Discover and read the best of Twitter Threads about #PenTest

Most recents (20)

10 types of web vulnerabilities that are often missed

🐞 HTTP/2 Smuggling
🐛 XXE via Office Open XML Parsers
🐜 SSRF via XSS in PDF Generators
🕷 XSS via SVG Files
🦟 Blind XSS

#bugbounty #pentest #hacking

Thread 🧵👇

labs.detectify.com/2021/09/30/10-…
10 types of web vulnerabilities that are often missed

🪲 Web Cache Deception
🪳 Web Cache Poisoning
🐞 h2c Smuggling
🐛 Second Order Subdomain Takeovers
🕷 postMessage bugs

#cybersec #infosec #bugs

🧵 2/3
This @Detectify blog was created through #HackerContent! 📖✍️

If you’re interested in getting some #cybersecurity-focused content or social media management for your organization, DM us, or check hackercontent.com!

#blogs #cyberseccontent #content

🧵 3/3
Read 3 tweets
1️⃣ Professor Messer’s CompTIA N10-008 Network+ Course

🔗 professormesser.com/network-plus/n…
2️⃣ TCM Security Network Pentesting Course

🔗
Read 5 tweets
Bypass Linux Shell Restrictions { v1 }
#bugbounty #Infosec #pentest

Look the thread 🧵Below :👇
🏹Common Limitations Bypasses
#bugbounty #infosec

• Reverse Shell : 👇

• Short Rev shell : 👇
• Bypass Paths and forbidden words :🖼👇

• Bypass forbidden spaces : 🖼👇

• Bypass backslash and slash :🖼👇

• Bypass pipes : ↙

bash<<<$(base64 -d<<<Y2F0IC9ldGMvcGFzc3dkIHwgZ3JlcCAzMw==)
Read 3 tweets
🧵 (1/x) I know you love #pentest stories, so here’s one of those ⬇️

There’s a non-DC computer (Victim) that is a member of the Exchange Trusted Subsytem group and has DCSync privs. The WebClient is ON but the MAQ=0 and domain functional level is 2012 R2 which prevents us ⤵️
(2/x) from abusing Key Credentials. Relaying to AD CS HTTP is not possible either. Here’s when I decided to go for SPN-less RBCD (credits to @tiraniddo) on a prod domain 🤦🏻‍♂️

But first let’s add a DNS record pointing to the attacker’s machine to coerce Victim over WebDav ⤵️
(3/x) Now it’s all ready to go: Printer Bug + ntlmrelayx[.]py and we’re escalating a low privilege user (j.doe) to be trusted for delegation by Victim ⤵️
Read 9 tweets
Here's a list of free #PenetrationTesting and #RedTeam Labs you may set up in your own home to enhance your #hacking abilities :
1) Red Team Attack Lab
A simulated setting where red teams can practice exploiting #vulnerabilities in various operating systems.
lnkd.in/ernefQv8
2) Capsulecorp Pentest
#Capsulecorp is a lightweight virtual infrastructure operated using Vagrant and Ansible. One #Linux attacking system running #Xubuntu is included, along with four #Windows 2019 servers hosting a variety of #exploitable services.

lnkd.in/eYfGmNBe
Read 10 tweets
🧵Some tricks lead to Admin takeover🧵

While scanning some internal IPs I found that someone gives me 403 with a message :
"You can't access https://IP/"

So I passed the request to the proxy and changed the host header to:

Host: localhost

1/5 🧵

#bugbountytips #bugbounty
And an admin login panel appeared XDD

So I tried some of the default creds, but I got an error, so I analyzed the request and figured out that the Origin and Referer headers were set to the IP, so I changed them to localhost too, and forwarded the request

2/5 🧵
Then Finally, I got an error about the wrong username or password, so I started to test some default creds,
but I got nothing, then I discovered that there's no rate limit, so it's brute-force time, but brute-forcing with all usernames and passwords is such a mess

3/5 🧵
Read 5 tweets
🧶 (1/) Reproducing Masky Thread

So it’s a relaxing Friday evening to play with the new awesome #Masky tool by @_ZakSec. I’ll show you here how to reproduce its behavior with #CrackMapExec, #Impacket, #Sliver, #Certify and #Certipy.

Let’s go! ⤵️

#pentest #adcs
🧶 (2/) First things first, I shall enumerate AD CS environment with #CrackMapExec and qwinsta the Victim machine via newly introduced tstool[.]py from #Impacket (thx @nopernik!). For the purpose of this demo I’ll use a DA account to interact with the Victim but any LA will do 👨🏻‍💻
🧶 (3/) I shall now prepare my team server and generate an encrypted Sliver beacon to use it with DInjector 💉
Read 7 tweets
#Penetrationstests sind ein wichtiger Bestandteil eines #ISMS und helfen ein tiefgreifendes Verständnis des Sicherheitsniveaus der eigenen IT-Systeme zu erlangen.

lutrasecurity.com/services/penet…

Was ist das? Ein 🧵
Ein Penetrationstest (oder kurz #Pentest), beschreibt die Untersuchung eines oder mehrerer Assets, zum Beispiel einer Webanwendung oder einem ganzen Netzwerk. Dabei werden Schwachstellen gesucht und ausgenutzt, um möglichst tief in das betrachtete System einzudringen.

2/
Dies gibt einem Unternehmen nicht nur einen Überblick über die vorhandenen Schwachstellen, sondern auch eine Einschätzung, wie tief ein Angreifer in das System eindringen kann.

3/
Read 16 tweets
[#HackStory 🧵] (1/4) Here’s a generic case of reaching a locked-down PC from a firewalled segment in AD. The background is: 172.16.66.6 (the target) can talk to 192.168.1.11 (a PWNed server) but not vice versa and to no one else in the foreseeable network 👀

#ad #pentest
(2/4) Being a DA an adversary can create an evil GPO that will coerce Immediate Scheduled Task execution on the target. The task downloads and executes a PS cradle pointing to the PWNed server. Sure, there’re fancy (py|Sharp)GPOAbuse, etc… But when it’s a pentest, who cares 😒
(3/4) Meanwhile, some v4tov4 port proxies are configured on the pivot point by the adversary via netsh 😈
Read 5 tweets
🧵 How a misconfig let anyone view PII of Covid-19 patients and modify data related to Covid-19 sero survey (Of Haryana)

So, the Govt Of Haryana has 2 state projects under the @_DigitalIndia programme called :
1. Covid Sample Report Portal
2. Covid-19 Sero Survey Portal

(1/13)
According to official docs, the first portal is used to store COVID-19 testing details uploaded by all COVID-19 laboratories (public or private) for effective monitoring directly by @cmohry

Source : negd.gov.in/sites/default/…

(2/13)
#infosec #bugbounty #hacking
And the second portal is used to estimate and monitor the trends of sero-prevalence of SARS-CoV infection in the general population and high burden cities of Haryana.

Source : negd.gov.in/sites/default/…

(3/13)
#infosec #bugbounty #hacking
Read 14 tweets
Today I am starting to collect a list of Twitter accounts of Linux distribution creators for #osint, #hacking, #pentest, #cybersecurity.

In this thread🧵 I will tell you which project is behind each of the accounts on the list.

🧵🧵🧵⤵️⤵️⤵️
@muts Mati Aharoni
@dookie2000ca Devon Kearns

Kali Linux (@kalilinux )

#osint #cybersecurity Linux distribution creators🧵🧵⤵️⤵️⤴️
@comrumino James Stronz
@Cthulu201 Michael Henze

Arch Linux @ArchStrike

#osint #cybersecurity Linux distribution creators🧵🧵⤵️⤵️⤴️
Read 14 tweets
[#thread 🧵] For this third day of #CyberAdvent (3/24), I'll tell you a story. The story of how I gained root access to a server by leveraging a really fun feature in a web application. This #pentest #writeup will explain the complete process from recon to root. 🦋
[#thread 🧵(2/9)] In the recon phase of my pentest, as usual I was performing a port scan. In the output from nmap, I saw an uncommon port 86 with an HTTP server running "Micro Focus DSD 1.0.0":
[#thread 🧵(3/9)] When going on the page from a browser, surprise 🥳🎉 we have an unauthenticated access! This is cool, but I never saw this app before so I didn't know whether we could exploit it simply or not!
Read 11 tweets
Android Webview:
Android WebView is a system component powered by Chrome that allows Android apps to display web content.
There are many apps out there that are simply wrappers around web pages, or web content stored in the app.
Android Webview debugging:
In Android WebViews have a debugging feature, that allows you to use the ADB remote debugging extension for chrome to debug the contents of the WebView.
Read 13 tweets
Today I started compiling a list of twitter accounts of online media who write articles on #hacking, #cybersecurity, #pentest, #forensics, #osint etc

twitter.com/i/lists/144346…

In this thread🧵 I will tell you what project is behind each account on this list
@PenTestMag The online magazine devoted to penetration testing and IT security assessment pentestmag.com
@thehackersnews The most trusted, widely read, independent source for breaking news and tech coverage on #cybersecurity, #infosec, #hacking. thehackernews.com
@magcybersec Cybersecurity for everyone cybersecurity-magazine.com

@CyberSecurityM8 Source for cyber security news all around the globe cybersecuritymagazine.com
Read 15 tweets
#learn365 Day-29: Common Business Logic Issues (Part - 2)

(cont'd...)
5. Premium Feature Abuse
- Try forcefully browsing the areas or some particular endpoints which come under premium accounts.

#bugbountytips #AppSec #infosec #pentest

(1/n)
(2/n)
- Pay for a premium feature and cancel your subscription. If you get a refund but the feature is still usable, it's a monetary impact issue.
- Some applications use true-false request/response values to validate if a user is having access to premium features or not.
(3/n)
- Try using Burp's Match & Replace to see if you can replace these values whenever you browse the app & access the premium features.
- Always check cookies or local storage to see if any variable is checking if the user should have access to premium features or not.
Read 8 tweets
How many of you will agree that @PortSwigger @PortSwiggerRes @burpsuite is the best #Web #AppSec #bugbounty Tool available on the internet?

This thread includes some of the best Burp Extensions, which I personally love.

#pentest #security #infosec #bugbounty
Turbo Intruder

Turbo Intruder is a Burp Suite extension for sending large numbers of HTTP requests and analyzing the results.
portswigger.net/bappstore/9aba…

#pentest #security #infosec #bugbounty
Retire.js
This extension integrates Burp with the Retire.js repository to find vulnerable JavaScript libraries.
portswigger.net/bappstore/3623…

#pentest #security #infosec #bugbounty
Read 20 tweets
I have seen a lot of #pentesters struggle with tunneling and port-forwarding concepts. All #hackers should definitely understand these concepts for successful tests.

This thread is dedicated to Tunneling/PortForwarding tricks.

#infosec #pentest #tunneling #security #bugbounty
Local Port2Port

Open new Port in SSH Server --> Other port

ssh -R 0.0.0.0:10521:127.0.0.1:1521 user@10.0.0.1 #Local port 1521 accessible in port 10521 from everywhere

ssh -R 0.0.0.0:10521:10.0.0.1:1521 user@10.0.0.1 #Remote port 1521 accessible in port 10521 from everywhere
Port2hostnet (proxychains)

Local Port --> Compromised host(SSH) --> Wherever

ssh -f -N -D <attacker_port> <username>@<ip_compromised>

#pentest #security #infosec #bugbounty
Read 13 tweets
Self promotion time - if you are testing a payment system or a shop, check the whitepaper that I had written and updated last year: nccgroup.trust/globalassets/o… 💰💰💰 #bugbountytip #pentest #Financial
I should also add this; when I joined @MDSecLabs , they had some of these as part of their web app training already because of the great work of Marcus Pinto!
Read 3 tweets
HTB: Kryptos.pdf
github.com/blaCCkHatHacEE…
HTB: Helpline.pdf
github.com/blaCCkHatHacEE…
HTB: Unattended.pdf
github.com/blaCCkHatHacEE…
HTB_ Hackback.pdf
github.com/blaCCkHatHacEE…
Keep Calm and Hack The Box - Devel.pdf
github.com/blaCCkHatHacEE…
#Hacking #BugBountytips
Hack The Box Write-up - Access.pdf
github.com/blaCCkHatHacEE…
Hack The Box Write-up - Active.pdf
github.com/blaCCkHatHacEE…
Hack The Box Write-up - Carrier.pdf
github.com/blaCCkHatHacEE…
Hack The Box Write-up - DevOops.pdf
github.com/blaCCkHatHacEE…
#BugBounty
Read 7 tweets

Related hashtags

Did Thread Reader help you today?

Support us! We are indie developers!


This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3.00/month or $30.00/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!