Invincibility lies in the defence; the possibility of victory in the attack - Sun Tzu



OpenShift - Golden Snitch

Ever wondered who is eating your headers, requests or responses, or even thought about snitching an application? With this tiny tool you can simply achieve this.

Read More

AWS Guard-OffDuty

Let’s assume that we have found and successfully validated some AWS credentials during an engagement. Then it might be a good idea to modify threat detection services like GuardDuty to reduce the likelihood of triggering an alert. Therefore we need to modify the GuardDuty configuration to stay cloaked. Deleting or modifying key attributes of GuardDuty is less likely to raise alerts. The actions we can take depend on the permissions of the compromised credentials. The GuardDuty architecture and the presence of higher-level controls like Service Control Policies determine which options we have.

Read More

Pennywise EDR evasion



Wanna have a balloon? This tiny script helps to hide your payload (like Mimikatz.exe) by inflating the binary like a red balloon. Most EDR tools only transfer the first 25 MB to the server, so why not fill up the payload with some garbage and play some mind tricks? This change keeps the binary as it is but busts the file size. Time to get evil …

Read More

SSHBruteForcer

Tiny and simple SSH brute force tool written in Python3 that can return a meterpreter reverse shell. Edit the source code below for your hostname, username, password, and MSF reverse shell details. There is also functionality to automatically download /etc/passwd and /etc/shadow from the host. This, as you might have already figured out, only works if you have sufficient access on the host.

Read More

Crafting a HorriblePDF

Transform a normal PDF file into a malicious one and steal Net-NTLM hashes from crappy Windows machines. This vulnerability should be fixed by now, but it’s still nice to remember it.

Read More

C2 - Puppet Master

Tighten the strings and have some fun with your puppets. This Docker image is built on top of a minimal base install of the latest version of the Kali Linux Rolling Distribution and enriched with additional capabilities to transform it into a C2 server to aid during pentesting engagements, CTFs or for other purposes. I described the baseline in my Pensieve before.

Read More

Boxed Kali

This tool focuses on a dockerized version of Kali that can be accessed over noVNC in your browser. The main benefit of this approach is the additional isolation that containerization provides. Personally I use this container to perform analysis of potentially malicious files and penetration tests within the AWS Cloud and Active Directory.

Read More

DLL Proxying for Persistence - A Stealthy Technique

This post unlocks a loophole in Windows’ DLL search order by using DLL Proxying to stealthily intercept and redirect calls, forging persistence without raising suspicion. Exploiting this, you as an attacker can nest malicious content within seemingly innocent DLLs. This tutorial shows you in depth how it works.

Read More

Offensive PowerShell

Tiny collection of the offensive side of PowerShell. Some parts of this collection can also be used for Blue Team duties.

Read More

HID Attack - Crafting a cheap Evil USB Stick

HID attacks use USB devices that are programmed with malicious software. During this attack the malicious USB stick emulates a keyboard to send harmful keystrokes to a target machine. This article explores the creation of such a USB stick.

Read More

ProcMon - A Red Teamer's Arsenal for Process Monitoring and Evasion

As Red Teamers, staying ahead of the game involves mastering the art of process monitoring and evasion. The ability to navigate through the intricacies of defender tools and EDR (Endpoint Detection and Response) processes is crucial for executing successful operations. In this blog post, we introduce ProcMon, a Python utility tailored for Red Teamers that not only monitors processes but also provides insights into defender tools and EDR activities.

Read More

Keylogger with sneaky features

This Python script is an example of a keylogger, a type of surveillance technology used to monitor and record each keystroke typed on a specific computer’s keyboard. This script was created to satisfy my curiosity about the possibilities of a keylogger in fewer lines of Python code. To get the most out of it, it helps to build a binary from the code using pyinstaller.

Read More

Short journey and exploitation of RTLO

Right-to-Left Override (RTLO) attacks exploit users’ trust in text files by disguising malicious executables with innocuous .txt extensions. By leveraging invisible Unicode characters to alter file names, attackers deceive users into unknowingly executing harmful code. These attacks often bypass email security measures, making them a potent tool for cybercriminals aiming to deliver malware payloads via phishing tactics.

Read More

Sliver Cheat Sheet

Sliver, an open-source cross-platform adversary emulation and red team framework, enables organizations of all sizes to conduct security testing. Sliver implants support various communication channels, including Mutual TLS (mTLS), WireGuard, HTTP(S), and DNS. These implants are dynamically compiled and possess unique X.509 certificates signed by a per-instance certificate authority generated upon initial binary execution. Both Sliver server and client applications run on macOS, Windows, and Linux. Implant compatibility extends to these same operating systems.

Read More

Offensive Windows API

Compilation of the main Windows APIs for use in pentest, Red Team operations and malware analysis. These APIs and snippets mainly stem from some investigations and learnings, mostly related to casual “malware combos”. The code is meant for educational purposes only and forms a baseline for further study of the Windows API.

Read More

Detecting and Exploiting App Vulnerabilities with DYLIB Injection

A short intro into DYLIB injection, a technique that attackers can use to compromise macOS applications. The presented script tries in an automated way to find vulnerable apps and, if possible, exploit them via dylib injection. The script itself is not entirely hardened against errors and will very likely be busted by EDR solutions, given the nature of this script. Also, this is meant to be used for educational purposes only.

Read More

Anti Debugging

The techniques described below are intended to detect whether a debugger is present, based on how debuggers behave when the CPU executes a certain instruction. The main focus here lies on Windows, but most of the techniques can easily be adopted for *nix based operating systems. Most of the techniques here also require some additional obfuscation and hardening in order to decrease the likelihood of being quickly reversed by a forensic analyst.

Read More

Understanding and Attacking EDRs

In this article you can learn how malware detection works in the traditional approach used by antivirus software. Next I will guide you through the functionality of modern EDR software solutions and perform a deep dive into how EDR hooks work before we start looking for ways to attack an EDR solution based on a threat model.

Read More

Pivoting and Tunneling guide

This guide, based on techniques learned from SANS SEC565, covers key tunneling and proxying methods for penetration testing. It includes SSH port forwarding, Double Pivoting, SSHuttle VPN-like tunnels, Chisel and ligolo-ng for fast TCP/UDP tunneling, and BurpSuite’s proxy setup. Each tool is explained with practical examples to efficiently forward and manipulate traffic through secure tunnels.

Read More