0prrr/All-Red-Teaming.md

Last active August 28, 2024 00:17

Star () You must be signed in to star a gist
Fork () You must be signed in to fork a gist

Learn more about clone URLs
Clone this repository at <script src="https://gist.github.com/0prrr/b5e343097a046eac2cc469864aa30513.js"></script>
Save 0prrr/b5e343097a046eac2cc469864aa30513 to your computer and use it in GitHub Desktop.

Download ZIP

Red Team Reading...

Raw

All-Red-Teaming.md

AAD
Active Directory
Cloud
Cobalt Strike / Aggressor Scripts
Recon
UAC
Metasploit
Infrastructure
SMB
VBA
Browser
Phishing
Third-party Identity Providers
Documentation

Azure Active Directory

AAD Internals
https://aadinternals.com/ [-]
Entra Roles Allowing To Abuse Entra ID Federation for Persistence and Privilege Escalation
https://medium.com/tenable-techblog/roles-allowing-to-abuse-entra-id-federation-for-persistence-and-privilege-escalation-df9ca6e58360 [-]
Azure AD Kerberos Tickets: Pivoting to the Cloud
https://trustedsec.com/blog/azure-ad-kerberos-tickets-pivoting-to-the-cloud [-]

Active Directory

AD CS - New Ways to Abuse ManageCA Permissions
https://whoamianony.top/posts/ad-cs-new-ways-to-abuse-manageca-permissions/
What is old is new again: The Relay Attack
https://www.secureauth.com/blog/what-is-old-is-new-again-the-relay-attack/
SOCKS Proxy Relaying
https://tw1sm.github.io/2021-02-15-socks-relay/
Playing with Relayed Credentials
https://www.secureauth.com/blog/playing-with-relayed-credentials/
We Love Relaying Credentials: A Technical Guide to Relaying Credentials Everywhere
https://www.secureauth.com/blog/we-love-relaying-credentials-a-technical-guide-to-relaying-credentials-everywhere/
Operational Guidance for Offensive User DPAPI Abuse
https://posts.specterops.io/operational-guidance-for-offensive-user-dpapi-abuse-1fb7fac8b107
howto ~ credential manager saved credentials
https://github.com/gentilkiwi/mimikatz/wiki/howto-~-credential-manager-saved-credentials
Decrypting DPAPI data
https://elie.net/static/files/reversing-dpapi-and-stealing-windows-secrets-offline/reversing-dpapi-and-stealing-windows-secrets-offline-slides.pdf
A Guide to Attacking Domain Trusts
https://harmj0y.medium.com/a-guide-to-attacking-domain-trusts-ef5f8992bb9d
SID filter as security boundary between domains? (Part 1-7)
https://improsec.com/tech-blog/o83i79jgzk65bbwn1fwib1ela0rl2d
Exploring S4U Kerberos Extensions in Windows Server 2003
https://learn.microsoft.com/en-us/archive/msdn-magazine/2003/april/exploring-s4u-kerberos-extensions-in-windows-server-2003
Attacking Kerberos: Constrained Delegation
https://www.notsoshant.io/blog/attacking-kerberos-constrained-delegation/
Attacking Kerberos: Resource Based Constrained Delegation
https://www.notsoshant.io/blog/attacking-kerberos-resource-based-constrained-delegation/
NTLM relaying to AD CS - On certificates, printers and a little hippo
https://dirkjanm.io/ntlm-relaying-to-ad-certificate-services/
The worst of both worlds: Combining NTLM Relaying and Kerberos delegation
https://dirkjanm.io/worst-of-both-worlds-ntlm-relaying-and-kerberos-delegation/
mitm6 – compromising IPv4 networks via IPv6
https://blog.fox-it.com/2018/01/11/mitm6-compromising-ipv4-networks-via-ipv6/
Workstation-Takeover.md
https://gist.github.com/gladiatx0r/1ffe59031d42c08603a3bde0ff678feb
Finding Buried Treasure in Server Message Block (SMB)
https://www.blackhillsinfosec.com/finding-buried-treasure-in-server-message-block-smb/
NTLM Relay
https://www.thehacker.recipes/ad/movement/ntlm/relay
BHIS | Coercions and Relays – The First Cred is the Deepest with Gabriel Prud'homme | 1.5 Hours
https://www.youtube.com/watch?v=b0lLxLJKaRs&t=480s ***
NTLM Relay
https://en.hackndo.com/ntlm-relay *****
Pass the Hash
https://en.hackndo.com/pass-the-hash *****
Service Principal Name (SPN)
https://en.hackndo.com/service-principal-name-spn/ *****
The Path To DA - Part 1: SysAdmins Love Generic Passwords
https://shorsec.io/blog/the-path-to-da-part-1-sysadmins-love-generic-passwords/
Tools: https://github.com/Kevin-Robertson/Invoke-TheHash
The Path To DA - Part 2: (Relaying) To The Internet And Back
https://shorsec.io/blog/the-path-to-da-part-2-relaying-to-the-internet-and-back/
Tools: https://github.com/c3c/ADExplorerSnapshot.py
https://github.com/dirkjanm/krbrelayx/blob/master/printerbug.py
https://github.com/Dec0ne/DavRelayUp
https://github.com/zyn3rgy/LdapRelayScan
Getting in the Zone: dumping Active Directory DNS using adidnsdump
https://dirkjanm.io/getting-in-the-zone-dumping-active-directory-dns-with-adidnsdump/
https://github.com/dirkjanm/adidnsdump
Exploiting RBCD Using a Normal User Account*
https://www.tiraniddo.dev/2022/05/exploiting-rbcd-using-normal-user.html

Cloud

Identity Providers for RedTeamers
https://blog.xpnsec.com/identity-providers-redteamers/

Cobalt Strike / Aggressor Scripts

Advanced Threat Tactics – Course and Notes
https://www.cobaltstrike.com/blog/advanced-threat-tactics-course-and-notes/
malleable_c2_profiles_09272021
https://gist.github.com/MHaggis/921a4a47de1adab7eec938b4597f0be3
Talk to your children about Payload Staging
https://www.cobaltstrike.com/blog/talk-to-your-children-about-payload-staging/
Staged Payloads – What Pen Testers Should Know
https://www.cobaltstrike.com/blog/staged-payloads-what-pen-testers-should-know/
DNS Command and Control Added to Cobalt Strike
https://www.cobaltstrike.com/blog/dns-command-and-control-added-to-cobalt-strike/
https://github.com/RedSiege/C2concealer
Customizing C2Concealer - Part 1
https://fortynorthsecurity.com/blog/customizing-c2concealer/
Customizing C2Concealer - Part 2
https://fortynorthsecurity.com/blog/customizing-c2concealer-part-ii/
Registry-Recon
https://github.com/optiv/Registry-Recon

Recon

Windows RDP client, show login page
https://digi.ninja/blog/rdp_show_login_page.php

UAC

BYPASSING UAC USING APP PATHS
https://enigma0x3.net/2017/03/14/bypassing-uac-using-app-paths/

Metasploit

HTTP Communication
https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-http-communication.html
Ins and Outs in Meterpreter and Metasploit Stagers
https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/the-ins-and-outs-of-http-and-https-communications-in-meterpreter-and-metasploit-stagers.html
Deep Dive Into Stageless Meterpreter Payloads
https://www.rapid7.com/blog/post/2015/03/25/stageless-meterpreter-payloads/

Infrastructure

Maelstrom Series
https://pre.empt.blog/2023/maelstrom-1-an-introduction

SMB

Vulnerability Reproduction: CVE-2020-0796 POC
https://blog.zecops.com/research/vulnerability-reproduction-cve-2020-0796-poc/
SMBleedingGhost Writeup: Chaining SMBleed (CVE-2020-1206) with SMBGhost
https://blog.zecops.com/research/smbleedingghost-writeup-chaining-smbleed-cve-2020-1206-with-smbghost/

VBA

Purgalicious VBA: Macro Obfuscation With VBA Purging
https://www.mandiant.com/resources/blog/purgalicious-vba-macro-obfuscation-with-vba-purging

Phishing

How to Phish for User Passwords with PowerShell
https://www.blackhillsinfosec.com/how-to-phish-for-user-passwords-with-powershell/

Browser

Breaking The Browser – A tale of IPC, credentials and backdoors
https://www.mdsec.co.uk/2021/01/breaking-the-browser-a-tale-of-ipc-credentials-and-backdoors/

Third-party Identity Providers

Okta for Red Teamers
https://blog.xpnsec.com/okta-for-redteamers/ [-]
Oktajacking
https://pushsecurity.com/blog/oktajacking/ [-]
YOU DOWN WITH IDP? IMPERSONATE ME!
https://permiso.io/blog/s/down-with-idp-impersonate-me/ [-]

Documentation

https://github.com/GhostPack/Rubeus

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment