Dumping Credentails with MIMIKATZ and Passing the Hash (PTH)

I kid you not, I forget the commands, so I thought, hey let’s write a small blog post on credential dumping and pass the hash.

To achieve this we need: Debug privileges on a single machine or we need access to a disk that does not have full disk encryption. We also need the password to be re-used.

Mimikatz

Ok for this demo I’m going to run with the out of the box release for Mimikatz on a domain joined windows PC with Defender disabled.

To gain system we launch mimikatz from an admin shell and run:

privilege::debug

token::elevate

Now we are SYSTEM we access a range of high privilege level areas. Read more “Dumping Credentails with MIMIKATZ and Passing the Hash (PTH)” →

Defense

Hacking Guide – AESREPRoast and Kerberoasting

Kerberos Pre-Authentication Hash Retrieval and Cracking

We can enumerate active directory to find accounts that do not require pre-authentication. There’s a simple way of doing this using Rubeus:

.\Rubeus.exe asreproast /format:hashcat

We can see there is a vulnerable account that has Kerberos Pre-Authentication disabled.

This hash can be loaded into hashcat and possibly cracked (the hash in the screenshot is weak on purpose) Read more “Hacking Guide – AESREPRoast and Kerberoasting” →

Defense

Executing/Creating a process via WMI Methods

WMI is an awesome technology capability for Windows administration, I’ve been using WMI since the Windows 2000 era, I’ve written WMI based scripts/tools to defeat malware, yay, however with any tool the use can be for good and for evil!

This post is going to focus on Win32_Process:Create (there are other methods as well!) Read more “Executing/Creating a process via WMI Methods” →

Guides

From Zero to DA using ‘PetitPotam’

Introduction

Whilst I was on ‘holiday’ (seriously even when on holiday I almost always must do some work!) a few Windows vulnerabilities were published. Great work by Gilles Lionel, Benjamin Delpy and many many others!

Lab Setup

A Domain Controller
A Separate ADCS Install with Web Enrolment or two DCs one with ADCS installed.
A windows Client Device (non-domain joined)
An attacker device (I used Kali)

You do not need any domain credentials to conduct this exploit chain, so from a network adjacent unauthenticated position you can get DA with the right circumstances (default configuration). Read more “From Zero to DA using ‘PetitPotam’” →

Defense

Changing a security posture requires changing your own behaviours

I’m sure you will have had a marketing firm or some random sales person on Linkedin tell you that security should be simple and that their product will save you from all the ATPs and nation state hax0rs under the sun. However let’s get real, thats almost certainly not true and also security isnt simple or we’d all be out of jobs and everyon woulndn’t be getting owned all the time.

Getting real

Defense

Ransomware Defence: Part 2a – Persistence, Privilege Escalation and…

Recap

In Part 1 (Initial Access Defence and Checklist) we looked at ways of hardening your attack surface to defend against initial access. When it comes to ransomware there is a range of elements and variables in the kill chain that need to be successful for the outcomes to be achieved by the criminals. Here we are going to move further into the kill chain to look at further defences. Remember you need to have an “Assume Breach” mindset if you are going to be able to defend against ransomware, that being said, there is a hell of a lot of things you can do for 0 to low investment costs that provide a great ROI. Now some of this is going to be repeated guidance from part 1, that’s ok repetition is good (make sure you are covered from multiple perspectives). Ok let us get to it! Read more “Ransomware Defence: Part 2a – Persistence, Privilege Escalation and Lateral Movement” →

Guides

Secure Service Design: Practical Solution Architecture

The truth shall set you free

I’ve worked in technology a long time now (relatively for me). It’s now over 20 years professionally and when I was a kid, I used to remove malware from small business’s etc. I’ve travelled to some funky places and done some cool things, but I learn new things every day. I do however come across some repeating patterns in my adventures as a consultant. There is a hidden truth that many are scared to admit…

Most organisations are not very good at service design, let alone secure service design!

Ok so there it is, I hope that this blog doesn’t age very well, but I’m 20 years in and I chat with my dad about his past life in the corporate world and we both see the same things being repeated. So, what can we do about it? Well sharing is caring, so here’s some things to think about when planning and designing a new service. I’m going to focus on the technology and security aspects, clearly, I am not saying ignore the business and value alignment but for the purposes of this post I’m assuming that the functional service capabilities and alignment are in effect. I’m also assuming that business case is solid because you know, without £ it’s a bit hard to create an operate a service (that’s a whole new post!). Read more “Secure Service Design: Practical Solution Architecture” →

Defense

Modern Workspace: PowerShell OAuth Error

Create PowerShell Session is failed using OAuth

When connecting to Exchange online (there was a reason I needed to do this) I had the following error:

I did some googling that luckily someone has already posted how to fix this:

https://www.vansurksum.com/2021/03/11/create-powershell-session-is-failed-using-oauth-when-using-the-exchange-online-v2-powershell-module/

It turns out WINRM’s ability to use BASIC client authentication is disabled as part of the standard Windows 10 hardening baseline deployed via Intune.

To fix these we need to re-enable BASIC client side WINRM authentication. Read more “Modern Workspace: PowerShell OAuth Error” →

CTF

How to enable NULL Bind on LDAP with Windows…

History of NULL bind

Back in the early Active Directory days NULL bind was actually enabled by default, these days you can get a rootDSE NULL bind out of the box but on Windows Server 2019 you can even disable this!

So why would I want to enable NULL bind? Well, some legacy apps may need it but generally speaking you don’t want NULL bind enabled.

The lesson here is DO NOT copy what I am doing here! Simples! Read more “How to enable NULL Bind on LDAP with Windows Server 2019” →

Defense

The anatomy of designing resilience, recoverability, and contingency into…

I want a simple way of restoring service in the event of a disaster

Foreward

I wrote this over 5 years ago and wanted to see if it stood the test of time – I also see too often that organisations don’t have the right capabilitites to recover so I figured this is a good post on the subject.