Rich Warren

@buffaloverflow

Red Team // Cyber Team Hunter on

Vrijeme pridruživanja: svibanj 2011.
142 fotografije ili videozapisa Fotografije i videozapisi

Tweetovi

Blokirali ste korisnika/cu @buffaloverflow

Jeste li sigurni da želite vidjeti te tweetove? Time nećete deblokirati korisnika/cu @buffaloverflow

  1. 14. sij

    Notes on how NetScaler passwords are hashed. (But don't use my crappy rule now has added support 😊)

    1 reply 8 proslijeđenih tweetova 15 korisnika označava da im se sviđa
    Poništi
  2. 14. sij

    Ok AES-256 encrypted LDAP passwords in ns.conf in ADC/NetScaler have been broken. You need to change those too.

    Odgovor korisnicima @buffaloverflow @n0x08
    just looked at that, the new key is right there too :) just switched to aes256-cbc , see
    53 proslijeđena tweeta 80 korisnika označava da im se sviđa
    Poništi
  3. proslijedio/la je Tweet
    14. sij
    Odgovor korisnicima

    This is how is used to be done, IIRC theyve changed it since 10.5 at some point. Easier way is to copy the encrypted value into your own local Netscaler and just set it to auth against a ncat listener or something

    2 proslijeđena tweeta 7 korisnika označava da im se sviđa
    Poništi
  4. 13. sij

    If you see the attacker reading /var/nstmp/sess_* then they just stole authenticated cookies which can be re-used

    1 reply 22 proslijeđena tweeta 80 korisnika označava da im se sviđa
    Prikaži ovu nit
    Prikaži ovu nit
    Poništi
  5. 13. sij

    CVE-2019-19781 post-exploitation notes: If you are seeing attackers reading your /flash/nsconfig/ns.conf file then you need to change all passwords. The SHA512 passwords are easily crackable with hashcat.

    10 replies 196 proslijeđenih tweetova 461 korisnik označava da mu se sviđa
    Prikaži ovu nit
    Prikaži ovu nit
    Poništi
  6. 13. sij

    Dear followers, please can someone with a known vulnerable NetScaler run this check for me? Make the following request against the VIP (not management interface): POST /vpns/portal/scripts/newbm.pl

    Odd thing about some of the Citrix ADC/NetScaler exploits/scanners.. the ones written in python use the requests module, which normalizes the path so /vpn/../vpns/ => /vpns/ Does that mean people are getting false negatives on the vuln check, or that /../ is really not needed?
    1 reply 6 proslijeđenih tweetova 11 korisnika označava da im se sviđa
    Poništi
  7. 12. sij

    Odd thing about some of the Citrix ADC/NetScaler exploits/scanners.. the ones written in python use the requests module, which normalizes the path so /vpn/../vpns/ => /vpns/ Does that mean people are getting false negatives on the vuln check, or that /../ is really not needed?

    5 replies 14 proslijeđenih tweetova 40 korisnika označava da im se sviđa
    Poništi
  8. 11. sij

    And (I cant believe anyone would do this, but) if you expose your management interface to the internet, don't bother looking for ../ in the request path. It can be exploited without traversal. Just apply the mitigation and go enjoy your weekend 😉

    RE: CVE-2019-19781 detections (Citrix NetScaler/ADC RCE) Although the vulnerable code mandates the the first request *must* be a POST request - the second request can be a HEAD or even a PUT and will still get processed by the template engine.
    11 proslijeđenih tweetova 37 korisnika označava da im se sviđa
    Poništi
  9. 11. sij

    RE: CVE-2019-19781 detections (Citrix NetScaler/ADC RCE) Although the vulnerable code mandates the the first request *must* be a POST request - the second request can be a HEAD or even a PUT and will still get processed by the template engine.

    1 reply 42 proslijeđena tweeta 99 korisnika označava da im se sviđa
    Poništi
  10. proslijedio/la je Tweet
    11. sij

    Multiple exploits were released overnight for CVE-2019-19781 in Citrix ADC/Netscaler - we should all prepare for mass exploitation by a variety of actors as we saw with the various VPN issues last year - details here:

    1 reply 39 proslijeđenih tweetova 53 korisnika označavaju da im se sviđa
    Poništi
  11. 10. sij

    Been running a honeypot for this bug for a few days now. Last 24 hours there has been an increase in internet wide scanning

    Exploit for Citrix NetScaler CVE-2019-19781. Very interesting bug(s)! 'touch /tmp/CVE-2019-19781' because I'm lazy/busy 😉
    3 proslijeđena tweeta 16 korisnika označava da im se sviđa
    Poništi
  12. 10. sij

    Detection: Exploited with 1 POST + 1 GET reqest. As mentioned before, you can look for "/vpns/" in the path, but also "../" in header values for the POST. Probably shouldn't say *which* header at this point. This will be followed by a GET request for a file ending in ".xml".

    Exploit for Citrix NetScaler CVE-2019-19781. Very interesting bug(s)! 'touch /tmp/CVE-2019-19781' because I'm lazy/busy 😉
    20 proslijeđenih tweetova 80 korisnika označava da im se sviđa
    Poništi
  13. 10. sij

    Exploit for Citrix NetScaler CVE-2019-19781. Very interesting bug(s)! 'touch /tmp/CVE-2019-19781' because I'm lazy/busy 😉

    32 proslijeđena tweeta 131 korisnik označava da mu se sviđa
    Poništi
  14. 1. sij

    Legit just got my first "happy 50th birthday" email. Happy birthday y'all 😅🥳

    1 proslijeđeni tweet 12 korisnika označava da im se sviđa
    Poništi
  15. 30. lis 2019.

    Really enjoyed the livestream coverage that I got to see. Hoping to catch up when I have some free time.

    1 proslijeđeni tweet 1 korisnik označava da mu se sviđa
    Poništi
  16. 30. lis 2019.

    Thanks Humbled 🙏 I always dreamed about what it would be like to maybe win one of these someday! Imma let you finish.. but, Nick shares the spiciest tweets of all time! 🏆🌶

    1 reply 1 proslijeđeni tweet 10 korisnika označava da im se sviđa
    Poništi
  17. 26. lis 2019.

    Who did this

    5 korisnika označava da im se sviđa
    Poništi
  18. 14. lis 2019.

    Saw some peeps saying this doesn't work anymore... it does! Maybe you are just getting tripped up by Defender emulation (Foretype anyone? 🙃). All I can say is, make sure you've checked out 's truly excellent Defender research 👍

    Was surprised this HTA delivery method never gained major traction in the wild. Embeds encrypted HTA content in .HTML files which is decrypted in the browser and executed without being a child process of mshta.exe.
    11 proslijeđenih tweetova 28 korisnika označava da im se sviđa
    Poništi
  19. proslijedio/la je Tweet
    7. lis 2019.

    Just merged PR into master. Nice feature, thanks a lot Rich!

    Added support for SMB2 snapshot listing/browsing/downloading to impacket. Cool feature for dumping NTDS etc. over pure SMB
    1 reply 29 proslijeđenih tweetova 60 korisnika označava da im se sviđa
    Poništi
  20. 30. ruj 2019.

    Added support for SMB2 snapshot listing/browsing/downloading to impacket. Cool feature for dumping NTDS etc. over pure SMB

    1 reply 117 proslijeđenih tweetova 257 korisnika označava da im se sviđa
    Poništi

@buffaloverflow još nije objavio nijedan Tweet.

Čini se da učitavanje traje već neko vrijeme.

Twitter je možda preopterećen ili ima kratkotrajnih poteškoća u radu. Pokušajte ponovno ili potražite dodatne informacije u odjeljku Status Twittera.

    Možda bi vam se svidjelo i ovo:

    ·