Nimrod Levy

Did you ever wonder how you can move laterally through internal networks? or interact with remote machines without alerting EDRs?
Let's assume that we have a valid credentials, or an active session with access to a remote machine, but we are without an option for executing a process remotely in a known, expected or a highly-monitored method (i.e. WMI, Task Scheduler, WinRM, PowerShell Remoting).

For these scenarios, the DVS framework comes to the rescue.

The DVS framework is a… רוצה לראות יותר

Did you ever wonder how you can move laterally through internal networks? or interact with remote machines without alerting EDRs?
Let's assume that we have a valid credentials, or an active session with access to a remote machine, but we are without an option for executing a process remotely in a known, expected or a highly-monitored method (i.e. WMI, Task Scheduler, WinRM, PowerShell Remoting).

For these scenarios, the DVS framework comes to the rescue.

The DVS framework is a swiss army knife which allows you to enumerate vulnerable functions of remote DCOM objects, launch them and even launch attacks using them.

The framework is being developed with a "Red Team" mindset and uses stealth methods to compromise remote machines.

The DVS framework contains various ways to bypass remote hardening against DCOM by re-enableing DCOM access remotely and automatically grant the required permissions to the attacking user.

The framework can also revert changes on the remote machine to their original state, prior to the attack - hiding these changes from defenders.

Our main insight is that the tool can also execute commands using non-vulnerable DCOM objects through an awesome technique (Read below about Invoke-RegisterRemoteSchema)

Compatible with PowerShell 2.0 and up

Youtube Video PoC: https://www.youtube.com/watch?v=FAjwybmFJAA&feature=youtu.be
רוצה לראות פחות

XSSPosed-releases is tool that extracts latest XSS vulnerabilities published via XSSPosed.org that display a full disclosure about the malicious payload on the infected website

Google Chrome is probably the most secure browser on the internet. However, the product’s
ability to be secure is not maximized in its default settings.
Iron Chrome, is a combination of the best tested, verified security & privacy extensions to make a high-privacy and high-security for the end-user in Chrome browser that's not contain espionage code of Google.

When performing a security testing on a Windows environment, or any environment for that matter, one of the things you’ll need to check is if you can escalate your privileges from a low privilege user to a high privileged user. No matter what environment you are testing there are going to be a range or roles with varying privileges. For the most part, on a local windows environment there going to be three roles / privileged users.

Sandworm exploit vulnerability found in windows Object Linking and Embedding (OLE) allowing arbitrary code execution. Platforms such as Windows Vista SP2 all the way to Windows 8, Windows Server 2008 and 2012 are known to be vulnerable. This script intended to identify if office file is infected with sandworm vector.

Keylogger is a type of surveillance software (considered to be either software or spyware) that has the capability to record every keystroke you make to a log file, usually encrypted. A keylogger recorder can record instant messages, e-mail, and any information you type at any time using your keyboard. The log file created by the keylogger can then be sent to a specified receiver. Some keylogger programs will also record any e-mail addresses you use and Web site URLs you visit. Keyloggers, as a… רוצה לראות יותר

Keylogger is a type of surveillance software (considered to be either software or spyware) that has the capability to record every keystroke you make to a log file, usually encrypted. A keylogger recorder can record instant messages, e-mail, and any information you type at any time using your keyboard. The log file created by the keylogger can then be sent to a specified receiver. Some keylogger programs will also record any e-mail addresses you use and Web site URLs you visit. Keyloggers, as a surveillance tool, are often used by employers to ensureemployees use work computers for business purposes only. this keylogger captures the screen when the screen was a significant change, and save the keyboards רוצה לראות פחות

AutoBrowser is a tool written in python for penetration testers. The purpose of this tool is to create report(Json file) and screenshots of http/s based ports on the network. you can choose between analyze Nmap report(XML file -oX) or scan with Nmap, then the tool automaticly Check the results with http/s request on each host using headless web browser, then it would take a screenshot of the response page content.

This tool is designed for IT professionals to perform penetration… רוצה לראות יותר

AutoBrowser is a tool written in python for penetration testers. The purpose of this tool is to create report(Json file) and screenshots of http/s based ports on the network. you can choose between analyze Nmap report(XML file -oX) or scan with Nmap, then the tool automaticly Check the results with http/s request on each host using headless web browser, then it would take a screenshot of the response page content.

This tool is designed for IT professionals to perform penetration testing.
Proof of concept video from AutoBrowser 4.0:
https://youtu.be/wYLr9QavBKQ רוצה לראות פחות

The SMTP Fuzzer will connect to a given mail server and use a wordlist to enumerate users that are present on the remote system.

MSSqlPwner is an advanced and versatile pentesting tool designed to seamlessly interact with MSSQL servers and based on Impacket. The MSSqlPwner tool empowers ethical hackers and security professionals to conduct comprehensive security assessments on MSSQL environments.
With MSSqlPwner, users can execute custom commands through various methods, including custom assembly, xp_cmdshell, and sp_oacreate(Ole Automation Procedures) and much… רוצה לראות יותר

MSSqlPwner is an advanced and versatile pentesting tool designed to seamlessly interact with MSSQL servers and based on Impacket. The MSSqlPwner tool empowers ethical hackers and security professionals to conduct comprehensive security assessments on MSSQL environments.
With MSSqlPwner, users can execute custom commands through various methods, including custom assembly, xp_cmdshell, and sp_oacreate(Ole Automation Procedures) and much more.

https://github.com/ScorpionesLabs/MSSqlPwner/tree/main רוצה לראות פחות

The "SubDomain Analyzer" tool written in Python language.
The purpose of "SubDomain Analyzer" getting full detailed information of selected domain.
The "SubDomain Analyzer" gets data from domain by following steps:

1. Trying to get the zone tranfer file.
2. Gathers all information from DNS records.
3. Analyzing the DNS records (Analyzing all IP's addresses from DNS records and test class C range from IP address (For example: 127.0.0.1/24) and getting all data that containing… רוצה לראות יותר

The "SubDomain Analyzer" tool written in Python language.
The purpose of "SubDomain Analyzer" getting full detailed information of selected domain.
The "SubDomain Analyzer" gets data from domain by following steps:

1. Trying to get the zone tranfer file.
2. Gathers all information from DNS records.
3. Analyzing the DNS records (Analyzing all IP's addresses from DNS records and test class C range from IP address (For example: 127.0.0.1/24) and getting all data that containing the domain being analyzed).
4. Tests subdomains by dictionary attack.
The Subdomain Analyzer can keep new addresses which found on DNS records or IP's analyzer. The Subdomain Analyzer can brings a very qualitative information about the domain being analyzed, additionally, he shows a designed report with all the data. רוצה לראות פחות

This PoC script relies of a vulnerability in WordPress systems been available from version 3.5 to version 4.0 (included) that allow a brute force attacks through xmlrpc.php file A malicious attacker might to hack a WordPress users using this vulnerability