Published | JUMPSEC LABS

NTLM Relaying – Making the Old New Again

by David Kennedy | Sep 17, 2024 | Red Teaming

I am old enough to remember that it was not always possible to get domain admin within the first hour of a test via Active Directory Certificate Services (ADCS) misconfigurations or over permissioned SCCM NAA accounts. At present we are spoilt for choice in regards to privilege escalation vectors within the on-premise AD environment's, but I wanted to take a look at some of the other misconfigurations that proved to be fruitful before the advent of ADCS and SCCM and continue to land me quick wins on engagements, such as: Lack of SMB signing Lack of LDAP signing and/or channel binding Machine Account Quota > 0 NTLM relaying The undelaying exploits are not new here, only the old revisited, but just maybe some of the modern techniques for abusing them have slipped your mind in the rush to abuse ESC1. These techniques should be part of your on-premise AD toolkit, so let's jump into the...

How Cloud Migration is Affecting AppSec – A Red Teamer’s Perspective

Introduction I’ve recently spoken at several conferences about the changes that are underway within red teaming as a result of cloud migration. My team and I have been delivering...

Putting the C2 in C2loudflare

tl;dr How to bring up an entire C2 infrastructure with all your tooling and their corresponding redirectors within 5 minutes with the help of Azure Snapshots, Cloudflare and Tmux...

Car Hacking – Manual Bypass of Modern Rolling Code Implementations

by 0x5c4r3 | Jul 22, 2021 | Exploitation, Social Engineering

Introduction I recently researched modern algorithms used by keyfobs to open cars. Since most of the blogs online talking about the topic are unfortunately quite old and in general and do not precisely describe the exact path followed in detail, nor the code used. I thought that talking about my experience could be interesting and inspiring for other researchers. I won’t go in depth on certain...

Obfuscating C2 During a Red Team Engagement

by Patryk Zajdel | Jul 16, 2021 | Red Teaming

Command-and-Control (C2) infrastructure is one the most important tools in a red teamer’s arsenal. In this article, we introduce a few simple methods that red teams use to harden their C2 infrastructure.

PRINTNIGHTMARE NETWORK ANALYSIS

by editor | Jul 7, 2021 | Detection, Uncategorized

By Dray Agha The infosec community has been busy dissecting the PrintNightmare exploit. There are now variations of the exploit that can have various impacts on a target machine. When we at JUMPSEC saw that Lares had captured some network traffic of the PrintNightmare exploit in action, I wondered if there was an opportunity to gather network-level IoCs...

Securing against new offensive techniques abusing active directory certificate service

by editor | Jul 6, 2021 | Detection, Vulnerability

SpecterOps recently released an offensive security research paper that details techniques enabling an adversary to abuse insecure functionality in Active Directory Certificate Service. SpecterOps reports that abusing the legitimate functionality of Active Directory Certificate Service will allow an adversary to forge the elements of a certificate to authenticate as any user or administrator in...

Overcoming Issues Using Custom Python Scripts with Burp Suite Professional

by p.osborn | Apr 28, 2021 | Application Security

Summary / TL:DR I recently encountered some issues when using Burp Suite Professional which led me to playing around with the Python Scripter extension. The extension allows running custom Python scripts on every request/response processed by Burp, including those generated by functionality such as Burp's active scanner. This has a number of potential use cases, but I found it particularly...

Win a place @HackFu 2021 Community Edition!

by Ed Chan | Dec 21, 2020 | CTFs

Hello world!At JUMPSEC we’ve managed to get our hands on tickets to what is probably the greatest cyber security event in the calendar, HackFu!In order to be in with a chance of winning you simply need to complete the following challenge which you can download here (the download contains all the information needed to complete the challenge):...

Detecting known DLL hijacking and named pipe token impersonation attacks with Sysmon

by xnand | Nov 13, 2020 | Detection, Jumpsec, Research

Recently we posted a bunch of advisories relating to Ivanti Unified Endpoint Manager, a couple of which are for vulnerabilities which can be used to achieve local privilege escalation. We will give a brief explanation of the vulnerabilities and an example of Sysmon configuration rules to log exploitation attempts, along with the rationale behind them so you can adapt them to your existing configuration if needed.

Advisory CVE-2020-13773 – Ivanti Unified Endpoint Manager Reflected XSS

by xnand | Nov 13, 2020 | Jumpsec, Research

Software: Ivanti Endpoint ManagerAffected Versions: <= 2020.1.1Vendor page: www.ivanti.comCVE Reference: CVE-2020-13773Published: 13/11/2020CVSS 3.1 Score: 5.5 - AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:LAttack Vector: Remote, authenticatedCredits: Andrei Constantin Scutariu, Lenk Ratchakrit, Calvin Yau Summary Various web pages on Ivanti Unified Endpoint Manager web management console lack proper...

« Older Entries

Next Entries »

JUMPSEC LABS

NTLM Relaying – Making the Old New Again

Putting the C2 in C2loudflare

Obfuscating C2 During a Red Team Engagement

PRINTNIGHTMARE NETWORK ANALYSIS

Securing against new offensive techniques abusing active directory certificate service

Overcoming Issues Using Custom Python Scripts with Burp Suite Professional

Win a place @HackFu 2021 Community Edition!

Detecting known DLL hijacking and named pipe token impersonation attacks with Sysmon

Advisory CVE-2020-13773 – Ivanti Unified Endpoint Manager Reflected XSS

[Latest Posts]

[Categories]

GitHub Activity

Twitter

Latest from JUMPSEC

Disclaimer