Aclpwn.Py – Exploit ACL Based Privilege Escalation Paths in Active Directory
Aclpwn.py is a tool that interacts with BloodHound to identify and exploit ACL based privilege escalation paths.
It takes a starting and ending point and will use Neo4j pathfinding algorithms to find the most efficient ACL based privilege escalation path.
Features of Aclpwn.Py Exploit ACL Based Privilege Escalation Paths in Active Directory
Aclpwn.Py currently has the following features:
- Direct integration with BloodHound and the Neo4j graph database (fast pathfinding)
- Supports any reversible ACL based attack chain (no support for resetting user passwords right now)
- Advanced pathfinding (Dijkstra) to find the most efficient paths
- Support for exploitation with NTLM hashes (pass-the-hash)
- Saves restore state, easy rollback of changes
- Can be run via a SOCKS tunnel
- Written in Python (2.7 and 3.5+), so OS independent
Installation of Aclpwn.py ACL Based Privilege Escalation
Aclpwn.py is compatible with both Python 2.7 and 3.5+. It requires the neo4j-driver, impacket and ldap3 libraries. You can install aclpwn.py via pip: pip install aclpwn. For Python 3, you will need the python36 branch of impacket since the master branch (and versions published on PyPI) are Python 2 only at this point.
This tool does not exploit any vulnerabilities, but relies on misconfigured (often because of delegated privileges) or insecure default ACLs. To solve these issues, it is important to identify potentially dangerous ACLs in your Active Directory environment with BloodHound. For detection, Windows Event Logs can be used.
You can download Aclpwn.py here:
Or read more here.
Topic: Hacking Tools
Vulhub – Pre-Built Vulnerable Docker Environments For Learning To Hack
Vulhub is an open-source collection of pre-built vulnerable docker environments for learning to hack. No pre-existing knowledge of docker is required, just execute two simple commands and you have a vulnerable environment.
Features of Vulhub Pre-Built Vulnerable Docker Environments For Learning To Hack
Vulhub contains many frameworks, databases, applications, programming languages and more such as:
- Drupal
- ffmpeg
- CouchDB
- ActiveMQ
- Glassfish
- Joombla
- JBoss
- Kibana
- Laravel
- Rails
- Python
- Tomcat
And many, many more.
To use Vulhub Pre-Built Vulnerable Docker Environments For Learning To Hack
Install the docker/docker-compose on Ubuntu 20.04:
|
1 2 3 4 5 6 7 8 9 10 11 |
# Install pip curl -s https://bootstrap.pypa.io/get-pip.py | python3 # Install the latest version docker curl -s https://get.docker.com/ | sh # Run docker service systemctl start docker # Install docker compose pip install docker-compose |
It is recommended to use a VPS of at least 1GB memory to build a vulnerability environment. The your-ip mentioned in the documentation refers to the IP address of your VPS. If you are using a virtual machine, it refers to your virtual machine IP, not the IP inside the docker container.
You can download Vulhub by:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 |
# Download project wget https://github.com/vulhub/vulhub/archive/master.zip -O vulhub-master.zip unzip vulhub-master.zip cd vulhub-master # Enter the directory of vulnerability/environment cd flask/ssti # Compile environment docker-compose build # Run environment docker-compose up -d |
Or read more here.
Topic: Exploits/Vulnerabilities
LibInjection – Detect SQL Injection (SQLi) and Cross-Site Scripting (XSS)
LibInjection is a C library to Detect SQL Injection (SQLi) and Cross-Site Scripting (XSS) through lexical analysis of real-world Attacks.
SQLi and other injection attacks remain the top OWASP and CERT vulnerability. Current detection attempts frequently involve a myriad of regular expressions which are not only brittle and error-prone but also proven by Hanson and Patterson at Black Hat 2005 to never be a complete solution. LibInjection is a new open-source C library that detects SQLi using lexical analysis. With little upfront knowledge of what SQLi is, the algorithm has been trained on tens of thousands of real SQLi attacks and hundreds of millions of user inputs taken from a Top 50 website for high precision and accuracy.
In addition, the algorithm categorizes SQLi attacks and provides templates for new attacks or new fuzzing algorithms.
LibInjection currently supports:
- C and C++
- PHP
- Python
- Lua
- Java (external port)
- [LuaJIT/FFI]
LibInjection is available for integration into applications, web application firewalls, or porting to other programming languages.
You can download LibInjection here:
Or read more here.
Topic: Countermeasures
Grype – Vulnerability Scanner For Container Images & Filesystems
Grype is a vulnerability scanner for container images and filesystems with an easy to install binary that supports the packages for most major *nix based operating systems.
Features of Grype Vulnerability Scanner For Container Images & Filesystems
Scan the contents of a container image or filesystem to find known vulnerabilities and find vulnerabilities for major operating system packages in:
- Alpine
- BusyBox
- CentOS / Red Hat
- Debian
- Ubuntu
Find vulnerabilities for language-specific packages:
- Ruby (Bundler)
- Java (JARs, etc)
- JavaScript (NPM/Yarn)
- Python (Egg/Wheel)
- Python pip/requirements.txt/setup.py listings
Supports Docker and OCI image formats
Using Grype Vulnerability Scanner For Container Images & Filesystems
To scan for vulnerabilities in an image:
|
1 |
grype <image> |
Grype can scan a variety of sources beyond those found in Docker.
|
1 2 3 4 5 |
# scan a container image archive (from the result of `docker image save ...`, `podman save ...`, or `skopeo copy` commands) grype path/to/image.tar # scan a directory grype dir:path/to/dir |
The output format for Grype is configurable as well:
|
1 |
grype <image> -o <format> |
Where the formats available are:
- json: Use this to get as much information out of Grype as possible!
- cyclonedx: An XML report conforming to the CycloneDX 1.2 specification.
- table: A columnar summary (default).
You can download Grype here:
Or read more here.
Topic: Security Software
APT-Hunter – Threat Hunting Tool via Windows Event Log
APT-Hunter is a threat hunting tool for windows event logs made from the perspective of the purple team mindset to provide detection for APT movements hidden in the sea of windows event logs. This will help you to decrease the time to uncover suspicious activity and the tool will make good use of the windows […]
Topic: Security Software
GitLab Watchman – Audit Gitlab For Sensitive Data & Credentials
GitLab Watchman is an application that uses the GitLab API to audit GitLab for sensitive data and credentials exposed internally – this includes code, commits, wiki pages and more. GitLab Watchman searches GitLab for internally shared projects and looks at: Code Commits Wiki pages Issues Merge requests Milestones For the following data: GCP keys and […]
Topic: Countermeasures