BloodHound – Hacking Active Directory Trust Relationships


BloodHound is for hacking active directory trust relationships and it uses graph theory to reveal the hidden and often unintended relationships within an Active Directory environment.

BloodHound - Hacking Active Directory Trust Relationships


Attackers can use BloodHound to easily identify highly complex attack paths that would otherwise be impossible to quickly identify. Defenders can use it to identify and eliminate those same attack paths. Both blue and red teams can use BloodHound to easily gain a deeper understanding of privilege relationships in an Active Directory environment.

It is a single page JavaScript web application, built on top of Linkurious, compiled with Electron, with a Neo4j database fed by a PowerShell ingestor.

BloodHound Hacking Active Directory Options

Enumeration Options

  • CollectionMethod – The collection method to use. This parameter accepts a comma separated list of values. Has the following potential values (Default: Default):
    • Default – Performs group membership collection, domain trust collection, local admin collection, and session collection
    • Group – Performs group membership collection
    • LocalAdmin – Performs local admin collection
    • RDP – Performs Remote Desktop Users collection
    • DCOM – Performs Distributed COM Users collection
    • GPOLocalGroup – Performs local admin collection using Group Policy Objects
    • Session – Performs session collection
    • ComputerOnly – Performs local admin, RDP, DCOM and session collection
    • LoggedOn – Performs privileged session collection (requires admin rights on target systems)
    • Trusts – Performs domain trust enumeration
    • ACL – Performs collection of ACLs
    • Container – Performs collection of Containers
    • ObjectProps – Collects object properties such as LastLogon and DisplayName
    • DcOnly – Performs collection using LDAP only. Includes Group, Trusts, ACL, ObjectProps, Container, and GPOLocalGroup.
    • All – Performs all Collection Methods except GPOLocalGroup
  • SearchForest – Search all the domains in the forest instead of just your current one
  • Domain – Search a particular domain. Uses your current domain if null (Default: null)
  • Stealth – Performs stealth collection methods. All stealth options are single threaded.
  • SkipGCDeconfliction – Skip Global Catalog deconfliction during session enumeration. This can speed up enumeration, but will result in possible inaccuracies in data.
  • ExcludeDc – Excludes domain controllers from enumeration (avoids Microsoft ATA flags :) )
  • ComputerFile – Specify a file to load computer names/IPs from
  • OU – Specify which OU to enumerate

Connection Options

  • DomainController – Specify which Domain Controller to connect to (Default: null)
  • LdapPort – Specify what port LDAP lives on (Default: 0)
  • SecureLdap – Connect to AD using Secure LDAP instead of regular LDAP. Will connect to port 636 by default.
  • IgnoreLdapCert – Ignores LDAP SSL certificate. Use if there’s a self-signed certificate for example
  • LDAPUser – Username to connect to LDAP with. Requires the LDAPPass parameter as well (Default: null)
  • LDAPPass – Password for the user to connect to LDAP with. Requires the LDAPUser parameter as well (Default: null)
  • DisableKerbSigning – Disables LDAP encryption. Not recommended.

Performance Options

  • Threads – Specify the number of threads to use (Default: 10)
  • PingTimeout – Specifies the timeout for ping requests in milliseconds (Default: 250)
  • SkipPing – Instructs Sharphound to skip ping requests to see if systems are up
  • LoopDelay – The number of seconds in between session loops (Default: 300)
  • MaxLoopTime – The amount of time to continue session looping. Format is 0d0h0m0s. Null will loop for two hours. (Default: 2h)
  • Throttle – Adds a delay after each request to a computer. Value is in milliseconds (Default: 0)
  • Jitter – Adds a percentage jitter to throttle. (Default: 0)

Output Options

  • JSONFolder – Folder in which to store JSON files (Default: .)
  • JSONPrefix – Prefix to add to your JSON files (Default: “”)
  • NoZip – Don’t compress JSON files to the zip file. Leaves JSON files on disk. (Default: false)
  • EncryptZip – Add a randomly generated password to the zip file.
  • ZipFileName – Specify the name of the zip file
  • RandomFilenames – Randomize output file names
  • PrettyJson – Outputs JSON with indentation on multiple lines to improve readability. Tradeoff is increased file size.

Cache Options

  • CacheFile – Filename for the Sharphound cache. (Default: BloodHound.bin)
  • NoSaveCache – Don’t save the cache file to disk. Without this flag, BloodHound.bin will be dropped to disk
  • Invalidate – Invalidate the cache file and build a new cache

Misc Options

  • StatusInterval – Interval to display progress during enumeration in milliseconds (Default: 30000)
  • Verbose – Enables verbose output

You can download BloodHound here:

Linux x64 – BloodHound-linux-x64.zip
Windows x64 – BloodHound-win32-x64.zip
Source – BloodHound-2.1.0.zip

Or read more here.


Topic: Hacking Tools

SecLists – Usernames, passwords, URLs, sensitive data patterns, fuzzing payloads, web shells


SecLists is the security tester’s companion. It’s a collection of multiple types of lists used during security assessments, collected in one place.

SecLists - Usernames, passwords, URLs, sensitive data patterns, fuzzing payloads, web shells


List types include usernames, passwords, URLs, sensitive data patterns, fuzzing payloads, web shells, and many more.

The goal is to enable a security tester to pull this repository onto a new testing box and have access to every type of list that may be needed.

Contents of SecLists

Each section has tonnes of content including the below:

  • Discovery lists (DNS, SNMP, Web content)
  • Fuzzing Payloads (Databases, LFI, SQLi, XSS)
  • Password lists (Common credentials, cracked hashes, honeypot captures, leaked lists)
  • Data Pattern lists
  • Payload files (Zip bombs, flash, images)
  • Username lists (Honeypot captures)
  • Web shells

Install SecLists

Zip

Git (Small)

Git (Complete)

You can access all the lists here:

https://github.com/danielmiessler/SecLists


Topic: Hacking Tools

DeepSound – Audio Steganography Tool


DeepSound is an audio steganography tool and audio converter that hides secret data into audio files, the application also enables you to extract secret files directly from audio files or audio CD tracks.

DeepSound - Audio Steganography Tool


This audio steganography tool can be used as copyright marking software for wave, flac, wma, ape, and audio CD.

DeepSound also support encrypting secret files using AES-256(Advanced Encryption Standard) to improve data protection. The application additionally contains an easy to use Audio Converter Module that can encode several audio formats (FLAC, MP3, WMA, WAV, APE) to others (FLAC, MP3, WAV, APE).

How to use DeepSound Audio Steganography Tool

To hide data into audio file, follow these steps:

  • Click to ‘Open carrier files (F2)’ or drag and drop audio file (flac, wav, wma, mp3, ape) to Carrier audio files list.
  • Click to ‘Add secret files (F3)’ or drag and drop secret files into the Secret files list on the bottom side of application.
  • Press F4 key or click to ‘Encode secret files’ button.
  • You can choose output audio format (wav, flac or ape). DeepSound does not support wma output format. If you want to hide data into wma, hide secret data into wav file and then use external software such as Windows Media Encoder for convert wav to wma lossless audio format.
  • In ‘Encode secret files’ dialog window you can turn on/off AES-256 encryption. Modified audio file will be copied to output directory. If you want to change output directory, click to Settings.
  • Click to ‘Encode secret files’ button to start hiding secret files into carrier audio file.

You can download DeepSound here:

DeepSoundSetup.msi

Or read more here.


Topic: Cryptography

What are the MOST Critical Web Vulnerabilities in 2019?


So what is wild on the web this year? Need to know about the most critical web vulnerabilities in 2019 to protect your organization?

What are the MOST Critical Web Vulnerabilities in 2019

Well luckily for you Acunetix compiles an annual web application vulnerability report which is a fairly hefty piece of analysis on data gathered from the previous year. This is compiled from the automated web and network perimeter scans run on the Acunetix Online platform, over a 12 month period, across more than 10,000 scan targets.

To be more specific:

  • 67,355 Network scans
  • 10,000 Scan targets
  • 76,686 Web scans

It was found that as many that almost half of the scanned websites contain high severity vulnerabilities with almost all containing medium severity vulnerabilities.

Although SQL Injection vulnerabilities are on the slight decline, XSS vulnerabilities, vulnerable JavaScript libraries, and WordPress related issues were found to each claim a significant 30% of the sampled targets.

2019 High Severity Vulnerabilities

What are the most critical web vulnerabilities in 2019?

The report gives you the low down on:

  • Which vulnerabilities are rising and falling in frequency
  • Current security concerns, such as the increasing complexity of new apps, the accelerating rate of new versions, and the problem of scale
  • Changes in threat landscape from both the client and server sides
  • The four major stages of vulnerability analysis
  • Vulnerability findings by type and severity
  • An analysis of each discovered vulnerability in terms of how it works, its statistical status and pointers for remediation.

So, top line message – keep yourself safe!

You can download the full report here:

Acunetix Web Application Vulnerability Report 2019


Topic: Advertorial
GoBuster - Directory/File & DNS Busting Tool in Go

GoBuster – Directory/File & DNS Busting Tool in Go

GoBuster is a Go-based tool used to brute-force URIs (directories and files) in web sites and DNS subdomains (with wildcard support) – essentially a directory/file & DNS busting tool. The author built YET ANOTHER directory and DNS brute forcing tool because he wanted.. … something that didn’t have a fat Java GUI (console FTW). … […]

Topic: Hacking Tools
BDFProxy - Patch Binaries via MITM - BackdoorFactory + mitmProxy

BDFProxy – Patch Binaries via MiTM – BackdoorFactory + mitmproxy

BDFProxy allows you to patch binaries via MiTM with The Backdoor Factory combined with mitmproxy enabling on the fly patching of binary downloads (software updates for example) from vendors that don’t validate data integrity. The Backdoor Factory allows you to patch binaries with shell-code so combining that with mitmproxy, which is a Python proxy-server that […]

Topic: Hacking Tools