Posts

Introduction: The Day My Toolbox Failed Me Picture this: You’re deep into an engagement, credentials in hand, ready to unleash your best, brightest ideas And then… nothing. Almost every single one of your tool throw the same error: {'desc': 'StrongerAuthRequired', 'result': 8, 'message': '...'} Welcome to my recent engagement, where I learned that modern AD hardening doesn’t just make exploitation harder but also can materially impact the tooling used for the job. In my case, the casualty list was pretty much every Python tool using the ldap3 library: ...

I was doing an internal engagement some time ago for a client and noticed that the CA was configured for constrained delegation with a system that looked like a Web Server. I first noticed this using nxc’s --find-delegation switch present in the LDAP module, but also confirmed it with BloodHound as follows: A side note: if you want to make the delegation check using the AD PowerShell module due to its ability to bypass AMSI/Defender since its Microsoft-signed, as well as being exempt from PowerShell’s constrained language mode/AppLocker (when using the DLL import method), then you can do that via: ...

During a recent penetration test I did against a critical infrastructure operator, I had achieved Domain Administrator through two independent routes; ADCS ESC4, and by combining an LMCompatibility value of 2 with LDAP signing disabled. With that out of the way, I had time to shift focus away from the AD and identity side of the organization and focus my attention to their edge devices, of which there were many. ...

Quick Intro As an electrical engineer with a passion for electronics, I have recently been reverse engineering and researching commonly deployed edge and IoT devices found in critical use environments. This research focuses on the Mozart FM Transmitter (web management interface version WEBMOZZI-00287), manufactured by DB Broadcast. I have discovered about 14 CVEs and likely more exist in the software as it is rather poorly made and its very concerning that the vendor supplies technology to major organizations like the United Nations, The BBC, CNBC and others. ...

While the core concepts aren’t new, I believe the use of ADCS for domain computer takeover through Virtual Account abuse is previously undocumented/unexplored route to achieving your goals. I would like to start off by giving credit to my coworker, Michael(https://www.linkedin.com/in/michael-mcin/) for exploring today’s abuse paths but also for setting up a home environment to develop PoC for the blog. Michael and I were both on a somewhat big internal penetration test (an assumed breach scenario) together and he had managed to get his hands on the credentials to the SA (System Administrator) account on one of the client’s MSSQL databases. Immediately the first thing checked for was the ability to execute commands and lo and behold, we could : ). ...

We all know the classic RID 500 administrator account, the one who’s able to use NTLM authentication even with “Protected user” membership and is your go to during delegation attacks but there’s a kink in this lateral movement free for all; The Domain Controller doesn’t actually work the that way. The Domain Controller functions differently to other computers in that the default local Administrator that exists on other systems by default is not enabled. The default local Administrator on the Domain Controller in fact plays a specific role that it doesn’t on other systems; Its used exclusively for disaster recover. ...