Going back to learn more about things i really enjoy (exploit development) rather than spending so much time on the things i mostly do at work (infrastructure). The learnings from...
Exploit Dev practice - tiny buffer; leverage existing register values
Exploit Dev practice - small buffer; restoring ESP
OpenShift from scratch - Part 2 > Basic Configuration for CRC on Windows.
Start / Stop / Delete: crc start crc stop crc delete View Configuration: Show options: crc config Show memory: crc config get memory Show CPU: crc config get cpus...
OpenShift from scratch - Part I > Windows installation.
BLUF: (Bottom line(s) up front because you probably don’t really need this post at all; the setup of code ready containers is really simple. The post just captures some of...
Using Microsoft CES/CEP for Linux Workstation Certificate Enrollment with Kerberos Workstation Authentication
This post is based on a recent project requirement: Windows Domain joined Linux workstations must use machine account Kerberos to authenticate and request workstation certificates from Microsoft Certificate Services. We...
Hello world for Azure Graph (PowerShell)
When i need a quick PowerShell example to make sure i have configured the hosting/infrastructure/egress-allow correctly i use this small example. To set it up in Azure I go to “app...
Scripting big GPO ACL changes based on groups
Sometimes it makes sense to remove the “Apply Group Policy” right from the Everyone group and slowly add users from specific groups as a way to roll out the change....
WinDBG Notes
// This post will be updated regularly. Don’t rely on it, i’m learning. Working through a new course that encourages WinDBG over other debuggers. I love WinDBG, but i find...
Rubber Ducky on MacOS
I’ve been spending a big chunk of my time on an IAM project at work and there hasn’t been much free time for “hacker crap” because of the deadlines...
Jekyll being painful
Quick post for future me: Jekyll was being incredibly painful on MacOS this morning. Installing eventmachine 1.2.7 with native extensions Gem::Ext::BuildError: ERROR: Failed to build gem native extension. and Could...
Older Posts
Adjusting Group Policy (Deny "Apply GPO") ACE's via PowerShell
01 Mar 2021
I think i’ll be able to use this again for other things, but the use case i needed to solve looked like this: A group policy to enforce some behaviour...
Quick and Simple WiFi Testing with besside-ng
07 Sep 2020
I’ve been using Bettercap for a while now, and i love it but i saw a post on the weekend that reminded me the value in going back to look...
DLL Hijack for Cisco Anyconnect
23 Aug 2020
Note 1: the best place to learn a lot about dll hijacking is https://institute.sektor7.net; the main purpose of this post is to capture my notes while applying some of the...
Exploit Guard vs Process (DLL) Injection
01 Jul 2020
In the previous post we evaluated Exploit Guard controls against a simple buffer overflow vulnerability in a test application. We used Matt Graeber’s Exploit Guard documentation as a guide. As...
Vulnserver Exploit vs Windows Defender Exploit Guard
27 Jun 2020
I’ve taken notes for exploiting Stephen Bradshaws ‘vulnserver’ in a previous post. I saved those here. This post evaluates the protection Windows Defender Exploit Guard can offer a vulnerable application....
Deploying Azure Web Services Manually
20 Jun 2020
Looking into how we’d deploy, scale and secure a web service on Azure. Starting right at the very basics - a hand jammed basic web service deployed from inside VS...
Signing .jar files with an existing certificate on Windows
11 Jun 2020
Install JDK Jump into the JDK binary folder cd C:\Program Files\Java\jdk-14.0.1\bin Create a Java Signing Keystore with your existing .p12: keytool -importkeystore -srckeystore c:\jarfiles\duff.p12 -srcstoretype pkcs12 -destkeystore c:\jarfiles\duff.jks -deststoretype JKS...
VMWare Workstation Automation (on Windows)
31 May 2020
First up, enable the GUI so that you can get familiar with the (REST) API. PS C:\Program Files (x86)\VMware\VMware Workstation> .\vmrest.exe -C VMware Workstation REST API Copyright (C) 2018-2019 VMware...
Cross Compile Windows binaries on Linux
29 Apr 2020
Very quick note for something that usually takes me too long to find :) sudo apt-get install mingw-w64 # C i686-w64-mingw32-gcc hello.c -o hello32.exe # 32-bit x86_64-w64-mingw32-gcc hello.c -o hello64.exe...
Infrastructure Notes - Azure site-to-site VPN
26 Apr 2020
Extending the on site lab network to an Azure VNET. VMWare Lab Network: 10.0.0.0/24 New Azure VNET: IP Range: 192.168.2.0/24 New Server Subnet: IP Range: 192.168.2.0/26 After creating the new...
Infrastructure Notes - Linux Host Security
28 Mar 2020
Using Andrew Malett’s ‘Linux Host Security’ course on Pluralsight procfs Virtual file system that is mounted through to proc. Mostly read only, but some can be tuned, written to. We...
Infrastructure Notes - Azure Key Vault
22 Mar 2020
Using Gary Grudzinskas ‘Securing Virtual Machines with Azure Key Vault’ training course on Pluralsight Azure Key Vault helps solve the following problems: Secrets Management - Azure Key Vault can be...
HTB - Forest (Hacking Active Directory walk-through)
21 Mar 2020
A HTB lab based entirely on Active Directory attacks. Starting out with a usual scan: nmap 10.10.10.161 -sV -sC -oA forestscan Among other things, we will find that there are...
Active Directory - Physical Disk Access to Domain Administrator in just a few minutes.
08 Mar 2020
If you get access to the unencrypted disk of a domain controller you can take NTDS.dit (together with the SYSTEM registry hive, which holds the boot key needed to decrypt it) away and do horrible things with it offline. The most common approach seems to...
WinDBG for User-Mode Debugging
05 Mar 2020
WinDBG is the right way to go to analyze windows crash dumps if you have builds that are throwing a blue screen. For a really large percentage of those cases...
Active Directory - Recover deleted objects quickly
04 Mar 2020
You’re going to panic when something important is accidentally deleted. It’s scary. In the old days it was a little painful as well. Deleted objects had their links stripped (memberships)...
Active Directory - How Smart Card Logon Works
23 Feb 2020
The Smart card logon process goes like this: Smart card is shoved into a card reader. Smart card signals an event that prompts the user for their personal identification number...
Active Directory - Modify a system owned attribute
23 Feb 2020
First of all, you shouldn’t do this. But in case you are hell bent on making a mess the following steps will allow you to modify objects that Active Directory...
Windows Security - No disk encryption equals root level access in five minutes or less...
22 Feb 2020
After showing this to friend today i thought i should also write it down for quick reference. There’s nothing new here, this trick has been around forever - but it’s...
Infrastructure Notes - Azure Virtual Machine Scaling
12 Feb 2020
Infrastructure Notes - Azure Virtual Machine Scaling Availability Sets If we place two or more instances into the same ‘availability set’ Microsoft provide a 99.95% availability SLA. (The single instance...
Infrastructure Notes - Azure Storage Overview
09 Feb 2020
Infrastructure Notes: Azure Storage Overview Basics Microsoft’s cloud storage solution. ‘Massively’ scalable object store: data objects file system service for the cloud messaging store for reliable messaging NoSQL store All...
Infrastructure Notes - Azure Network Design Overview
02 Feb 2020
Infrastructure Notes: Azure Network Design Overview Start here: Azure Networking VNet Primary networking technology, like the VPC in AWS. Internet access is on by default. Cloud services can go in...
Infrastructure Notes - AWS Route 53
19 Jan 2020
Infrastructure Notes: AWS Route 53 I’ve been working through Ben Piper’s excellent course on Pluralsight: AWS Networking Deep Dive: Route 53 DNS. This post captures the notes i took along...
Try not to get too fancy with Active Directory Backup
14 Jan 2020
Active Directory does a few important things whenever it is backed up or restored to keep it working the way it was intended. For that reason (in most situations) it...
Cleaning House - SANS Pen test
07 Jan 2020
We’re moving house, so the old SANS Pentesting posters and notes are headed for the recycle bin :( I wouldn’t bother reading this post if i was you. Visit SANS.org...
When NTLM is used for Windows Login (Kerberos unavailable)
13 Dec 2019
I’m working on a larger post about the various types of login (network, local, rdp etc) and what each of them presents to an attacker; but i wanted to first...
IPSec for Windows Firewall Exceptions
21 Sep 2019
Generally speaking, a DENY (block) rule in Windows Firewall will override any ALLOW rule; the exception is an allow rule that is marked to override block rules, which is only available when the rule requires an IPsec-authenticated connection. As an example, if i want to do the right thing and DENY most PowerShell Remote (5985) in...
Getting Crafty with LAPS permissions
21 Jul 2019
Some notes about a recent requirement to modify the access to LAPS attributes in one of our directories. We had a specific class of computer objects that we did not...
Change Windows File or Folder ACL from shell
17 Jun 2019
You find a file called file.txt that won’t allow you to do what you want despite having what you believe to be enough permissions. `/E` edits the existing ACL rather than replacing it and `/G` grants; `"Everyone":F` is full control for everyone, which is fine on a throwaway lab file but not on anything shared:
cacls file.txt /E /G "Everyone":F
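The same job done from PowerShell with a narrower grant, as an added example that is not from the original post: it lists the current ACEs (including whether they are inherited), grants Modify to one named principal instead of Full Control to Everyone, and reads the ACL back to verify. The path `file.txt` and the account `CONTOSO\builduser` are assumed placeholders.

```powershell
# Added example, not from the original post.
# Assumes a file called file.txt in the current directory and a
# principal named CONTOSO\builduser (hypothetical account name).
$path = 'file.txt'
$acl  = Get-Acl -Path $path

# Who has what today, and whether the ACE is inherited from the folder.
# Inherited ACEs are usually why "enough permissions" turn out not to be.
$acl.Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited |
    Format-Table -AutoSize

# Grant a specific principal Modify (read/write/delete, but not the right
# to change the ACL itself), rather than Full Control to Everyone.
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    'CONTOSO\builduser', 'Modify', 'Allow')
$acl.AddAccessRule($rule)

# Set-Acl needs you to own the file or hold WRITE_DAC on it; if it fails
# here, fix ownership first (takeown/icacls /setowner) rather than
# widening the grant.
Set-Acl -Path $path -AclObject $acl

# Verify: show only the explicit (non-inherited) ACEs after the change.
(Get-Acl -Path $path).Access |
    Where-Object { -not $_.IsInherited } |
    Select-Object IdentityReference, FileSystemRights, AccessControlType
```

The `icacls` equivalent of the grant is `icacls file.txt /grant "CONTOSO\builduser:(M)"`; `icacls` replaced `cacls`, which is deprecated and cannot express inheritance flags or integrity labels.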
Crank up nmap on unknown port
09 Jun 2019
For example, an unknown port 9000 on host 10.0.0.1
nmap -vvv -A --reason --script="+(safe or default) and not broadcast" -p 9000 10.0.0.1
Old posts from my Microsoft gigs
09 Jun 2015
Old posts from Microsoft A collection of the things i wrote while i was at Microsoft Windows Kernel Team: Connected Standby & You Cheat Sheet: Break into a running Windows...