      Tor Browser 7.x NoScript Bypass

      Guest
      This topic is now closed to further replies.

      • Similar Content

        • By itsMe

          Evasor
          The Evasor is an automated security assessment tool which locates existing executables on the Windows operating system that can be used to bypass any Application Control rules. It is very easy to use, quick, saves time, and is fully automated; it generates a report for you including description, screenshots and mitigation suggestions, and suits both blue and red teams in the assessment of a post-exploitation phase.
          Usage instructions
          Download the Evasor project and compile it. Make sure to exclude the App.config file from the project's reference tree.

        • By itsMe

          ScareCrow
          ScareCrow is a payload creation framework for generating loaders for the use of side loading (not injection) into a legitimate Windows process (bypassing Application Whitelisting controls). Once the DLL loader is loaded into memory, it utilizes a technique to flush an EDR's hooks out of the system DLLs running in the process's memory. This works because we know the EDR's hooks are placed when a process is spawned. ScareCrow can target these DLLs and manipulate them in memory by using the API function VirtualProtect, which changes a section of a process's memory permissions to a different value, specifically from Execute-Read to Read-Write-Execute.
          When executed, ScareCrow will copy the bytes of the system DLLs stored on disk in C:\Windows\System32\. These DLLs are stored on disk "clean" of EDR hooks because they are used by the system to load an unaltered copy into a new process when it's spawned. Since EDRs only hook these processes in memory, they remain unaltered. ScareCrow does not copy the entire DLL file, but instead focuses only on the .text section of the DLLs. This section of a DLL contains the executable assembly, and by doing this ScareCrow helps reduce the likelihood of detection, as re-reading entire files can cause an EDR to detect that there is a modification to a system resource. The data is then copied into the right region of memory by using each function's offset. Each function has an offset which denotes the exact number of bytes from the base address where they reside, providing the function's location on the stack. In order to do this, ScareCrow changes the permissions of the .text region of memory using VirtualProtect. Even though this is a system DLL, since it has been loaded into our process (that we control), we can change the memory permissions without requiring elevated privileges.
          Once the hooks are removed, ScareCrow then utilizes custom System Calls to load and run shellcode in memory. ScareCrow does this even after the EDR hooks are removed to help avoid being detected by non-userland hook-based telemetry gathering tools such as Event Tracing for Windows (ETW) or other event logging mechanisms. These custom system calls are also used to perform the VirtualProtect call to remove the hooks placed by EDRs, described above, to avoid being detected by any EDR's anti-tamper controls. This is done by calling a custom version of the VirtualProtect syscall, NtProtectVirtualMemory. ScareCrow utilizes Golang to generate these loaders and then assembly for these custom syscall functions.
          ScareCrow loads the shellcode into memory by first decrypting the shellcode, which is encrypted by default using AES encryption with a decryption key and initialisation vector. Once decrypted and loaded, the shellcode is then executed. Depending on the loader options specified, ScareCrow will set up different export functions for the DLL. The loaded DLL also does not contain the standard DllMain function which all DLLs typically need to operate. The DLL will still execute without an issue because the process we load into will look for those export functions and not worry about DllMain being there.
          During the creation process of the loader, ScareCrow utilizes a library for blending into the background after a beacon calls home. This library does two things:
              Code signs the Loader: Files that are signed with code signing certificates are often put under less scrutiny, making it easier to be executed without being challenged, as files signed by a trusted name are often less suspicious than others. Most antimalware products don't have the time to validate and verify these certificates (now some do, but typically the common vendor names are included in a whitelist). ScareCrow creates these certificates by using a go package version of the tool limelighter to create a pfx12 file. This package takes an inputted domain name, specified by the user, to create a code signing certificate for that domain. If needed, you can also use your own code signing certificate if you have one, using the valid command-line option.
              Spoof the attributes of the loader: This is done by using syso files which are a form of embedded resource files that when compiled along with our loader, will modify the attribute portions of our compiled code. Prior to generating a syso file, ScareCrow will generate a random file name (based on the loader type) to use. Once chosen this file name will map to the associated attributes for that file name, ensuring that the right values are assigned.
          Changelog v1.5
          Bug fixes
              Fixed error with delivery commands `hta` and `bits` that prevented the one-line command from displaying.
              Added in additional controls to allow certain types of loaders to be used with certain delivery commands (to prevent incompatibilities)
              Updated help menu & README to indicate which delivery commands work well with what loaders


        • By itsMe

          The all-in-one Red Team browser extension for Web Pentesters
          HackTools is a web extension facilitating your web application penetration tests; it includes cheat sheets as well as all the tools used during a test, such as XSS payloads, reverse shells and much more.
          With the extension you no longer need to search for payloads in different websites or in your local storage space, most of the tools are accessible in one click. HackTools is accessible either in pop up mode or in a whole tab in the Devtools part of the browser with F12.
          Current functions:
              Dynamic Reverse Shell generator (PHP, Bash, Ruby, Python, Perl, Netcat)
              Shell Spawning (TTY Shell Spawning)
              XSS Payloads
              Basic SQLi payloads
              Local file inclusion payloads (LFI)
              Base64 Encoder / Decoder
              Hash Generator (MD5, SHA1, SHA256, SHA512)
              Useful Linux commands (Port Forwarding, SUID)
          Changelog v0.3.3
              Adding persistence on the app (When you close the app it will now open at the same place)
              URL Decoder

        • By itsMe

          This program is a browser extension that can perform targeted keylogging on certain sites, as well as general keylogging.
          By default, inside the "manifest.json" file, the "matches" key (inside of "content_scripts") is set to "<all_urls>" ... this, however, can be changed to any URL.
          For example, putting in "*://roblox.com/login" instead of "<all_urls>" will only target that site.
          Furthermore, the script execution can be changed to a background process for general keylogging, which will allow the script to collect keys even when not on a specific URL.
          This is not necessary, and is probably more likely to increase "spam" text, but it will not delete unsent text when going to a new URL.
          Overall, the more you decrease the send time (down to 1), the more text the program will grab per site. It will be messy and not well formatted, however.
          Bot names are random numbers between 0 and 1, and keep track of users on a site (standard) or stay constant for an entire user session (background process).
          The visible function of the extension will reside in "popup.html" and this file can be changed to create better trojans.
          Only use this for testing purposes.

        • By dEEpEst
          HOW TO BYPASS OTP ON ALMOST ANY SITE! 
           
          This method is used by many pentesters to exploit the vulnerabilities of a website with OTP functionality. Also, nowadays, unacademy's OTP vulnerability is exposed.
          This mainly requires a tool burp suite available for free, which can help you change the response of the OTP verification from the client-side. 
          We have also attached a page where these vulnerabilities are explained very precisely.
