5 months ago @tifkin_ and I started looking into the security of Active Directory Certificate Services. Today we're releasing the results of that research- a blog post posts.specterops.io/certifie… + a 140-page whitepaper and defensive audit tool (links at the top of the post) [1/6]
Y’all knew it was just a matter of time : ) PowerShell is definitely a "gateway drug" to C# - GhostPack is a collection of new security tools (currently C#) details at posts.specterops.io/ghostpac… , code live at github.com/GhostPack
If you're interested in Kerberos or Active Directory and haven't read @elad_shamir's "Wagging the Dog" post, do yourself a favor and dive in. You won't regret it. shenaniganslabs.io/2019/01/2…
Hey, do you like tokens? Have you always wanted to "harvest" tokens for offensive purposes? If so check out my new post posts.specterops.io/koh-the-… where I show I can (finally) write a technical post without memes, and then check out the Koh toolset at github.com/GhostPack/Koh
"Operational Guidance for Offensive User DPAPI Abuse" posts.specterops.io/operatio… documenting some of the ways to use Mimikatz to play with DPAPI. Thanks @gentilkiwi for all the awesome features! :)
The offensive security community means a lot to me. Following @Antonlovesdnb's great thread that injected some much needed infosec positivity, I wanted to highlight a few (offensive-ish) posts/talks that my team and myself enjoyed over the last year or so.
Mad props to Microsoft for taking this very very seriously! techcommunity.microsoft.com/… Reminder that on July 9 things flip, disallowing delegated TGTs across forest trust boundaries by default. This is an awesome fix for the issue that @tifkin_ and I discovered, hats off 👍
Finally the end of a very fun ride- I've merged Dev to Master for PowerSploit and marked the project as no longer supported. Offensive PowerShell was how I started my career, and I owe @obscuresec and @mattifestation a debt of gratitude for bringing me in. [1/3]
Over the last year @tifkin_ and I rewrote GhostPack's Seatbelt from the ground up. Highlights- completely modularized, nearly 2x increase in checks, remote enumeration options, and structured output. Complete changelog at github.com/GhostPack/Seatbel… , code at github.com/GhostPack/Seatbel…
@tifkin_ and I give you "Certificates and Pwnage and Patches, Oh My!" posts.specterops.io/certific… . We clarify some misconceptions we had about AD CS, explain the KB5014754 patch and its implications, and detail some of the awesome AD CS work from people like @ly4k_ . Enjoy!
Nothing revolutionary, but revisiting one of our favorite TTPs in depth, explaining some of the "weird" behavior we've seen in the last few years. Includes details on recent Rubeus kerberoasting enhancements! posts.specterops.io/kerberoa…
Good news everyone! Rubeus 2.0 is coming _very_ soon, with massive improvements and new features from @exploitph and @_EthicalChaos_ . They've worked hard to bring us all some new fun :)
Just released SharpDPAPI v 1.6.0. Landed @lefterispan's PR to incorporate /password:X for masterkey decryption, and integrated the new Chrome v80+ AES key stuff from @djhohnstein's SharpChrome project. Chrome triage is back on the table! github.com/GhostPack/SharpDP…
I've been working on machine learning for a while now. After two years, I think I'm finally starting to (maybe) emerge from the "Valley of Despair". Should have some fun stuff coming out soon!
@tifkin_ and I are super excited to present "Certified Pre-Owned: Abusing Active Directory Certificate Services" at BlackHat USA 2021 this year! blackhat.com/us-21/briefings…
For anyone interested, SharpDPAPI/SharpChrome have had some recent mods, including KeePass ProtectedUserKey.bin decryption, a revamp for certificate extraction (including CNG support), and lots of usability updates. Changelog (as always) at github.com/GhostPack/SharpDP…
[thread 🧵] Kerberos basics & (ab)use of Certificates within Active Directory (i.e. AD CS and PKINIT)
- Kerberos 101
- Pass-the-Certificate
- UnPAC-the-Hash
- Shadow Credentials
- AD CS escalation (ESC1 to ESC8)
(Links and credits at the end)
@tifkin_ and myself are happy to announce Seatbelt 1.1.0 ! Various fixes and 10 new modules means we've passed the 100 module mark. Full changelog at github.com/GhostPack/Seatbel…
Tomorrow morning @tifkin_ and I are releasing something we've been working on for over 5 months. We're proud of the work and excited to help shed some more light on the security of Active Directory Certificate Services!
Here's first post on my journey into security-focused machine learning, "Learning Machine Learning Part 1: Introduction and Revoke-Obfuscation" posts.specterops.io/learning… Huge shoutout to @danielhbohannon and @Lee_Holmes on blazing the way on this problem set!
Nothing fancy, but dug this out of the archives in case anyone else needs to PTH to RDP github.com/GhostPack/Restric… . tl;dr uses the StdRegProv WMI class to enable Restricted Admin Mode on a remote system you have admin on. The code isn't great but it's functional 👍
"Another Word on Delegation" posts.specterops.io/another-… - abusing resource-based constrained delegation to take over computer objects. Thanks to @elad_shamir for the idea and Rubeus addition!
The detailed breakdown of the remote reg DACL modification work from @tifkin_, @enigma0x3, and myself - "Remote Hash Extraction On Demand Via Host Security Descriptor Modification" posts.specterops.io/remote-h…
The third post in my adversarial ML series "Learning Machine Learning Part 3: Attacking Black Box Models" is now up at posts.specterops.io/learning… and the Invoke-Evasion repo has been updated with the associated Jupyter notebooks/samples github.com/GhostPack/Invoke-…
thinking of releasing Azure build scripts to create the reference trust architecture used in my "Guide to Attacking Domain Trusts" post posts.specterops.io/a-guide-… - any interest?
Thank you so much to @x33fcon and its organizers for an awesome experience! @tifkin_ and I had a blast talking about the new Nemesis 2.0 rewrite (code live at github.com/SpecterOps/Nemesi… !) and hope to be back next year #x33fcon
I usually don't share a lot of personal details on Twitter- this past fall my mom died from a rare brain disease and the @ASPCA was one of her favorite causes. Andy/the BH team let me choose them for the charity drive in her honor. Thank you to all who grab a shirt <3
The #BloodHoundEnterprise team presents: #BloodHound 4.1!
Highlights for this release in this thread 🧵:
With this release, we are selling this limited edition BloodHound shirt. All profits from the sales of this shirt will be donated to the @ASPCA: customink.com/fundraising/bl…
In case you missed it, @tifkin_ and I recently rolled up changes for Seatbelt into a 1.2.0 release with details in the CHANGELOG at github.com/GhostPack/Seatbel… . Definitely have some fun new things, thanks to everyone who contributed!
I know I haven't blogged for a bit, but I promise @tifkin_, @0xdab0, and I have been working on something cool! This is the first blog in a series on the problem set we've been tackling, leading up to what we've built to address it - "On (Structured) Data" posts.specterops.io/on-struc…
It's almost here! @tifkin_ and I will finally be releasing Certify (for AD CS misconfig abuses) and ForgeCert (for "golden" forged certificates) during the virtual session at #BHUSA Wednesday of our "Certified Pre-Owned" talk! blackhat.com/us-21/briefings…
"A Case Study in Wagging the Dog: Computer Takeover" posts.specterops.io/a-case-s… - another example of @elad_shamir's recent resource-based constrained delegation work!
My second post in my adversarial ML series "Learning Machine Learning Part 2: Attacking White Box Models" is now up at posts.specterops.io/learning… and the Invoke-Evasion repo has been updated with the Jupyter notebooks/samples from the post github.com/GhostPack/Invoke-…
Pushed a new Rubeus release after getting some additional feedback from our most recent AT:RTO students. The full changes are detailed here github.com/GhostPack/Rubeus/… . To highlight a few new features- "/nowrap" globally prevents base64 blobs from line-wrapping, (1/4)
I missed this post when it first dropped exploit.ph/strange-case-of-t… but it's a really neat trick! Why is this useful? Say you're in domain A, and A -external_trust-> B -any_trust-> C. Because external trusts don't have transitivity, you can't query/kerberoast/etc. domain C [1/4]
Happy Friday! @tifkin_ and I are happy to announce that we have cut the release for Nemesis 2.0.0 - check out the CHANGELOG for a (brief) summary of changes, and dive into our new docs for more detail! We're extremely proud and excited for this release github.com/SpecterOps/Nemesi…
By @tifkin_ and @Ne0nd0g's request, just pushed a "triage" command to let you easily triage servers with a lot of tickets. Can filter by /luid:X, /user:USER, or /service:KRBTGT github.com/GhostPack/Rubeus#… . Less detail than the "klist" cmd, but easier to handle for lots of results
In my first foray into what @moo_hax terms "Offensive ML", I took at shot at data mining documents for passwords using deep learning. You can read about the approach at posts.specterops.io/deeppass… and can find the notebook + Dockerized model at github.com/GhostPack/DeepPas…
The follow up to our "On (Structured) Data" post is now up, "Challenges In Post-Exploitation Workflows" posts.specterops.io/challeng… . We cover a number of common workflow challenges and briefly introduce the solution @tifkin_, @0xdab0, and I have been working on: Nemesis! 1/3
Sidenote for anyone interested, instructions on using Rubeus as a library and/or running Rubeus through PowerShell are now up on the README.mdgithub.com/GhostPack/Rubeus/…
In case you missed it, @exploitph and @4ndr3w6S just released some _awesome_ work that just landed into Rubeus' master branch- "Diamond Tickets"! Check out more details at semperis.com/blog/a-diamond-…. Great work Charlie and Andrew!!
The slides for @tifkin_'s and my #BlackHatEurope 2021 talk "ReCertifying Active Directory" about securing Active Directory Certificate Services are up at slideshare.net/harmj0y/recer… . Thanks to everyone who attended!
Finally got des_cbc_md5 and aes128_cts_hmac_sha1 support fully integrated into Rubeus so @gentilkiwi would stop being disappointed in me :) Also have some recent Kerberoasting modifications I'll be blogging about soon!
github.com/GhostPack/Rubeus/…