Lars Karlslund - mucking around with your AD

@lkarlslund

Followers
4,574
Following
1,363
Media
2,371
Statuses
11,676

Curious security octopus | Adalanche | Sarcasm level 11 | Fond of LEGO | 8.7B hashes | All thoughts, no leadership | I'm here for Justin

Danmark
Joined February 2010
@lkarlslund
Lars Karlslund - mucking around with your AD
4 months
This is why your NVidia driver download is 670MB: they silently fix a *ton* of problems in games, so customers are happy. It's the same in Windows - here's the system wide shim db from Windows 11 23H2 with workarounds for "After Dark 4.0" with flying toasters released in 1996.
48
395
5K
@lkarlslund
Lars Karlslund - mucking around with your AD
5 months
Do you want to go from NTLM hash to plaintext password in an instant? I made a freely accessible service that contains 8.7B hashes, no sign-up required, free to use.
38
479
2K
@lkarlslund
Lars Karlslund - mucking around with your AD
2 years
Stuck on a network with no credentials? No worry, you can anonymously bruteforce Active Directory controllers for usernames over LDAP Pings (cLDAP) using my new tool - with parallelization I get 10K usernames/sec
31
482
2K
@lkarlslund
Lars Karlslund - mucking around with your AD
2 years
Don't lose trust! "The trust relationship between this workstation and the primary domain failed." Has this ever happened to you? I'll show you how to fix it, and (more interestingly) how it works behind the scenes 1/🧵
47
367
2K
@lkarlslund
Lars Karlslund - mucking around with your AD
2 years
Did you know that you can mass upgrade a lot of Windows 10/11 3rd party software with a free tool from Microsoft? It's like Linux's "apt" or "yum" ... Patching some of your vulnerable software is now free and easy, as I'll show you here 1/5
39
457
2K
@lkarlslund
Lars Karlslund - mucking around with your AD
4 months
Small companies aren't capable of proper security due to their size, and big companies aren't capable of proper security due to their size
@techspence
spencer
4 months
What separates large organizations vs small organizations when it comes to security?
49
1
32
11
144
1K
@lkarlslund
Lars Karlslund - mucking around with your AD
2 years
Unbelievably cool Active Directory lab for you (and me!) to play with. Has parent/child domains, ADCS, different servers, lots of misconfigurations etc. You provision it with Vagrant and Ansible. The Game of Thrones naming is a bonus!
17
318
1K
@lkarlslund
Lars Karlslund - mucking around with your AD
4 months
Flying Toasters on Windows 11. My life is complete, so I'm going to bed now.
12
49
757
@lkarlslund
Lars Karlslund - mucking around with your AD
11 months
This is my new Teams background
19
54
693
@lkarlslund
Lars Karlslund - mucking around with your AD
4 years
When the Linux kernel is about to run out of entropy, it could just check the current licensing terms for Microsoft products, as they are always changing in a random way. Problem solved, next please!
@SwiftOnSecurity
SwiftOnSecurity
4 years
The paper details how requests for random numbers never fail in Windows, which is something the Linux kernel developers have never been able to successfully implement. Hopefully they can use this paper for ideas. 🤞
20
30
236
4
94
654
@lkarlslund
Lars Karlslund - mucking around with your AD
2 years
LAPSUS is threatening to release 1TB of stolen data from NVIDIA, which is the equivalent of the last three driver updates I downloaded for my graphics card
@stealthmole_int
Fusion Intelligence Center @ StealthMole
2 years
[ALERT] LAPSUS ransomware gang leaked the credentials of NVIDIA employees. And announced that it would soon release 1TB of stolen data.
20
154
428
12
89
653
@lkarlslund
Lars Karlslund - mucking around with your AD
2 years
Using WSUS to patch your Domain Controllers? :-) That makes your WSUS server .... Tier 0! Anyway, here's a tool to pwn every machine that pulls updates from WSUS.
6
198
612
@lkarlslund
Lars Karlslund - mucking around with your AD
2 years
Today I did some dorking on @shodanhq , looking for Active Directory controllers exposed directly on the internet. Results after searching for "ldap GSS-SPNEGO" yielded a whopping 52K servers. Mind blowing!
13
137
597
@lkarlslund
Lars Karlslund - mucking around with your AD
2 years
The Active Directory group "Account Operators" is a bastard, and should be kept empty. Why? Because it undermines your *entire* delegation structure in the AD. Here are the details, and it shows why you should stay clear of this group 1/n
8
173
575
@lkarlslund
Lars Karlslund - mucking around with your AD
2 years
The "Backup Operators" group in your Active Directory can remote in to your Domain Controllers, and extract the ntds.dit file holding your entire AD along with hashes of all accounts. Here's the rundown on how you exploit this ...
6
163
522
@lkarlslund
Lars Karlslund - mucking around with your AD
4 months
You should definitely not download the maybe-abandonware After Dark 4.0 ISO from the internet and install it on your Windows 11 PC. On the other hand, if you *do*, it will really mess up the app usage metrics that your computer ships to Microsoft.
4
21
461
@lkarlslund
Lars Karlslund - mucking around with your AD
3 months
You get what you pay for, and then some
10
70
425
@lkarlslund
Lars Karlslund - mucking around with your AD
4 months
Have you ever wondered where the SIDs for isolated Windows services come from? S-1-5-80-..... they're not in the registry, and not on the disk ... that's because they're *calculated* based on the service name ...
3
70
401
@lkarlslund
Lars Karlslund - mucking around with your AD
2 years
Do domain/DNS recon using Azure and the AADInternals PowerShell module against any organization that uses Azure ... this is Microsoft (you get a loooong list of domains)
8
98
370
@lkarlslund
Lars Karlslund - mucking around with your AD
2 years
@halvarflake "Let me Cuggl that for you"
1
3
356
@lkarlslund
Lars Karlslund - mucking around with your AD
4 months
@krlntpd @SwiftOnSecurity Wonderful comparison ... it's all fun and games until some virus finds an exploit in your obsolete DNA
2
3
352
@lkarlslund
Lars Karlslund - mucking around with your AD
2 years
Fellow Active Directory infosec researchers here in Denmark have figured out how to cross domains in the same direction as a trust - yes, the opposite of what is normal 1/🧵
5
131
348
@lkarlslund
Lars Karlslund - mucking around with your AD
3 years
So I'm diving head first into Azure AD, and I think it's a f*cking can of worms. Most large orgs do a TWO WAY sync of their on prem AD with AAD (users, groups, passwords). The attack surface is just horrible.
21
51
345
@lkarlslund
Lars Karlslund - mucking around with your AD
2 years
Deploy GOAD (the wonderful vulnerable Active Directory experimental lab from Orange Cyberdefense) - a quick guide. You'll need a spare PC with at least 4 cores, 16GB RAM and 256GB SSD. Script included, so it's easy even if you're not Linux savvy! 1/🧵
9
92
317
@lkarlslund
Lars Karlslund - mucking around with your AD
2 years
Your Azure AD Connect server ... it's a Tier 0 asset. Why? Because the Azure AD account it contains can probably compromise your entire tenant. If you use inbound password sync, the AD account it uses can potentially cost you your AD too. 1/7
4
103
316
@lkarlslund
Lars Karlslund - mucking around with your AD
6 years
This ThinkPad X220 is waving goodbye to Intel ME and whatever stuff Lenovo put in there. Thanks to @coreboot_org
8
85
294
@lkarlslund
Lars Karlslund - mucking around with your AD
2 years
SMB auditing: if you want to find/audit SMB shares there's SMBeagle as an option. It doesn't look at content, just exposed files, but is a nifty addition to the arsenal
4
80
295
@lkarlslund
Lars Karlslund - mucking around with your AD
2 years
Cool LDAP utility for Red Teamers! Easy to do simple lookups and some modifications - it has great potential and I'm sure more features will come. I had a similar tool planned, but never found the time to do it - fortunately @synzack21 did!
1
82
283
@lkarlslund
Lars Karlslund - mucking around with your AD
3 years
@jilles_com What the actual f....?
6
20
276
@lkarlslund
Lars Karlslund - mucking around with your AD
2 years
Do you have privileges? Sure you do, every Windows user has them. See them with "whoami /priv", and check out this GitHub repository for how to help yourself to even more rights (aka privesc!). It's a list of privileges and how to use them creatively.
4
81
274
@lkarlslund
Lars Karlslund - mucking around with your AD
2 months
You can now do a plaintext password lookup in the 8.7B password database. This is done by converting it to NT hash internally, then looking that up. Controversially the site stores that hash of any unmatched passwords, just like if you did a hash lookup.
5
56
264
@lkarlslund
Lars Karlslund - mucking around with your AD
6 months
FastSync is released! It's my rsync alternative for Linux, because I needed to sync 100TB in several billion files that were also hardlinked together (and rsync was slow and kept failing) Maybe useful for others ... maybe not. But here it is:
5
55
259
@lkarlslund
Lars Karlslund - mucking around with your AD
6 years
@decryption @nixcraft But here's the original :)
12
48
250
@lkarlslund
Lars Karlslund - mucking around with your AD
2 years
The infosec shortage problem has been solved
9
30
248
@lkarlslund
Lars Karlslund - mucking around with your AD
2 years
Then launch an elevated Windows Terminal, and get ready to patch some stuff. You simply type "winget upgrade" - this shows you all the stuff you have installed (not necessarily using winget - also manually!) which can be upgraded. 3/5
5
34
240
@lkarlslund
Lars Karlslund - mucking around with your AD
4 months
This is NOTEPAD.EXE on my Windows 11 machine that has SYSTEM.INI with comments about 16-bit support while it has multiple TABS open ... my mind is melting here. If you've ever configured the Novell Netware login on Windows 3.11 in the SYSTEM.INI file manually this is wild.
8
10
236
@lkarlslund
Lars Karlslund - mucking around with your AD
2 years
If you're a browser tab abuser like me, this setting is a must have - new tabs open next to the current, not 200+ tabs away.
8
50
222
@lkarlslund
Lars Karlslund - mucking around with your AD
4 months
OK, diving in. SYSTEM.INI ... I forgot it even existed! It's *STILL* there on my Windows 11 machine .... along with entries from a bitmap font.
2
7
220
@lkarlslund
Lars Karlslund - mucking around with your AD
2 years
Microsoft Defender goes nuts over open source reverse proxy. Claims I'm under ransomware attack (active??). It's an executable on the D:\ drive, it's benign and it's not running. Sigh.
14
30
211
@lkarlslund
Lars Karlslund - mucking around with your AD
2 years
Not this **** again. AV blaming an open source tool to be virus or malware. Sigh! It's a tunneling tool, so why not just flag SSH too? Fortunately this is written in Go, so I'll show you how to do an obfuscated build of it, which has almost no AV detections at all 1/🧵
4
48
209
@lkarlslund
Lars Karlslund - mucking around with your AD
5 months
WHAT!?!? More than 30 downloads PER DAY. I had no clue this was popular - based on GitHub stars it's not. Spend 3 days making an attack tool: 9K downloads, spend 3 years making a defensive tool: 5K downloads. No wonder everyone gets hacked.
1
13
195
@lkarlslund
Lars Karlslund - mucking around with your AD
2 months
This could be your Active Directory
11
9
189
@lkarlslund
Lars Karlslund - mucking around with your AD
3 years
@MalwareTechBlog No, but I did successfully nuke Emotet from a large international company when 2 other companies failed, then deployed our EDR software and prevented a ransomware attack 9 months later. The thanks was they cancelled our software because it was too "noisy" in their alert mailbox.
6
3
186
@lkarlslund
Lars Karlslund - mucking around with your AD
2 years
Congrats, you're local admin. Now sync the password using PowerShell - provide an AD account that has the power to "Reset Password" on the machine account. That's it, problem solved! If you're in the mood for some history, read on ... 6/🧵
5
19
180
@lkarlslund
Lars Karlslund - mucking around with your AD
2 months
Getting pwned twice: first by ransomware, then by not reporting it and the feds finding evidence of it on the ransomware servers
@SwiftOnSecurity
SwiftOnSecurity
2 months
Further, now any companies that paid ransoms and didn’t do required disclosures are just going to get burned now. Strong argument for future incidents, we have proof it does not work. And SEC is out for CISO blood…
17
99
638
2
28
181
@lkarlslund
Lars Karlslund - mucking around with your AD
2 years
If you're a sysadmin, you might consider adding this into an automated flow. If you're only pushing Microsoft updates at the moment, this is way better than nothing! You can also deploy software with winget ... and it's open source. What's not to like? 5/5
4
21
172
@lkarlslund
Lars Karlslund - mucking around with your AD
2 years
If you feel like Active Directory is daunting, but you want to learn more, and not feel like a total idiot at the same time ... read this: ... it wins because it's written concisely and in an easy to consume language (from @Nutritionist_AP feed, thanks 👏)
1
44
170
@lkarlslund
Lars Karlslund - mucking around with your AD
5 months
Visited a new customer the other day for a sales meeting. There were a couple of hours of waiting time, so I asked if it was OK to "look around their infrastructure?". It was, so I plugged in and enumerated 40% of their AD users in 3 minutes with my own tool.
5
23
170
@lkarlslund
Lars Karlslund - mucking around with your AD
2 years
(Re)introducing source -> target searches. Here I'm searching for accounts with passwords older than 5 years and asking adalanche if any of those has a path to one of the "Domain Admins" groups in this multi forest analysis. Code is on Github!
2
44
167
@lkarlslund
Lars Karlslund - mucking around with your AD
2 years
I know it's "just" a LEGO set, but for me it's a fond childhood memory of dreaming of going to space. I really loved building this one. Thanks @LEGO_Group for making stuff for us old kids.
4
2
161
@lkarlslund
Lars Karlslund - mucking around with your AD
2 years
A way to shoot yourself in the foot with Active Directory, is to forget to clean up exposed cPassword data in GPOs. Now adalanche detects this, and everyone that can access these passwords too. If you're doing pen tests or securing AD, this makes it very easy to find this.💪💪💪
3
40
160
@lkarlslund
Lars Karlslund - mucking around with your AD
2 months
Backdoor an AD: bring your own innocently named CA, place it in CN=NTAuthCertificates,CN=Public Key Services,CN=Services,CN=Configuration,DC=contoso,DC=local - you can now always bring your own cert and be anyone. RT for reach, quote with a novel alternative.
4
31
161
@lkarlslund
Lars Karlslund - mucking around with your AD
2 years
Even if you aren't coding Go, here's a good explainer on tokens in Windows. I went through the same for the userspace service in our EDR product, service ran as high-priv and launched low priv interactive user tray bar when it detected a user logging in.
0
37
145
@lkarlslund
Lars Karlslund - mucking around with your AD
2 years
You can harden your Active Directory against wrong owners and permissions on Computer objects, which is a typical scenario with devastating results if it's a Domain Controller object. I've written about this problem earlier here. 1/11
@lkarlslund
Lars Karlslund - mucking around with your AD
2 years
Find DCs with wrong object owners using adalanche, and see the impact it's having on your security. If you're doing multi forest analysis, you can get really interesting results, as it will expose forest-to-forest takeover scenarios (names anonymized to protect the innocent) 1/5
4
19
80
3
43
137
@lkarlslund
Lars Karlslund - mucking around with your AD
3 months
It will take you only 30 seconds to go from RDP login to Adalanche attack graph results
3
25
136
@lkarlslund
Lars Karlslund - mucking around with your AD
3 months
Dump remote Windows hashes from SAM/SECURITY - this dumper overcomes SYSTEM only access by simply using admin rights to modify DACL, reading SAM and then restoring DACL - also supports NTLM relaying
1
35
136
@lkarlslund
Lars Karlslund - mucking around with your AD
2 years
Active Directory sysadmins: Run these extensive but easy to use tests on your infrastructure to show the most obvious problems. You'll get a goldmine of results back ranging from technical to security issues. Here's how you do it ... 1/5
2
27
127
@lkarlslund
Lars Karlslund - mucking around with your AD
2 years
Danish Identity Authority MitID (which is replacing the old NemID system here in Denmark) forgets to renew their SSL certificate. Minor mistake, but still my trust with them drops from "lukewarm" to "is the backend running with duct tape"🤦‍♂️
5
15
125
@lkarlslund
Lars Karlslund - mucking around with your AD
3 months
Highly underrated GitHub repo from @DebugPrivilege here - if you do lowlevel-ish coding or just want to learn about Windows internal stuff, it's a real gold mine with knowledge that is reasonably easy to pick up. Can't believe it only has so few stars.
2
36
126
@lkarlslund
Lars Karlslund - mucking around with your AD
1 year
New offensive security tool: Hash Muncher. It dumps incoming NTLM authentication hashes from SMB/file share access. It's based on ultra cool research from @Nettitude_Labs , great work!
@UK_Daniel_Card
mRr3b00t
1 year
@lkarlslund and I have been having fun ;)
1
0
6
2
42
120
@lkarlslund
Lars Karlslund - mucking around with your AD
2 years
Hacker strategy evolved: pwn a corp box, raise small alert that could be nothing. Wait for SOC employee to log into compromised box. Let them investigate and leave. Meanwhile steal their credentials, and then pwn everything because they have local admin on all boxes.
11
23
113
@lkarlslund
Lars Karlslund - mucking around with your AD
2 years
Audit your LAPS setup with adalanche: search for (_pwnable=ReadLAPSPassword). You'll probably get way too many targets, so limit it to a random subset with (_random100<5) which return ~5% of the targets. This is a LDAP query, so wrap both in (&(query)(query)) as pictured.
4
33
115
@lkarlslund
Lars Karlslund - mucking around with your AD
4 months
The amount of work put into the latest Game Of AD is just crazy. Super work, @M4yFly and contributors ♥️
4
22
114
@lkarlslund
Lars Karlslund - mucking around with your AD
5 months
Funny thing ... doing a website for hackers - yes, I'm looking at you who looked up this NTLM hash 634A8D63867B2E64855DED9537420986 on 🤣... so now we do proper escaping
2
16
109
@lkarlslund
Lars Karlslund - mucking around with your AD
2 years
If you have internet facing Windows machines, this is a good option to bring down attack surface a bit. There is also the @Crowd_Security Windows agent which is an early alpha (for test systems!) Or wait a bit for @UK_Daniel_Card to release his RDP guard.
@0gtweet
Grzegorz Tworek
2 years
Any Internet-facing Windows machines? 1. Go to 2. Pick your favorite evil country. 3. Select "IP Range" as format. 4. Copy the result to clipboard. 5. Run the script from
12
167
574
4
40
102
@lkarlslund
Lars Karlslund - mucking around with your AD
2 years
If you're running Windows 11, it's preloaded onto the system, so you can skip this part. On Windows 10, go to the Microsoft Store and search for "app installer". Here is my laptop which hasn't been powered on for quite a while - ironically it has a winget update available :-) 2/5
2
7
103
@lkarlslund
Lars Karlslund - mucking around with your AD
2 years
Oh, boy. The LDAP Ping. I thought I knew LDAP, and here's something I didn't know about. It's pseudo code, a fate worse than a bicycle accident. The rootDSE can be probed anonymously. Notice any problems? ;-)
3
15
101
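The LDAP ping discussed here, and the anonymous username bruteforcing post further up, both rest on the same exchange: an unauthenticated cLDAP SearchRequest against the rootDSE over UDP/389 with the filter (&amp;(DnsDomain=...)(NtVer=\06\00\00\00)(User=...)), to which the DC answers with a Netlogon attribute whose opcode says whether the user exists. The following is an added example of that exchange, written for this page and not taken from ldapnomnom; the BER encoding is done by hand so it runs without an LDAP library, the opcode values are the ones MS-ADTS defines for NETLOGON_SAM_LOGON_RESPONSE_EX, and the DC reply used for testing is constructed, not captured.

```python
import socket
import struct

# NETLOGON_NT_VERSION_5 | NETLOGON_NT_VERSION_5EX: ask for the _EX response format
NTVER_5EX = b"\x06\x00\x00\x00"
# Opcodes of the Netlogon response structure (MS-ADTS 6.3.1.9)
LOGON_SAM_LOGON_RESPONSE_EX = 0x17   # the probed user exists
LOGON_SAM_USER_UNKNOWN_EX = 0x19     # no such user


def _ber(tag: int, content: bytes) -> bytes:
    """Minimal BER TLV encoder (content lengths up to 65535)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = bytes([0x81, n])
    else:
        length = bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + content


def _eq(attr: bytes, value: bytes) -> bytes:
    return _ber(0xA3, _ber(0x04, attr) + _ber(0x04, value))  # equalityMatch [3]


def build_ping(domain: str, username: str, message_id: int = 1) -> bytes:
    """Encode the cLDAP SearchRequest: rootDSE, base scope, attribute Netlogon."""
    flt = _ber(0xA0, _eq(b"DnsDomain", domain.encode())       # and-filter [0]
               + _eq(b"NtVer", NTVER_5EX)
               + _eq(b"User", username.encode()))
    search = _ber(0x63,                              # SearchRequest [APPLICATION 3]
                  _ber(0x04, b"")                    # baseObject "" = rootDSE
                  + _ber(0x0A, b"\x00")              # scope: baseObject
                  + _ber(0x0A, b"\x00")              # derefAliases: never
                  + _ber(0x02, b"\x00")              # sizeLimit 0
                  + _ber(0x02, b"\x00")              # timeLimit 0
                  + _ber(0x01, b"\x00")              # typesOnly FALSE
                  + flt
                  + _ber(0x30, _ber(0x04, b"Netlogon")))
    return _ber(0x30, _ber(0x02, bytes([message_id & 0x7F])) + search)


def _tlv(buf: bytes, pos: int = 0):
    """Decode one BER TLV at pos -> (tag, content, position after it)."""
    tag, n = buf[pos], buf[pos + 1]
    pos += 2
    if n & 0x80:                                     # long-form length
        k = n & 0x7F
        n = int.from_bytes(buf[pos:pos + k], "big")
        pos += k
    return tag, buf[pos:pos + n], pos + n


def extract_netlogon(datagram: bytes):
    """Return the Netlogon attribute value from a SearchResultEntry, or None."""
    _, msg, _ = _tlv(datagram)                       # first LDAPMessage in datagram
    _, _, p = _tlv(msg)                              # messageID
    tag, entry, _ = _tlv(msg, p)
    if tag != 0x64:                                  # not SearchResultEntry [APPLICATION 4]
        return None
    _, _, p = _tlv(entry)                            # objectName
    _, attrs, _ = _tlv(entry, p)                     # PartialAttributeList
    p = 0
    while p < len(attrs):
        _, attr, p = _tlv(attrs, p)
        _, atype, q = _tlv(attr)
        _, vals, _ = _tlv(attr, q)
        if atype.lower() == b"netlogon" and vals:
            return _tlv(vals)[1]
    return None


def classify(netlogon) -> str:
    """Map the response opcode (first 2 bytes, little-endian) to a verdict."""
    if not netlogon or len(netlogon) < 2:
        return "no-reply"
    opcode = struct.unpack("<H", netlogon[:2])[0]
    return {LOGON_SAM_LOGON_RESPONSE_EX: "exists",
            LOGON_SAM_USER_UNKNOWN_EX: "unknown"}.get(opcode, "other")


def ping_user(dc_ip: str, domain: str, username: str, timeout: float = 2.0) -> str:
    """One anonymous probe over UDP/389 (needs a reachable DC; not exercised offline)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_ping(domain, username), (dc_ip, 389))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "no-reply"
    return classify(extract_netlogon(data))


def fake_response(opcode: int, message_id: int = 1) -> bytes:
    """Constructed DC reply for offline testing: SearchResultEntry whose Netlogon
    value starts with the given opcode; the rest of the structure is zero-filled."""
    netlogon = struct.pack("<H", opcode) + b"\x00" * 30
    attr = _ber(0x30, _ber(0x04, b"Netlogon") + _ber(0x31, _ber(0x04, netlogon)))
    entry = _ber(0x64, _ber(0x04, b"") + _ber(0x30, attr))
    return _ber(0x30, _ber(0x02, bytes([message_id])) + entry)
```

The detection angle follows from the same bytes: a DC sees this as a flood of NETLOGON_SAM_LOGON_RESPONSE_EX / USER_UNKNOWN_EX answers on UDP/389 from one source, which is distinctive enough to alert on even though nothing is logged in the Security event log for an anonymous ping.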
@lkarlslund
Lars Karlslund - mucking around with your AD
5 months
If you're curious about how the backend for is holding up ... well, it's not exactly under pressure. If you spend your entire 1000 lookup quota in one go, you'll keep it busy for ~1 second
2
5
99
@lkarlslund
Lars Karlslund - mucking around with your AD
2 years
AzureAD lets users access resources based on the permissions they have. Unless they claim to be using Powershell, then you get some extra read-only permissions thrown in for free. Bonus: every application can claim to be Powershell by using its client ID ¯\_(ツ)_/¯
3
26
97
@lkarlslund
Lars Karlslund - mucking around with your AD
4 months
I will keep whining about the task manager being hosed in Windows 11 until someone from Microsoft fixes it. CPU usage @ 20% yet details show 96% idle. Current best option is asking @SwiftOnSecurity to help the mothership.
14
3
91
@lkarlslund
Lars Karlslund - mucking around with your AD
3 months
Yo, pentesters! What are the "Game Over" scenarios for an AD domain? Ran DCsync, issued certificate for other user, pwned a DC via GPO, reached user that is member of AD/DA/EA ... others? Trying to map out what nodes that are *final* goals of most attacks.
12
13
89
@lkarlslund
Lars Karlslund - mucking around with your AD
2 years
My little box of USB toys. Can you recognize any of them?
23
2
89
@lkarlslund
Lars Karlslund - mucking around with your AD
2 years
Of course you will not get everything upgraded on your system, but if you're like me you have a *lot* of freely available software on your system. Most of this will get upgraded ... now run "winget upgrade --all" if you feel confident nothing will break 4/5
5
3
84
@lkarlslund
Lars Karlslund - mucking around with your AD
2 years
Not sure if malware is already doing this or not (I bet it is), but this seems like one of these "stupid but crazy efficient" techniques.
0
21
84
@lkarlslund
Lars Karlslund - mucking around with your AD
4 months
Explore how hackers attack Active Directory by abusing common misconfigurations! I've made the Orange CyberDefense GOAD lab available as sample data for Adalanche, so you can visualize and look at real world attack paths in 5 minutes.
3
27
83
@lkarlslund
Lars Karlslund - mucking around with your AD
3 years
Android RCE+root via browser nets you $7.700,- at TianfuCup. The same exploit will get you up to $500.000 at Zerodium. You'd have to have pretty high morals combined with your technical skills to not just sell your exploit quietly.
@FuzzySec
b33f | 🇺🇦✊
3 years
If people want to check this year's target list for TianfuCup, have a look here =>
0
8
10
6
17
80
@lkarlslund
Lars Karlslund - mucking around with your AD
2 years
GPO vulnerability analysis is now working as intended in adalanche. Here's a great example, labels removed to protect the innocent, but I'll explain below what's going on here 1/n
1
30
84
@lkarlslund
Lars Karlslund - mucking around with your AD
4 months
@Hexacorn Hmm, GeForce Experience is only 10%... ASUS should hire some of their developers
2
1
83
@lkarlslund
Lars Karlslund - mucking around with your AD
2 years
Find DCs with wrong object owners using adalanche, and see the impact it's having on your security. If you're doing multi forest analysis, you can get really interesting results, as it will expose forest-to-forest takeover scenarios (names anonymized to protect the innocent) 1/5
4
19
80
@lkarlslund
Lars Karlslund - mucking around with your AD
2 years
@SwiftOnSecurity Adalanche is my AD analysis tool. It shows graphs that visualize attack paths and other access methods in AD and Windows systems. It will take you less than 5 minutes to get results.
1
17
74
@lkarlslund
Lars Karlslund - mucking around with your AD
2 years
If your SCCM server controls your AD controllers -> SCCM servers are Tier 0 ... and if the SQL server storing the SCCM DB contains push credentials for Tier 0 -> that makes the SQL server Tier 0 as well. Attack paths are so much fun, but hard to lock down.
@_xpn_
Adam Chester 🏴‍☠️
2 years
Taking a look at SCCM on this lazy Sunday evening? Of course you are, what else is there to do?! One of the things that's likely to draw your interest are just how all those user accounts are stored. Check out the SC_UserAccount table in the SQL DB.
4
99
372
0
19
74
@lkarlslund
Lars Karlslund - mucking around with your AD
3 months
Patching cycle in companies
1
15
73
@lkarlslund
Lars Karlslund - mucking around with your AD
2 years
Active Directory is just a bottomless pit of opportunities for configuration mistakes. Hello there, Foreign-Security-Principal with full access to the keys to the kingdom by endless PKI abuse. Maybe this should be a predefined search somehow.
2
7
68
@lkarlslund
Lars Karlslund - mucking around with your AD
2 years
"It's all fun and games until someone loses a username". LDAP Nom Nom v1.0.7 high performance anonymous username bruteforcer for Active Directory - now with evasive maneuvers.
3
20
68
@lkarlslund
Lars Karlslund - mucking around with your AD
2 years
Hackers love IT documentation! It saves them so much time when doing the recon phase. They're often found in text files, Word documents, Outlook and Sharepoint. Leave false documentation lying around, pointing to internal honeypots or canary tokens.
1
14
67
@lkarlslund
Lars Karlslund - mucking around with your AD
5 months
Insta-crack NetNTLMv1 .... works with any challenge, even ESS/SSP - as long as the password is in the database (cc @vysecurity )
1
8
66
@lkarlslund
Lars Karlslund - mucking around with your AD
4 months
New upgrade to the deploy-goad script I made for Ubuntu. If you don't know GOAD, it's an excellent vulnerable Active Directory lab from Orange Cyberdefense. Super easy to deploy a lab to test out detection, attacks and see some typical problems.
1
17
66
@lkarlslund
Lars Karlslund - mucking around with your AD
28 days
PassTester is a PowerShell based script that allows you to dump NTDS.DIT and scan for weak passwords using in order to immediately locate the most predictable passwords.
0
19
64
@lkarlslund
Lars Karlslund - mucking around with your AD
2 years
First some basics: when you join a computer to an Active Directory, it gets a machine account in the AD. This is like a user account, but with objectClass value 'computer' (and others) and some userAccountControl flags indicating it to be a computer (0x1000). But ... 2/🧵
1
2
63
@lkarlslund
Lars Karlslund - mucking around with your AD
2 years
To fix it, you need admin access to the machine. There are multiple ways to do this 1) local admin account 2) unrotated LAPS account (unlikely) or 3) cached domain account which is local admin. 4) break into machine with your fav ISO and pwn local administrator account. 5/🧵
5
3
60
@lkarlslund
Lars Karlslund - mucking around with your AD
2 years
What's your favorite hashcat rules and wordlists for attacking NTLM dumps? I do get fairly good results, but it's always more or less random experimentation at the last percentages I'm able to squeeze out.
7
6
60
@lkarlslund
Lars Karlslund - mucking around with your AD
2 years
So to sum it up: locally stored machine password and AD password must match. Resyncing them is possible and easy, but must be done on both ends at the same time for it to work. 12/🧵END
7
1
59
@lkarlslund
Lars Karlslund - mucking around with your AD
3 years
@number137 @jilles_com "You get 10 free turns per hour in the free edition. Please upgrade."
0
1
57
@lkarlslund
Lars Karlslund - mucking around with your AD
2 months
Monitoring the LockBit leak site
1
3
57
@lkarlslund
Lars Karlslund - mucking around with your AD
2 years
Now that Uber is leaking left and right, where's that AD Explorer dump? Asking for a friend.
3
7
56
@lkarlslund
Lars Karlslund - mucking around with your AD
4 years
@Eric0Lawton @kcolbin @JacquelynGill I did one project, to fix a door security system written in Turbo Pascal in 1992. Not all code was available, and different parts of code on random disks. I spent at least 2 months on that in total. Doors wouldn't have unlocked 1/1/2000 if I hadn't. This is just a tiny example.
0
7
53
@lkarlslund
Lars Karlslund - mucking around with your AD
2 years
From "Golden Ticket" to "Diamond Ticket" attack - manipulate a genuine ticket to suit your needs. Ingenious!
1
20
55
@lkarlslund
Lars Karlslund - mucking around with your AD
2 months
LDAP Nom Nom v1.3.0 is released - finally with an ASCII logo - obfuscated builds also available - uses Go 1.22 for compiles, garble for obfuscation
2
13
55