Posts

2022 Common Active Directory Exploitation Paths

Here are the common exploitation paths we discovered during our internal penetration tests in 2022. These paths are not as overly complicated as the ones you might find in CTF challenges, but they come from real engagements. The purpose of this blog post is not to explain how the vulnerabilities work; there is plenty of documentation online. Instead we just want to share the exploitation paths we most frequently used/abused in 2022. We also like these paths because they work mostly at the network level, so they are less likely to be affected by local protections such as antivirus, which typically block memory attacks like dumping LSASS. Hope you find them interesting.

From Unauthenticated To Authenticated

Track 1 – SMB Null + Password Spray

Use Nmap smb-enum-users or enum4linux-ng to find and enumerate users on systems that allow SMB login via a NULL session.

$ python3 enum4linux-ng.py host1.domain.local
[+] After merging user results we have 563 user(s) total: ...

How to Secure Active Directory: a Red Teamer Perspective

Introduction

Although a number of organisations are moving to cloud solutions such as Azure AD, a large number still have an on-premise Active Directory environment, or a hybrid environment built around standard Microsoft Active Directory. In recent years, a large number of vulnerabilities have been disclosed for Active Directory, and a number of exploitation tools have been made easily available to everyone on the internet. This blog post illustrates how to secure your Active Directory environment based on the most common vulnerabilities that Proelians identifies during red team engagements and internal penetration tests.

Default Misconfigurations

Due to its complexity, Active Directory has a number of misconfigurations which, in some cases, are actually present in its default configuration.

Insecure Protocols

Active Directory makes use of LLMNR and NBT-NS for the discovery of network resources. These protocols can be abused by attackers with a tool su...

Reconnaissance for Red Teamer Operators

Intro to Reconnaissance

The first step of every Red Team engagement is to perform an information gathering phase (also known as the reconnaissance phase), in which the Red Team operator collects as much information as possible about their targets. This information should help the Red Team operator formulate an attack strategy with the ultimate goal of gaining an initial foothold inside the organisation's network. There are two main types of reconnaissance:

Passive Reconnaissance: here the Red Team tries to gather information without actively interacting with a system or service. Examples include open-source intelligence (OSINT) or any information available online.

Active Reconnaissance: in this phase, the attacker actually interacts with the identified targets, for example by performing a network port scan or by spidering the organisation's websites.

There are a number of techniques that can be used during the reconnaissance phase, as detailed in this blog post....