Network Penetration Testing – Telegram
[ Network Penetration Testing & Cloud ]

Any misuse of this info will not be the responsibility of the author, educational purposes only.


@NetPentester
EDRSandBlast is a tool written in C that weaponizes a vulnerable signed driver to bypass EDR detections
and LSASS protections. Multiple userland unhooking techniques are also implemented to evade userland monitoring.

https://github.com/wavestone-cdt/EDRSandblast/tree/DefCon30Release
#edr
#bypass
@NetPentesters
PrintNightmare exploit with the following features:
- Ability to target multiple hosts.
- Built-in SMB server for payload delivery, removing the need for open file shares.
- Exploit includes both the MS-RPRN and MS-PAR protocols (selected via command-line arguments).
- Implements a UNC bypass technique.

https://github.com/m8sec/CVE-2021-34527
@NetPentesters
dc-sonar

Analyzing AD domains for security risks related to user accounts

https://github.com/ST1LLY/dc-sonar

#ad
#redteam
@NetPentesters
RPCRecon

A Bash tool to carry out a basic enumeration and extract the most relevant information from an Active Directory via rpcclient.

This utility will allow us to obtain the following information from a Domain:

▫️ Domain Users
▫️ Domain Users with their description
▫️ Domain Admin Users
▫️ Domain Groups
▫️ Domains within the network

https://github.com/m4lal0/RPCrecon
#AD
@NetPentesters
SilentHound

Quietly enumerate an Active Directory Domain via LDAP, parsing users, admins, groups, etc.

Installing with pipenv creates an isolated virtual environment with the dependencies needed for the project. To use the project you can either open a shell in the virtualenv with pipenv shell or run commands directly with pipenv run.

https://github.com/layer8secure/SilentHound

#ad
@NetPentesters
AzurePolicyTestFramework

A CLI tool to test Azure Policy, built on Terraform and Go.

https://github.com/microsoft/AzurePolicyTestFramework
#Azure
@NetPentesters
DNS Reaper

A sub-domain takeover tool, with an emphasis on accuracy, speed and the number of signatures in our arsenal.

It can scan around 50 subdomains per second, testing each one against over 50 takeover signatures. This means most organisations can scan their entire DNS estate in less than 10 seconds.

https://github.com/punk-security/dnsReaper
#tools
@NetPentesters
evilginx2

A man-in-the-middle attack framework used for phishing login credentials along with session cookies, which in turn allows bypassing 2-factor authentication protection.

This tool is a successor to Evilginx, released in 2017, which used a custom version of the nginx HTTP server to provide man-in-the-middle functionality, acting as a proxy between a browser and the phished website. The present version is fully written in Go as a standalone application that implements its own HTTP and DNS server, making it easy to set up and use.

https://github.com/kgretzky/evilginx2
#MITM
@NetPentesters
ADenum

ADEnum.py is a pentesting tool for finding misconfigurations through the LDAP protocol and exploiting some of those weaknesses with Kerberos.

LDAP:

▫️ Enumerate Domain Admin users
▫️ Enumerate Domain Controllers
▫️ Enumerate domain users whose password never expires
▫️ Enumerate domain users with an old password
▫️ Enumerate domain users with an interesting description
▫️ Enumerate domain users not using the default encryption type
▫️ Enumerate domain users in the Protected Users group (Protecting Privileged Domain Accounts)

Kerberos:

▫️ AS-REP Roastable
▫️ Kerberoastable
▫️ Password cracking with john (krb5tgs and krb5asrep)

https://github.com/SecuProject/ADenum

#ad
#redteam
@NetPentesters
BARK

BARK stands for BloodHound Attack Research Kit. It is a PowerShell script built to assist the BloodHound Enterprise team with researching and continuously validating abuse primitives. BARK currently focuses on Microsoft's Azure suite of products and services.

BARK requires no third-party dependencies. BARK's functions are designed to be as simple and maintainable as possible. Most functions are very simple wrappers for making requests to various REST API endpoints. BARK's basic functions do not even require each other: you can pull almost any BARK function out of BARK and it will work as a standalone function in your own scripts.

https://github.com/BloodHoundAD/BARK
#AD
@NetPentesters
Friends, if you have any questions about network penetration testing, contact us with the following bot:
@ChatNPTbot
Autobloody

Automatically exploits Active Directory privilege escalation paths shown by BloodHound, combining pathgen.py and autobloody.py.

Here is the list of BloodHound edges currently supported for automatic exploitation:

MemberOf
ForceChangePassword
AddMembers
AddSelf
DCSync
GetChanges/GetChangesAll
GenericAll
WriteDacl
GenericWrite
WriteOwner
Owns
Contains
AllExtendedRights
https://github.com/CravateRouge/autobloody
#ad
#bloodhound
@NetPentesters