
or
powershell.exe -noprofile -executionpolicy bypass -file .\win-portfwd.ps1

Note: This script requires admin privileges to run; it will automatically try to elevate its privileges if you run it under normal user privileges.

Download Win-PortFwd

Link: http://feedproxy.google.com/~r/PentestTools/~3/SoNwYOjrkQE/win-portfwd-powershell-script-to-setup.html

Venmo, Oracle, & Linux – Application Security Weekly #25

Venmo caught publishing all transactions publicly, Oracle releases critical patches, Microsoft releases PowerShell Core for Linux, Health insurers are vacuuming up details about you, changing your screen to Grayscale can help fight phone addiction, when to ‘purchase’ a solution to your cybersecurity problem, & more on this episode of Application Security Weekly! Bugs, Breaches, and […]
The post Venmo, Oracle, & Linux – Application Security Weekly #25 appeared first on Security Weekly.

Link: http://feedproxy.google.com/~r/securityweekly/Lviv/~3/Hj0R0MfkEGo/

sRDI – Shellcode Implementation Of Reflective DLL Injection

sRDI allows for the conversion of DLL files to position-independent shellcode. Functionality is accomplished via two components:
- A C project which compiles a PE loader implementation (RDI) to shellcode
- Conversion code which attaches the DLL, RDI, and user data together with a bootstrap

This project is comprised of the following elements:
- ShellcodeRDI: Compiles shellcode for the DLL loader
- NativeLoader: Converts DLL to shellcode if necessary, then injects into memory
- DotNetLoader: C# implementation of NativeLoader
- Python\ConvertToShellcode.py: Convert DLL to shellcode in place
- Python\EncodeBlobs.py: Encodes compiled sRDI blobs for static embedding
- PowerShell\ConvertTo-Shellcode.ps1: Convert DLL to shellcode in place
- FunctionTest: Imports the sRDI C function for debug testing
- TestDLL: Example DLL that includes two exported functions, one called on load and one after

The DLL does not need to be compiled with RDI; however, the technique is cross-compatible.

Use Cases / Examples
Before use, it is recommended that you become familiar with Reflective DLL Injection and its purpose.

Convert DLL to shellcode using Python:
from ShellcodeRDI import *
dll = open("TestDLL_x86.dll", 'rb').read()
shellcode = ConvertToShellcode(dll)

Load DLL into memory using the C# loader:
DotNetLoader.exe TestDLL_x64.dll

Convert DLL with the Python script and load with the native EXE:
python ConvertToShellcode.py TestDLL_x64.dll
NativeLoader.exe TestDLL_x64.bin

Convert DLL with PowerShell and load with Invoke-Shellcode:
Import-Module .\Invoke-Shellcode.ps1
Import-Module .\ConvertTo-Shellcode.ps1
Invoke-Shellcode -Shellcode (ConvertTo-Shellcode -File TestDLL_x64.dll)

Stealth Considerations
There are many ways to detect memory injection. The loader function implements two stealth improvements on traditional RDI:
- Proper Permissions: When relocating sections, memory permissions are set based on the section characteristics rather than a massive RWX blob.
- PE Header Cleaning (Optional): The DOS Header and DOS Stub for the target DLL are completely wiped with null bytes on load (except for e_lfanew). This can be toggled with 0x1 in the flags argument for C/C#, or via command-line args in Python/PowerShell.

Building
This project is built using Visual Studio 2015 (v140) and Windows SDK 8.1. The Python script is written using Python 3.

The Python and PowerShell scripts are located at:
Python\ConvertToShellcode.py
PowerShell\ConvertTo-Shellcode.ps1

After building the project, the other binaries will be located at:
bin\NativeLoader.exe
bin\DotNetLoader.exe
bin\TestDLL_.dll
bin\ShellcodeRDI_.bin

Download sRDI

Link: http://feedproxy.google.com/~r/PentestTools/~3/L7k0Is7EfEY/srdi-shellcode-implementation-of.html

Venmo, Oracle, & Linux – Application Security Weekly #25

Venmo caught publishing all transactions publicly, Oracle releases critical patches, Microsoft releases PowerShell Core for Linux, Health insurers are vacuuming up details about you, changing your screen to Grayscale can help fight phone addiction, when to ‘purchase’ a solution to your cybersecurity problem, & more on this episode of Application Security Weekly! Bugs, Breaches, and […]
The post Venmo, Oracle, & Linux – Application Security Weekly #25 appeared first on Security Weekly.

Link: http://feedproxy.google.com/~r/securityweekly/Lviv/~3/MA6OLXd0dO4/