Sometime back i came across a blog post on FritzFrog botnet which was targeting SSH servers. I was very much inspired after reading the blog post and thought why not create my own version of wormable SSH bot similar to FritzFrog. This blog post is purely based on my learning process on creating and emulating… Continue reading Yantra Manav – A wormable SSH bot
LAPS Overview: LAPS (Local Administrator Password Solution) is a tool for managing local administrator passwords for domain joined computers. It stores passwords/secrets in a confidential attribute in the computer’s corresponding active directory object. LAPS eliminates the risk of lateral movement by generating random passwords of local administrators. LAPS solution is a Group Policy Client Side… Continue reading Malicious use of Microsoft LAPS
Background: DCShadow is a post exploitation attack, the authors call this as the domination concept. The DCShadow attack was demonstrated by Vincent Le Toux and Benjamin Delpy at Blue Hat 2018. DCShadow attack abuses Directory Replication Service (DRS) Remote Protocol [MS-DRSR] and Active Directory Technical specification [MS-ADTS]. The DCShadow attack allows an attacker with appropriate… Continue reading Tales of a Rogue Domain Controller – The DCShadow Attack
Active Directory as a C2 Really ? I was amazed when i read a blog post on AD as a C2 on @Harmj0y‘s blog. Curiosity grew into me and wanted to explore it in my lab setup. Why AD as a C2? Active Directory is a Central Authentication and Access control. All the Endpoints Workstations/Servers are… Continue reading Active Directory as a C2 (Command & Control)
This blog post is another one on the well known Kerberos abuses. The attack is very similar to Kerberoasting where we scanned for service accounts and requested for RC4 ETYPES tickets and cracked TGS ticket offline. In AS-REP Roasting we will request for RC4 ETYPES TGT ticket and crack the TGT ticket offline. AS-REP… Continue reading AS-REP Roasting – Cracking User Account Password
This blog post is based on “Tradecraft Security Weekly Talk EP 21” given by @dafthack and @ustayready from Black Hills Information Security. Microsoft word document “DOCX” file is an ZIP archive of XML files. These XML documents controls the Theme,Fonts and web settings of the document. Historically Word document used to be HTML editor. we… Continue reading Leaking windows Credentials via Microsoft Office Document
This blog post is inspired from Rob ‘mubix’ Fuller post on “Dump LAPS passwords with ldapsearch“. So in this blog post we will explore different methods or ways to dump LAPS password in clear text. By Default all the Domain Admins have view access to ms-MCS-AdmPwd attribute. Lets have a look at the following ways… Continue reading Dump LAPS password in clear text
My presentation on Active Directory Attacks and Detection. Follow the link to view/download it. Active Directory Attacks and Detection Active_Directory_Attacks_Detections_Part-II Active_Directory_Attacks Detections_Part-III
So my co-workers have figured it out that it was a VB Script file. They were able to stop the script by searching .VBS files on the system and then deleting suspicious VBS files. This motivated me to write script in another language so this time I have come up with Windows JS and the… Continue reading Fun with Unattended Workstations Part II
You would find unattended workstations in your office and this post is going to help you out in panicking your co-workers by creating a simple BAT and VBS script to produce pop-ups and locking their machine. You can find the BAT code below: open notepad copy and paste it and save it with extension as… Continue reading Fun with Unattended Workstations
