If you are wondering where the data of this site comes from, please visit https://api.github.com/users/rmusser01/events. GitMemory does not store any data, but only uses NGINX to cache data for a period of time. The idea behind GitMemory is simply to give users a better reading experience.
Robert rmusser01 Someplace Someplace rmusser.net/docs Contact Me: contact@rmusser.net

ExploitHackathon/DCXX-Awesome 2

DCXX - Team Awesome

rmusser01/404 1

404 File not found C2 PoC

rmusser01/4K-Botnet 1

A simple and easy to use JS Botnet

rmusser01/ActiveReign 1

A Network Enumeration and Attack Toolset

rmusser01/alerting-detection-strategy-framework 1

A framework for developing alerting and detection strategies for incident response.

rmusser01/AllTheThings 1

Copy of Subtee's Repository That's Taken Down

rmusser01/android_notes 1

Wiki pages about Android internals

rmusser01/assessment-mindset 1

Security Mindmap that could be useful for the infosec community when doing pentest, bug bounty or red-team assessments.

rmusser01/awesome-cve-poc 1

✍️ A curated list of CVE PoCs.

pull request comment RhinoSecurityLabs/pacu

Eks enum

Roger that, let me know if there are any issues caused by that schema change. It only caused problems for me if I changed the schema after the initial run.

i.e., I had to delete the database after every schema change.

bomjumaku

comment created time in 5 minutes

push event RhinoSecurityLabs/pacu

David Fentz

commit sha c99278dd545d8f6b67a1036eab2f0736c82c3ff3

Eks enum (#252)
* my module is now showing up when running Pacu!
* saving state. Working on logging docker into aws ecr via the python sdk.
* saving working state
* pivoted from writing ecr_enum module to eks_enum module.
* module now lists clusters in a subset of regions, fails to list regions which are listed after fips regions.
* trying to store retrieved data in the database.
* EKS data is being written to the database for clusters that are found. fips endpoints are being ignored.
* pacu stopped working, saving work.
* Abandoned the idea of kubernetes integration into this module for the moment. Added a verbose flag. Started grabbing more information about EKS like addons, fargate profiles, and identity provider settings.
* working on adding cli flags for the less common resources in EKS.
* niche eks information now requires explicit flags to be retrieved.
* added an option to enable retrieval of all supported EKS resources.
* added argument completion
* removed settings.py from the root dir as it was already present in the ./pacu dir. Removed the verbose flag from the eks_enum module and made that behavior default.
* Update pacu/modules/eks__enum/main.py. Testing out github's feature of committing a suggestion directly from the PR. Co-authored-by: Ryan Gerstenkorn <me@ryanjarv.sh>
* fixing what I think might be the trivial change that's generating 'churn'. Not sure.
* moved the service_regions.json file in directly from master.
* so close to finishing pagination. having an issue with identity_provider_config calls.
* fixed that issue with the page iterator for identity_provider_configurations
Co-authored-by: crtl_freq <crtl_freq@pop-os.localdomain>
Co-authored-by: Ryan Gerstenkorn <me@ryanjarv.sh>

push time in 9 minutes

PR merged RhinoSecurityLabs/pacu

Eks enum

A module to enumerate EKS resources.

+98 -0

1 comment

3 changed files

bomjumaku

pr closed time in 9 minutes

push event RhinoSecurityLabs/pacu

Ryan Gerstenkorn

commit sha 67fa466afede3c0517465a246599f4cbef63a8e7

Add update to README.md with recent PyPi changes

Ryan Gerstenkorn

commit sha a82f55c73a9a1ed06504e09c7fd0979fe3d658c5

Remove mention of install.sh from README.md

berney

commit sha 2a0ce01f075541f7ccd9c44fcfc967cad994f9c9

Fix save() (#254)

naikordian

commit sha 78b51be15ca89ba87bd483ba5f901eb45d11add5

fix iam__enum_permissions can't determine current user (#226) (#255)
* fix iam__enum_permissions can't determine current user
* Handle user paths in iam__enum_permissions. User ARNs may have a path prefix after the `:user/` part of the ARN; this shouldn't be included in the user name. The API generally expects only the part after the last slash.
Co-authored-by: Ryan Gerstenkorn <me@ryanjarv.sh>

Ryan Gerstenkorn

commit sha 5141b709fc8c0923f224f793c34a3796b688bf44

Merge remote-tracking branch 'origin/master' into dev

push time in 11 minutes

started DrDonk/unlocker

started time in 15 minutes

pull request comment lgandx/Responder

Add ESS downgrade parameter

Ready to go. --lm was already doing it, but as discussed not everyone uses --lm and it's definitely worth having it on most recent default SMBv1 dialect. Thanks for your submission!

Hackndo

comment created time in 2 hours

issue closed RhinoSecurityLabs/pacu

iam__enum_permissions can't determine current user

Problem

When running iam__enum_permissions, the module often can't determine the current user and requires you to put it manually. Even when the current user is already known.

Example

Pacu (test:imported-test-user) > whoami
{
  "UserName": "test-user",
  "RoleName": null,
...
Pacu (test:import-test-user) > run iam__pivot
  Running module iam__pivot...
[pivot]   Running module iam__enum_permissions...
[iam__enum_permissions] Failed to discover the current users username, enter it now or Ctrl+C to exit the module

Fixes

Unsure why Pacu thinks the user isn't currently known, but if we can get that info from the same source as the whoami output it likely makes sense to do that.

Besides that there's many ways to determine the current user via the API, think we could handle this better as well as make the functionality available via an imported function or PacuMain.

closed time in 2 hours

RyanJarv

issue comment RhinoSecurityLabs/pacu

iam__enum_permissions can't determine current user

This should be resolved with the PR above; sts get-caller-identity is generally available even when other permissions aren't.

RyanJarv

comment created time in 2 hours

push event lgandx/Responder

pixis

commit sha baf80aa4f0e1aaf9ee81ffe6b0b5089d39f42516

Add ESS downgrade parameter

Pixis

commit sha 51f8ab43682973df32534ca97c99fb1318a0c77d

Add ESS disabling information

Pixis

commit sha dcb80d992e385a0f0fdd3f724a0b040a42439306

Add --lm switch for ESS downgrade

lgandx

commit sha 3fe574683bd90524ede52b0994e0714e65c4dacc

Merge pull request #163 from Hackndo/master Add ESS downgrade parameter

push time in 2 hours

PR merged lgandx/Responder

Add ESS downgrade parameter

Description

This is a PoC PR that adds a --disable-ess parameter to unset an NTLM negotiation flag.

As per MS documentation (thank you @cnotin for pointing me to the right direction), this information is provided:

Unlike plain NTLMv1 or NTLMv2, NTLMv1 w/ ESS is actually negotiated between a client and a server (NTLMv1 and NTLMv2 are configured using security key LmCompatibilityLevel). It is negotiated by setting a bit in NegotiateFlags, called P bit (MS-NLMP, section 2.2.2.5). Another name for this field is NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY. Yet another name for this flag that I found is “Negotiate NTLM2 Key”.

Adding --disable-ess to Responder CLI will unset the Negotiate Extended Security flag.

image

When this flag is not set, and lmcompatibilitylevel is set to 0, 1 or 2, then ESS won't be used, and NTLMv1 hash will be crackable using https://crack.sh

image

Example

Without using this flag

image

WITH this flag

image

This hash can be uploaded to crack.sh to find corresponding NT hash.

image

image

I know I leaked some hashes; it doesn't matter, it's in my lab.

+8 -4

3 comments

5 changed files

Hackndo

pr closed time in 2 hours
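What the negotiation bit described in this PR looks like on the wire, as an added example that is not Responder's code: it reads NegotiateFlags out of raw NTLMSSP messages, reports whether ESS (the P bit, NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY) was negotiated, and for an AUTHENTICATE message whether the NT response has the 24-byte NTLMv1 length, which is the check a detection rule would actually key on. The flag value 0x00080000 and the field offsets are taken from MS-NLMP; the two builder functions exist only to produce constructed test messages, not captured traffic.

```python
import struct
from typing import Optional

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
# "P" bit from MS-NLMP section 2.2.2.5; Wireshark labels it "Negotiate NTLM2 Key".
NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY = 0x00080000
NTLMSSP_NEGOTIATE_NTLM = 0x00000200  # "H" bit: NTLMv1-style authentication allowed

NEGOTIATE, CHALLENGE, AUTHENTICATE = 1, 2, 3
# Byte offset of the little-endian 32-bit NegotiateFlags field in each message type
# (MS-NLMP 2.2.1.1, 2.2.1.2 and 2.2.1.3 respectively).
_FLAGS_OFFSET = {NEGOTIATE: 12, CHALLENGE: 20, AUTHENTICATE: 60}
# In AUTHENTICATE_MESSAGE the NtChallengeResponseFields (Len, MaxLen, Offset) start at byte 20.
_NT_RESPONSE_FIELDS_OFFSET = 20


def message_type(msg: bytes) -> Optional[int]:
    """MessageType of an NTLMSSP blob, or None if the signature is missing."""
    if not msg.startswith(NTLMSSP_SIGNATURE) or len(msg) < 12:
        return None
    return struct.unpack_from("<I", msg, 8)[0]


def negotiate_flags(msg: bytes) -> Optional[int]:
    """NegotiateFlags of any NTLMSSP message, or None if msg is not one."""
    off = _FLAGS_OFFSET.get(message_type(msg))
    if off is None or len(msg) < off + 4:
        return None
    return struct.unpack_from("<I", msg, off)[0]


def ess_negotiated(msg: bytes) -> Optional[bool]:
    """True if the P bit is set. On a CHALLENGE that is the server's decision, so a
    cleared bit there is exactly what the PR's --disable-ess option produces."""
    flags = negotiate_flags(msg)
    return None if flags is None else bool(flags & NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY)


def ntlmv1_response(msg: bytes) -> Optional[bool]:
    """For an AUTHENTICATE message: True if the NT response has the 24-byte NTLMv1
    length. NTLMv2 responses are longer (16-byte HMAC followed by the blob)."""
    if message_type(msg) != AUTHENTICATE or len(msg) < _NT_RESPONSE_FIELDS_OFFSET + 8:
        return None
    nt_len, _max_len, _offset = struct.unpack_from("<HHI", msg, _NT_RESPONSE_FIELDS_OFFSET)
    return nt_len == 24


def classify(msg: bytes) -> str:
    """One-line verdict a detection rule could emit for a captured NTLMSSP blob."""
    mtype = message_type(msg)
    if mtype == CHALLENGE:
        if ess_negotiated(msg):
            return "challenge: ESS offered"
        return "challenge: ESS CLEARED (downgrade attempt or legacy server)"
    if mtype == AUTHENTICATE:
        v1, ess = ntlmv1_response(msg), ess_negotiated(msg)
        if v1 and not ess:
            return "authenticate: NTLMv1 without ESS"
        if v1:
            return "authenticate: NTLMv1 with ESS"
        return "authenticate: NTLMv2"
    return "not a challenge/authenticate message"


# --- constructed sample messages (hypothetical, not real captures) -----------------

def build_challenge(flags: int) -> bytes:
    """Minimal CHALLENGE_MESSAGE: signature, type, empty TargetName, flags, challenge, reserved."""
    return (NTLMSSP_SIGNATURE + struct.pack("<I", CHALLENGE)
            + struct.pack("<HHI", 0, 0, 0)          # TargetNameFields
            + struct.pack("<I", flags)
            + bytes(range(8)) + bytes(8))            # ServerChallenge, Reserved


def build_authenticate(flags: int, nt_response_len: int) -> bytes:
    """Minimal AUTHENTICATE_MESSAGE with only the NtChallengeResponse populated."""
    header_len = 64                                  # fixed part up to and including NegotiateFlags
    fields = [(0, 0, header_len)] * 6                # Lm, Nt, Domain, User, Workstation, SessionKey
    fields[1] = (nt_response_len, nt_response_len, header_len)
    hdr = NTLMSSP_SIGNATURE + struct.pack("<I", AUTHENTICATE)
    for length, max_len, offset in fields:
        hdr += struct.pack("<HHI", length, max_len, offset)
    hdr += struct.pack("<I", flags)
    return hdr + b"\xab" * nt_response_len


if __name__ == "__main__":
    base = NTLMSSP_NEGOTIATE_NTLM
    for sample in (build_challenge(base | NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY),
                   build_challenge(base),
                   build_authenticate(base, 24),
                   build_authenticate(base | NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY, 200)):
        print(classify(sample))
```

A cleared P bit on the CHALLENGE only leads to a plain NTLMv1 response when the client's LmCompatibilityLevel is 0, 1 or 2, as the PR description says; at 3 and above the client answers with NTLMv2 regardless, which is what the AUTHENTICATE check confirms. Alerting on the CHALLENGE alone therefore catches the attempt, while alerting on the AUTHENTICATE catches the clients that actually fell for it.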

push event RhinoSecurityLabs/pacu

naikordian

commit sha 78b51be15ca89ba87bd483ba5f901eb45d11add5

fix iam__enum_permissions can't determine current user (#226) (#255)
* fix iam__enum_permissions can't determine current user
* Handle user paths in iam__enum_permissions. User ARNs may have a path prefix after the `:user/` part of the ARN; this shouldn't be included in the user name. The API generally expects only the part after the last slash.
Co-authored-by: Ryan Gerstenkorn <me@ryanjarv.sh>

push time in 2 hours

PR merged RhinoSecurityLabs/pacu

fix iam__enum_permissions can't determine current user (#226)

iam__enum_permissions used the GetUser API to get a username, but sometimes the user doesn't have GetUser permission:

# Excerpt of the old code path in the module (the except branch that prompted
# for the name is not part of this excerpt).
client = pacu_main.get_boto3_client('iam')
try:
    user = client.get_user()   # needs iam:GetUser on the calling user
    active_aws_key.update(
        pacu_main.database,
        user_name=user['User']['UserName'],
        arn=identity['Arn'],
        user_id=identity['UserId'],
        account_id=identity['Account']
    )

This pull request will extract the username from the user's ARN instead.

+10 -29

1 comment

1 changed file

naikordian

pr closed time in 2 hours

Pull request review comment RhinoSecurityLabs/pacu

fix iam__enum_permissions can't determine current user (#226)

 def main(args, pacu_main: 'Main'):          if re.match(r'arn:aws:iam::\d{12}:user/', identity['Arn']) is not None:             is_user = True-            client = pacu_main.get_boto3_client('iam')-            try:-                user = client.get_user()-                active_aws_key.update(-                    pacu_main.database,-                    user_name=user['User']['UserName'],-                    arn=identity['Arn'],-                    user_id=identity['UserId'],-                    account_id=identity['Account']-                )-            except botocore.exceptions.ClientError:-                username = input('Failed to discover the current users username, enter it now or Ctrl+C to exit the module: ').strip()-                if username:-                    active_aws_key.update(-                        pacu_main.database,-                        user_name=username,-                        arn=identity['Arn'],-                        user_id=identity['UserId'],-                        account_id=identity['Account']-                    )-                else:-                    # Update the information from get_caller_identity and exit-                    active_aws_key.update(-                        pacu_main.database,-                        arn=identity['Arn'],-                        user_id=identity['UserId'],-                        account_id=identity['Account']-                    )-                    return False+            # GetCallerIdentity away return user's ARN like this if it was a user+            # arn:aws:iam::123456789012:user/username+            username = identity['Arn'].split(':user/')[1]+            active_aws_key.update(+                pacu_main.database,+                user_name=username,
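Review bot: the added line `username = identity['Arn'].split(':user/')[1]` keeps any IAM path prefix, so an ARN such as `arn:aws:iam::123456789012:user/eng/alice` yields `eng/alice` rather than `alice`, which the IAM APIs will not accept as a user name; take the last path segment instead, e.g. `username = identity['Arn'].split(':user/')[1].split('/')[-1]`. The subscript itself is safe because the surrounding `re.match(r'arn:aws:iam::\d{12}:user/', identity['Arn'])` has already confirmed the ARN shape, so dropping the try/except and the interactive prompt is fine. Minor: the new comment "GetCallerIdentity away return" should read "GetCallerIdentity always returns".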

Looks good

naikordian

comment created time in 2 hours

started elastic/detection-rules

started time in 2 hours

fork ASkyeye/KernelForge

Bringing kernel level Windows payloads to post HVCI era

fork in 3 hours

push event carlospolop/hacktricks

CPol

commit sha 0bf986c68a30e3428c9767f2e59cfb8b055e8fb4

GitBook: [master] one page and 5 assets modified

push time in 3 hours

started avboy1337/CVE-2021-31166

started time in 3 hours

PR opened danielmiessler/SecLists

Update default-passwords.csv

2240 SeedDMS admin admin https://www.seeddms.org/index.php?id=2

POC: https://demo.seeddms.org/out/out.Login.php User ID: admin Password: admin

+1 -0

0 comment

1 changed file

pr created time in 4 hours

Pull request review comment RhinoSecurityLabs/pacu

fix iam__enum_permissions can't determine current user (#226)

 def main(args, pacu_main: 'Main'):          if re.match(r'arn:aws:iam::\d{12}:user/', identity['Arn']) is not None:             is_user = True-            client = pacu_main.get_boto3_client('iam')-            try:-                user = client.get_user()-                active_aws_key.update(-                    pacu_main.database,-                    user_name=user['User']['UserName'],-                    arn=identity['Arn'],-                    user_id=identity['UserId'],-                    account_id=identity['Account']-                )-            except botocore.exceptions.ClientError:-                username = input('Failed to discover the current users username, enter it now or Ctrl+C to exit the module: ').strip()-                if username:-                    active_aws_key.update(-                        pacu_main.database,-                        user_name=username,-                        arn=identity['Arn'],-                        user_id=identity['UserId'],-                        account_id=identity['Account']-                    )-                else:-                    # Update the information from get_caller_identity and exit-                    active_aws_key.update(-                        pacu_main.database,-                        arn=identity['Arn'],-                        user_id=identity['UserId'],-                        account_id=identity['Account']-                    )-                    return False+            # GetCallerIdentity away return user's ARN like this if it was a user+            # arn:aws:iam::123456789012:user/username+            username = identity['Arn'].split(':user/')[1]+            active_aws_key.update(+                pacu_main.database,+                user_name=username,

We'll need to verify this works but thinking something like this:

                user_name=username.split('/')[-1],
naikordian

comment created time in 4 hours
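The ARN-based lookup proposed in this PR, together with the path-prefix case raised in the review above, as an added example that is not Pacu's code: the user name is taken from the ARN that sts get-caller-identity (or Pacu's whoami) already returned, so no iam:GetUser call is needed, and any IAM path between `:user/` and the name is dropped. It also classifies assumed-role ARNs, which goes a step beyond the PR. The identity records are constructed samples; the account number is the one in the PR's own comment and the names are made up.

```python
import re
from typing import Dict, List, Optional, Tuple

# The same guard the Pacu module uses before it looks for a user name.
USER_ARN_RE = re.compile(r'arn:aws:iam::\d{12}:user/')
# Assumed-role ARNs as sts get-caller-identity returns them (assumes the standard aws partition):
#   arn:aws:sts::ACCOUNT:assumed-role/ROLE_NAME/SESSION_NAME
ASSUMED_ROLE_ARN_RE = re.compile(r'arn:aws:sts::\d{12}:assumed-role/')


def username_from_user_arn(arn: str) -> Optional[str]:
    """IAM user name from a user ARN, or None if the ARN is not a user ARN.

    The PR's first version stopped at split(':user/')[1]; for a user created with
    an IAM path that returns "eng/alice", which iam:GetUser and friends reject.
    Taking the last path segment, as the review suggested, handles both shapes.
    """
    if USER_ARN_RE.match(arn) is None:
        return None
    after_user = arn.split(':user/', 1)[1]      # "alice", "eng/alice" or "eng/team/alice"
    return after_user.rsplit('/', 1)[-1]        # always the bare user name


def principal_from_identity(identity: Dict[str, str]) -> Tuple[str, Optional[str]]:
    """Classify a get-caller-identity / Pacu whoami record without any IAM call,
    which is the point of the fix: sts:GetCallerIdentity is available even when
    iam:GetUser is not."""
    arn = identity['Arn']
    user = username_from_user_arn(arn)
    if user is not None:
        return 'user', user
    if ASSUMED_ROLE_ARN_RE.match(arn) is not None:
        role = arn.split(':assumed-role/', 1)[1].split('/', 1)[0]
        return 'role', role
    return 'other', None                         # e.g. the account root user


# Constructed records shaped like sts get-caller-identity output (hypothetical values).
SAMPLE_IDENTITIES: List[Dict[str, str]] = [
    {'Arn': 'arn:aws:iam::123456789012:user/test-user',
     'UserId': 'AIDAEXAMPLE1', 'Account': '123456789012'},
    {'Arn': 'arn:aws:iam::123456789012:user/eng/alice',
     'UserId': 'AIDAEXAMPLE2', 'Account': '123456789012'},
    {'Arn': 'arn:aws:sts::123456789012:assumed-role/Deployer/ci-run-42',
     'UserId': 'AROAEXAMPLE3:ci-run-42', 'Account': '123456789012'},
    {'Arn': 'arn:aws:iam::123456789012:root',
     'UserId': '123456789012', 'Account': '123456789012'},
]


def summarize(identities: List[Dict[str, str]]) -> List[Tuple[str, Optional[str]]]:
    """Verdict per record, in input order."""
    return [principal_from_identity(i) for i in identities]


if __name__ == '__main__':
    for ident, verdict in zip(SAMPLE_IDENTITIES, summarize(SAMPLE_IDENTITIES)):
        print(f"{ident['Arn']:<62} -> {verdict}")
```

Because the regex is checked first, the `split(':user/', 1)[1]` subscript can never raise on a non-user ARN, which is what lets the old try/except around GetUser and the interactive prompt go away.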

started rmusser01/Infosec_Reference

started time in 4 hours

release gentilkiwi/mimikatz

2.2.0-20210517

released time in 4 hours

PR opened wekan/wekan

Fix typos

Fix a few typos in docker-compose.yml

+5 -5

0 comment

1 changed file

pr created time in 5 hours

issue opened MISP/misp-galaxy

Please add HackBoss

https://decoded.avast.io/romanalinkeova/hackboss-a-cryptocurrency-stealing-malware-distributed-through-telegram/

created time in 5 hours

push event nomi-sec/PoC-in-GitHub

motikan2010-bot

commit sha 70538ad6ec112c5b375aecb0f2586a88202f98d6

Auto Update 2021/05/18 06:11:34

push time in 5 hours

fork TheWover/Koppeling

Adaptive DLL hijacking / dynamic export forwarding

fork in 5 hours

PR opened redcanaryco/atomic-red-team

adds additional lsass dump test

Details: In some cases, lsass.exe minidump files are signatured by AV and deleted. It's not unusual for the binary that initiated the lsass dump to be left on disk and not treated as malicious.

The DLL loaded into this bin for minidumping (dbghelp) writes the minidump to disk, but before this binary closes the file handle to the minidump, it re-reads the contents into memory. It then closes the file handle and immediately deletes the minidump.

There may exist a race between the binary deleting the minidump file after a close(handle) and AV detecting and deleting the minidump. In either case, the output is safe in memory and passed to an XOR function which then re-writes the XORed data to disk, where it can be safely copied off.

Testing: This tests for both the use of imported debugging DLLs and for brittle detections that rely on signatured lsass minidumps.

Associated Issues: N/A

+35 -0

0 comment

1 changed file

pr created time in 5 hours

issue comment swisskyrepo/PayloadsAllTheThings

Tornado template injection payload

Could you create a pull request, thanks?

akashmethani

comment created time in 6 hours

started TheWover/CertStealer

started time in 6 hours

PR opened redcanaryco/atomic-red-team

Fix file path for PowerDump Import

Details: seemed to download the module to $Env:Temp then run from ., so I changed both to $Env:Temp

Testing: Ran in Win 10, successfully got usernames & hashes!

Associated Issues: n/a

+1 -1

0 comment

1 changed file

pr created time in 7 hours

push event carlospolop/hacktricks

CPol

commit sha 3926f377c29df1bda7535d109ee708ce02f02113

GitBook: [master] 4 pages modified

push time in 7 hours