18 Apr 2020 · 14 min
Author: Pixis
Within an Active Directory, users make use of services. Sometimes these services need to contact other services on behalf of the user, for example a web service that needs to reach a file server. To allow a service to access another service on behalf of the user, a mechanism was introduced in Windows Server 2000 to meet this need: Kerberos Delegation.
01 Apr 2020 · 46 min
Author: Pixis
NTLM relay is a technique in which an attacker stands between a client and a server to perform actions on the server while impersonating the client. It can be very powerful and can be used to take control of an Active Directory domain from a black-box context (no credentials). The purpose of this article is to explain NTLM relay and to present its limits.
26 Mar 2020 · 5 min
Author: Pixis
With the help of the notions discussed previously, we have everything in hand to explain the principle of the Kerberoasting attack, which is based on the TGS request and the SPN attributes of Active Directory accounts.
19 Mar 2020 · 4 min
Author: Pixis
When requesting a TGT, a user must by default authenticate to the domain controller before receiving a response. Sometimes no authentication is required before a TGT is returned for a specific account, allowing an attacker to abuse this configuration.
20 Jan 2020 · 8 min
Author: Pixis
This article focuses on SPNs (Service Principal Names) in order to understand what they are and how they are used.
15 Jan 2020 · 13 min
Author: Pixis
Now that we have seen how Kerberos works in Active Directory, we are going to discover together the notions of Silver Ticket and Golden Ticket. To understand how they work, it is necessary to focus first on the PAC (Privilege Attribute Certificate).
17 Dec 2019 · 21 min
Author: Pixis
During internal intrusion tests, lateral movement is an essential component for the auditor, who seeks information in order to elevate their privileges over the information system. The technique known as Pass the Hash is widely used in this situation to become an administrator on a set of machines. We will detail here how this technique works.
28 Nov 2019 · 21 min
Author: Pixis
In corporate penetration tests, lateral movement and elevation of privilege are two fundamental concepts for advancing and gaining control of the target. There are a multitude of ways to do one or the other, but today we will present a new technique for reading the content of an lsass dump remotely, significantly reducing latency and detection during password extraction on a set of machines.