I am old enough to remember that it was not always possible to get domain admin within the first hour of a test via Active Directory Certificate Services (ADCS) misconfigurations or over permissioned SCCM NAA accounts. At present we are spoilt for choice in regards to privilege escalation vectors within the on-premise AD environment's, but I wanted to take a look at some of the other misconfigurations that proved to be fruitful before the advent of ADCS and SCCM and continue to land me quick wins on engagements, such as: Lack of SMB signing Lack of LDAP signing and/or channel binding Machine Account Quota > 0 NTLM relaying The undelaying exploits are not new here, only the old revisited, but just maybe some of the modern techniques for abusing them have slipped your mind in the rush to abuse ESC1. These techniques should be part of your on-premise AD toolkit, so let's jump into the...
JUMPSEC LABS
The JUMPSEC Lab is a place where the the technical team get creative and showcase their latest security research, publications, interesting news and general thoughts! We love what we do and are passionate about security, with some great upcoming projects planned, bookmark our site and stick around to see what we are working on.
Building Forensic Expertise: A Two-Part Guide to Investigating a Malicious USB Device (Part 2)
In this part 2, we'll walk you through the step-by-step process of setting up and conducting a Digital Forensics and Incident Response (DFIR) investigation using a virtual...
Building Forensic Expertise: A Two-Part Guide to Investigating a Malicious USB Device (Part 1)
JUMPSEC believes heavily in learning and developing through real world experience. The incident described in this blog post presented a fantastic opportunity for 3 junior team...
Adversary at the Door – Initial Access and what’s currently on the menu
Based on the data from the Cyber Security Breaches Survey 2024, phishing with malicious links or malware remains the most common initial access vector, followed by impersonation. The challenge with impersonation attacks is that current technology often struggles to accurately determine the purpose of a website. Although checks on domain maturity, reputation, categorization, and certificates are...
SSH Tunnelling to Punch Through Corporate Firewalls – Updated take on one of the oldest LOLBINs
In my formative days of learning network hacking, SSH tunnelling was amongst the first tunnelling techniques that I learnt. I still remember trying to repeatedly decode my notes and diagrams on the rather cumbersome syntax of single port forwarding with the -L and -R flags, which at the time was taught as “the way to do it”. If your foothold is (luckily) a Linux server, then you’re blessed with...
How to Handle Development Projects in a Pentest Company
If you are a pentester you probably never really think about programming. Instead you are testing what others have developed. However, every now and then a quick python or bash script is needed to exploit some stuff you have found, or automate a certain process you are using. Things become interesting when you are in a penetration testing company that has many strong penetration testers and...
How Cloud Migration is Affecting AppSec – A Red Teamer’s Perspective
Introduction I’ve recently spoken at several conferences about the changes that are underway within red teaming as a result of cloud migration. My team and I have been delivering majority cloud red team work over the last year and the differences are becoming more apparent by the day. One point I’ve mentioned as ‘controversial’ at several of these events is that cloud migration has actually made...
Putting the C2 in C2loudflare
tl;dr How to bring up an entire C2 infrastructure with all your tooling and their corresponding redirectors within 5 minutes with the help of Azure Snapshots, Cloudflare and Tmux Resurrect. Every so often I seem to stumble across various ideas, that when combined, massively improve my overall productivity at work. Most of these ideas on their own are nothing new, but when used in tandem can...
Bullet Proofing Your Email Gateway
In this labs post, I will introduce you to modern security controls that are currently used (but not always correctly) by the vast majority of enterprises, and hopefully by the end of this write-up, the topic will become a little clearer and the concepts will become easier to grasp. In today’s world of spammers, intruders, and fake emails, having a robust setup for your email deliveries is...
What’s in a Name? Writing custom DNS tunnelling protocol, exploiting unexpected AWS Lambda misconfiguration – in a web app Pen test (Part 2)
In Part 1 of the series we looked at how an AWS Lambda-powered feature was exploited in a web app penetration test initially leading to RCE and further on with out-of-band data exfiltration via DNS. Though the exact mechanism of achieving remote-code execution with Python was not discussed, we went in depth in how to return data as a result of the code being executed. Initially, with...
What’s in a Name? Writing custom DNS tunnelling protocol, exploiting unexpected AWS Lambda misconfiguration – in a web app Pen test (Part 1)
This is a war story of an AWS web application test where remote code execution was first obtained on the client's application. Then I needed to write my own DNS tunnelling 'protocol' to get the data out. Following a number of twists and turns I impersonated the application and attempted to laterally move within the AWS tenant. Before storytelling though, let's start with a public service...
GitHub Activity
Disclaimer
The information provided on this website is to be used for educational purposes only. The author is in no way responsible for any misuse of the information provided. Any actions and or activities related to the material contained within this website is solely your responsibility.