Posts

Showing posts from 2019

No Shells Required - a Walkthrough on Using Impacket and Kerberos to Delegate Your Way to DA

There are a ton of great resources that have been released in the past few years on a multitude of Kerberos delegation abuse avenues. However, most of the guidance out there is pretty in-depth and/or focuses on the usage of @Harmj0y’s Rubeus. While Rubeus is a super well-written tool that can do quite a few things extremely well, in engagements where I’m already running off of a primarily Linux environment, having tools that function on that platform can be beneficial. To that end, all the functionality we need to perform unconstrained, constrained, and resource-based constrained delegation attacks is already available to us in the impacket suite of tools. This post will cover how to identify potential delegation attack paths, when you would want to use them, and give detailed walkthroughs of how to perform them on a Linux platform. What we won’t be covering in this guide is a detailed background of Kerberos authentication, or how various types of delegation work in-depth

Proxy-Aware Payload Testing

TL;DR - I get told that I am too wordy, so if you want the summary, here are some steps to set up a virtual testing environment to test payloads to see if they can handle HTTP(S) proxies and, if so, whether they can authenticate properly through them as well. This post will cover the proxy setup without authentication since that is the easier part, and I will do a second post shortly to hack together the authentication portion of it. Skip down to the actual setup here if you want to skip the fluff.

Introduction:

There have been times in my red teaming and pentesting experience that I have run into networks where direct outbound traffic to the internet (or in some cases out of the subnet) is completely restricted. When I say direct, I mean that all DNS traffic first goes to an internal DNS server, all web traffic goes through an internal proxy, email to an internal SMTP/IMAP server, etc. Traffic from the client workstation to any internet IP address is dropped for TCP, UDP, and ICMP.
