So apparently Microsoft ninja-patched two things lately in KB5014692 (06/14/2022)
1. ShadowCoerce (auth coercion abusing MS-FSRVP)
2. Self-RBCD trick to bypass limitations of Kerberos Constrained Delegation without Protocol Transition
Identified this with @Geiseric4 and @mkolsek
That being said, the second scenario may be something they unintentionally broke, who knows. MS bulletin says KB patched CVE-2022-30154 but nothing on coercion/self-rbcd 🤷♂️
Any insight @tiraniddo @_dirkjan @SteveSyfuhs (we need to know 👀)
Apr 30, 2022 • 23 tweets • 6 min read
✨After 8 months of hard work with @Dramelac_ , now's the time ⏰ Exegol, a community-driven and fully-featured hacking environment, updates to v4.0
An opportunity to show you why you should probably drop your current pentesting env and get started with Exegol (10min read)
Exegol uses Docker. There are Exegol images that can be used to deploy Exegol containers.
This first concept allows its users to easily deploy environments that are separated from the host, that could be dedicated to some engagements, tools, etc.
Feb 8, 2022 • 21 tweets • 9 min read
Here is one of my latest paths to Domain Admin 😈 it took ~2h30 (I was relying on network traffic that was not so present at the beginning)
This path was a bit long and involved NTLM, Kerberos, network protocols, credential dump, etc 👁️👅👁️
[12 steps detailed below 🧵]
1. LLMNR, NBT-NS and mDNS spoofing combined with WPAD spoofing to redirect some network traffic using @PythonResponder's Responder
[thread 🧵] lets all welcome the new kid in town 😈
✨ Kerberos sAMAccountName spoofing ✨ from regular user to domain admin, because Microsoft didn't care enough about its $$$
thehacker.recipes/ad/movement/ke…
** CVE-2021-42278 - Name impersonation
Before the patch, there was no validation process to make sure computer account names end with a "$"
Nov 17, 2021 • 6 tweets • 2 min read
🥇 new personal record for Domain Admin today 🥳
DA in ~150 seconds (≈ 3 guns per square second in 🇺🇸 units)
Last record was 23 minutes 😨
(not bragging here, the maturity was reaaaally low and path to DA really easy, but still what a blast I had! Just wanted to share the fun here 🤗)
Nov 16, 2021 • 4 tweets • 1 min read
Latest paths to DA 😈
- Kerberoast of a domain admin
- AD CS insecure configuration (ESC6)
- AD CS insecure web endpoints (ESC8)
[thread 🧵] Kerberos delegations. This meta-thread gathers three sub-threads, one for each delegation type. I’ll talk about Unconstrained, Constrained, Resource-Based Constrained (RBCD), S4U2self, S4U2proxy and abuse scenarios.
Kerberos delegation is a set of features included in the Kerberos authentication protocol. It allows services to access other services on behalf of domain users.
Oct 29, 2021 • 11 tweets • 2 min read
[thread 🧵] This is a sub-thread on Kerberos Unconstrained Delegations (KUD) and abuse scenarios
Users granted the SeEnableDelegationPrivilege right in the domain (really high priv ⚠️) can configure service accounts for delegation (unconstrained or constrained).
Oct 29, 2021 • 20 tweets • 5 min read
[thread 🧵] this is a sub-thread about Kerberos Constrained Delegation (KCD) and abuse scenarios.
Similarly to Unconstrained Delegations, service accounts configured for KCD can act on behalf of other principals on other services. The difference is that with KUD, it’s possible to delegate to any service, whereas with KCD it’s possible to delegate to a specific set of services.
Oct 29, 2021 • 11 tweets • 2 min read
[thread 🧵] this is a sub-thread about Kerberos Resource-Based Constrained (RBCD) and abuse scenarios.
While configuring accounts for Unconstrained and Constrained delegations requires high privileges in the domain, configuring RBCD is simpler. RBCD is configured on the service others delegate to.
Oct 22, 2021 • 23 tweets • 8 min read
[thread 🧵] Kerberos basics & (ab)use of Certificates within Active Directory (i.e. AD CS and PKINIT)
- Kerberos 101
- Pass-the-Certificate
- UnPAC-the-Hash
- Shadow Credentials
- AD CS escalation (ESC1 to ESC8)
(Links and credits at the end)
[Kerberos 101 ⬇️]
AD-DS offers two main auth protocols: NTLM and Kerberos. Kerberos works with tickets in order to authenticate a user.
A TGT (Ticket Granting Ticket) can be used to obtain a Service Ticket. A Service Ticket can be used to access a service. This is how it works.
Oct 21, 2021 • 14 tweets • 3 min read
[thread 🧵] ⚠️ nothing technical here, just sharing about my life
Since 2018, I’ve been creating or contributing to open-source projects, and I was wondering how many hours I spent of my personal time on this.
TL; DR: In 3 years, I squeezed in 1 year of additional free work.
Usually working from 7pm to 9pm almost every day, and from 1pm to 7pm almost every Saturday. This equals, roughly, 2000+ hours.
I wasn’t very consistent and there were times I was doing 2h/week, sometimes 20h/week w/o lunch break.
Oct 19, 2021 • 4 tweets • 3 min read
Shouldn't we all agree that using a certificate to go through a PKINIT Kerberos pre-auth to obtain a TGT should be called Pass-the-Certificate? Or is there a reason we should avoid using that term?
Pass-the-Certificate is useful for the following attacks
- AD CS ESC8 NTLM relay cc/ @harmj0y @tifkin_ @ExAndroidDev
- Shadow Credentials (ACE abuse on accounts' msDS-KeyCredentialLink attribute) cc/ @MGrafnetter @elad_shamir
- UnPAC-the-hash cc/ @_dirkjan @elad_shamir
Jul 22, 2021 • 12 tweets • 4 min read
[thread] A lot of people since this finding are looking for a bit of knowledge around that bug. Below is a list of links that will help better understand this (attacker side)
1⃣ Brute mode: can be used with a user and password/hash to test (or a list of those).
2⃣ Smart mode: given valid AD account credentials, it fetches the users list and lockout policies to bruteforce without locking accounts.
Apr 22, 2021 • 25 tweets • 5 min read
(infosec thread) one of my latest tweets was followed by some questions in my DMs. So let's answer those here and remind some concepts 😈
I'll talk about pass-the-hash, pass-the-ticket, pass-the-key, overpass-the-hash, pass-the-cache, silver and golden tickets 👇
Pass-the-Hash (1/4): NTLM (LM, LMv2, NTLM or NTLMv2 depending on the version) is an authentication protocol used by Windows and AD-DS. Users have passwords, which are stored in a hashed format (LM or NT hash depending on the security settings and version).
Apr 21, 2021 • 6 tweets • 2 min read
@podalirius_ and I made GPP Passwords great again. We wrote a Python script, using Impacket, to find and decrypt passwords in Group Policy Preferences, without having to mount the remote share 👇[a thread]
➡️ github.com/SecureAuthCorp…
The script can be directly added to Impacket's examples (like in the PR above) but it can also be run as a standalone tool (clone the repo below)