Category: <span>Pentesting</span>

Bypassing Okta MFA Credential Provider for Windows

I’ll state this upfront, so as not to confuse: This is a POST exploitation technique. This is mostly for when you have already gained admin on the system via other means and want to be able to RDP without needing MFA. Okta MFA Credential Provider for Windows enables strong authentication using MFA with Remote Desktop…


CactusCon 2023: BloodHound Unleashed

Here are the slides and video from my 2023 talk at CactusCon. The YouTube video currently is cut-off at the beginning, but if it gets fixed I’ll update with a new link. BloodHound Unleashed.pdf from n00py1


Exploiting Resource Based Constrained Delegation (RBCD) with Pure Metasploit

Metasploit recently released version 6.3.  With it came a whole lot of new features related to LDAP operations and using Kerberos authentication. In this blog I want to demonstrate how to perform a GenericWrite -> RBCD attack, which I find are very common. Often times a user will not have administrative access to a computer,…


Practical Attacks against NTLMv1

This blog is meant to serve as a guide for practical exploitation of systems that allow for the NTLMv1 authentication protocol. While NTLMv1 is hardly ever needed anymore, a surprising number of organizations still use it, perhaps unknowingly. There are however some VPN products that still currently instruct their users to downgrade NLTM authentication to…


Password Spraying RapidIdentity Logon Portal

In the past I had written a quick blog post on password spraying Dell SonicWALL Virtual Office.  While it wasn’t all that exciting of a post, a number of people did find it useful and having a blog for it helped people find it more easily than only being in a random Github repo or…


Manipulating User Passwords Without Mimikatz

There are two common reasons you may want to change a user’s password during a penetration test: You have their NT hash but not their plaintext password. Changing their password to a known plaintext value can allow you to access services in which Pass-the-Hash is not an option. You don’t have their NT hash or…


Unauthenticated Dumping of Usernames via Cisco Unified Call Manager (CUCM)

This blog is about something I found recently regarding Cisco Unified Call Manager (CUCM).  While playing around with SeeYouCM Thief, which is designed to download parse configuration files from Cisco phone systems, I noticed something interesting within a configuration file. There was an XML element in the configuration files named <secureUDSUsersAccessURL>.  The value pointed to…


Adding DCSync Permissions from Linux

Recently I came upon an attack path in BloodHound that looked like this: I had control of a computer object (an Exchange server) that effectively had WriteDacl over the domain. I had a few constraints as well: All systems were configured with EDR I only had the AES key of the computer account, not the…


Resetting an Expired Password Remotely

I’ve often found that while performing password guessing on a network, I’ll find valid credentials, but the password will be expired.  This presents a challenge, because the credentials are of limited use until they are reset. # crackmapexec smb 10.0.0.15 -u locked -p Password1 SMB         10.0.0.15       445    WIN-NDA9607EHKS  [*] Windows 10.0 Build 17763 x64 (name:WIN-NDA9607EHKS)…


Dumping Plaintext RDP credentials from svchost.exe

Recently I was browsing Twitter and came across a very interesting tweet: Umm- why can I find the password I used to connect to a remote desktop service in cleartext in memory of RDP service? First saw my microsoft accounts pwd- made new local account- same thing. For this user its: wtfmsnotcool pic.twitter.com/lRMhDCMJkH — Jonas…


The Dangers of Endpoint Discovery in VIPRE Endpoint Security

This post documents a security mis-configuation I observed in VIPRE Endpoint Security with Endpoint Discovery.  A few years ago, I published a blog post titled The Dangers of Client Probing on Palo Alto Firewalls, which detailed how client probing feature on Palo Alto firewalls can leak service account password hashes.  This issue is very similar…


Dumping LAPS Passwords from Linux

Following my previous posts on Managing Active Directory groups from Linux and Alternative ways to Pass the Hash (PtH), I want to cover ways to perform certain attacks or post-exploitation actions from Linux.  I’ve found that there are two parallel ways to operate on an internal network, one being through a compromised (typically Windows) host,…


Alternative ways to Pass the Hash (PtH)

Do you remember the first time you passed the hash?  It probably went a little something like this: msf > use exploit/windows/smb/psexec msf exploit(psexec) > set SMBPass e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c SMBPass => e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c msf exploit(psexec) > exploit [*] Sending stage (719360 bytes) [*] Meterpreter session 1 opened (192.168.57.133:443 -> 192.168.57.131:1045) If you are unfamiliar, that is the…


Password Spraying Secure Logon for F5 Networks

Next in the series of password spraying posts, I’m going to discuss password spraying on the web based logon for F5.  Previously I had written how to password spray against Dell SonicWALL, which makes use of CSRF tokens.  F5 is a little different.  It does not use CSRF tokens, but it does rate limit you…


Extracting files from Burp Intruder Output

I recently found an Insecure Direct Object Reference (IDOR) vulnerability in a web application that I was testing. By incrementing or decrementing an ID value, I could download any file in the application, even though they were not listed for download in the user interface. A simple way to exploit this kind of attack is…


Exploiting LDAP Server NULL Bind

I was recently on a penetration test that was completely locked down, I was completely alone in my subnet, and almost all of my scope targets were firewalled off.  After running a bunch of port scans, I was left only with a few SSH services on port 22, and one Secure LDAP server on port…


Managing Active Directory groups from Linux

I recently came across a peculiar scenario that caused me to have to think a little outside the box. I was able to obtain credentials for an account that was part of the “Account Operators” group.  Here is Microsoft’s description of that group: The Account Operators group grants limited account creation privileges to a user….


Zero day vulnerabilities in Determine Selectica Contract Lifecycle Management (SCLM)

Recently I discovered multiple high severity vulnerabilities in Selectica Contract Lifecycle Management (SCLM) version 5.4.  Cross-site Scripting (XSS) There was no shortage of XSS in this app.  Here’s an example from a light scan with Burp Suite: This is pretty easy to leverage for account takeover, even more so because the HTTPOnly flag was not…


Password Spraying Dell SonicWALL Virtual Office

Today I came across a Dell SonicWALL virtual office login page.  Typically what I will do when I see something like this is I will perform a password spray against it based on usernames I have collected from Open Source Intelligence (OSINT) during the reconnaissance phase of my pentest.  Typically I will not try to…


Introducing Slackor, a Remote Access Tool Using Slack as a C2 Channel

As a penetration tester at Coalfire Labs, I frequently use exploitation frameworks such as Metasploit or PowerShell Empire to perform post-exploitation actions on compromised endpoints. While anti-virus (AV) bypass and detection avoidance is often trivial in all but the most mature environments, detections from AV have caused me to look toward custom tooling to mitigate…