I’ll state this upfront, so as not to confuse: This is a POST exploitation technique. This is mostly for when you have already gained admin on the system via other means and want to be able to RDP without needing MFA. Okta MFA Credential Provider for Windows enables strong authentication using MFA with Remote Desktop…
Exploiting Resource Based Constrained Delegation (RBCD) with Pure Metasploit
Metasploit recently released version 6.3. With it came a whole lot of new features related to LDAP operations and using Kerberos authentication. In this blog I want to demonstrate how to perform a GenericWrite -> RBCD attack, which I find are very common. Often times a user will not have administrative access to a computer,…
Manipulating User Passwords Without Mimikatz
There are two common reasons you may want to change a user’s password during a penetration test: You have their NT hash but not their plaintext password. Changing their password to a known plaintext value can allow you to access services in which Pass-the-Hash is not an option. You don’t have their NT hash or…
Adding DCSync Permissions from Linux
Recently I came upon an attack path in BloodHound that looked like this: I had control of a computer object (an Exchange server) that effectively had WriteDacl over the domain. I had a few constraints as well: All systems were configured with EDR I only had the AES key of the computer account, not the…
Dumping Plaintext RDP credentials from svchost.exe
Recently I was browsing Twitter and came across a very interesting tweet: Umm- why can I find the password I used to connect to a remote desktop service in cleartext in memory of RDP service? First saw my microsoft accounts pwd- made new local account- same thing. For this user its: wtfmsnotcool pic.twitter.com/lRMhDCMJkH — Jonas…
Alternative ways to Pass the Hash (PtH)
Do you remember the first time you passed the hash? It probably went a little something like this: msf > use exploit/windows/smb/psexec msf exploit(psexec) > set SMBPass e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c SMBPass => e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c msf exploit(psexec) > exploit [*] Sending stage (719360 bytes) [*] Meterpreter session 1 opened (192.168.57.133:443 -> 192.168.57.131:1045) If you are unfamiliar, that is the…
Managing Active Directory groups from Linux
I recently came across a peculiar scenario that caused me to have to think a little outside the box. I was able to obtain credentials for an account that was part of the “Account Operators” group. Here is Microsoft’s description of that group: The Account Operators group grants limited account creation privileges to a user….
Introducing Slackor, a Remote Access Tool Using Slack as a C2 Channel
As a penetration tester at Coalfire Labs, I frequently use exploitation frameworks such as Metasploit or PowerShell Empire to perform post-exploitation actions on compromised endpoints. While anti-virus (AV) bypass and detection avoidance is often trivial in all but the most mature environments, detections from AV have caused me to look toward custom tooling to mitigate…
Popping shells on Splunk
Every now and then when testing networks, I run into Splunk. Splunk is a software platform to search, analyze and visualize data. It is super useful for all sorts of purposes. As a pentester, it can be useful as it often contains all sorts of data, some of which may be sensitive. Gaining access to…
Bypassing Duo Two-Factor Authentication (Fail Open)
Often times while performing penetration tests it may be helpful to connect to a system via the Remote Desktop Protocol (RDP). I typically use rdesktop or xfreerdp to connect to host once I have obtained credentials to do all sorts of things such as use Active Directory Users and Computers or SQL Management Studio. One…
Bsides Puerto Rico 2017-2018 Presentation
Here are the slides and video from my presentation at Bsides Puerto Rico 2017-2018. Bsides Puerto Rico 2017-2018 from Esteban Rodriguez
Raining shells on Linux environments with Hwacha
If you’ve read previous posts on here you know that I am a big fan of CrackMapExec. One of the things that makes it particularly useful is I can run a payload against multiple targets at once. A variety of payloads exist, though my favorites are “mimikatz” and “met_inject”, which executes Meterpreter shellcode on a…
Exploiting an unsecured Dell Foglight server
Dell Foglight for Virtualization is an infrastructure performance monitoring tool that can also be used to manage systems as well. It comes configured with a default username and password of “foglight”. It is possible to execute code on the host itself through an integrated scripting console. By browsing to Homes -> Administration And then…
Squeezing the juice out of a compromised WordPress server
During the course of a penetration test, you may stumble upon a web server running WordPress. WordPress is a highly popular CMS. It runs on PHP, and is typically ran on top of a LAMP stack. While most WordPress servers on the web are configured with strong passwords and security plugins, rarely is this the…
Compromising Jenkins and extracting credentials
Jenkins is an open-source continuous integration software tool written in the Java programming language. While useful to developers, it can also be useful to attackers. Often times developers will leave Jenkins consoles in an insecure state, especially within development environments. Jenkins has a scripting console available which can be used to run…
Using email for persistence on OS X
In this post we will cover how we can use Mail.app on OS X to persist. I was inspired by similar tools which are designed to work with Microsoft Outlook. I first stumbled upon this article from MWR InfoSecurity, and then this blog post from Silent Break Security. While rules in Mail.app will not replicate…
Privilege escalation on OS X – without exploits
This blog post is about ways to escalate privilege on OS X without the usage of exploits. While exploits are always nice to have, there are other ways in which you can gain root privileges on your target. By using misconfigurations with a little bit of social engineering you can get your victim to escalate…
Categories
n00py Blog
- The SOCKS We Have at Home
- Bypassing Amazon Kids+ Parental Controls
- Bypassing Okta MFA Credential Provider for Windows
- CactusCon 2023: BloodHound Unleashed
- Exploiting Resource Based Constrained Delegation (RBCD) with Pure Metasploit
- Practical Attacks against NTLMv1
- Password Spraying RapidIdentity Logon Portal
- Manipulating User Passwords Without Mimikatz
- Unauthenticated Dumping of Usernames via Cisco Unified Call Manager (CUCM)
- Adding DCSync Permissions from Linux
December 2024 M T W T F S S 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 Archives
- January 2024
- April 2023
- February 2023
- January 2023
- October 2022
- March 2022
- January 2022
- September 2021
- May 2021
- December 2020
- August 2020
- May 2020
- February 2020
- January 2020
- December 2019
- June 2019
- March 2019
- October 2018
- August 2018
- June 2018
- April 2018
- March 2018
- January 2018
- December 2017
- November 2017
- October 2017
- September 2017
- August 2017
- June 2017
- April 2017
- March 2017
- January 2017
- October 2016