A walkthrough of LLMNR poisoning attacks in an Active Directory environment. LLMNR (Link Local Multicast Name Resolution) acts as a DNS fallback, and when a user mistypes a hostname, an attacker on the same network can intercept the request using Responder, capture NTLMv2 password hashes, and crack them with Hashcat using a wordlist like rockyou.txt. The demo uses a Windows Server 2016 domain controller and a Windows 10 Enterprise client in a VMware lab.
Source: https://infosecwriteups.com/demonstrating-llmnr-poisoning-in-active-directory-d531a1920f02. 8sync News only summarizes and links to the article; copyright for the content belongs to the author and the original source.
A detailed technical walkthrough of Resource-Based Constrained Delegation (RBCD) exploitation in Active Directory environments. Covers Kerberos delegation fundamentals (TGT, TGS, S4U2Self, S4U2Proxy), explains how RBCD differs from classic constrained delegation by accepting non-forwardable tickets, and provides a full step-by-step exploit chain. Prerequisites include write permissions on a computer object and an account with an SPN (or the ability to create one via MachineAccountQuota). Both Linux (Impacket, BloodyAD) and Windows (Powermad, Rubeus) command examples are provided for creating a rogue computer account, configuring RBCD, obtaining a service ticket impersonating Administrator, and passing the ticket to gain shell access or dump credentials.
A beginner-level walkthrough of post-compromise attacks in an Active Directory lab environment. Covers using CrackMapExec to validate stolen credentials across a subnet via SMB, dumping SAM hashes with the --sam flag and Impacket's secretsdump, gaining a shell via psexec.py, and cracking NTLM hashes with Hashcat. The lab uses Windows Server 2016 with two Windows Enterprise machines, and credentials were initially obtained via LLMNR poisoning.
A detailed exam write-up for the CyberWarfare Labs AD-RTS (Active Directory Red Team Specialist) certification, covering two full adversary paths through a simulated telecom enterprise environment. Path 1 starts from zero credentials and chains DNS zone transfer abuse, ASREPRoasting, SQL Server xp_cmdshell, GodPotato privilege escalation, ADCS ESC1 certificate abuse, and VMware ESXi hypervisor pivoting to reach Domain Admin and guest VM code execution. Path 2 begins with a low-privilege IIS foothold and exploits ASP.NET ViewState deserialization via a leaked machine key, DPAPI-protected registry credentials, a second ESC1 ADCS template, Exchange ApplicationImpersonation abuse, and hardcoded credentials in scheduled task scripts. The write-up emphasizes understanding attack chains over individual exploits, and closes with defensive recommendations around certificate template hardening, credential hygiene, and RBAC scoping for Exchange impersonation roles.
A deep dive into alternative Windows credential theft techniques beyond LSASS dumping, covering both attacker and defender perspectives. Topics include quick wins like stealer logs, plaintext password files, PowerShell ConsoleHost history, and GPP cPassword vulnerabilities, as well as advanced techniques: registering malicious Security Support Provider (SSP) DLLs, Password Filter DLLs, and Network Provider DLLs to intercept cleartext credentials at login. Real incident response case examples illustrate each technique. Detection guidance covers Sysmon Event IDs 11 and 13 for registry and file monitoring, and hardening recommendations include disabling custom SSPs, auditing AD attributes, and using tools like Snaffler and Velociraptor.
Step-by-step guide for configuring Kerberos authentication on Amazon RDS for Db2 using a self-managed Active Directory. Covers creating a dedicated OU and service account, delegating nine specific AD permissions (including the non-obvious use of ADSI Edit for servicePrincipalName on User objects), storing credentials in a KMS-encrypted Secrets Manager secret, and validating the setup from a domain-joined Amazon Linux 2023 EC2 client. Also addresses networking requirements (DNS, Kerberos, LDAP, RPC dynamic ports) and common pitfalls like incorrect object scoping and username format in Secrets Manager.
A detailed forensic analysis of a multi-stage ransomware intrusion that began with SEO poisoning on Bing, luring users to a trojanized ManageEngine OpManager installer. The BumbleBee loader was deployed via DLL side-loading, followed by an AdaptixC2 beacon for persistent C2. Over five days, threat actors performed extensive credential harvesting (NTDS.dit, Veeam, LSASS), lateral movement via RDP and reverse SSH tunnels, and exfiltrated over 75GB of data via FileZilla/SFTP to a server in Ukraine. The intrusion concluded with Akira ransomware deployment across root and child domains, with Volume Shadow Copies deleted via WMI. A parallel Swisscom intrusion tied to the same campaign is also documented, including BYOVD attacks and Cloudflare tunnel persistence.
A first-person account of passing the OSCP certification after 3 months of preparation, emphasizing the mental resilience required over technical skill. Covers prep strategy using PEN-200, Proving Grounds, and AD-focused labs, key tools like netexec, BloodHound, mimikatz, and ligolo-ng, and a detailed walkthrough of the 24-hour exam experience including rabbit holes, strategic breaks, and a last-minute breakthrough that swung 50 points in 30 minutes.
A deep technical investigation into ldapnomnom, a tool that claims to generate no Windows audit logs while brute-forcing Active Directory usernames via LDAP Ping (cLDAP). Source code analysis reveals the tool actually uses TCP (not UDP), making it detectable via Event 5156 from the Windows Filtering Platform. The post explains why Event 1644 structurally cannot log LDAP Ping traffic (it bypasses the LDAP engine entirely, routing to netlogon.dll instead), while netlogon.log with debug logging captures every queried username. A key defender advantage: netlogon.log distinguishes disabled accounts from nonexistent ones, while attackers see identical responses for both. True UDP cLDAP (demonstrated with a custom cldap_ping.py) does evade Event 5156 but still appears in netlogon.log without source IP attribution. Microsoft Defender for Identity (MDI external ID 2437) can detect both TCP and UDP variants via packet capture but is threshold-based and bypassable with throttling. The recommended detection approach correlates netlogon.log usernames with Event 5156 source IPs using a 5-second timestamp window.