Channel: Lab of a Penetration Tester

Week of Continuous Intrusion Tools - Day 1 - Jenkins

Continuous Integration (CI) tools are used to frequently integrate commits by developers. Integration results in the execution of builds and tests. CI tools are used by development, build management and...

Week of Continuous Intrusion Tools - Day 2 - TeamCity

Welcome to Day 2 of the Week of Continuous Intrusion Tools. I am doing a series of posts which explore the attack surface of CI tools. To read posts of other days refer to the table below: Day 1 -...

Week of Continuous Intrusion tools : Day 3 - Go and CruiseControl

Welcome to Day 3 of the Week of Continuous Intrusion Tools. We are having a look at the attack surface and abuse of Continuous Integration (CI) tools. To read posts of other days refer to the table...

Week of Continuous Intrusion Tools - Day 4 - Common Abuse Set, Lateral...

Welcome to Day 4 of the Week of Continuous Intrusion Tools. We are discussing the security of Continuous Integration (CI) tools in this series of blog posts. Day 1 - Jenkins (and Hudson) (Click Here) Day 2 -...

Stream a target's Desktop using MJPEG and PowerShell

Recently, I have been working on an interesting concept. I wanted to use MJPEG to stream images in real time from a target desktop to be able to see the activity of a target user. I literally spent...

Hacking with Human Interface Devices - Easy Reverse Shells

Kautilya has the ability to do interesting and useful stuff using a Human Interface Device. But sometimes, nothing beats a simple reverse shell. Recently, I added some new payloads to Kautilya which...

Getting Domain Admin with Kerberos Unconstrained Delegation

A recent penetration test was one of the rare ones where it was not possible to locate a domain admin credential (password/hash/ticket) using the usual methods. I already had Administrator access to...

Practical use of JavaScript and COM Scriptlets for Penetration Testing

I have been following Casey Smith's brilliant work on JavaScript and COM Scriptlets. After looking at his work, I started playing with the code. I was interested in developing easy and customizable...

AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It

Last month I gave a talk about Microsoft's AntiMalware Scan Interface (AMSI) at Black Hat USA. The talk and this post detail my experiments with AMSI. I first encountered AMSI while using some of the...

Exfiltration of User Credentials using WLAN SSID

I was playing with the Windows Hosted Network feature a couple of days back. A hopefully useful idea which came to my mind was using the name of the hosted SSID for exfiltration. Since SSID names support...

Using SQL Server for attacking a Forest Trust

Recently I started playing with the awesome PowerUpSQL tool by the guys at NetSPI. I was interested in the ability to attack an Active Directory (AD) environment using access to a SQL Server, that is, not...

Abusing DNSAdmins privilege for escalation in Active Directory

Yesterday, I read this awesome post by Shay Ber here which details a feature abuse in a Windows Active Directory (AD) environment. I rely heavily on feature abuse during my red team engagements and...

Week of Evading Microsoft ATA - Announcement and Day 1

I have been playing with Microsoft Advanced Threat Analytics (ATA) for the past few months. I found it useful for Blue Teams and scary as a Red Teamer as it detects many Active Directory (AD) tools and...

Week of Evading Microsoft ATA - Day 2

Welcome to Day 2 of the Week of Evading Microsoft ATA. The week has been split into the following days: Day 1 - Introduction, detection and bypassing/avoiding Recon and Brute-force detection; Day 2 - Detection...

Week of Evading Microsoft ATA - Day 3 - Constrained Delegation, Attacks...

Welcome to Day 3 of the Week of Evading Microsoft ATA. The week has been split into the following days: Day 1 - Introduction, detection and bypassing/avoiding Recon and Brute-force detection; Day 2 - Detection...

Week of Evading Microsoft ATA - Day 4 - Silver ticket, Kerberoast and SQL...

This is Day 4 of the Week of Evading Microsoft ATA. The week has been split into the following days: Day 1 - Introduction, detection and bypassing/avoiding Recon and Brute-force detection; Day 2 - Detection and...

Week of Evading Microsoft ATA - Day 5 - Attacking ATA, Closing thoughts and...

This is Day 5 of the Week of Evading Microsoft ATA. The week has been split into the following days: Day 1 - Introduction, detection and bypassing/avoiding Recon and Brute-force detection; Day 2 - Detection and...

A Critique of Logging Capabilities in PowerShell v6

PowerShell 6 was released a couple of days back. PowerShell v6 is the Core version, that is, it is open source and cross platform, and it is NOT Windows PowerShell, which continues to be the default one on...

DCShadow - Minimal permissions, Active Directory Deception, Shadowception and...

DCShadow is an awesome persistence technique introduced by Vincent and Benjamin at BlueHat IL, and it can be executed with the help of mimikatz. In very simplified terms, DCShadow alters active...

Silently turn off Active Directory Auditing using DCShadow

My fascination with DCShadow continues, thanks to Vincent and Benjamin. I blogged about it previously as well. One very interesting thing which I recently discovered is the ability of DCShadow to modify...

Forging Trusts for Deception in Active Directory

Deception has always been of interest to me. As a student of military history, I have always been fascinated by its implementation in warfare and looked at deception as something which is effective and...

Using ActiveDirectory module for Domain Enumeration from PowerShell...

This is a quick post to make notes of something which I have been using and teaching for some time. We can use Microsoft's PowerShell ActiveDirectory module without RSAT and administrative privileges. I...

How NOT to use the PAM trust - Leveraging Shadow Principals for Cross Forest...

I did a super interesting AD security assessment for a client recently. They are re-deploying their infrastructure and upgrading their forest(s) to Server 2016 Functional Level. There are so many...

RACE - Minimal Rights and ACE for Active Directory Dominance

I recently spoke at DEF CON 27 on abusing Security Descriptors and ACLs i.e. permissions on Windows machines. You can find the slides here (also at the end of the post with minor updates). The demo...

Bypassing UAC with PowerShell

Recently, during a Red Team engagement, I got shell access to some user machines using Client Side Attacks. In many cases, the users had administrative privileges but I was stuck in non-elevated...
