Cube0x0 @cube0x0 - Twitter Profile

cube0x0 retweeted

about 1 year ago

I just published a blog post where I try to explain and demystify Kerberos relay attacks. I hope it’s a good and comprehensive starting point for anyone looking to learn more about this topic. ➡️https://t.co/OztMeuoU5L

2

351

149

223

20K

Cube0x0 @cube0x0

about 1 year ago

@ShitSecure Nice! Totally missed that one Thanks for sharing

1

2

0

724

Cube0x0 @cube0x0

about 1 year ago

If you wanna do it in c#, merge this with the og krbrelay https://github[.]com/CICADA8-Research/RemoteKrbRelay

Andrew Oliveau

@AndrewOliveau

about 1 year ago

RemoteMonologue - A Windows credential harvesting attack that leverages the Interactive User RunAs key and coerces NTLM authentications via DCOM. Remotely compromise users without moving laterally or touching LSASS. Hope you enjoy the blog & tool drop 🤟 https://t.co/ch9WuSP6bm

17

462

176

294

69K

1

58

4

31

7K

Cube0x0 @cube0x0

about 1 year ago

@passthehashbrwn Make it 8 and you'll qualify for hosting your training at defcon!

0

23

0

2K

Who to follow

S3cur3Th1sSh1t

@ShitSecure

Pentesting, scripting, pwning!

x86matthew

@x86matthew

system emulation / reverse-engineering / binary analysis. @the_secret_club

mr.d0x

@mrd0x

Security researcher | Co-founder https://t.co/QxBlzp9A8w | https://t.co/zqMXQRZjQN | https://t.co/Fq7WSqTBva | https://t.co/eKezFcO6nd

Cube0x0 @cube0x0

about 1 year ago

I asked myself, how difficult would it be to run a 0xC2 agent in a non-rooted Samsung phone, via an APK installation, and use it for lateral movement Turns out, not very difficult at all

cube0x0's tweet photo. I asked myself, how difficult would it be to run a 0xC2 agent in a non-rooted Samsung phone, via an APK installation, and use it for lateral movement

Turns out, not very difficult at all https://t.co/03vwpIU9Iw

6

109

7

27

8K

cube0x0 retweeted

Andrea P @decoder_it

over 1 year ago

M'm glad to release the tool I have been working hard on the last month: #KrbRelayEx A Kerberos relay & forwarder for MiTM attacks! >Relays Kerberos AP-REQ tickets >Manages multiple SMB consoles >Works on Win& Linux with .NET 8.0 >... GitHub: https://t.co/zoN2fX6Hsc

decoder_it's tweet photo. M'm glad to release the tool I have been working hard on the last month: #KrbRelayEx
A Kerberos relay & forwarder for MiTM attacks!
>Relays Kerberos AP-REQ tickets
>Manages multiple SMB consoles
>Works on Win& Linux with .NET 8.0
>...
GitHub: https://t.co/zoN2fX6Hsc https://t.co/ITR1hcNd7B

15

542

226

249

51K

Cube0x0 @cube0x0

over 1 year ago

@MarcOverIP @OutflankNL 🤝

0

3

0

479

Cube0x0 @cube0x0

over 1 year ago

@_RastaMouse it already existed when i wrote the convert script back in January @mcbroom_evan did a great job with https://t.co/PonkbD2Rd4

0

8

1

5

973

Cube0x0 @cube0x0

over 1 year ago

I have received a few questions about reusing existing open-source and in-house BOFs in 0xC2 so I am leaving it here for visibility. Yes the 0xC2 Windows agent has a backward-compatible layer so you can reuse your existing object file tools after converting the Sleep script to Lua. To help with that we have provided a script that translates your Sleep code to AST and then AST to Lua. It's not 1:1 but helps with 90+% of the work.

cube0x0's tweet photo. I have received a few questions about reusing existing open-source and in-house BOFs in 0xC2 so I am leaving it here for visibility.

Yes the 0xC2 Windows agent has a backward-compatible layer so you can reuse your existing object file tools after converting the Sleep script to Lua. To help with that we have provided a script that translates your Sleep code to AST and then AST to Lua. It's not 1:1 but helps with 90+% of the work.

1

70

7

22

9K

Cube0x0 @cube0x0

over 1 year ago

@redteamcore You can have concurrency(serve multiple connections) in your server without multi threading. Creating threads is only needed for coerce

0

420

Cube0x0 @cube0x0

over 1 year ago

Don't we all get to the point where all you want to do is capture and relay NTLM and Kerberos authentications in a BOF? It's just faster to write a capture & relaying framework in C for ntlm, kerberos, dcom, smb, http, mssql with native Windows support than fixing impacket. Available for 0xC2 clients in the coming update

cube0x0's tweet photo. Don't we all get to the point where all you want to do is capture and relay NTLM and Kerberos authentications in a BOF?

It's just faster to write a capture & relaying framework in C for ntlm, kerberos, dcom, smb, http, mssql with native Windows support than fixing impacket.
Available for 0xC2 clients in the coming update

5

278

44

128

23K

Cube0x0 @cube0x0

over 1 year ago

@Cyb3rMonk Lol no, that would have been weird. Everything happens inside the beacon process

1

7

0

1K

Cube0x0 @cube0x0

over 1 year ago

@ShitSecure @zeroSteiner That and the packets sent over the network from the impacket server and client scripts do not blend in very well

0

2

0

472

Cube0x0 @cube0x0

over 1 year ago

@filip_dragovic That's many cve's Gj man and gz!

0

1

0

370

Cube0x0 @cube0x0

over 1 year ago

@decoder_it @_RastaMouse @curi0usJack @tiraniddo nice!

0

1

0

362

cube0x0 retweeted

Andrea P @decoder_it

over 1 year ago

@_RastaMouse @curi0usJack @tiraniddo @cube0x0 https://t.co/Pi0sfpTbc7

3

22

10

9

6K

cube0x0 retweeted

Andrea P @decoder_it

over 1 year ago

Is Kerberos relaying so limited? I'd say no, thanks to @tiraniddo CredMarshalTargetInfo trick. In this case, I'm relaying SMB to HTTP (ADCS) with a modified version of @cube0x0 krbrelay using DFSCoerce and PetitPotam - classic ESC8 attack with Kerberos, no DCOM involved ;)