I share with you my discoveries around pentesting and security research.

Tools

Here is the list of the tools I had the occasion to create and publish.

Risks of Microsoft Teams and Microsoft 365 Groups

Microsoft Teams has become even more popular in the current context (blah blah pandemic, blah blah work from home). It allows users to collaborate using Groups that they create and manage themselves. Groups can be public or private (on invitation), but many group owners use the public option, even though it allows anyone in the organization to access their chats, shared files and more! 😮 We will also see that even private Groups disclose their title, description, and members to anyone, and sometimes this alone is enough to disclose restricted information. 🕵️

m365_groups_enum on GitHub


NTLM relay of ADWS (WCF) connections with Impacket

The NTLM relay feature of Impacket’s ntlmrelayx.py used to offer only two servers, HTTP and SMB, for incoming NTLM-authenticated connections using those two protocols, which can then be relayed to more protocols: HTTP, SMB, LDAP, SMTP, etc. I had a situation where the incoming NTLM-authenticated connection used ADWS (built upon NetTcpBinding WCF), so I implemented this new server protocol in Impacket 😉

wcfrelayserver.py on GitHub


"Twitter likes" Python tool

This small Python 3 project fetches from the Twitter API all the tweets you (or even another account) liked, saves them (for backup) and displays them as a nice HTML page.

twitter_likes on GitHub


"Google Drive uploader" Python tool

This Python 3 script archives a local folder as a ZIP file and uploads it to a Google Drive folder. It makes it easy to back up a folder from a server, for example.

gdrive-uploader on GitHub


Splunk Universal Forwarder Hijacking 2: SplunkWhisperer2

You may have deployed Splunk Universal Forwarders on your systems to forward data to your SIEM, but what if they are not properly secured and could be hijacked? Attackers could leverage them to remotely execute code (RCE)!

I share two new tools to demonstrate this technique.

SplunkWhisperer2 on GitHub


Burp extension "Scan manual insertion point"

The “Scan manual insertion point” Burp extension lets the user select a region of a request (typically a parameter value) and, via the context menu, run an active scan of just the insertion point defined by that selection. It is similar to the “actively scan defined insertion points” feature in the context menu of the Intruder, without the burden of having to send the request to the Intruder.

Just select your insertion point within a request, right-click and select “Scan manual insertion point”.

burp-scan-manual-insertion-point on GitHub
