Room362

Blatherings of a security addict

WPAD Persistence

Mostly just writing this so I can keep notes. Today I came up with the idea to forcibly put the WPAD entry into a Windows Domain’s DNS. For those who don’t know what this would do there is an entire Wikipedia article on the subject: https://en.wikipedia.org/wiki/Web_Proxy_Autodiscovery_Protocol I did this via PowerShell pretty easily on one of the domain controllers like so: PS C:\> Add-DnsServerResourceRecordA -Name wpad -ZoneName sittingduck.info -IPv4Address 107.170.50.74 Where 107.170.50.74 is the Digital Ocean box I stood up external to my test domain.

Kerberoasting - Part 3

Previous works: There has been a number of different blog posts, presentations and projects that have happened before this post and I will reference a number of them during the post and at the end have a link to all that I know about. If you know of any works on this subject that I am missing please submit a comment below and I’ll will be sure to reference it. Attacker KB Link: (to be updated later) Common Findings DB Link: (to be updated later) Now we start cracking the tickets we have and hopefully one will break.

Kerberoasting - Part 2

Previous works: There has been a number of different blog posts, presentations and projects that have happened before this post and I will reference a number of them during the post and at the end have a link to all that I know about. If you know of any works on this subject that I am missing please submit a comment below and I’ll will be sure to reference it. Attacker KB Link: (to be updated later) Common Findings DB Link: (to be updated later) Now that we’ve listed all the tickets in a ton of different ways, we need to request the ones we want and get them to a point that we can start cracking them.

Kerberoasting - Part 1

Previous works: There has been a number of differnet blog posts, presentations and projects that have happened before this post and I will reference a number of them during the post and at the end have a link to all that I know about. If you know of any works on this subject that I am missing please submit a comment below and I’ll will be sure to reference it. Attacker KB Link: (to be updated later) Common Findings DB Link: (to be updated later) What are SPNs Service Principal Names (SPNs) are: a unique identifier of a service instance.

BlackHat USA 2016

Once again, @egyp7 and I will be teaching both our Metasploit Basics course as well as the Mastery Course.

Metasploit Minute

Metasploit Minute Season 6 is on the air! I know we have been away for a long while. The first episode is posted https://www.patreon.com/posts/5083466 each Monday a link will be posted on the Patreon site, or if you find RSS feeds easier, you can find it over at http://metasploitminute.com

Another Blogging Platform

Yes yes yes, I know, another platform, but guess what, it’s my blog, so ne-ner-ne-ner-ne-ner Hugo removed what I didn’t like about Octopress (the generating / pushing of content using a mix of branches and such) The reason I moved from Blogger was I just can’t stand having to log in and be online to make posts. I love things like MarsEdit for doing offline posts to services like Blogger, but I never could get the formatting right when I was done, especiall for code, so I’m back to a markdown based system.

2016 Shmoocon Hiring List

Created the 2016 UNOFFICIAL ShmooCon Hiring List. To get on the list is even easier now! Just complete the following form: http://goo.gl/forms/pbYI0TZ9dG (One small tip, first come first serve, so if you want to be on the top of the list it’s best to submit the best info you have vs waiting on anyone, I don’t change the list order for anyone.) Direct Link to Google Doc: https://docs.google.com/spreadsheets/d/15xqphPVEnH7o2urovHWjJiS1VCjdAqcPNB_HS0yRexU/

Reverse Proxying Attacker Tools

Ever want to have all of your C2 go to the same box, have the functionality of Meterpreter, and Empire, while making it so if anyone goes to the actual site of your C2 all they get is something like Google? Nginx makes that possible, and instead of making a blog post that will disappear, I’ll point you at my combo in my “Attacker Knowledge Base” site: https://attackerkb.com/Combinations/ReverseProxyAttackTools and instead,

Reverse Proxying Attacker Tools

Ever want to have all of your C2 go to the same box, have the functionality of Meterpreter, and Empire, while making it so if anyone goes to the actual site of your C2 all they get is something like Google? Nginx makes that possible, and instead of making a blog post that will disappear, I’ll point you at my combo in my “Attacker Knowledge Base” site: https://attackerkb.com/Combinations/ReverseProxyAttackTools and instead,