Microsoft Teams has become even more popular in the current context (blah blah pandemic, blah blah work from home). It allows users to collaborate using Groups that they create and manage themselves. Groups can be public or private (on invitation), but many group owners use the public option, even though it allows anyone in the organization to access their chats, shared files and more! 😮 We will also see that even private Groups disclose their title, description, and members to anyone, and sometimes this alone is enough to disclose restricted information. 🕵️m365_groups_enum on GitHub
The NTLM relay feature of Impacket’s
ntlmrelayx.py used to offer only two servers, HTTP and SMB, for incoming NTLM authenticated connections using those two protocols. Which can then be relayed to more protocols: HTTP, SMB, LDAP, SMTP, etc. I had a situation where the incoming NTLM authenticated connection used ADWS (built upon NetTcpBinding WCF) so I implemented this new server protocol in Impacket 😉
You may have deployed Splunk Universal Forwarders on your systems to forward to your SIEM, but what if they are not properly secured and could be hijacked? Attackers could leverage them to remotely execute code (RCE)!
I share two new tools to demonstrate this technique.SplunkWhisperer2 on GitHub
The “Scan manual insertion point” Burp extension lets the user select a region of a request (typically a parameter value), and via the context menu do an active scan of just the insertion point defined by that selection. It is similar with the “actively scan defined insertion points” feature in the context menu of the Intruder, without the burden of having to send the request to the Intruder.
Just select your insertion point within a request, right click and select “Scan manual insertion point”.burp-scan-manual-insertion-point on GitHub