#ad #ASREPRoast #kerberos
CVE-2022-33679 Windows Kerberos Elevation of Privilege
DOC
POC
@NetPentesters
We have been asked what questions will be asked in an interview and what it will look like (although each company will ask questions according to its own needs or tell you what to do), so I decided to dedicate a post to "interview questions". If you have taken part in interviews so far, you can contact us through the robot ID that I will provide for recruitment to complete this post, so that we can help these dear ones and have a comprehensive source of interview questions. If you work in network penetration testing or network security, you can contact us.
@ChatNPTbot
Determining AD domain name via NTLM Auth
If nmap (http-ntlm-info) is unable to determine the FQDN of an Active Directory domain via OWA, for example due to Citrix NetScaler or other SSO solutions, do it manually!
1. curl -I -k -X POST -H 'Authorization: NTLM TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAKANc6AAAADw==' -H 'Content-Length: 0' https://autodiscover.example.com/ews
2. echo 'TlRMTVNTUAACAAAADAAMAD...' | python2 ./ntlmdecoder.py
https://gist.github.com/aseering/829a2270b72345a1dc42
#ntlm #auth #sso
#tricks #pentest
@netpentesters
#impacket
More examples using the Impacket library designed for learning purposes.
● dll_proxy_exec.py
● dump_ntds_creds.py
● remote_ssp_dump.py
● wmi_reg_exec.py
https://github.com/icyguider/MoreImpacketExamples
@Netpentesters
#ad #enum
[ SilentHound ]
Quietly enumerate an Active Directory Domain via LDAP parsing users, admins, groups, etc.
https://github.com/layer8secure/SilentHound
@NetPenTesters
Negoexrelayx
Negoex relaying tool
Toolkit for abusing #Kerberos PKU2U and NegoEx. Requires impacket. It is recommended to install impacket from git directly to have the latest version available.
https://github.com/morRubin/NegoExRelay
@NetPentesters
Sans or eLearnSecurity? (Anonymous Poll)
28% Sans
17% eLearnSecurity
46% Sans + eLearnSecurity
8% None
#ad #relay #rpc #adcs
[ Relaying to AD Certificate Services over RPC ]
https://blog.compass-security.com/2022/11/relaying-to-ad-certificate-services-over-rpc/
#AD
@NetPentesters
Bypasses most Kerberoast Detections
https://github.com/trustedsec/orpheus
#ad #kerberoast #redteam
@NetPentesters
These KQL queries are designed to find use of the abuses in the #BloodHound BARK toolkit in #Azure AD
https://github.com/reprise99/Sentinel-Queries/tree/main/Azure%20AD%20Abuse%20Detection
#ad
@NetPentesters
FarsightAD
A #PowerShell script that aims to help uncover (eventual) persistence mechanisms deployed by a threat actor following an Active Directory domain compromise.
The script produces CSV / JSON file exports of various objects and their attributes, enriched with timestamps from replication metadata. Additionally, if executed with replication privileges, the Directory Replication Service (DRS) protocol is leveraged to detect fully or partially hidden objects.
https://github.com/Qazeer/FarsightAD
#ad
@NetPentesters
ntlm_theft
A tool for generating multiple types of NTLMv2 hash theft files.
ntlm_theft is an Open Source Python3 Tool that generates 21 different types of hash theft documents. These can be used for phishing when either the target allows smb traffic outside their network, or if you are already inside the internal network.
https://github.com/Greenwolf/ntlm_theft
#NTLM
@Netpentesters
Sandman
Sandman is a backdoor that is meant to work on hardened networks during red team engagements.
Sandman works as a stager and leverages NTP (the protocol used to sync time and date) to download arbitrary shellcode from a predefined server.
NTP is a protocol that is overlooked by many defenders, resulting in wide network accessibility.
https://github.com/Idov31/Sandman
#redteam
@Netpentesters
Warbird Hook
Using Microsoft WARBIRD to automatically unpack and execute encrypted shellcode in ClipSp.sys without triggering PatchGuard.
https://github.com/KiFilterFiberContext/warbird-hook
@Netpentesters
⭐️ Privileger
Privileger allows you to work with privileges in Windows as easily as possible. There are three modes:
— Add privileges to an account;
— Start a process by adding a specific privilege to its token;
— Remove privilege from the user.
Thanks to:
@Michaelzhm
https://github.com/MzHmO/Privileger
#ad #windows #privilege #lsa
@netpentesters
Friends, if you have an idea to improve the channel, share it with us.
@ChatNPTbot
Clouditor Community Edition
Clouditor is a tool which supports continuous cloud assurance. Its main goal is to continuously evaluate if a cloud-based application (built using, e.g., Amazon Web Services (AWS) or Microsoft Azure) is configured in a secure way and thus complies with security requirements defined by, e.g., Cloud Computing Compliance Controls Catalogue (C5) issued by the German Office for Information Security (BSI) or the Cloud Control Matrix (CCM) published by the Cloud Security Alliance (CSA).
https://github.com/clouditor/clouditor
#azure #aws
@netpentesters
Masky
A Python library providing an alternative way to remotely dump domain users' credentials thanks to an ADCS. A command line tool has been built on top of this library in order to easily gather PFX files, NT hashes and TGTs on a larger scope.
This tool does not exploit any new vulnerability and does not work by dumping the LSASS process memory. Indeed, it only takes advantage of legitimate Windows and Active Directory features (token impersonation, certificate authentication via Kerberos and NT hash retrieval via PKINIT).
A blog post was published to detail the implemented techniques and how Masky works.
https://github.com/Z4kSec/Masky
#ad #adcs #lsass #redteam
@Netpentesters