So apparently Microsoft ninja-patched two things lately in KB5014692 (06/14/2022)
1. ShadowCoerce (auth coercion abusing MS-FSRVP)
2. Self-RBCD trick to bypass limitations of Kerberos Constrained Delegation without Protocol Transition
Identified this with @Geiseric4 and @mkolsek That being said, the second scenario may be something they unintentionally broke, who knows. MS bulletin says KB patched CVE-2022-30154 but nothing on coercion/self-rbcd 🤷‍♂️
Any insight @tiraniddo @_dirkjan @SteveSyfuhs (we need to know 👀)

✨After 8 months of hard work with @Dramelac_ , now's the time ⏰ Exegol, a community-driven and fully-featured hacking environment, updates to v4.0

An opportunity to show you why you should probably drop your current pentesting env and get started with Exegol (10min read) Exegol uses Docker. There are Exegol images that can be used to deploy Exegol containers.
This first concept allows its users to easily deploy environments that are separated from the host, that could be dedicated for some engagements tools, etc.

Here is one of my latest paths to Domain Admin 😈 it took ~2h30 (I was relying on network traffic that was not so present at the beginning)

This path was a bit long and involved NTLM, Kerberos, network protocols, credential dump, etc 👁️👅👁️

[12 steps detailed below 🧵] 1. LLMNR, NBT-NS and mDNS spoofing combined with WPAD spoofing to redirect some network traffic using @PythonResponder's Responder

➡️ LLMNR, NBT-BS mDNS: thehacker.recipes/ad/movement/mi…

➡️ WPAD spoofing: thehacker.recipes/ad/movement/mi…

[thread 🧵] lets all welcome the new kid in town 😈
✨ Kerberos sAMAccountName spoofing ✨ from regular user to domain admin, because Microsoft didn't care enough about it's $$$

thehacker.recipes/ad/movement/ke… ** CVE-2021-42278 - Name impersonation
Before patch, there was no validation process to make sure computer accounts names end with an "$"

🥇 new personal record for Domain Admin today 🥳

DA in ~150 seconds (≈ 3 guns per square seconds in 🇺🇸 units)

Last record was 23 minutes 😨 (not bragging here, the maturity was reaaaally low and path to DA really easy, but still what a blast I had! Just wanted to share the fun here 🤗)

Latest paths to DA 😈
- Kerberoast of a domain admin
- AD CS insecure configuration (ESC6)
- AD CS insecure web endpoints (ESC8)

[more info below ⬇️ ] Kerberoasting thehacker.recipes/ad/movement/ke…

[thread 🧵] Kerberos delegations. This meta-thread gathers three sub-threads, one for each delegation type. I’ll talk about Unconstrained, Constrained, Resource-Based Constrained (RBCD), S4U2self, S4U2proxy and abuse scenarios. Kerberos delegations is a set of features included in the Kerberos authentication protocol. It allows services to access other services on behalf of domain users.

[thread 🧵] This is a sub-thread on Kerberos Unconstrained Delegations (KUD) and abuse scenarios User granted with the SeEnableDelegationPrivilege right in the domain (really high priv ⚠️) can configure service accounts for delegation (unconstrained or constrained).

[thread 🧵] this is a sub-thread about Kerberos Constrained Delegation (KCD) and abuse scenarios. Similarly to Unconstrained Delegations, service account configured for KCD can act on behalf of other principals on other services. The difference is that with KUD, it’s possible to delegate to any service whereas with KCD it’s possible to delegate to a specific set of services

[thread 🧵] this is a sub-thread about Kerberos Resource-Based Constrained (RBCD) and abuse scenarios. While configuring accounts for Unconstrained and Constrained delegations requires high privileges in the domain, configuring RBCD is simpler. RBCD is configured on the service others delegate to.

[thread 🧵] Kerberos basics & (ab)use of Certificates within Active Directory (i.e. AD CS and PKINIT)

- Kerberos 101
- Pass-the-Certificate
- UnPAC-the-Hash
- Shadow Credentials
- AD CS escalation (ESC1 to ESC8)

(Links and credits at the end) [Kerberos 101 ⬇️]

AD-DS offer two main auth protocols: NTLM and Kerberos. Kerberos works with tickets in order to authenticate a user.

A TGT (Ticket Granting Ticket) can be used to obtain a Service Ticket. A Service Ticket can be used to access a service. This is how it works.

[thread 🧵] ⚠️ nothing technical here, just sharing about my life

Since 2018, I’ve been creating or contributing to open-source projects, and I was wondering how many hours I spent of my personal time on this.

TL; DR: In 3 years, I squeezed in 1 year of additional free work. Usually working from 7pm to 9pm almost every day, and from 1pm to 7pm almost every Saturday. This equals to, roughly, 2000+ hours.

I wasn’t very consistent and there were times I was doing 2h/week, some times 20h/week w/o lunch break.

Shouldn't we all agree that using a certificate to go through a PKINIT Kerberos pre-auth to obtain a TGT should be called Pass-the-Certificate? Or is there a reason we should avoid using that term? Pass-the-Certificate is useful for the following attacks
- AD CS ESC8 NTLM relay cc/ @harmj0y @tifkin_ @ExAndroidDev
- Shadow Credentials (ACE abuse on accounts' msDs-KeyCredentialLink attribute) cc/ @MGrafnetter @elad_shamir
- UnPAC-the-hash cc/ @_dirkjan @elad_shamir

[thread] A lot of people since this finding are looking for a bit knowledge around that bug. Below is list of links that will help better understand this (attackers-side)

https://twitter.com/topotam77/status/1416833996923809793

PetitPotam’s MS-EFSR abuse is the equivalent (even better) of the PrinterBug’s MS-RPRN abuse that’s been here for a while now

1️⃣ PrinterBug: thehacker.recipes/active-directo…
2️⃣ PetitPotam: thehacker.recipes/active-directo…

[thread] Hi hackers! @podalirius_ and I present to you this new tool 🌟🎀 𝖘𝖒𝖆𝖗𝖙𝖇𝖗𝖚𝖙𝖊 🎀🌟

This tool allows for bruteforcing NTLM and Kerberos in Active Directory domains (there are A LOT of features, detailed in the thread below).

➡️ github.com/ShutdownRepo/s… This tool offers two modes: smart and brute.

1⃣ Brute mode: can be used with a user and password/hash to test (or list of those).

2⃣ Smart mode: given a valid AD account credentials, it fetches the users list and lockout policies to bruteforce wihtout locking accounts.

(infosec thread) one of my latest tweets was followed by some questions in my DMs. So let's answer those here and remind some concepts😈

I'll talk about pass-the-hash, pass-the-ticket, pass-the-key, overpass-the-hash, pass-the-cache, silver and golden tickets 👇 Pass-the-Hash (1/4) : NTLM (LM, LMv2, NTLM or NTLMv2 depending on the version) is an authentication protocol used by Windows and AD-DS. Users have passwords, which are stored in a hashed format (LM or NT hash depending on the security settings and version).

@podalirius_ and I made GPP Passwords great again. We wrote a Python script, using Impacket, to find and decrypt passwords in Group Policy Preferences, without having to mount the remote share 👇[a thread]

➡️ github.com/SecureAuthCorp… The script can be directly added to Impacket's examples (like in the PR above) but it can also be run as a standalone tool (clone the repo below)

github.com/ShutdownRepo/G…