Education
In this scenario it is assumed you do not have credentials, but you do have either adjacent or routable access to an Active Directory Domain Controller and can access common ports/services such as: LDAP, LDAPS, SMB, NETBIOS, KERBEROS, DNS
Read more “Active Directory Attacks – “It’s cold out here””
Hacking
My friend Lars and I were just talking about some of the research areas we are working on and randomly the conversation turned into “what shall we call it?” and then LDAPNomNom came up! So I whilst laughing (coz the name is lulz) with my buddy I downloaded and ran LDAPNomNom against a lab vm quickly! (Lars also fixed an error with readme.md that I pointed out coz my debug skillz ROCK! š )
So here we have me doing username enumeration via LDAP Ping using LDAPNOMNOM!
Read more “Stealthy Active Directory Username Enumeration with LDAPNomNom”
Education
I’ve not slept well for the last week and my brain is hurting, so I thought I would see if I can take our lovely new SKYNET overload AI “CHATGPT” and make it do all my work for me!
A common vulnerability in systems like Active Directory is where a system administrator writes a password in the description field. So the easy answer to this is DO NOT DO THIS. However during penetration testing we want to check. There’s tons of ways to do this but I thought I’d ask our AI roboto to help, so let’s see!
Read more “Active Directory Enumeration with ChatGPT”
Leadership
Whilst every marketing person will talk about the latest and greatest tech innovation and product, how much does that reflect the reality of technology deployed in the world? Everyone is running Windows 11 and Windows Server 2022 right?! They also don’t use computers, because everything is cloud and mobile first right! and security, well everyone has that down as well! Great… let’s just go and check those statements out… oh wait…. no maybe err.. let’s take a look with our friends at shodan.io
Read more “Technology in the Wild”
Vulnerabilities
Yesterday I created a honeypot running Exchange 2019 in the lab. I configured very little and setup a test rule as per the MS blog to stop the SSRF from the āAutodiscoverā endpoint to the Powershell function call. I put a custom response with some humour (coz why not!) but I disabled the rule:
This rule was placed in the Autodiscover virtual directory which in Exchange by default is here:
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\autodiscover\web.config
My custom rule:
Read more: Exchange Emergency Mitigation (EM) service|
<rewrite> <rules> <rule name=”RequestBlockingRule1″ enabled=”false” patternSyntax=”Wildcard” stopProcessing=”true”> <match url=”*” /> <conditions> <add input=”{REQUEST_URI}” pattern=”.*autodiscover\.json.*\@.*Powershell.*” /> </conditions> <action type=”CustomResponse” statusCode=”403″ statusReason=”No Hacks for You” statusDescription=”Say no to exploits!” /> </rule> </rules> </rewrite> |
This morning I checked the Honeypot, and I found the following:
This rule is hosted in:
C:\inetpub\wwwroot\web.config
|
<rewrite> <rules> <rule name=”EEMS M1.1 PowerShell – inbound” stopProcessing=”true”> <match url=”.*” /> <conditions> <add input=”{REQUEST_URI}” pattern=”.*autodiscover\.json.*\@.*Powershell.*” /> </conditions> <action type=”AbortRequest” /> </rule> </rules> </rewrite> |
As you can see this was modified at 03:21 01/10/2022
This comes from:
Exchange Emergency Mitigation Service (Exchange EM Service) | Microsoft Learn
āExchange Emergency Mitigation (EM) serviceā
You can check if this is enabled by running the following PowerShell:
Add-PSSnapin Microsoft.Exchange.Management.PowerShell.SnapIn;
Get-OrganizationConfig | Select-Object MitigationsEnabled
So here we can see that with this enabled, the Exchange server will download and deploy the HTTP re-write rules automatically (if the server has the required version/config etc.)
You can enable or disable it with the following:
Set-OrganizationConfig -MitigationsEnabled $true
Set-OrganizationConfig -MitigationsEnabled $falseYou can check this feature works using the following (modify path as required for relevent exchange version)
. "C:\Program Files\Microsoft\Exchange Server\V15\Scripts\Test-MitigationServiceConnectivity.ps1"
Check the MS docs and check your Exchange Server version to see if you have this feature etc.
GCM exsetup |%{$_.Fileversioninfo}You learn something new everyday!
Defense
This is a big thing in the Exchange world from my POV! I believe this is dropping sometime today (28th September!)
Exchange OWA, ECP etc. are exposed online not only for mailbox access, calendar sharing but also are a requirement for hybrid mode sync capabilities.
Vulnerabilities in Exchange this year (ProxyLogon/ProxyShell) have shown how problematic an attack surface this is. The good news is, Microsoft have created a feature for Exchange to help mitigate these attacks in the future via the EM Service!
Read more “Exchange Emergency Mitigation Service with new CU Update”
Defense
Ok so the other day āweā as a community put out some guidance around post active directory compromise actions for when you canāt simply nuke the forest from orbit. Well, following on from that a friend asked about how to restore AdminSDHolder permissions? Read more “How to restore AdminSDHolder Object Permissions using ADSIedit”
Defense
Nuke it from orbit, itās the only way to be sure!
Ok, in an ideal world you can re-deploy your entire environment from scratch, but back in the most peopleās real worldās thatās not that simple. So, what do we do if we canāt nuke from orbit in a post compromise situation? Well, we need to clean up! This isn’t an exhaustive list, not a total guide. it’s a quick list to make you think about some key common areas and actions that might need to be taken! after all if someone got r00t, who knows what they did! (trust me, most orgs monitoring is a bit naff!)
Read more “Post Compromise Active Directory Checklist”
Defense
In Part 1 (Initial Access Defence and Checklist) we looked at ways of hardening your attack surface to defend against initial access. When it comes to ransomware there is a range of elements and variables in the kill chain that need to be successful for the outcomes to be achieved by the criminals. Here we are going to move further into the kill chain to look at further defences. Remember you need to have an āAssume Breachā mindset if you are going to be able to defend against ransomware, that being said, there is a hell of a lot of things you can do for 0 to low investment costs that provide a great ROI. Now some of this is going to be repeated guidance from part 1, thatās ok repetition is good (make sure you are covered from multiple perspectives). Ok let us get to it! Read more “Ransomware Defence: Part 2a ā Persistence, Privilege Escalation and Lateral Movement”
CTF
Back in the early Active Directory days NULL bind was actually enabled by default, these days you can get a rootDSE NULL bind out of the box but on Windows Server 2019 you can even disable this!
So why would I want to enable NULL bind? Well, some legacy apps may need it but generally speaking you donāt want NULL bind enabled.
The lesson here is DO NOT copy what I am doing here! Simples! Read more “How to enable NULL Bind on LDAP with Windows Server 2019”