Red Teaming

The Case of a Stubborn ntds.dit

The awesomesauce of the Kerberos Golden Ticket (based on the spoofed-PAC whitepaper from BlackHat 2012) has started to change how I operate on my engagements, especially during repeat assessments done for the same customer. I’m now maniacally intent on getting the krbtgt hashes for as many domains as I can in the target network. Most often, I’ll try to …

The Case of a Stubborn ntds.dit Read More »

Trusts You Might Have Missed

[Edit 8/13/15] – Here is how the old version 1.9 cmdlets in this post translate to PowerView 2.0: Get-NetForestTrusts  ->  Get-NetForestTrusts Get-NetForestDomains  ->  Get-NetForestDomain Get-NetDomainTrust  ->  Get-NetDomainTrust How often do you investigate trust relationships between Windows domains during a penetration test? You may have domain admin or other privileged access on your target and not even …

Trusts You Might Have Missed Read More »

A Brave New World: Malleable C2

Last week, Raphael Mudge released an awesome update to Cobalt Strike’s asynchronous agent, Beacon, in the form of new fully customizable/malleable command and control communications. Beacon’s initial communications channel with its C2 server was with HTTP, with a DNS control channel added soon after. This allowed Beacon to behave similarly to most documented crimeware strains. The ability to communicate using SMB pipes was added …

A Brave New World: Malleable C2 Read More »

Veil-PowerView: A Usage Guide

[Edit 8/13/15] – Many of the cmdlets listed here have changed. Check out the PowerView 2.0 post to see the new updates. [Note: this topic was cross-posted on the Veil-Framework site] Veil-PowerView is a project that was originally prompted by a client who locked down their corporate machines by disabling all “net *” commands for normal users. While building pure …

Veil-PowerView: A Usage Guide Read More »

File Server Triage on Red Team Engagements

Note: this topic was cross-posted on the official Veris Group blog One common activity performed during red team assessments is data pilfering of compromised servers, particularly file servers. These systems can host an incredible amount of useful information and often the target data you’re after. However, the triage of a machine with literally millions of files can be an incredibly …

File Server Triage on Red Team Engagements Read More »