Yet another Slowloris implementation as a tiny script. Maybe a rewrite in Go could be interesting in the near future.
Invincibility lies in the defence; the possibility of victory in the attack - Sun Tzu
AWS Connection Tracking
Let’s have some fun with AWS Security Groups and a feature which could also be a bug. Source: Official AWS SG Connection Tracking Documentation
OpenShift - Golden Snitch
Ever wondered who is eating your headers, requests or responses, or even thought about snitching an application? With this tiny tool you can simply achieve this.
AWS Guard-OffDuty
Let’s assume that we have found and successfully validated some AWS credentials during an engagement. Then it might be a good idea to modify the threat detection services like GuardDuty to reduce the likelihood of triggering an alert. Therefore we need to modify the GuardDuty configuration to stay cloaked. Deleting or modifying key attributes of GuardDuty might have a less likely chance to raise alerts. The actions we can do depend on the compromised permissions available. The GuardDuty architecture and the presence of higher level controls like Service Control Policies can give us options.
Pennywise EDR evasion
Wanna have a balloon? This tiny script helps to hide your payload (like Mimikatz.exe) by inflating the binary like a red balloon. Most EDR tools only transfer the first 25 MB to the server, so why not fill up the payload with some garbage and play some mind tricks? This change of the file size keeps the binary as it is but busts the file size. Time to get evil …
SSHBruteForcer
Tiny and simple SSH brute force tool written in Python3 that can return a meterpreter reverse shell. Edit the source code below for your hostname, username, password, and MSF reverse shell details. There is also functionality to automatically download /etc/passwd and /etc/shadow from the host. This, as you might have already figured out, only works if the host has enough access.
Crafting a HorriblePDF
Transform a normal PDF file into a malicious one and steal Net-NTLM hashes from crappy Windows machines. This vulnerability should be fixed but it’s still nice to remember it.
C2 - Puppet Master
Tighten the strings and have some fun with your puppets. This Docker image is built on top of a minimal base install of the latest version of the Kali Linux Rolling Distribution and enriched with additional capabilities to transform it into a C2 server to aid during pentesting engagements, CTFs or for other sakes. The baseline was described by me in my Pensieve before.
Benji's reverse shell cheat sheet
Yes we Scan
Want to perform an Nmap scan and have a tiny automated workflow around it? The GitHub Action uses vulnersCom/nmap-vulners as a vulnerability scanner and gets fed by adding the targets into scan.txt, so multiple targets can be scanned with only one change.
Kerberos Attack Cheatsheet
A cheatsheet with commands that can be used to perform Kerberos attacks.
Boxed Kali
This tool focuses on a dockerized version of Kali that can be accessed over noVNC in your browser. The main benefit of this approach is the additional isolation provided by containerization. Personally I use this container to perform analysis of potentially malicious files and penetration tests within the AWS Cloud and Active Directory.
DLL Proxying for Persistence - A Stealthy Technique
Unlocking a loophole in Windows’ DLL search order by using DLL Proxying to stealthily intercept and redirect calls to forge persistence without raising suspicion. Exploiting this, you as an attacker can nest malicious content within seemingly innocent DLLs. This tutorial shows you in depth how things work.
Offensive PowerShell
Tiny collection of the offensive side of PowerShell. Some parts of this collection can also be used for Blue Team duties.
HID Attack - Crafting a cheap Evil USB Stick
HID attacks use USB devices that are programmed with malicious software. During this attack the malicious USB stick emulates a keyboard to send harmful keystrokes to a target machine. This article explores the creation of such a USB stick.
ProcMon - A Red Teamer's Arsenal for Process Monitoring and Evasion
As Red Teamers, staying ahead of the game involves mastering the art of process monitoring and evasion. The ability to navigate through the intricacies of defender tools and EDR (Endpoint Detection and Response) processes is crucial for executing successful operations. In this blog post, we introduce ProcMon, a Python utility tailored for Red Teamers that not only monitors processes but also provides insights into defender tools and EDR activities.
Keylogger with sneaky features
This Python script is an example of a keylogger, a type of surveillance technology used to monitor and record each keystroke typed on a specific computer’s keyboard. This script was created to satisfy my curiosity about the possibilities of a keylogger in fewer lines of Python code. To get the maximum out of it, it helps to create a binary out of the code using pyinstaller.
Code Obfuscation in Python to cloak scripts
There are a number of code obfuscation tools for Python that you can use to protect your code from being reverse-engineered by a defender or accessed by EDR/AV.
Breaking ETW (Event Tracing for Windows) and EDR
As described in my blog post for defenders, Windows ETW (Event Tracing for Windows): ETW is a crucial system component for EDR/XDR to identify malicious behavior on Windows. Since this post goes into depth, I recommend reading that post first before you go down the rabbit hole in this one.
Short journey and exploitation of RTLO
Right-to-Left Override (RTLO) attacks exploit users’ trust in text files by disguising malicious executables with innocuous .txt extensions. By leveraging invisible Unicode characters to alter file names, attackers deceive users into executing harmful code unknowingly. These attacks often bypass email security measures, making them a potent tool for cyber criminals aiming to deliver malware payloads via phishing tactics.