Discover and read the best of Twitter Threads about #impacket
Most recents (8)
Disclosed today at @Disobey_fi - psexec from #impacket expose the target system for authenticated command execution as SYSTEM. That means any user that can authenticate over the network (usually Domain Users) can run code as SYSTEM over the network. 
@Disobey_fi If your psexec session is disrupted before clean-up, the service remains and will expose the target until it is restarted.
🧵 (1/) Bypassing IDS DCSync Signature for #secretsdump
I’ve been asked lately to bypass a private IDS rule for #impacket’s DCSync operation and I’ve immediately remembered this Charlie’s question ⬇️
I’ve been asked lately to bypass a private IDS rule for #impacket’s DCSync operation and I’ve immediately remembered this Charlie’s question ⬇️
🧵 (2/) The rule triggers when a bunch of SMB requests are followed by all this DRSUAPI stuff. Unlike #mimikatz or #DSInternals DCSync, the sequence of SMB+DRSUAPI traffic is unique for secretsdump[.]py attack, thus it becomes an IOC and can be fingerprinted ⬇️
🧵 (3/) The second series of the SMB requests is related to the RemoteOperations.connectSamr() call in the NTDSHashes class which is only needed to verify that’s out target is actually a DC, so it can be excluded from the attack with no consequences ⬇️
🧵 (1/x) I know you love #pentest stories, so here’s one of those ⬇️
There’s a non-DC computer (Victim) that is a member of the Exchange Trusted Subsytem group and has DCSync privs. The WebClient is ON but the MAQ=0 and domain functional level is 2012 R2 which prevents us ⤵️
There’s a non-DC computer (Victim) that is a member of the Exchange Trusted Subsytem group and has DCSync privs. The WebClient is ON but the MAQ=0 and domain functional level is 2012 R2 which prevents us ⤵️
(2/x) from abusing Key Credentials. Relaying to AD CS HTTP is not possible either. Here’s when I decided to go for SPN-less RBCD (credits to @tiraniddo) on a prod domain 🤦🏻♂️
But first let’s add a DNS record pointing to the attacker’s machine to coerce Victim over WebDav ⤵️
But first let’s add a DNS record pointing to the attacker’s machine to coerce Victim over WebDav ⤵️
(3/x) Now it’s all ready to go: Printer Bug + ntlmrelayx[.]py and we’re escalating a low privilege user (j.doe) to be trusted for delegation by Victim ⤵️
🧵 (1/) Forged Tickets Thread
Golden 🔑 tickets are no longer in fashion, so here’s a short memo on using Diamond 💎 (@exploitph) and Sapphire (@_nwodtuhs) tickets with ticketer[.]py from #Impacket. At first let’s recap what we already know about Golden tickets ⤵️
#ad #kerberos
Golden 🔑 tickets are no longer in fashion, so here’s a short memo on using Diamond 💎 (@exploitph) and Sapphire (@_nwodtuhs) tickets with ticketer[.]py from #Impacket. At first let’s recap what we already know about Golden tickets ⤵️
#ad #kerberos
🧵 (2/) Golden tickets are forged privileged TGTs that’re crafted completely offline. Having got krbtgt RC4 (NT hash) or AES key, a TA can specify some params (e.g., group membership, user’s RID, ticket validity period) to create and sign a fake PAC embedded inside the TGT ⤵️
🧵 (3/) Thus, the TA can provide the forged TGT to request an ST to any resource in the domain which will contain a copy of the fake PAC signed by the target service account. Since recently, we cannot use a non-existent account name as a result of CVE-2021-42287 mitigations ⤵️
[#HackTip ⚒️] (1/3) There’re a couple of ways to become a local admin on a box when you possess only the corresponding machine account NT hash. The first one being the well known Silver ticket technique that can be performed via ticketer[.]py from #Impacket ⬇️
(2/3) But a stealthier and cleaner way of impersonating a privileged account against the target machine is to use Delegate 2 Thyself technique which abuses #S4U2self phase of #S4U with an SPN alt name. It can be achieved via the -self & -altname options of getST[.]py ⬇️
(3/3) Credits to @elad_shamir, @exploitph and @_nwodtuhs for their tools and blogs:
shenaniganslabs.io/2019/01/28/Wag…
exploit.ph/revisiting-del…
github.com/SecureAuthCorp…
shenaniganslabs.io/2019/01/28/Wag…
exploit.ph/revisiting-del…
github.com/SecureAuthCorp…
🧶 (1/) Reproducing Masky Thread
So it’s a relaxing Friday evening to play with the new awesome #Masky tool by @_ZakSec. I’ll show you here how to reproduce its behavior with #CrackMapExec, #Impacket, #Sliver, #Certify and #Certipy.
Let’s go! ⤵️
#pentest #adcs
So it’s a relaxing Friday evening to play with the new awesome #Masky tool by @_ZakSec. I’ll show you here how to reproduce its behavior with #CrackMapExec, #Impacket, #Sliver, #Certify and #Certipy.
Let’s go! ⤵️
#pentest #adcs
🧶 (2/) First things first, I shall enumerate AD CS environment with #CrackMapExec and qwinsta the Victim machine via newly introduced tstool[.]py from #Impacket (thx @nopernik!). For the purpose of this demo I’ll use a DA account to interact with the Victim but any LA will do 👨🏻💻
🧶 (3/) I shall now prepare my team server and generate an encrypted Sliver beacon to use it with DInjector 💉
🧵(1/3) I get so excited every time I contribute to #impacket 🤗 Anyways, here’s an upcoming update to secretsdump[.]py ↪️ There’s now this -ldapfilter option that allows an attacker to #DCSync a bunch of user with a single shot 🧨
github.com/SecureAuthCorp…
github.com/SecureAuthCorp…
🧵 (2/3) Based on an LDAP query you can grab all the DAs, users from a particular OU, all those adminCount=1 accounts, etc. For me that happens to be extremely useful when you’ve exploited a critical low-hanging vulnerability
🧵 (3/3) which has instantly given you replication rights and you don’t even know yet whose hashes you wanna DCSync for persistence 😅
Thanks a lot to @0xdeaddood and @MartinGalloAr for the review. Will be merged soon 💪🏻
Thanks a lot to @0xdeaddood and @MartinGalloAr for the review. Will be merged soon 💪🏻
I'm going to <semi> live tweet this Internal Penetration Test. Calling the company Acme
Important notes:
Assumed Breach (Already have a Debian based image, no creds, but solely for the sake of having tools locally)
Landing in the SWIFT gateway network
Flags: DA/SWIFT 1/x
Important notes:
Assumed Breach (Already have a Debian based image, no creds, but solely for the sake of having tools locally)
Landing in the SWIFT gateway network
Flags: DA/SWIFT 1/x
Non-Evasive (we can sound alarms, they're only monitoring and validating our actions, this is not a purple team assessment to fill gaps in their NIPS)
Crystal/Glass/Full-Disclosure whatever your org calls "we'll give you any info you need to progress in terms of network topology"
Crystal/Glass/Full-Disclosure whatever your org calls "we'll give you any info you need to progress in terms of network topology"
