sn🥶vvcr💥sh Profile picture
Jul 26, 2022 3 tweets 2 min read Read on X
🧵(1/3) I get so excited every time I contribute to #impacket 🤗 Anyways, here’s an upcoming update to secretsdump[.]py ↪️ There’s now this -ldapfilter option that allows an attacker to #DCSync a bunch of user with a single shot 🧨

github.com/SecureAuthCorp… Image
🧵 (2/3) Based on an LDAP query you can grab all the DAs, users from a particular OU, all those adminCount=1 accounts, etc. For me that happens to be extremely useful when you’ve exploited a critical low-hanging vulnerability
🧵 (3/3) which has instantly given you replication rights and you don’t even know yet whose hashes you wanna DCSync for persistence 😅

Thanks a lot to @0xdeaddood and @MartinGalloAr for the review. Will be merged soon 💪🏻

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with sn🥶vvcr💥sh

sn🥶vvcr💥sh Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @snovvcrash

Jul 9, 2023
🧶 (1/5) Given an unmanaged offensive binary, I will show how easily it can be adopted for in-memory execution with CSExec[.]py and bin2pwsh without a mature C2. As an example I will take the recent fork of @D1rkMtr’s TakeMyRDP keylogger PoC from NoceraLabs - TakeMyRDP2.0 ⤵️
🧶 (2/5) Firstly, I will clone the project and amend a tiny patch: switch the runtime library from /MD to /MT, get rid of hidden window creation and bring the ability of specifying the log file path on target via a CLI argument ⤵️

🧶 (3/5) Now, as a 1st demo, we can use bin2pwsh manually to create a non-blocking PowerShell loader that can be invoked within CSExec’s agent unmanaged PS runspace. Thus, I’ll spawn an new keylogger thread without resorting to fork-and-run concept (no new process is created) ⤵️
Read 5 tweets
Mar 6, 2023
🧵 (1/7) Sponsorship Thread

I've been getting a lot of DMs asking to share #DInjector after I moved it to a private repo, so I’ve finally decided to give sponsorship a try ⤵️

boosty.to/snovvcrash
🧵 (2/7) For me it’s more of a way to keep some of my projects hidden from prying eyes while still leaving them somewhat public. I do not claim to have super l33t code there, so no 0-days for sure 🤪 At the same time, I got too uncomfortable giving personal links to ppl in DMs ⤵️
🧵 (3/7) Currently there’re two (poorly coded) tools that I’d want to share with sponsors: DInjector and bin2pwsh ⤵️
Read 8 tweets
Feb 6, 2023
🧵 (1/) Bypassing IDS DCSync Signature for #secretsdump

I’ve been asked lately to bypass a private IDS rule for #impacket’s DCSync operation and I’ve immediately remembered this Charlie’s question ⬇️
🧵 (2/) The rule triggers when a bunch of SMB requests are followed by all this DRSUAPI stuff. Unlike #mimikatz or #DSInternals DCSync, the sequence of SMB+DRSUAPI traffic is unique for secretsdump[.]py attack, thus it becomes an IOC and can be fingerprinted ⬇️ Image
🧵 (3/) The second series of the SMB requests is related to the RemoteOperations.connectSamr() call in the NTDSHashes class which is only needed to verify that’s out target is actually a DC, so it can be excluded from the attack with no consequences ⬇️ ImageImage
Read 6 tweets
Nov 24, 2022
🧵 (1/x) I know you love #pentest stories, so here’s one of those ⬇️

There’s a non-DC computer (Victim) that is a member of the Exchange Trusted Subsytem group and has DCSync privs. The WebClient is ON but the MAQ=0 and domain functional level is 2012 R2 which prevents us ⤵️
(2/x) from abusing Key Credentials. Relaying to AD CS HTTP is not possible either. Here’s when I decided to go for SPN-less RBCD (credits to @tiraniddo) on a prod domain 🤦🏻‍♂️

But first let’s add a DNS record pointing to the attacker’s machine to coerce Victim over WebDav ⤵️
(3/x) Now it’s all ready to go: Printer Bug + ntlmrelayx[.]py and we’re escalating a low privilege user (j.doe) to be trusted for delegation by Victim ⤵️
Read 9 tweets
Oct 2, 2022
🧵 (1/) Forged Tickets Thread

Golden 🔑 tickets are no longer in fashion, so here’s a short memo on using Diamond 💎 (@exploitph) and Sapphire (@_nwodtuhs) tickets with ticketer[.]py from #Impacket. At first let’s recap what we already know about Golden tickets ⤵️

#ad #kerberos
🧵 (2/) Golden tickets are forged privileged TGTs that’re crafted completely offline. Having got krbtgt RC4 (NT hash) or AES key, a TA can specify some params (e.g., group membership, user’s RID, ticket validity period) to create and sign a fake PAC embedded inside the TGT ⤵️
🧵 (3/) Thus, the TA can provide the forged TGT to request an ST to any resource in the domain which will contain a copy of the fake PAC signed by the target service account. Since recently, we cannot use a non-existent account name as a result of CVE-2021-42287 mitigations ⤵️
Read 9 tweets
Aug 26, 2022
🧶 (1/) Reproducing Masky Thread

So it’s a relaxing Friday evening to play with the new awesome #Masky tool by @_ZakSec. I’ll show you here how to reproduce its behavior with #CrackMapExec, #Impacket, #Sliver, #Certify and #Certipy.

Let’s go! ⤵️

#pentest #adcs
🧶 (2/) First things first, I shall enumerate AD CS environment with #CrackMapExec and qwinsta the Victim machine via newly introduced tstool[.]py from #Impacket (thx @nopernik!). For the purpose of this demo I’ll use a DA account to interact with the Victim but any LA will do 👨🏻‍💻
🧶 (3/) I shall now prepare my team server and generate an encrypted Sliver beacon to use it with DInjector 💉
Read 7 tweets

Did Thread Reader help you today?

Support us! We are indie developers!


This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Don't want to be a Premium member but still want to support us?

Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal

Or Donate anonymously using crypto!

Ethereum

0xfe58350B80634f60Fa6Dc149a72b4DFbc17D341E copy

Bitcoin

3ATGMxNzCUFzxpMCHL5sWSt4DVtS8UqXpi copy

Thank you for your support!

Follow Us!

:(