nccgroup/Change-Lockscreen

Stars
138
Rank 264,508 (Top 6 %)
Language
C#
License
GNU Affero Genera...
Created over 5 years ago
Updated almost 3 years ago

nccgroup/Change-Lockscreen

nccgroup

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Offensive tool to trigger network authentications as SYSTEM

Change-Lockscreen

Change-Lockscreen is a tool to trigger network authentications as SYSTEM by changing the Windows lock screen image from the command line to perform privilege escalation attacks such as the one described in the post linked below:

https://research.nccgroup.com/2019/08/20/kerberos-resource-based-constrained-delegation-when-an-image-change-leads-to-a-privilege-escalation

Features

By default, Windows 10 has a feature called Windows Spotlight. It downloads and displays lock screen images automatically.

When this feature is enabled, Change-Lockscreen will disable it and establish the image specified in the arguments
Otherwise if the user has a custom lock screen image, Change-Lockscreen will be in charge to run a backup of it, trigger the network authentication, and establish it again

Note: while the PowerShell version of the tool works reliably, the C# version sometimes fails to restore the original image.

Usage

Change-Lockscreen -FullPath \\[imageserver]@[port]\[fakePath]\[image.jpg]
Change-Lockscreen -Webdav \\[imageserver]@[port]\

Authors

Simone Salucci
Daniel López Jiménez

Acknowledgements

ScoutSuite

Multi-Cloud Security Auditing Tool

Scout2

Security auditing tool for AWS environments

sobelow

Security-focused static analysis for the Phoenix Framework

Winpayloads

Undetectable Windows Payload Generation

demiguise

HTA encryption tool for RedTeams

house

A runtime mobile application analysis toolkit with a Web GUI, powered by Frida, written in Python.

PMapper

A tool for quickly evaluating IAM permissions in AWS.

redsnarf

RedSnarf is a pen-testing / red-teaming tool for Windows environments

featherduster

An automated, modular cryptanalysis tool; i.e., a Weapon of Math Destruction

SocksOverRDP

Socks5/4/4a Proxy support for Remote Desktop Protocol / Terminal Services / Citrix / XenApp / XenDesktop

singularity

A DNS rebinding attack framework.

exploit_mitigations

Knowledge base of exploit mitigations available across numerous operating systems, architectures and applications and versions.

AutoRepeater

Automated HTTP Request Repeating With Burp Suite

fuzzowski

the Network Protocol Fuzzer that we will want to use.

aws-inventory

Discover resources created in an AWS account.

BurpSuiteHTTPSmuggler

A Burp Suite extension to help pentesters to bypass WAFs or test their effectiveness using a number of techniques

Sniffle

A sniffer for Bluetooth 5 and 4.x LE

sadcloud

A tool for standing up (and tearing down!) purposefully insecure cloud infrastructure

TriforceAFL

AFL/QEMU fuzzing with full-system emulation.

nmap-nse-vulnerability-scripts

NMAP Vulnerability Scanning Scripts

LoggerPlusPlus

Advanced Burp Suite Logging Extension

nccfsas

Information released publicly by NCC Group's Full Spectrum Attack Simulation (FSAS) team.

freddy

Automatically identify deserialisation issues in Java and .NET applications by using active and passive scans

phantap

Phantom Tap (PhanTap) - an ‘invisible’ network tap aimed at red teams

azucar

Security auditing tool for Azure environments

tracy

A tool designed to assist with finding all sinks and sources of a web application and display these results in a digestible manner.

VCG

VisualCodeGrepper - Code security scanning tool.

Visual Basic .NET

Cyber-Defence

Information released publicly by NCC Group's Cyber Incident Response Team

scrying

A tool for collecting RDP, web and VNC screenshots all in one place

autochrome

This tool downloads, installs, and configures a shiny new copy of Chromium.

wssip

Application for capturing, modifying and sending custom WebSocket data from client to server and vice versa.

blackboxprotobuf

Blackbox protobuf is a Burp Suite extension for decoding and modifying arbitrary protobuf messages without the protobuf type definition.

idahunt

idahunt is a framework to analyze binaries with IDA Pro and hunt for things in IDA Pro

autopwn

Specify targets and run sets of tools against them

CrossSiteContentHijacking

Content hijacking proof-of-concept using Flash, PDF and Silverlight

Solitude

Solitude is a privacy analysis tool that enables anyone to conduct their own privacy investigations. Whether a curious novice or a more advanced researcher, Solitude makes the process of evaluating user privacy within an app accessible for everyone.

vlan-hopping---frogger

Easy 802.1Q VLAN Hopping

shocker

A tool to find and exploit servers vulnerable to Shellshock

DriverBuddy

DriverBuddy is an IDA Python script to assist with the reverse engineering of Windows kernel drivers.

WMIcmd

A command shell wrapper using only WMI for Microsoft Windows

acCOMplice

Tools for discovery and abuse of COM hijacks

SusanRTTI

Another RTTI Parsing IDA plugin

umap

The USB host security assessment tool

metasploitavevasion

Metasploit AV Evasion Tool

keimpx

Check for valid credentials across a network over SMB

umap2

Umap2 is the second revision of NCC Group's python based USB host security assessment tool.

depthcharge

A U-Boot hacking toolkit for security researchers and tinkerers

UPnP-Pentest-Toolkit

UPnP Pentest Toolkit for Windows

GTFOBLookup

Offline command line lookup utility for GTFOBins (https://github.com/GTFOBins/GTFOBins.github.io), LOLBAS (https://github.com/LOLBAS-Project/LOLBAS), WADComs (https://wadcoms.github.io), and HijackLibs (https://hijacklibs.net/).

G-Scout

Google Cloud Platform Security Tool

asatools

Main repository to pull all NCC Group Cisco ASA-related tool projects.

cisco-SNMP-enumeration

Automated Cisco SNMP Enumeration, Brute Force, Configuration Download and Password Cracking

thetick

A simple embedded Linux backdoor.

AWS-recipes

A number of Recipes for AWS

kube-auto-analyzer

Kubernetes Auto Analyzer

TPMGenie

TPM Genie is an I2C bus interposer for discrete Trusted Platform Modules

BinProxy

BinProxy is a proxy for arbitrary TCP connections. You can define custom message formats using the BinData gem.

TriforceLinuxSyscallFuzzer

A linux system call fuzzer using TriforceAFL

DetectWindowsCopyOnWriteForAPI

Enumerate various traits from Windows processes as an aid to threat hunting

pybeacon

A collection of scripts for dealing with Cobalt Strike beacons in Python

BKScan

BlueKeep scanner supporting NLA

typofinder

A finder of domain typos showing country of IP address

BLESuite

BLESuite is a Python package that provides an easier way to test Bluetooth Low Energy (BLE) device

SteppingStones

A Red Team Activity Hub

libslub

tcpprox

A small command-line TCP proxy utility written in Python

requests-racer

Small Python library that makes it easy to exploit race conditions in web apps with Requests.

LazyDroid

bash script to facilitate some aspects of an Android application assessment

chuckle

An automated SMB relay exploitation script.

whalescan

Whalescan is a vulnerability scanner for Windows containers, which performs several benchmark checks, as well as checking for CVEs/vulnerable packages on the container

gitpwnd

GitPwnd is a network penetration tool that lets you use a git repo for command and control of compromised machines

Carnivore

Tool for assessing on-premises Microsoft servers authentication such as ADFS, Skype, Exchange, and RDWeb

CollaboratorPlusPlus

Decoder-Improved

Improved decoder for Burp Suite

OutlookLeakTest

The Outlook HTML Leak Test Project

Wubes

Qubes containerization on Windows

port-scan-automation

Automate NMAP Scans and Generate Custom Nessus Policies Automatically

Hodor

Hodor! Fuzzer..

Zulu

The Zulu fuzzer

WinShareEnum

Windows Share Enumerator

memscan

Searches for strings, regex, credit card numbers of magnetic stripe card tracks in a Windows process's memory space

ebpf

eBPF - extended Berkeley Packet Filter tooling

argumentinjectionhammer

A Burp Extension designed to identify argument injection vulnerabilities.

cq

DroppedConnection

SCOMDecrypt

SCOMDecrypt is a tool to decrypt stored RunAs credentials from SCOM servers

GOATCasino

This is an intentionally vulnerable smart contract truffle deployment aimed at allowing those interested in smart contract security to exploit a wide variety of issues in a safe environment.

OneLogicalMyth_Shell

A HTA shell to assist with breakout assessments.

BLE-Replay

BLE-Replay is a Bluetooth Low Energy (BLE) peripheral assessment tool

cloud_ip_ranges

Identify IP addresses owned by public cloud providers

web3-decoder

ccs

WindowsDACLEnumProject

A collection of tools to enumerate and analyse Windows DACLs

raccoon

Salesforce object access auditor

DIBF

Windows NT ioctl bruteforcer and modular fuzzer

go-pillage-registries

Pentester-focused Docker registry tool to enumerate and pull images

DatajackProxy

Datajack Proxy allows you to intercept TLS traffic in native x86 applications across platforms

pcap-burp

Pcap importer for Burp

jwt-reauth

Berserko

Burp Suite extension to perform Kerberos authentication