Using Microsoft CES/CEP for Linux Workstation Certificate Enrollment with Kerberos Workstation Authentication
01 Nov 2021
This post is based on a recent project requirement: Windows Domain joined Linux workstations must use machine account Kerberos to authenticate and request workstation certificates from Microsoft Certificate Services. We...
Hello world for Azure Graph (PowerShell)
11 Jul 2021
When i need quick PowerShell example to make sure i have configured the hosting/infrastructure/egress-allow correctly i use this small example. To set it up in Azure I go to “app...
Scripting big GPO ACL changes based on groups
22 Mar 2021
Sometime’s it makes sense to remove the “Apply Group Policy” right from the everyone group and slowly add users from specific groups as a way to roll out the change....
WinDBG Notes
14 Mar 2021
// This post will be updated regularily. Don’t rely on it, i’m learning. Working through a new course that encourages WinDBG over other debuggers. I love WinDBG, but i find...
Rubber Ducky on MacOS
06 Mar 2021
I’ve been spending a big chunk of my time on an IAM project at work there and there hasn’t been much free time for “hacker crap” because of the deadlines...
Jekyll being painful
06 Mar 2021
Quick post for future me: Jekyll was being incredibly painful on MacOS this morning. Installing eventmachine 1.2.7 with native extensions Gem::Ext::BuildError: ERROR: Failed to build gem native extension. and Could...
Adjusting Group Policy (Deny "Apply GPO") ACE's via PowerShell
01 Mar 2021
I think i’ll be able to use this again for other things, but the use case i needed to solve looked like this: A group policy to enforce some behaviour...
WDAC Notes
26 Jan 2021
The place to learn the most about Windows Defender Application Control (WDAC) the fastest is youtube. Matt Graeber put together an amazing set of tutorials, and if you’re trying to...
Wireguard on Ubuntu
21 Dec 2020
Very quick post to remind me how to set up the Wireguard client for Ubuntu quickly: (Most of this is taken from the Algo project documentation) First, visit the downloads...
Windows 20H2 changes
14 Nov 2020
Comparison of Windows 10 2004 and Windows 10 20H2 installations that might assist others who need to check off some of these things in their pre-deployment security review. The details...
Older Posts
edgegdi.dll for persistence 10 Oct 2020
Overview There’s a .dll which just about every process on my Windows machine is interested in called edgegdi.dll. Unfortunately, the dll: edgegdi.dll isn’t there (or anywhere on the system). You’ll...
Quick and Simple WiFi Testing with besside-ng 07 Sep 2020
I’ve been using Bettercap for a while now, and i love it but i saw a post on the weekend that reminded me the value in going back to look...
DLL Hijack for Cisco Anyconnect 23 Aug 2020
Note 1: the best place to learn a lot about dll hijacking is https://institute.sektor7.net; the main purpose of this post is to capture my notes while applying some of the...
Exploit Guard Mistakes 18 Jul 2020
This post details the mistakes I’ve made using and tuning Exploit Guard. They’re not meant to be interpreted as criticisms of the product; just thing’s I wish I’d realized earlier...
Exploit Guard vs Process (DLL) Injection 01 Jul 2020
In the previous post we evaluated Exploit Guard controls against a simple buffer overflow vulnerability in a test application. We used Matt Graeber’s Exploit Guard documentation as a guide. As...
Vulnserver Exploit vs Windows Defender Exploit Guard 27 Jun 2020
I’ve taken notes for exploiting Stephen Bradshaws ‘vulnserver’ in a previous post. I saved those here. This post evaluates the protection Windows Defender Exploit Guard can offer a vulnerable application....
Deploying Azure Functions 22 Jun 2020
We’re going to try to move the main random password code from the previous blog post to Azure ‘Functions’ - the Azure serverless offering. Fundamentals: We define a trigger for...
Deploying Azure Web Services Manually 20 Jun 2020
Looking into how we’d deploy, scale and secure a web service on Azure. Starting right at the very basics - a hand jammed basic web service deployed from inside VS...
Signing .jar files with an existing certificate on Windows 11 Jun 2020
Install JDK Jump into the JDK binary folder cd C:\Program Files\Java\jdk-14.0.1\bin Create a Java Signing Keystore with your existing .p12: keytool -importkeystore -srckeystore c:\jarfiles\duff.p12 -srcstoretype pkcs12 -destkeystore c:\jarfiles\duff.jks -deststoretype JKS...
Ansible & PowerShell 07 Jun 2020
Install sudo yum install -y python3 python3-pip sudo alternatives --set python /usr/bin/python3 pip3 install ansible --user Test PS-Remoting $pwd = ConvertTo-SecureString -String 'P@@@ssword54321' -AsPlainText -Force $psCredential = New-Object System.Management.Automation.PSCredential('jmpesp\administrator',$pwd) Test-WSMan...
Windows Persistence 05 Jun 2020
Notes while working through the (excellent) Sektor7 windows persistence course. Important point: don’t just rely on the notes here. They’re mainly reminders for me :) It’s the templates and tools...
VMWare Workstation Automation (on Windows) 31 May 2020
First up, enable the GUI so that you can get familiar with the (REST) API. PS C:\Program Files (x86)\VMware\VMware Workstation> .\vmrest.exe -C VMware Workstation REST API Copyright (C) 2018-2019 VMware...
Docker Day 24 May 2020
Spending the day going over Docker topics. Containers are really just about running software with all the things required bundled in and ready to go. When getting started, use that...
Windows Malware Creation Notes 19 May 2020
I recently worked through Sektor7’s “Red Team Operator - Malware Development”. The course is excellent because the author will supply you with all the templates you need to get started,...
Cross Compile Windows binaries on Linux 29 Apr 2020
Very quick note for something that usually takes me too long to find :) sudo apt-get install mingw-w64 # C i686-w64-mingw32-gcc hello.c -o hello32.exe # 32-bit x86_64-w64-mingw32-gcc hello.c -o hello64.exe...
Infrastructure Notes - Azure site-to-site VPN 26 Apr 2020
Extending the on site lab network to an Azure VNET. VMWare Lab Network: 10.0.0.0/24 New Azure VNET: IP Range: 192.168.2.0/24 New Server Subnet: IP Range: 192.168.2.0/26 After creating the new...
X-Forwarded-For Header 25 Apr 2020
The X-Forwarded-For (XFF) header is a de-facto standard header for identifying the originating IP address of a client connecting to a web server through an HTTP proxy or a load...
10 minute personal VPN 04 Apr 2020
Quick VPN endpoint all to yourself using your Azure (or AWS) subscription based on the Trail of Bits Algo project: If you’re on Windows, fire up WSL to make your...
Infrastructure Notes - Linux Host Security 28 Mar 2020
Using Andrew Malett’s ‘Linux Host Security’ course on Pluralsight procfs Virtual file system that is mounted through to proc. Mostly read only, but some can be tuned, written to. We...
Infrastructure Notes - Azure Key Vault 22 Mar 2020
Using Gary Grudzinskas ‘Securing Virtual Machines with Azure Key Vault’ training course on Pluralsight Azure Key Vault helps solve the following problems: Secrets Management - Azure Key Vault can be...
HTB - Forest (Hacking Active Directory walk-through) 21 Mar 2020
A HTB lab based entirely on Active Directory attacks. Starting out with a usual scan: nmap 10.10.10.161 -sV -sC -oA forestscan Among other things, we will find that there are...
CVE-2020-0796 Mitigations 11 Mar 2020
3/12/20 fixed typo with rule direction in step 2 thanks to @TechGrlTweeter 3/12/20 Microsoft has patched the issue. Details here. Ned Pyle also confirmed that the mitigation to disable SMB...
Active Directory - Physical Disk Access to Domain Administrator in just a few minutes. 08 Mar 2020
If you get access to the unencrypted disk of a domain controller you can take NTDS.dit away and do horrible things with it offline. The most common approach seems to...
WinDBG for User-Mode Debugging 05 Mar 2020
WinDBG is the right way to go to analyze windows crash dumps if you have builds that are throwing a blue screen. For a really large percentage of those cases...
Active Directory - Recover deleted objects quickly 04 Mar 2020
You’re going to panic when something important is accidentally deleted. It’s scary. In the old days it was a little painful as well. Deleted objects had their links stripped (memberships)...
YubiHSM for code signing 27 Feb 2020
Thought this might save someone a few hours working out the steps to set up and use a YubiHSM for code signing. This nifty little device seems to work flawlessly...
Active Directory - How Smart Card Logon Works 23 Feb 2020
The Smart card logon process goes like this: Smart card is shoved into a card reader. Smart card signals an event that prompts the user for their personal identification number...
Active Directory - Modify a system owned attribute 23 Feb 2020
First of all, you shouldn’t do this. But in case you are hell bent on making a mess the following steps will allow you to modify objects that Active Directory...
Windows Security - No disk encryption equals root level access in five minutes or less... 22 Feb 2020
After showing this to friend today i thought i should also write it down for quick reference. There’s nothing new here, this trick has been around forever - but it’s...
Infrastructure Notes - AWS VPC 22 Feb 2020
(Notes based mainly on the content from Ben Piper’s excellent pluralsight course) Usually goes without saying, but especially when configuring VPC’s and hosts inside them on AWS - default is...
Infrastructure Notes - Azure AD PTA 19 Feb 2020
Infrastructure Notes - Azure AD Pass-through Authentication Basic installation steps: AD connect install first, this can also configure the first PTA agent Deploy additional agents. Microsoft recommends at least three....
LDAPS across disparate namespaces 14 Feb 2020
LDAPS across disparate namespaces That title is a mouthful, and there’s probably a better way to say it, but here’s the situation: You have test infrastructure available that you connect...
Infrastructure Notes - Azure Virtual Machine Scaling 12 Feb 2020
Infrastructure Notes - Azure Virtual Machine Scaling Availability Sets If we place two or more instances into the same ‘availability set’ Microsoft provide a 99.95 availability SLA. (The single instance...
Scapy 101 and an old Windows IPv6 DoS 10 Feb 2020
Scapy 101 Quickstart notes for when you need that perfect packet. If it’s installed, just type scapy for an interactive session. my_packet = IP(dst="10.0.0.110") my_packet /= TCP(dport=139) sr1(my_packet) Note: the...
Debugging Notes - GDP Cheatsheet 09 Feb 2020
Debugging Notes: GDB Cheatsheet info reg : display the register state. info func : display the functions in the program disass functionname : disassemble a function. break *0x080484d4 : set...
Infrastructure Notes - Azure Storage Overview 09 Feb 2020
Infrastructure Notes: Azure Storage Overview Basics Microsoft’s cloud storage solution. ‘Massively’ scalable object store: data objects file system service for the cloud messaging store for reliable messaging NoSQL store All...
Infrastructure Notes - Azure Network Design Overview 02 Feb 2020
Infrastructure Notes: Azure Network Design Overview Start here: Azure Networking VNet Primary networking technology, like the VPC in AWS. Internet access is on by default. Cloud services can go in...
Infrastructure Notes - AWS Route 53 19 Jan 2020
Infrastructure Notes: AWS Route 53 I’ve been working through Ben Piper’s excellent course on Pluralsight: AWS Networking Deep Dive: Route 53 DNS. This post captures the notes i took along...
Try not to get too fancy with Active Directory Backup 14 Jan 2020
Active Directory does a few important things whenever it is backed up or restored to keep it working the way it was intended. For that reason (in most situations) it...
Cleaning House - SANS Pen test 07 Jan 2020
We’re moving house, so the old SANS Pentesing posters and notes are headed for the recycle bin :( I wouldn’t bother reading this post if i was you. Visit SANS.org...
When NTLM is used for Windows Login (Kerberos unavailable) 13 Dec 2019
I’m working on a larger post about the various types of login (network, local, rdp etc) and what each of them presents to an attacker; but i wanted to first...
IPSec for Windows Firewall Exceptions 21 Sep 2019
Generally speaking, a DENY rule in Windows firewall will override any ALLOW. s an example, if i want to do the right thing and DENY most PowerShell Remote (5985) in...
Getting Crafty with LAPS permissions 21 Jul 2019
Some notes about a recent requirement to modify the access to LAPS attributes in one of our directories. We had a specific class of computer objects that we did not...
Exploiting Vulnserver 14 Jul 2019
Background: While i was working through the OSCE I remember folk were looking for something that would be roughly as challenging as the exam to practice the full fuzz RCE,...
Skeleton Key 17 Jun 2019
Short version: privilege::debug misc::skeleton Writes a new password to memory on the host (“mimikatz”) that will work in addition to the realpassword for any user. (switching to an attacker machine...
Silver ticket (in short) 17 Jun 2019
Summary: An attacker has obtained a long term key for a service account Often obtained via kerberoast against accounts with a SPN and offline cracking; but also via taking credentials...
Overpass the hash 17 Jun 2019
In short: Kerberos based pass the hash ake the ntlm hash (mimikatz can get this from memory for you); work towards a TGT with it. Possible because the NT hash...
Infrastructure Security Review 17 Jun 2019
Cheap and cheerful approach to front up with for your next infrastructure security office hours: Get a diagram (every, damn, time) Break the diagram into trust zones Draw the data...
Golden Ticket (in short) 17 Jun 2019
In Short: The attacker has retrieved the krbtgt long term key The attacker can then create a forged TGT for any domain account because they are able to encrypt the...
Cracking PDF 17 Jun 2019
You need to convert to export the hash to an appropriate format first: pdf2john sample.pdf > out.txt Then crack as usual: john out.txt --format=PDF -wordlist=rockyou.txt
Change Windows File or Folder ACL from shell 17 Jun 2019
You find a file called file.txt that wont allow you to do what you want despite having what you believe to be enough permissions: cacls file.txt /E /G "Everyone":F
Attacking basic authentication 17 Jun 2019
The GET request of basic authentication is base64 encoded. Example: Authorization:BASIC blah43234343== Burp can decode this if you can get in the middle. Also, you can configure burp to brute...
Crank up nmap on unknown port 09 Jun 2019
For example, an unknown port 9000 on host 10.0.0.1 nmap -vvv -A --reason --script="+(safe or deafult) and not broadcast" -p 9000 10.0.0.1
Old posts from my Microsoft gigs 09 Jun 2015
Old posts from Microsoft A collection of the things i wrote while i was at Microsoft Windows Kernel Team: Connected Standby & You Cheat Sheet: Break into a running Windows...