Continuing with the entries related to MSSQL exploitation, we will now explore how to exploit linked databases and the possibility of deploying a “portable” SSH server through an MSSQL database with the “xp_cmdshell” function enabled and using a service user. Configuración de bases de datos enlazadas We will use the Continue Reading
RT – Lateral movement through MSSQL – Part 1
It is quite common to identify MSSQL instances in Active Directory environments, due to the easy integration with LDAP and respective authentication mechanisms, so these deployed instances can provide an attacker with different ways to obtain information or some way to compromise internal servers. In this post I will explain Continue Reading
RT – NTLM Relay and Coerce authentication, practical scenarios
I have come across many times, in real scenarios, certain configurations in the domain that allow an attacker to gain control over certain computers and servers under the following conditions: The last two points are not under the attacker’s control, they are configurations that are already defined in a domain Continue Reading
RT/BT – Active Directory enumeration and ACL exploitation for privilege escalation – Part 2
It’s been a while since I last posted, I’ve been busy with personal things, but I want to retake sharing things I know about Active Directory exploitation. We’ll continue adding misconfigurations to our Active Directory environment, to further explore ACL exploitation paths. We’ll add a new domain user, max.power in Continue Reading
RT/BT – Active Directory enumeration and ACL exploitation for privilege escalation – Part 1
In this post we will use different tools to analyze an Active Directory environment, both from Linux and Windows. This post is useful for both Pentesters and Blue Team members, as it identifies possible attack vectors and insecure configurations on a domain. Both to exploit from the attacker’s side, and Continue Reading
RT – Known Kerberos attacks – Part 2
In this entry, we continue with some known attacks on Active Directory environments using Kerberos, mainly lateral movement and persistence. One of the oldest and most known ways of lateral movement is Pass the hash, where we use a user’s NTLM hash to gain access to resources or computers where Continue Reading
RT – Kerberos known attacks – Part 1
An important part of the authentication mechanisms and protocols used by Active Directory is Kerberos, which in short, establishes a secure authentication channel between trusted hosts on an untrusted network. Some of the objectives of a Kerberos authentication process are listed in the following section As an attacker, we can Continue Reading
RT – Active Directory basic scenario
Continuation of the previous post, where we’ll start configuring a vulnerable environment to learn how to escalate privileges within an Active Directory scenario abusing insecure configurations. REQUIREMENTS: We’ll start our scenario configuration by adding new local administrator accounts for the two Windows hosts “ATENCION01” and “TECNOLOGIA01”. We login with an Continue Reading
Laboratory – Creating our first Active Directory test enviroment.
In this location, I’ll be showcasing the step by step procedure I usually follow whenever I need to deploy an Active Directory environment, whether it’s for pentesting/red team tests or to try out forensic tools/SOC capabilities or similar (Blue team). To deploy our environment we’ll need a host, dedicated one Continue Reading