Posts

Hash Spraying Attack

Hello folks, a couple of weeks ago I put together a Medium story about the Hash Spraying Attack. Enjoy it!

Microsoft Office 365 user enumeration and Burp Suite: a how-to guide

Hello folks, I've put together a quick how-to guide on performing user enumeration on Microsoft Office 365. Enjoy it here!

Google Cloud Security - Enumeration using curl

Hello folks, it has been a while since my last post. Recently the GitLab Red Team published pretty comprehensive material about privilege escalation and post-exploitation tactics on the Google Cloud Platform (GCP). I've made a fork of their enumeration tool and added a few enumerations to it. Aside from that, I've also created a second enumeration tool which is totally independent of the Google Cloud SDK being installed on the target machine, requiring only curl. Check it out here!

MS17-010 executable exploit for local/remote privilege escalation

Hi there, a few months ago I modified a version of Worawit Wang's zzz_exploit (GitHub) for MS17-010. The new version implements a few options such as username/password specification and an arbitrary command to be executed. It does not change anything related to the SMB exploitation. This is a bundle with an executable and dependencies and DOES NOT require any Python installation. This is very suitable for scenarios where one has low-privilege access to a vulnerable Windows host but does not have any Python available nor Metasploit for proper exploitation. I hope you enjoy it. Here it goes: MS17-010 exploit.

Various SSRF conditions on KeyCDN tools

Hi there, it is common to find websites/tools on the internet which perform speed tests, load third-party images, load external JavaScript files, etc. to be vulnerable to Server Side Request Forgery. I've found a couple of them and reported them, but some of them did not take it seriously. I recently ran into the KeyCDN tools website, a site owned and operated by KeyCDN, a CDN company reported to be one of the best solutions according to TechRadar. After looking at some functionalities presented on the website I've found a few SSRF conditions. Here it goes:
1) Using the Trace Route utility to discover some internal IP addresses. When I used the Trace Route functionality there was an internal IP address 10.0.10.1 (which seems to be no longer there) belonging to the Frankfurt POP.
2) Using the Ping utility to confirm the above finding (and maybe brute force some hosts?). I will discuss the FQDN you are seeing there soon!
3) Using the Performance Test utility

Make-HtDigest - a tool to audit password files for WildFly / JBOSS / Apache

Hi there, I've created a tool called Make-HtDigest which is able to generate username + password combinations based on a word list for HTTP Digest Authentication. This can be used to compare its output with real password files such as mgmt-users.properties from WildFly and .digest_pw from Apache. I hope it is useful and you enjoy it.