Oh by the way, here are some Cypher queries for #Bloodhound to find all kinds of Kerberos delegations
// Unconstrained Delegation (userAccountControl flag TRUSTED_FOR_DELEGATION).
// Domain controllers carry this flag by default, so expect them in the results.
MATCH (c {unconstraineddelegation:true}) RETURN c

// Constrained Delegation with Protocol Transition (TRUSTED_TO_AUTH_FOR_DELEGATION set):
// the service can obtain a forwardable ticket for any user via S4U2self, then S4U2proxy to the listed SPNs
MATCH (c) WHERE NOT c.allowedtodelegate IS NULL AND c.trustedtoauth=true RETURN c

// Constrained Delegation without Protocol Transition (Kerberos-only):
// S4U2proxy only works for users who already authenticated to the service with Kerberos
MATCH (c) WHERE NOT c.allowedtodelegate IS NULL AND c.trustedtoauth=false RETURN c

// Resource-Based Constrained Delegation: principal u is listed in c's
// msDS-AllowedToActOnBehalfOfOtherIdentity and may impersonate users towards c
MATCH p=(u)-[:AllowedToAct]->(c) RETURN p
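The queries above are derived from a handful of LDAP attributes. As an added example that is not part of the thread, the Python below classifies constructed sample objects the same four ways (unconstrained, constrained with and without protocol transition, RBCD) straight from userAccountControl, msDS-AllowedToDelegateTo and the principals granted msDS-AllowedToActOnBehalfOfOtherIdentity. Object names, SPNs and the already-parsed RBCD principal list are assumptions for illustration; the real RBCD attribute is a binary security descriptor that you would have to parse first.

```python
# Added example (not from the thread): classify Kerberos delegation settings from the raw
# LDAP attributes that BloodHound's delegation properties and edges are derived from.
from dataclasses import dataclass, field

# Documented userAccountControl flag values
TRUSTED_FOR_DELEGATION = 0x80000            # unconstrained delegation
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # protocol transition ("use any authentication protocol")
SERVER_TRUST_ACCOUNT = 0x2000               # set on domain controller computer accounts
WORKSTATION_TRUST_ACCOUNT = 0x1000          # member computer accounts
NORMAL_ACCOUNT = 0x200                      # user accounts


@dataclass
class AdObject:
    """Minimal view of a user/computer object as an LDAP search would return it.

    allowed_to_act is assumed to hold the principals already parsed out of the
    msDS-AllowedToActOnBehalfOfOtherIdentity security descriptor (the attribute
    itself is a binary SD; parsing it is out of scope here).
    """
    name: str
    uac: int
    allowed_to_delegate_to: list[str] = field(default_factory=list)  # msDS-AllowedToDelegateTo (SPNs)
    allowed_to_act: list[str] = field(default_factory=list)          # principals granted RBCD on this object


def classify(obj: AdObject) -> list[str]:
    """Return the delegation types configured on a single object."""
    findings = []
    if obj.uac & TRUSTED_FOR_DELEGATION:
        # Same objects as MATCH (c {unconstraineddelegation:true}); DCs carry the flag by default
        tag = " (domain controller, expected)" if obj.uac & SERVER_TRUST_ACCOUNT else ""
        findings.append("unconstrained" + tag)
    protocol_transition = bool(obj.uac & TRUSTED_TO_AUTH_FOR_DELEGATION)
    if obj.allowed_to_delegate_to:
        # Same objects as NOT c.allowedtodelegate IS NULL AND c.trustedtoauth = true / false
        findings.append("constrained with protocol transition" if protocol_transition
                        else "constrained without protocol transition")
    elif protocol_transition:
        # Flag set but no target SPNs: S4U2self still hands out forwardable tickets to the service itself
        findings.append("protocol transition enabled, no S4U2proxy targets")
    return findings


def rbcd_edges(objects: list[AdObject]) -> list[tuple[str, str]]:
    """(principal, target) pairs, the equivalent of BloodHound's AllowedToAct edges."""
    return [(principal, obj.name) for obj in objects for principal in obj.allowed_to_act]


def audit(objects: list[AdObject]) -> dict[str, list[str]]:
    """Map each object name to its delegation findings, skipping objects with none."""
    result = {}
    for obj in objects:
        findings = classify(obj)
        if findings:
            result[obj.name] = findings
    return result


# Constructed sample objects (hypothetical names and SPNs, not real data)
SAMPLE_OBJECTS = [
    AdObject("DC01$", SERVER_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION),
    AdObject("WS01$", WORKSTATION_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION),
    AdObject("SRV01$", WORKSTATION_TRUST_ACCOUNT | TRUSTED_TO_AUTH_FOR_DELEGATION,
             allowed_to_delegate_to=["cifs/DC01.corp.local"]),
    AdObject("svc_web", NORMAL_ACCOUNT, allowed_to_delegate_to=["http/WEB01.corp.local"]),
    AdObject("SRV02$", WORKSTATION_TRUST_ACCOUNT, allowed_to_act=["WS01$"]),
    AdObject("WS02$", WORKSTATION_TRUST_ACCOUNT),
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_OBJECTS).items():
        print(f"{name}: {', '.join(findings)}")
    for principal, target in rbcd_edges(SAMPLE_OBJECTS):
        print(f"RBCD: {principal} -[AllowedToAct]-> {target}")
```

The DC is reported separately from the workstation with the same flag because the first is the default and the second is the finding you actually care about; the Cypher query returns both without distinction, so filter on the SERVER_TRUST_ACCOUNT bit (or the DC OU) before raising it.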

Keep Current with Charlie Bromberg (Shutdown)
More from @_nwodtuhs

Apr 30
✨After 8 months of hard work with @Dramelac_ , now's the time ⏰ Exegol, a community-driven and fully-featured hacking environment, updates to v4.0

An opportunity to show you why you should probably drop your current pentesting env and get started with Exegol (10min read)
Exegol uses Docker. There are Exegol images that can be used to deploy Exegol containers.
This first concept allows its users to easily deploy environments that are separated from the host and that can be dedicated to specific engagements, tools, etc.
While we, as pentesters, help companies secure their infrastructure, our community itself has a lot of room for improvement when it comes to our tools and our practices 🤔 Having a unique, solid environment for each client/engagement is a starter. Exegol allows that.
Feb 8
Here is one of my latest paths to Domain Admin 😈 it took ~2h30 (I was relying on network traffic that was not so present at the beginning)

This path was a bit long and involved NTLM, Kerberos, network protocols, credential dump, etc 👁️👅👁️

[12 steps detailed below 🧵]
1. LLMNR, NBT-NS and mDNS spoofing combined with WPAD spoofing to redirect some network traffic using @PythonResponder's Responder

➡️ LLMNR, NBT-NS, mDNS: thehacker.recipes/ad/movement/mi…

➡️ WPAD spoofing: thehacker.recipes/ad/movement/mi…
2. DHCPv6 spoofing combined with DNS spoofing to redirect more traffic 😈 using @_dirkjan's mitm6

➡️ DHCPv6 spoofing: thehacker.recipes/ad/movement/mi…

➡️ DNS spoofing: thehacker.recipes/ad/movement/mi…
Dec 10, 2021
[thread 🧵] lets all welcome the new kid in town 😈
✨ Kerberos sAMAccountName spoofing ✨ from regular user to domain admin, because Microsoft didn't care enough about its $$$

thehacker.recipes/ad/movement/ke…
** CVE-2021-42278 - Name impersonation
Before the patch, there was no validation process to make sure computer account names end with a "$"
** CVE-2021-42287 - KDC bamboozling
Before the patch, there was a weird behavior on the KDC. When requesting a service ticket, if the KDC wasn't able to find the user behind the TGT, it would make another lookup, but this time with a "$" at the end of the name
Nov 17, 2021
🥇 new personal record for Domain Admin today 🥳

DA in ~150 seconds (≈ 3 guns per square second in 🇺🇸 units)

Last record was 23 minutes 😨
(not bragging here, the maturity was reaaaally low and path to DA really easy, but still what a blast I had! Just wanted to share the fun here 🤗)
Okay so here was the path

1. Authentication coercion with an MS-EFSR abuse (PetitPotam) against a Domain Controller
thehacker.recipes/ad/movement/mi…
Nov 16, 2021
Latest paths to DA 😈
- Kerberoast of a domain admin
- AD CS insecure configuration (ESC6)
- AD CS insecure web endpoints (ESC8)

[more info below ⬇️ ]
AD CS insecure CA configuration (User Specified SAN) thehacker.recipes/ad/movement/ad…
Oct 29, 2021
[thread 🧵] Kerberos delegations. This meta-thread gathers three sub-threads, one for each delegation type. I’ll talk about Unconstrained, Constrained, Resource-Based Constrained (RBCD), S4U2self, S4U2proxy and abuse scenarios.
Kerberos delegation is a set of features included in the Kerberos authentication protocol. It allows services to access other services on behalf of domain users.
3 types of delegations exist
- Unconstrained: service can access any other service on behalf of any user
- Constrained: service can access a set of services on behalf of any user
- Resource-Based Constrained (RBCD): service grants that « impersonating access » to a set of services