Posts

Having improved/built on impacket internally at my work place, I wanted to take the next step in contributing to the library by way of new modules. I ended up landing on two: MS-NEGOEX, which remains a work in progress(updates soon) and the focus of this blog, MS-RAA. MS-RAA turned out to be a great first protocol to implement since the spececification is short(less than 50 pages), most of it maps cleanly onto structures within Impacket as well as there being plenty of RPC protocols to look towards and ultimately, the protocol itself answers a question that comes up constantly during an engagement: what can this principal actually access? ...

The Problem If you are like me, you have found yourself digging through Microsoft specifications and RFC documentation trying to wrangle with a new exploit or tooling to get DA faster than your peers. The biggest problem one may encounter is the specifications are meant for developers; they will tell you the song and dance in its entirety, but it never goes beyond in any way that may be useful for you to weaponize. Fixing that may potentially lay with using the Windows 2003 Source code. ...

The recent leak as well as it being brought to my attention by Ian from Packetlabs, made me super interested in the malware Ive been hearing so much about. The internet is always lit ablaze whenever these happen so it was pretty exciting to get the chance at getting hands on with the sample. Published openly by a group calling themselves TeamPCP, the repository last/most recent commit message “Shai-Hulud: A Gift From TeamPCP” is an aptly Dune reference to the great sandworm. Not sure how much of a gift that is but its a gift non the less…? ...

A few months ago I started what I thought was fairly straight forward piece of work: rewrite/fork Impacket internally for use at my current company. What I didn’t expect was that the project would end up dragging me into the deep end of Kerberos, NTLM, SPNEGO, SMB2/3, DCE/RPC and DCOM in a way that has changed the way I view offensive tooling, my mindset as an operator and finally my skillsets as a operator capable of emulating the stealthiest of adversaries. ...

Introduction: The Day My Toolbox Failed Me Picture this: You’re deep into an engagement, credentials in hand, ready to unleash your best, brightest ideas And then… nothing. Almost every single one of your tool throw the same error: {'desc': 'StrongerAuthRequired', 'result': 8, 'message': '...'} Welcome to my recent engagement, where I learned that modern AD hardening doesn’t just make exploitation harder but also can materially impact the tooling used for the job. In my case, the casualty list was pretty much every Python tool using the ldap3 library: ...

I was doing an internal engagement some time ago for a client and noticed that the CA was configured for constrained delegation with a system that looked like a Web Server. I first noticed this using nxc’s --find-delegation switch present in the LDAP module, but also confirmed it with BloodHound as follows: A side note: if you want to make the delegation check using the AD PowerShell module due to its ability to bypass AMSI/Defender since its Microsoft-signed, as well as being exempt from PowerShell’s constrained language mode/AppLocker (when using the DLL import method), then you can do that via: ...

During a recent penetration test I did against a critical infrastructure operator, I had achieved Domain Administrator through two independent routes; ADCS ESC4, and by combining an LMCompatibility value of 2 with LDAP signing disabled. With that out of the way, I had time to shift focus away from the AD and identity side of the organization and focus my attention to their edge devices, of which there were many. ...

Quick Intro As an electrical engineer with a passion for electronics, I have recently been reverse engineering and researching commonly deployed edge and IoT devices found in critical use environments. This research focuses on the Mozart FM Transmitter (web management interface version WEBMOZZI-00287), manufactured by DB Broadcast. I have discovered about 14 CVEs and likely more exist in the software as it is rather poorly made and its very concerning that the vendor supplies technology to major organizations like the United Nations, The BBC, CNBC and others. ...

While the core concepts aren’t new, I believe the use of ADCS for domain computer takeover through Virtual Account abuse is previously undocumented/unexplored route to achieving your goals. I would like to start off by giving credit to my coworker, Michael(https://www.linkedin.com/in/michael-mcin/) for exploring today’s abuse paths but also for setting up a home environment to develop PoC for the blog. Michael and I were both on a somewhat big internal penetration test (an assumed breach scenario) together and he had managed to get his hands on the credentials to the SA (System Administrator) account on one of the client’s MSSQL databases. Immediately the first thing checked for was the ability to execute commands and lo and behold, we could : ). ...

We all know the classic RID 500 administrator account, the one who’s able to use NTLM authentication even with “Protected user” membership and is your go to during delegation attacks but there’s a kink in this lateral movement free for all; The Domain Controller doesn’t actually work the that way. The Domain Controller functions differently to other computers in that the default local Administrator that exists on other systems by default is not enabled. The default local Administrator on the Domain Controller in fact plays a specific role that it doesn’t on other systems; Its used exclusively for disaster recover. ...