Blog Posts

If you’d like to be notified when I post new things, you can sign up for email notifications below

Categories:

All posts:

Downgrading Kerberos Encryption & Why It Doesn’t Work In Server 2019

This took me a while to get my head around recently so I figured I’d document it here in case it helps someone else. Thanks to @exploitph for answering several questions about this and @harmj0y for writing this blog post which explains the entire process. Whilst that post does go into a lot of detail,…

How Windows Stops Kerberos Usernames Being Case Sensitive

We’re all used to Windows treating usernames as not being case sensitive, i.e. a username of JOE.BLOGGS is the same as joe.bloggs. However this idea falls apart when you use that username as part of the salt for AES encryption, which is case sensitive. Which is exactly what happens when we perform Kerberos preauthentication using…

Kerberos Protocol Explained

This blog post is intended to supplement the Kerberos explanation video that just went live on my Youtube channel: As such, I’m not going to explain everything in detail here. This post is intended as a quick reference for all of the diagrams I made for that video. Hopefully they can be useful on their…

Using .NET To Get Process Command Lines

No exploits in this one – just some good old fashioned coding tips. I wanted to show the command line used to launch each process that’s running on the machine (the executable file path along with arguments passed to it, i.e. C:\Windows\system32\svchost.exe -k netsvcs). Now there’s plenty of examples online showing how to do this…

VbRev Early Alpha Released

As per my previous post, I’ve been working on building a GUI reverse shell utility for the last week or so. The first alpha version has just been released and you can find more information along with a download link on the dedicated page for the tool here: https://vbscrub.com/tools/vbrev/ I’ve also just uploaded a quick…

VbRev – A Reverse Shell GUI

We’ve all used netcat reverse shells and similar alternatives to explore remote machines, but I recently found myself thinking it would be nice if I could just explore the file system through a GUI and skip all the constant typing needed to navigate between directories and download files etc. So I’m developing this little tool…

Port Forwarding Explained (with PT.exe Download)

I recently uploaded a video explaining port forwarding, or port tunnelling as I like to call it. This is a technique that allows you to remotely connect to TCP ports that would not normally allow inbound remote connections (either due to firewall or the way the listener is configured). EDIT: A few people have asked…

Ricoh Printer Exploit (Priv Esc To Local System)

First of all I should point out that at the moment this priv esc exploit only works on a workstation OS and not on a server OS (unless you can get into the Print Operators group). This post is about me trying, and failing, to get it to work on a server OS. For more…

Hack The Box – Forest (Video Walkthrough)

Recently uploaded my video guide to the HTB Forest machine that was retired this weekend: To get a good understanding of everything in this one, I’d recommend watching the two videos below as well:

DC Sync Attacks Explained (Video)

Just uploaded a new video taking an in depth look at how a DC Sync attack works and making use of another Impacket script called secretsdump.py:

Getting Passwords From Kerberos Pre-Authentication Packets

If you’ve watched my video on Kerberos Pre-Authentication and how Impacket’s GetNPUsers script takes advantage of that being disabled, you’ll be aware that by default user accounts are not vulnerable to this kind of attack. I also mentioned in the video that in 8 years of Windows network admin in various organisations, I’ve never actually…

Active Directory Basics Video

I see a lot of people in the CTF community saying AD/LDAP is their weakness and that they don’t know much about it. So I made this video to explain all of the basics to someone that has pretty much zero experience with AD. There will be more in depth videos on specific topics coming…

Impacket’s GetNPUsers Script Explained

I’ve seen a lot of people using this tool in various CTF challenges but not really having any idea how or why it works. So I put together this video explaining it in detail. Enjoy!

HackTheBox – JSON [Video Walkthrough]

Here is the first of many HTB machine video guides that I will be releasing. Today the JSON machine was retired so that’s what we are taking a look at in this video. Rather than just tell you what to type and click on to get the user/root flag, these videos are going to be…

.NET Deserialization Exploits Explained

Tools like ysoserial.net will generate a .NET deserialization payload for you to send to a remote server and give you remote code execution… but how and why does this actually work?

Installing Impacket On Windows

I found a couple of guides online about how to get the python Impacket scripts working on Windows, but they didn’t quite work for me (on Windows 7 x64) so here’s what I ended up having to do: Download and install the X86 version of Python 2.7 from here (has to be version 2.x, not…

Azure AD Connect Database Exploit (Priv Esc)

The Azure AD Connect service is essentially responsible for synchronizing things between your local AD domain, and the Azure based domain. However, to do this it needs privileged credentials for your local domain so that it can perform various operations such as syncing passwords etc. I recently discovered this great video that explains where it…

DNS Server Plugin DLL Example (DnsPluginInitialize etc)

There’s a great blog post from Shay Ber on this subject already, but when I tried to follow along myself I hit a few stumbling blocks with the C++ parts as I’ve got no experience with that language (and after using it, my god I realise how spoiled we are with languages like C#.NET). Anyway,…