Posts

  • Wagging the Dog: Abusing Resource-Based Constrained Delegation to Attack Active Directory

    Back in March 2018, I embarked on an arguably pointless crusade to prove that the TrustedToAuthForDelegation attribute was meaningless, and that “protocol transition” can be achieved without it. I believed that, security-wise, once constrained delegation was enabled (msDS-AllowedToDelegateTo was not null), it did not matter whether it was configured to use “Kerberos only” or “any authentication protocol”.

    I started the journey with Benjamin Delpy’s (@gentilkiwi) help modifying Kekeo to support a certain attack that involved invoking S4U2Proxy with a silver ticket without a PAC, and we had partial success, but the final TGS turned out to be unusable. Ever since then, I kept coming back to it, trying to solve the problem with different approaches but did not have much success. Until I finally accepted defeat, and ironically then the solution came up, along with several other interesting abuse cases and new attack techniques.

  • Shenanigans!

    Some of my colleagues and I decided to join forces and launch a new research team called Shenanigans Labs.

    We will occasionally write about our research projects in our new blog at shenaniganslabs.io, when we discover an interesting vulnerability or a new TTP, and if we are at liberty to publish them.

    We hope you find our posts valuable and enjoy reading them.

    I will cross-post my content in this blog and at shenaniganslabs.io.

  • Abusing Resource-based Constrained Delegation 101

    I recently collaborated with Will Schroeder (@harmj0y) to weaponise resource-based constrained delegation to abuse ACLs to take over computer objects in Active Directory.

    Will wrote an excellent post about it, which I highly recommend reading: https://www.harmj0y.net/blog/redteaming/another-word-on-delegation/

    We later took it up a notch and abused it to the extreme. I will publish the details on 28/01/2019 or as soon as MSRC clears it.

  • Internal Monologue Attack - Retrieving NTLM Hashes without Touching LSASS

    Mimikatz is a well-regarded post-exploitation tool, which allows adversaries to extract plain-text passwords, NTLM hashes and Kerberos tickets from memory, as well as perform attacks such as pass-the-hash and pass-the-ticket, or build a golden ticket. Arguably, the primary use of Mimikatz is retrieving user credentials from LSASS process memory for use in post-exploitation lateral movement.

    Recently, Microsoft has introduced Credential Guard in Windows 10 Enterprise and Windows Server 2016, which uses virtualization-based security to isolate secrets, and it is very effective in preventing Mimikatz from retrieving hashes directly from memory. Also, Mimikatz has become a prime target of most endpoint protection solutions, and they are very aggressive in their efforts to detect and prevent it. Although these efforts are bound to fail, they are increasingly becoming a nuisance.
