One Box To Rule Them All

This is for all you lazy-ass pentesters that don’t want to move out of their comfort zone, a.k.a. their Hobbit cave, to conduct an on-site assessment.
I lately (for reasons) was on the hunt for options to have something I could send to a customer and do all my testing as if I were there in person.
You are invited to join me on this small journey and follow along with my thoughts, building process, buying stuff, etc.


Amazon Cognito Ratelimit Bypass

Howdy folks. I am going to keep this one relatively short. But being my first ever reported public vuln, I want to keep this for the records.
This is my journey of discovering and reporting a rate-limit bypass in one of the biggest IDPs out there.


gaylord M FOCker - ready to pwn your MIFARE tags

Hello everyone and a happy new year (well, apparently you can see how long it took me to finish this masterpiece :) ).
This time we will low dive a little into the world of RFID and NFC.
Did you ever want to scare the shit out of your customer in regards to the security of his door locking system?
Do you think it is cool to open gates with a Flipper Zero?
You like yourself some close combat Red Teaming?
Get your Flipper Zero and Proxmarks ready and follow along, as we cover some basics and carry out a variety of attacks.
As this is absolute uncharted territory for me, this will (like almost always) be very beginner friendly.


Skidaddle Skideldi - I just pwnd your PKI

My dear Bagginses and Boffins, Tooks and Brandybucks, Grubbs, Chubbs, Hornblowers, Bolgers, Bracegirdles and Proudfoots - it is time for some new shit.
We are going to explore the wonderful world of Active Directory Certificate Services, aka ADCS.
If you want to leave an impression on your next pentest, this one’s for you, as Microsoft’s PKI implementation is widely used but little understood (well at least in terms of security).
The same is true if you live on the blue side, as you can proactively mitigate issues and earn some bonus points with your boss, maybe.
Prepare yourself for a shitload of pictures, memes, useful as well as meaningless information.


S4fuckMe2selfAndUAndU2proxy - A low dive into Kerberos delegations

Hello fellow h4x0rs, this time we are going to have a closer look at the different types of delegations inside an Active Directory.
We’ll try to figure out what this magic is all about and of course how we can abuse it for fun and profit.

Prepare yourself for some absolute brainfuck and some bonus info if you make it through to the end.


Go away BitLocker, you’re drunk

This time we want to try to do some hardware hackery stuff and attack BitLocker encrypted drives where a TPM is used but no additional factor like a PIN or password.


I got 99 problems but my NAC ain’t one

This post will be all about Network Access Control (NAC) solutions and how they might lull you into a sense of security.
These solutions are designed to keep rogue devices out of your network; I’ll show you ways around them, as well as ways to protect yourself.
From a pentester’s or red teamer’s perspective this might come in handy when customers protect their networks with these kinds of tools.


Evil Logitech - erm I meant USB cable

New series: Things you don’t need - but will probably want!

Did you ever want to have your own, handmade, remote controlled, stealthy USB implant / HID injector, but didn’t want to sell your soul for it? Well then this one is for you :)
I already heard about something like this in the past, which reminded me of the expensive O.MG cable from HAK5 or the USB Ninja.
But if you like to tinker a little bit and are on a budget, you can pretty much get the same results for like 30 bucks.

I already own a DSTIKE WiFi Duck and several Digisparks, but plugging these into someone’s computer is far more suspicious than a black USB cable. I also own a CrazyRadio, with which one can inject keystrokes into wireless receivers for keyboards and mice, with the help of e.g. bettercap - but to be honest this is a real pain in the ass.

I recently stumbled upon some great articles on Twitter regarding an alternative in the form of a Unifying receiver implanted into a USB cable. When I read those lines, I also wanted a USB cable that would still be able to charge a phone, but could also be used to inject keystrokes into the victim’s systems or even give me a remote shell.


Relaying 101

Hello fellas, or as we say in Germany: “Hallo Freunde der fettfreien Leberwurst.”

In today’s blog-post we’ll be talking about relaying attacks, or more precisely about NTLM relaying attacks. So let’s get started.

As you already know, I am new to the pentest field, and as such we’re not going to deep dive here; instead I am trying to give you an overview of what, why and when, mixed with some practical examples in regards to relaying attacks. Wherever applicable I’ll provide you with links for further reading.

There’s nothing new here, just a short overview of the different types of attacks. All the hard work has been done beforehand by awesome people like Dirk-jan Mollema, Laurent Gaffie, byt3bl33d3r and all the crazy people behind impacket, responder, mitm6 and bettercap.


Sailing Past Security Measures In AD

Today we’re going to talk a little about possible ways to circumvent some of the security measures one might face during an engagement in an Active Directory environment.

We as pentesters are heavily relying on our tools like Bloodhound, Rubeus, mimikatz and all the other fancy stuff, be it for an internal assessment or a Red Team campaign.

But the Blue Team is not asleep, trying to keep the bad guys outside with their newest AI machine learning cyber tools.



Pentest - Everything SMTP

In this blog-post I am trying to demystify SMTP (at least for myself).
What exactly is it used for? What parties are involved? What about authentication and when? What attack surfaces are you opening with incorrect settings?

As you may have read in the other posts, I will most likely try to reflect on my knowledge of specific topics or work on certain problems I face (mainly at work), and these blog-posts are meant to help me with that.

This time it’s all about SMTP in regard to possible attacks and countermeasures, all from the point of view of an external attacker.



AS_REP Roasting vs Kerberoasting

Recently my team had a discussion about what the exact difference between AS_REP Roasting and Kerberoasting is.
As we were short of time, we did not come to a concrete answer and were also not able to find an article that explains it in short.

I am neither a professional with years of experience nor a Kerberos guru. So if you are looking for a complex deep-dive, feel free to move along.

Credits to: Allagar’s Art


My Way Into InfoSec

This is my very first blog post ever, which I am trying to use to get a little into GitHub (Pages), and because I was in the mood to write something.
As I am fairly new to being a full-time InfoSec guy, I’ll be writing about how I got into it and how I landed my current job as a pentester.
This will also reflect my point of view regarding the right mindset and certifications that might get you started.

