Showing Posts About

Active Directory

Performing and Preventing Attacks on Azure Cloud Environments through Azure DevOps

This article explores potential attack paths in Azure DevOps by demonstrating how an unprivileged user can compromise cloud environments. The attack scenario involves phishing a Personal Access Token (PAT) to gain access to Azure DevOps repositories and pipelines. By manipulating pipeline code, an attacker can exfiltrate Service Principal credentials and gain unauthorized access to Azure cloud resources.

  • 6 Nov 2019

OU having a laugh?

A novel attack technique exploits Group Policy Object (GPO) processing in Active Directory by manipulating the gpLink attribute. An attacker with OU modification rights can redirect GPO resolution to a rogue domain controller, potentially compromising computers and users within that OU. The attack leverages default Active Directory configurations and can be executed with minimal domain user permissions.

Enumerating remote access policies through GPO

This article details techniques for enumerating remote access policies in Windows environments through Group Policy Objects. It explores how User Account Control (UAC) and User Rights Assignment (URA) settings impact remote authentication and lateral movement opportunities. PowerView extensions were introduced to help map computer objects with specific remote authentication configurations.

Trust? Years to earn, seconds to break

An Active Directory security vulnerability involves the TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION (T2A4D) User-Account-Control flag. The vulnerability can allow attackers to exploit Kerberos protocol extensions and potentially compromise domain controllers through dangerous authentication delegation attacks. Mitigation strategies include carefully managing account delegation settings and protecting sensitive user accounts.

Visualising Organisational Charts from Active Directory

This article demonstrates techniques for extracting and visualizing organizational hierarchies from Active Directory using tools like Metasploit, SQLite, and Neo4j. The methods enable mapping of reporting structures and relationships within an organization by converting Active Directory data into a graph database. Complex queries about organizational relationships can be performed dynamically, revealing management chains and reporting structures.

Offline SQL Querying of Active Directory

ADOffline is a tool that converts Active Directory LDAP data into a SQLite database for offline analysis. It enables cybersecurity professionals to perform detailed reconnaissance by querying domain users, groups, and computers without maintaining a live connection to the domain controller. The tool supports complex SQL queries and provides intuitive views to explore Active Directory information.

Active Directory: Users in Nested Groups Reconnaissance

The article discusses a technique for efficiently discovering users in nested Active Directory groups using the LDAP_MATCHING_RULE_IN_CHAIN OID. New Metasploit commands were introduced to perform comprehensive Active Directory user and group reconnaissance, allowing identification of users in complex nested group structures. The method enables penetration testers to quickly identify users with administrative privileges across nested group hierarchies.

Memory Allocation: How injecting into your own tools might help you compromise a Windows domain

ADEGrab is a memory injection tool designed to extract search results from Sysinternals' AD Explorer by directly accessing the application's memory. The tool allows penetration testers to copy search results from Active Directory exploration tools that do not natively support result export. It uses Windows API calls to read and manipulate memory within the AD Explorer process, enabling users to capture and save search results.

How to own any Windows network with group policy hijacking attacks

Group policy hijacking attacks can compromise Windows networks by intercepting and manipulating group policy traffic. The attacks exploit vulnerabilities in SMB signing and Kerberos authentication to gain SYSTEM-level access on domain-joined systems. Multiple attack vectors allow attackers to modify group policy settings and execute arbitrary code on target networks.

Practically Exploiting MS15-014 and MS15-011

The article details two Microsoft vulnerabilities (MS15-011 and MS15-014) that enable remote code execution on domain-joined Windows systems. These vulnerabilities can be exploited through a two-stage attack method to gain SYSTEM-level access by manipulating group policy and SMB signing configurations. A video demonstration shows how these vulnerabilities can be chained together to compromise hardened domain environments.

Digging into MS14-068, Exploitation and Defence

MS14-068 is a critical Windows vulnerability in Kerberos authentication that allows any authenticated domain user to forge a Privilege Attribute Certificate (PAC) and escalate privileges to domain administrator. The vulnerability enables an attacker to manipulate PAC signatures and bypass authentication controls on domain controllers running Windows 2008 and earlier. Exploitation requires only a standard domain user account and can be performed using tools like PyKEK and Impacket.

  • 13 Mar 2009

Have you got bad timing?

Timing attacks exploit variations in system response times to extract sensitive information. A specific example involving Citrix Access Gateway revealed that authentication attempts with valid Active Directory usernames took slightly longer to return failed login messages. This timing difference could potentially allow attackers to identify valid usernames and assist in password guessing attempts.