Posts by Tag

Active Directory

Passing the Hash for Fun and Profit

Windows is cool because the hashes of passwords can actually be directly used to authenticate to services. That’s right, an adversary does not need to crack the hashes of passwords offline with an expensive password cracking rig, they can just directly authenticate using the hash. This technique is often called passing-the-hash, and we will explore a few methods you can use to perform this lateral movement technique.

Getting Started Spraying Microsoft Services

Password spraying is the process of brute-force guessing passwords against a list of accounts either externally or internally. Adversaries use this tactic to attempt to establish initial access within an organization and/or laterally move to alternate identities within a network. The process of getting started password spraying is surprisingly easy. This is in part thanks to the prevalence of remote-work solutions that have created the need to allow users to authenticate from pretty much anywhere. Cloud services such as Office365 actually assist the password spraying process, by providing a reliable, centralized location that can be used to attempt to breach a company’s accounts.

An Introduction to Active Directory Enumeration

Active Directory is a platform that has received plenty of attention from adversaries and operators over the years. It has a rich history of exploitaiton methodologies, and new abuse mechanisms and regularly released by security researchs. Combine these factors with the prevalence that it is encountered within organizations, and you can quickly see why it’s a favorite target for attackers. There are a plethora of toolsets, cheatsheets, and enumeration options for Microsoft’s flagship directory service. Let’s outline a few of our favorite tools (hint: BloodHound) one can use to begin enumerating an Active Directory environment.

An Introduction to Kerberoasting

Kerberoasting is the attack that keeps on giving for adversaries and penesters alike. First documented in 2014 by Tim Medin, Kerberoasting is a tactic that can be used after an intial compromise to gain access to alternate accounts in an Active Directory domain. It has proven to be extremely potent in environments across the globe, and there’s a reason why it’s still worth talking about eight years after it’s initial (public) discovery. I’ll walk through an attack path that closely resembles ones I’ve used in the wild.

Harnessing the Power of LinkedIn and Talon for Password Spraying

I’ll talk through how one can use LinkedIn to gather listings of usernames and email addresses that can be combined with password spraying tactics. For demonstration of password spraying, we’ll target internal Active Directory services with the Talon toolset written by Tylous. I’ll also document some of the extra functionality I added to the tool that is now included in the main version.

Back to Top ↑

VulnHub

FristiLeaks 1.3 Writeup - VulnHub

FristiLeaks 1.3 is a VulnHub box that I used to prepare for the OSCP exam. It’s by far one of my favorite VulnHub boxes I’ve done, as it involves some fun and simple reversing/code analysis. It also involves practice hopping around and enumerating a Linux environment from the perspective of multiple users, and requires some creative thinking.The challenge begins by using some simple guesswork to find a login portal. The source code of this login portal cotains an HTML comment that leaks a base64 encoded image. After decoding the image, we are able to gather the password used to login to web application. We exploit the web application’s upload functionality to upload a PHP reverse shell and get a reverse shell. Privilege escalation involves abusing a cronjob, reversing a simple python cryptography algorithm, reusing passwords, and a sudo misconfiguration to finally gather root.

Kioptrix Level 1.3 (#4) Writeup - VulnHub

Kioptrix Level 1.3 is the fourth iteration of the Kioptrix VulnHub challenges. It involves taking advantage of a SQL injection vulnerablility to login to a simple web application that leaks user credentials. Using these credentials we can connect to the box via SSH. Unfortunately, our SSH sessions spawn a restricted shell with very limited command availability. We use echo to spawn a full bash shell and escape these confines, from which we enumerate the box and find MySQL credentials. MySQL is running as root and we are able to use sys_exec to set the setuid bit on /bin/bash. From here we can simply execute the binary and receieve a root shell.

Kioptrix Level 1.2 (#3) Writeup - VulnHub

Kioptrix Level 1.2 continues the Kioptrix VulnHub series, and provides great experience with reusing credentials, attacking common web applications, and cracking hashed passwords. We start by exploiting LotusCMS to get a shell as www-data. From there, we find MySQL credentials that we use to login to phpMyAdmin and dump hashed user passwords. Finally, after cracking and logging in using these credentials, we exploit a sudo misconfiguration that allows us to privilege escalate using the ht text editor.

Kioptrix Level 1.1 (#2) Writeup - VulnHub

Kioptrix Level 1.1 is the next box in the series of Kioptrix VulnHub boxes. This box ups the ante from its predecessor, beginning with a simple SQL injection exploit to gain access to a web console. The web console can be bypassed to execute code, which we use to get a simple reverse shell. Finally, we successfully privilege escalate to root using a kernel exploit. As with the entire Kioptrix series, this challengs is pretty outdated, and the real-world applicability is questionable, but it’s great OSCP prep and learning material.

Back to Top ↑

Networks

Passing the Hash for Fun and Profit

Windows is cool because the hashes of passwords can actually be directly used to authenticate to services. That’s right, an adversary does not need to crack the hashes of passwords offline with an expensive password cracking rig, they can just directly authenticate using the hash. This technique is often called passing-the-hash, and we will explore a few methods you can use to perform this lateral movement technique.

An Introduction to Active Directory Enumeration

Active Directory is a platform that has received plenty of attention from adversaries and operators over the years. It has a rich history of exploitaiton methodologies, and new abuse mechanisms and regularly released by security researchs. Combine these factors with the prevalence that it is encountered within organizations, and you can quickly see why it’s a favorite target for attackers. There are a plethora of toolsets, cheatsheets, and enumeration options for Microsoft’s flagship directory service. Let’s outline a few of our favorite tools (hint: BloodHound) one can use to begin enumerating an Active Directory environment.

An Introduction to Kerberoasting

Kerberoasting is the attack that keeps on giving for adversaries and penesters alike. First documented in 2014 by Tim Medin, Kerberoasting is a tactic that can be used after an intial compromise to gain access to alternate accounts in an Active Directory domain. It has proven to be extremely potent in environments across the globe, and there’s a reason why it’s still worth talking about eight years after it’s initial (public) discovery. I’ll walk through an attack path that closely resembles ones I’ve used in the wild.

Harnessing the Power of LinkedIn and Talon for Password Spraying

I’ll talk through how one can use LinkedIn to gather listings of usernames and email addresses that can be combined with password spraying tactics. For demonstration of password spraying, we’ll target internal Active Directory services with the Talon toolset written by Tylous. I’ll also document some of the extra functionality I added to the tool that is now included in the main version.

Back to Top ↑

OSINT

Using cloud_enum to Find S3 Buckets and More

S3, first introduced in 2006, is one of Amazon Web Services’ most popular services. This simple and fast cloud object solution has undoubtely made development, file sharing, content-delivery, and much more seamless for its users across the years. However, this flexibiltiy and arguably confusing design has led to some of the biggest data breaches ever seen. With this in mind, let’s walk through why I like using cloud_enum to find S3 buckets and other goodies.

Getting Started Spraying Microsoft Services

Password spraying is the process of brute-force guessing passwords against a list of accounts either externally or internally. Adversaries use this tactic to attempt to establish initial access within an organization and/or laterally move to alternate identities within a network. The process of getting started password spraying is surprisingly easy. This is in part thanks to the prevalence of remote-work solutions that have created the need to allow users to authenticate from pretty much anywhere. Cloud services such as Office365 actually assist the password spraying process, by providing a reliable, centralized location that can be used to attempt to breach a company’s accounts.

Farming Breached Password Data with Dehashed

Every year countless data breaches occur. From 700 Million LinkedIn users’ information getting leaked sometime between 2020 and 2021, to at least 500 million Yahoo accounts information being breached in 2014, to the notable 2017 Equifax data breach which impacted millions of individuals, it’s safe to say that breaches are a part of the everyday news cycle in the present day. These breaches contain a wide variety of data that has a variety of use cases. Social security numbers and credit card information can lead to fraud, age information and phone numbers can lead to targeted phishing attacks, and usernames and passwords can lead to… what exactly?

Harnessing the Power of LinkedIn and Talon for Password Spraying

I’ll talk through how one can use LinkedIn to gather listings of usernames and email addresses that can be combined with password spraying tactics. For demonstration of password spraying, we’ll target internal Active Directory services with the Talon toolset written by Tylous. I’ll also document some of the extra functionality I added to the tool that is now included in the main version.

Back to Top ↑

AWS

Using cloud_enum to Find S3 Buckets and More

S3, first introduced in 2006, is one of Amazon Web Services’ most popular services. This simple and fast cloud object solution has undoubtely made development, file sharing, content-delivery, and much more seamless for its users across the years. However, this flexibiltiy and arguably confusing design has led to some of the biggest data breaches ever seen. With this in mind, let’s walk through why I like using cloud_enum to find S3 buckets and other goodies.

I Love ScoutSuite and You Should Too

ScoutSuite is a multi-cloud security auditing tool written by the wonderful folks over at NCC group. I use it heavily, so I wanted to do a quick guide on getting it configured and running it in your own environment. The data and reports it generates is extremely useful from both an offensive and defensive perspective, and I trust that you’ll feel the same way after using it in your own platform.

Attacking the AWS Metadata Service

“Since it first launched over 10 years ago, the Amazon EC2 Instance Metadata Service (IMDS) has helped customers build secure and scalable applications. The IMDS solved a big security headache for cloud users by providing access to temporary, frequently rotated credentials, removing the need to hardcode or distribute sensitive credentials to instances manually or programatically. “ However, as you may have noticed, the Metadata service possesses one unique characteristic that is useful to attackers. Along with providing information access to the given instance, it also provides credentials. Why does this matter?

Back to Top ↑

Cloud

Using cloud_enum to Find S3 Buckets and More

S3, first introduced in 2006, is one of Amazon Web Services’ most popular services. This simple and fast cloud object solution has undoubtely made development, file sharing, content-delivery, and much more seamless for its users across the years. However, this flexibiltiy and arguably confusing design has led to some of the biggest data breaches ever seen. With this in mind, let’s walk through why I like using cloud_enum to find S3 buckets and other goodies.

I Love ScoutSuite and You Should Too

ScoutSuite is a multi-cloud security auditing tool written by the wonderful folks over at NCC group. I use it heavily, so I wanted to do a quick guide on getting it configured and running it in your own environment. The data and reports it generates is extremely useful from both an offensive and defensive perspective, and I trust that you’ll feel the same way after using it in your own platform.

Attacking the AWS Metadata Service

“Since it first launched over 10 years ago, the Amazon EC2 Instance Metadata Service (IMDS) has helped customers build secure and scalable applications. The IMDS solved a big security headache for cloud users by providing access to temporary, frequently rotated credentials, removing the need to hardcode or distribute sensitive credentials to instances manually or programatically. “ However, as you may have noticed, the Metadata service possesses one unique characteristic that is useful to attackers. Along with providing information access to the given instance, it also provides credentials. Why does this matter?

Back to Top ↑

ffuf

Kioptrix Level 1.3 (#4) Writeup - VulnHub

Kioptrix Level 1.3 is the fourth iteration of the Kioptrix VulnHub challenges. It involves taking advantage of a SQL injection vulnerablility to login to a simple web application that leaks user credentials. Using these credentials we can connect to the box via SSH. Unfortunately, our SSH sessions spawn a restricted shell with very limited command availability. We use echo to spawn a full bash shell and escape these confines, from which we enumerate the box and find MySQL credentials. MySQL is running as root and we are able to use sys_exec to set the setuid bit on /bin/bash. From here we can simply execute the binary and receieve a root shell.

Back to Top ↑

SQL Injection

Kioptrix Level 1.3 (#4) Writeup - VulnHub

Kioptrix Level 1.3 is the fourth iteration of the Kioptrix VulnHub challenges. It involves taking advantage of a SQL injection vulnerablility to login to a simple web application that leaks user credentials. Using these credentials we can connect to the box via SSH. Unfortunately, our SSH sessions spawn a restricted shell with very limited command availability. We use echo to spawn a full bash shell and escape these confines, from which we enumerate the box and find MySQL credentials. MySQL is running as root and we are able to use sys_exec to set the setuid bit on /bin/bash. From here we can simply execute the binary and receieve a root shell.

Kioptrix Level 1.1 (#2) Writeup - VulnHub

Kioptrix Level 1.1 is the next box in the series of Kioptrix VulnHub boxes. This box ups the ante from its predecessor, beginning with a simple SQL injection exploit to gain access to a web console. The web console can be bypassed to execute code, which we use to get a simple reverse shell. Finally, we successfully privilege escalate to root using a kernel exploit. As with the entire Kioptrix series, this challengs is pretty outdated, and the real-world applicability is questionable, but it’s great OSCP prep and learning material.

Back to Top ↑

Password Spraying

Getting Started Spraying Microsoft Services

Password spraying is the process of brute-force guessing passwords against a list of accounts either externally or internally. Adversaries use this tactic to attempt to establish initial access within an organization and/or laterally move to alternate identities within a network. The process of getting started password spraying is surprisingly easy. This is in part thanks to the prevalence of remote-work solutions that have created the need to allow users to authenticate from pretty much anywhere. Cloud services such as Office365 actually assist the password spraying process, by providing a reliable, centralized location that can be used to attempt to breach a company’s accounts.

Harnessing the Power of LinkedIn and Talon for Password Spraying

I’ll talk through how one can use LinkedIn to gather listings of usernames and email addresses that can be combined with password spraying tactics. For demonstration of password spraying, we’ll target internal Active Directory services with the Talon toolset written by Tylous. I’ll also document some of the extra functionality I added to the tool that is now included in the main version.

Back to Top ↑

Impacket

An Introduction to Active Directory Enumeration

Active Directory is a platform that has received plenty of attention from adversaries and operators over the years. It has a rich history of exploitaiton methodologies, and new abuse mechanisms and regularly released by security researchs. Combine these factors with the prevalence that it is encountered within organizations, and you can quickly see why it’s a favorite target for attackers. There are a plethora of toolsets, cheatsheets, and enumeration options for Microsoft’s flagship directory service. Let’s outline a few of our favorite tools (hint: BloodHound) one can use to begin enumerating an Active Directory environment.

An Introduction to Kerberoasting

Kerberoasting is the attack that keeps on giving for adversaries and penesters alike. First documented in 2014 by Tim Medin, Kerberoasting is a tactic that can be used after an intial compromise to gain access to alternate accounts in an Active Directory domain. It has proven to be extremely potent in environments across the globe, and there’s a reason why it’s still worth talking about eight years after it’s initial (public) discovery. I’ll walk through an attack path that closely resembles ones I’ve used in the wild.

Back to Top ↑

smbclient

Back to Top ↑

MRTG

Back to Top ↑

Samba

Back to Top ↑

Command Injection

Kioptrix Level 1.1 (#2) Writeup - VulnHub

Kioptrix Level 1.1 is the next box in the series of Kioptrix VulnHub boxes. This box ups the ante from its predecessor, beginning with a simple SQL injection exploit to gain access to a web console. The web console can be bypassed to execute code, which we use to get a simple reverse shell. Finally, we successfully privilege escalate to root using a kernel exploit. As with the entire Kioptrix series, this challengs is pretty outdated, and the real-world applicability is questionable, but it’s great OSCP prep and learning material.

Back to Top ↑

Kernel Exploits

Kioptrix Level 1.1 (#2) Writeup - VulnHub

Kioptrix Level 1.1 is the next box in the series of Kioptrix VulnHub boxes. This box ups the ante from its predecessor, beginning with a simple SQL injection exploit to gain access to a web console. The web console can be bypassed to execute code, which we use to get a simple reverse shell. Finally, we successfully privilege escalate to root using a kernel exploit. As with the entire Kioptrix series, this challengs is pretty outdated, and the real-world applicability is questionable, but it’s great OSCP prep and learning material.

Back to Top ↑

LotusCMS

Kioptrix Level 1.2 (#3) Writeup - VulnHub

Kioptrix Level 1.2 continues the Kioptrix VulnHub series, and provides great experience with reusing credentials, attacking common web applications, and cracking hashed passwords. We start by exploiting LotusCMS to get a shell as www-data. From there, we find MySQL credentials that we use to login to phpMyAdmin and dump hashed user passwords. Finally, after cracking and logging in using these credentials, we exploit a sudo misconfiguration that allows us to privilege escalate using the ht text editor.

Back to Top ↑

Metasploit

Kioptrix Level 1.2 (#3) Writeup - VulnHub

Kioptrix Level 1.2 continues the Kioptrix VulnHub series, and provides great experience with reusing credentials, attacking common web applications, and cracking hashed passwords. We start by exploiting LotusCMS to get a shell as www-data. From there, we find MySQL credentials that we use to login to phpMyAdmin and dump hashed user passwords. Finally, after cracking and logging in using these credentials, we exploit a sudo misconfiguration that allows us to privilege escalate using the ht text editor.

Back to Top ↑

phpMyAdmin

Kioptrix Level 1.2 (#3) Writeup - VulnHub

Kioptrix Level 1.2 continues the Kioptrix VulnHub series, and provides great experience with reusing credentials, attacking common web applications, and cracking hashed passwords. We start by exploiting LotusCMS to get a shell as www-data. From there, we find MySQL credentials that we use to login to phpMyAdmin and dump hashed user passwords. Finally, after cracking and logging in using these credentials, we exploit a sudo misconfiguration that allows us to privilege escalate using the ht text editor.

Back to Top ↑

John

Kioptrix Level 1.2 (#3) Writeup - VulnHub

Kioptrix Level 1.2 continues the Kioptrix VulnHub series, and provides great experience with reusing credentials, attacking common web applications, and cracking hashed passwords. We start by exploiting LotusCMS to get a shell as www-data. From there, we find MySQL credentials that we use to login to phpMyAdmin and dump hashed user passwords. Finally, after cracking and logging in using these credentials, we exploit a sudo misconfiguration that allows us to privilege escalate using the ht text editor.

Back to Top ↑

MD5

Kioptrix Level 1.2 (#3) Writeup - VulnHub

Kioptrix Level 1.2 continues the Kioptrix VulnHub series, and provides great experience with reusing credentials, attacking common web applications, and cracking hashed passwords. We start by exploiting LotusCMS to get a shell as www-data. From there, we find MySQL credentials that we use to login to phpMyAdmin and dump hashed user passwords. Finally, after cracking and logging in using these credentials, we exploit a sudo misconfiguration that allows us to privilege escalate using the ht text editor.

Back to Top ↑

sudo

Kioptrix Level 1.2 (#3) Writeup - VulnHub

Kioptrix Level 1.2 continues the Kioptrix VulnHub series, and provides great experience with reusing credentials, attacking common web applications, and cracking hashed passwords. We start by exploiting LotusCMS to get a shell as www-data. From there, we find MySQL credentials that we use to login to phpMyAdmin and dump hashed user passwords. Finally, after cracking and logging in using these credentials, we exploit a sudo misconfiguration that allows us to privilege escalate using the ht text editor.

Back to Top ↑

enum4linux

Kioptrix Level 1.3 (#4) Writeup - VulnHub

Kioptrix Level 1.3 is the fourth iteration of the Kioptrix VulnHub challenges. It involves taking advantage of a SQL injection vulnerablility to login to a simple web application that leaks user credentials. Using these credentials we can connect to the box via SSH. Unfortunately, our SSH sessions spawn a restricted shell with very limited command availability. We use echo to spawn a full bash shell and escape these confines, from which we enumerate the box and find MySQL credentials. MySQL is running as root and we are able to use sys_exec to set the setuid bit on /bin/bash. From here we can simply execute the binary and receieve a root shell.

Back to Top ↑

Restricted Shell Escapes

Kioptrix Level 1.3 (#4) Writeup - VulnHub

Kioptrix Level 1.3 is the fourth iteration of the Kioptrix VulnHub challenges. It involves taking advantage of a SQL injection vulnerablility to login to a simple web application that leaks user credentials. Using these credentials we can connect to the box via SSH. Unfortunately, our SSH sessions spawn a restricted shell with very limited command availability. We use echo to spawn a full bash shell and escape these confines, from which we enumerate the box and find MySQL credentials. MySQL is running as root and we are able to use sys_exec to set the setuid bit on /bin/bash. From here we can simply execute the binary and receieve a root shell.

Back to Top ↑

setuid

Kioptrix Level 1.3 (#4) Writeup - VulnHub

Kioptrix Level 1.3 is the fourth iteration of the Kioptrix VulnHub challenges. It involves taking advantage of a SQL injection vulnerablility to login to a simple web application that leaks user credentials. Using these credentials we can connect to the box via SSH. Unfortunately, our SSH sessions spawn a restricted shell with very limited command availability. We use echo to spawn a full bash shell and escape these confines, from which we enumerate the box and find MySQL credentials. MySQL is running as root and we are able to use sys_exec to set the setuid bit on /bin/bash. From here we can simply execute the binary and receieve a root shell.

Back to Top ↑

FristiLeaks

FristiLeaks 1.3 Writeup - VulnHub

FristiLeaks 1.3 is a VulnHub box that I used to prepare for the OSCP exam. It’s by far one of my favorite VulnHub boxes I’ve done, as it involves some fun and simple reversing/code analysis. It also involves practice hopping around and enumerating a Linux environment from the perspective of multiple users, and requires some creative thinking.The challenge begins by using some simple guesswork to find a login portal. The source code of this login portal cotains an HTML comment that leaks a base64 encoded image. After decoding the image, we are able to gather the password used to login to web application. We exploit the web application’s upload functionality to upload a PHP reverse shell and get a reverse shell. Privilege escalation involves abusing a cronjob, reversing a simple python cryptography algorithm, reusing passwords, and a sudo misconfiguration to finally gather root.

Back to Top ↑

Nikto

FristiLeaks 1.3 Writeup - VulnHub

FristiLeaks 1.3 is a VulnHub box that I used to prepare for the OSCP exam. It’s by far one of my favorite VulnHub boxes I’ve done, as it involves some fun and simple reversing/code analysis. It also involves practice hopping around and enumerating a Linux environment from the perspective of multiple users, and requires some creative thinking.The challenge begins by using some simple guesswork to find a login portal. The source code of this login portal cotains an HTML comment that leaks a base64 encoded image. After decoding the image, we are able to gather the password used to login to web application. We exploit the web application’s upload functionality to upload a PHP reverse shell and get a reverse shell. Privilege escalation involves abusing a cronjob, reversing a simple python cryptography algorithm, reusing passwords, and a sudo misconfiguration to finally gather root.

Back to Top ↑

Webshells

FristiLeaks 1.3 Writeup - VulnHub

FristiLeaks 1.3 is a VulnHub box that I used to prepare for the OSCP exam. It’s by far one of my favorite VulnHub boxes I’ve done, as it involves some fun and simple reversing/code analysis. It also involves practice hopping around and enumerating a Linux environment from the perspective of multiple users, and requires some creative thinking.The challenge begins by using some simple guesswork to find a login portal. The source code of this login portal cotains an HTML comment that leaks a base64 encoded image. After decoding the image, we are able to gather the password used to login to web application. We exploit the web application’s upload functionality to upload a PHP reverse shell and get a reverse shell. Privilege escalation involves abusing a cronjob, reversing a simple python cryptography algorithm, reusing passwords, and a sudo misconfiguration to finally gather root.

Back to Top ↑

Reversing

FristiLeaks 1.3 Writeup - VulnHub

FristiLeaks 1.3 is a VulnHub box that I used to prepare for the OSCP exam. It’s by far one of my favorite VulnHub boxes I’ve done, as it involves some fun and simple reversing/code analysis. It also involves practice hopping around and enumerating a Linux environment from the perspective of multiple users, and requires some creative thinking.The challenge begins by using some simple guesswork to find a login portal. The source code of this login portal cotains an HTML comment that leaks a base64 encoded image. After decoding the image, we are able to gather the password used to login to web application. We exploit the web application’s upload functionality to upload a PHP reverse shell and get a reverse shell. Privilege escalation involves abusing a cronjob, reversing a simple python cryptography algorithm, reusing passwords, and a sudo misconfiguration to finally gather root.

Back to Top ↑

Sudo

FristiLeaks 1.3 Writeup - VulnHub

FristiLeaks 1.3 is a VulnHub box that I used to prepare for the OSCP exam. It’s by far one of my favorite VulnHub boxes I’ve done, as it involves some fun and simple reversing/code analysis. It also involves practice hopping around and enumerating a Linux environment from the perspective of multiple users, and requires some creative thinking.The challenge begins by using some simple guesswork to find a login portal. The source code of this login portal cotains an HTML comment that leaks a base64 encoded image. After decoding the image, we are able to gather the password used to login to web application. We exploit the web application’s upload functionality to upload a PHP reverse shell and get a reverse shell. Privilege escalation involves abusing a cronjob, reversing a simple python cryptography algorithm, reusing passwords, and a sudo misconfiguration to finally gather root.

Back to Top ↑

Python

Back to Top ↑

API

Back to Top ↑

Google Maps

Back to Top ↑

Google Places

Back to Top ↑

Google APIs

Back to Top ↑

Automation

Back to Top ↑

Cobalt Strike

Back to Top ↑

Certifications

Back to Top ↑

Kerberos

An Introduction to Kerberoasting

Kerberoasting is the attack that keeps on giving for adversaries and penesters alike. First documented in 2014 by Tim Medin, Kerberoasting is a tactic that can be used after an intial compromise to gain access to alternate accounts in an Active Directory domain. It has proven to be extremely potent in environments across the globe, and there’s a reason why it’s still worth talking about eight years after it’s initial (public) discovery. I’ll walk through an attack path that closely resembles ones I’ve used in the wild.

Back to Top ↑

BloodHound

An Introduction to Active Directory Enumeration

Active Directory is a platform that has received plenty of attention from adversaries and operators over the years. It has a rich history of exploitaiton methodologies, and new abuse mechanisms and regularly released by security researchs. Combine these factors with the prevalence that it is encountered within organizations, and you can quickly see why it’s a favorite target for attackers. There are a plethora of toolsets, cheatsheets, and enumeration options for Microsoft’s flagship directory service. Let’s outline a few of our favorite tools (hint: BloodHound) one can use to begin enumerating an Active Directory environment.

Back to Top ↑

LDAP

An Introduction to Active Directory Enumeration

Active Directory is a platform that has received plenty of attention from adversaries and operators over the years. It has a rich history of exploitaiton methodologies, and new abuse mechanisms and regularly released by security researchs. Combine these factors with the prevalence that it is encountered within organizations, and you can quickly see why it’s a favorite target for attackers. There are a plethora of toolsets, cheatsheets, and enumeration options for Microsoft’s flagship directory service. Let’s outline a few of our favorite tools (hint: BloodHound) one can use to begin enumerating an Active Directory environment.

Back to Top ↑

SSRF

Attacking the AWS Metadata Service

“Since it first launched over 10 years ago, the Amazon EC2 Instance Metadata Service (IMDS) has helped customers build secure and scalable applications. The IMDS solved a big security headache for cloud users by providing access to temporary, frequently rotated credentials, removing the need to hardcode or distribute sensitive credentials to instances manually or programatically. “ However, as you may have noticed, the Metadata service possesses one unique characteristic that is useful to attackers. Along with providing information access to the given instance, it also provides credentials. Why does this matter?

Back to Top ↑

Password Breaches

Farming Breached Password Data with Dehashed

Every year countless data breaches occur. From 700 Million LinkedIn users’ information getting leaked sometime between 2020 and 2021, to at least 500 million Yahoo accounts information being breached in 2014, to the notable 2017 Equifax data breach which impacted millions of individuals, it’s safe to say that breaches are a part of the everyday news cycle in the present day. These breaches contain a wide variety of data that has a variety of use cases. Social security numbers and credit card information can lead to fraud, age information and phone numbers can lead to targeted phishing attacks, and usernames and passwords can lead to… what exactly?

Back to Top ↑

Office365

Getting Started Spraying Microsoft Services

Password spraying is the process of brute-force guessing passwords against a list of accounts either externally or internally. Adversaries use this tactic to attempt to establish initial access within an organization and/or laterally move to alternate identities within a network. The process of getting started password spraying is surprisingly easy. This is in part thanks to the prevalence of remote-work solutions that have created the need to allow users to authenticate from pretty much anywhere. Cloud services such as Office365 actually assist the password spraying process, by providing a reliable, centralized location that can be used to attempt to breach a company’s accounts.

Back to Top ↑

Azure

I Love ScoutSuite and You Should Too

ScoutSuite is a multi-cloud security auditing tool written by the wonderful folks over at NCC group. I use it heavily, so I wanted to do a quick guide on getting it configured and running it in your own environment. The data and reports it generates is extremely useful from both an offensive and defensive perspective, and I trust that you’ll feel the same way after using it in your own platform.

Back to Top ↑

GCP

I Love ScoutSuite and You Should Too

ScoutSuite is a multi-cloud security auditing tool written by the wonderful folks over at NCC group. I use it heavily, so I wanted to do a quick guide on getting it configured and running it in your own environment. The data and reports it generates is extremely useful from both an offensive and defensive perspective, and I trust that you’ll feel the same way after using it in your own platform.

Back to Top ↑

Windows

Passing the Hash for Fun and Profit

Windows is cool because the hashes of passwords can actually be directly used to authenticate to services. That’s right, an adversary does not need to crack the hashes of passwords offline with an expensive password cracking rig, they can just directly authenticate using the hash. This technique is often called passing-the-hash, and we will explore a few methods you can use to perform this lateral movement technique.

Back to Top ↑

NTLM

Passing the Hash for Fun and Profit

Windows is cool because the hashes of passwords can actually be directly used to authenticate to services. That’s right, an adversary does not need to crack the hashes of passwords offline with an expensive password cracking rig, they can just directly authenticate using the hash. This technique is often called passing-the-hash, and we will explore a few methods you can use to perform this lateral movement technique.

Back to Top ↑

Pass the hash

Passing the Hash for Fun and Profit

Windows is cool because the hashes of passwords can actually be directly used to authenticate to services. That’s right, an adversary does not need to crack the hashes of passwords offline with an expensive password cracking rig, they can just directly authenticate using the hash. This technique is often called passing-the-hash, and we will explore a few methods you can use to perform this lateral movement technique.

Back to Top ↑

S3

Using cloud_enum to Find S3 Buckets and More

S3, first introduced in 2006, is one of Amazon Web Services’ most popular services. This simple and fast cloud object solution has undoubtely made development, file sharing, content-delivery, and much more seamless for its users across the years. However, this flexibiltiy and arguably confusing design has led to some of the biggest data breaches ever seen. With this in mind, let’s walk through why I like using cloud_enum to find S3 buckets and other goodies.

Back to Top ↑