Published: 19 October 2020    Last Updated: 03 July 2023

Link-Local Multicast Name Resolution (LLMNR) and NetBIOS-Name Service (NBT-NS) are name resolution protocols that are enabled by default on Windows machines. They’re both used as a fallback for DNS. If a machine requests a hostname, such as when attempting to connect to a file-share, and the DNS server doesn’t have an answer – either because the DNS server is temporarily unavailable or the hostname was incorrectly typed – then an LLMNR request will be sent, followed by an NBT request. LLMNR is a multicast protocol and NBT-NS is a broadcast protocol.

Therefore, an attack can take place where an attacker responds to these requests with illegitimate requests. For example, directing the requesting user to connect to the attacker's machine where an authentication attempt will be made – disclosing hashed credentials for the targeted user.

Published: 19 October 2020    Last Updated: 03 July 2023

We recently published an article on using Incognito for privilege escalation as part of a short series on using Metasploit. In this article we’ll cover an alternative approach for privilege escalation – extracting plaintext credentials. Whilst incognito is generally easier to use, Mimikatz is powerful and flexible.

In this part we’re just going to look at password extraction; but Mimikatz can be used for many other attacks – such as extracting domain hashes from a domain controller. As before, password extraction is really a post-exploitation steps and is very useful for escalating from local administrator access to domain administrator access. As this is a post-exploitation step, we’ll be starting with a SYSTEM shell through PsExec for this demonstration. As an example of when these steps could be deployed, they could be a step taken after successfully performing an attack to gain an initial foothold such as LLMNR and NBT-NS Spoofing, which we covered previously.

Published: 19 October 2020    Last Updated: 05 July 2023

Incognito is a tool which can be used for privilege escalation, typically from Local Administrator to Domain Administrator. It achieves this by allowing for token impersonation. As a local administrator can read the entirety of memory, if a domain administrator is logged in their authentication token can be stolen. We'll investigate its use here.

There are several types of authentication token on Windows systems, but Delegation tokens can be used network wide. This therefore allows a threat actor to extract one of these tokens and then execute commands on other machines (such as the Domain Controller). Incognito can be executed within Meterpreter, or as a standalone EXE.

Published: 19 October 2020    Last Updated: 03 July 2023

Metasploit is an exploitation framework. It’s a core tool of the penetration tester’s toolset and we use it for several of our vulnerability demonstrations, so it makes sense to write a quick “introduction to” for Metasploit. We’re going to look at the module system, navigating around, setting variables and running payloads.

Since there are so many modules, it's worthwhile becoming familiar with the search functionality. You can search for modules using the "search" command, and you can filter results based on features such as module type, CVE number, or platform. The command "help search" will reveal all filter options.

Published: 19 October 2020    Last Updated: 03 July 2023

Before being able to determine if systems are vulnerable, it’s critical to first find as many active systems within the scope as possible and to accurately determine what services those systems expose. A common tool for use in network mapping is Nmap.

Before we start looking at the many, many, options that Nmap has, we'll take a look at a simple example. Nmap can be invoked with a target IP address and it will perform a default scan. If Nmap is invoked with administrative/root privileges it will perform a "half-open" SYN scan which is beneficial for its potential to be stealthier and faster than a "full" scan. A full-handshake scan can will be performed if administrative permissions are not granted, or optionally with the -sT flag.

Published: 19 October 2020    Last Updated: 05 July 2023

If an Active Directory user has pre-authentication disabled, a vulnerability is exposed which can allow an attacker to perform an offline bruteforce attack against that user’s password.

This attack is commonly known as “AS-REP Roasting” in reference to Authentication Service Requests, a part of the process of authentication with Kerberos. An attacker who is able to find a user with pre-authentication disabled can request an AS-REP ticket for that user and this will contain data encrypted with the user’s password.

Published: 19 October 2020    Last Updated: 03 July 2023

Any domain user within Active Directory can request a service ticket (TGS) for any service that has an SPN (Service Principal Name). A part of the service ticket will be encrypted with the NTLM hash of the target user, allowing for an offline bruteforce attack.

This is true for user accounts and computer accounts, but computer account passwords are randomised by default and rotated frequently (every 30 days). However service user accounts may have weak passwords set which could be cracked. This attack is commonly called Kerberoasting. Although, don’t confuse this attack with the similarly named ASREP Roasting. A common setup where you might find this vulnerability is where a service account has been set up for Microsoft SQL Server.

Published: 19 October 2020    Last Updated: 03 July 2023

It is possible to brute-force Windows accounts directly, using tools like Metasploit using modules such as smb_login, which will target port 445 (SMB). However, it’s also possible to brute-force the Active Director authentication protocol Kerberos directly.

This can be beneficial to an attack for two reasons, the first is that it will be logged differently and depending on how the blue team are monitoring for attacks it might fly under the radar. A standard login attempt that fails will result in event 4625, whereas a failed Kerberos login attempt will likely result in event 4771.

Published: 19 October 2020    Last Updated: 05 July 2023

A common configuration on Windows Active Directory accounts is to have an account lockout threshold of say, 5 invalid attempts, and an observation window of 30 minutes. This is likely due to the fact that the “Suggested Setting” after setting a threshold is to enable a short observation window.

When setting an account lockout threshold, Windows “suggests” that you set the observation window at the same time, to 30 minutes. The observation window is often overlooked as a security risk; however it allows a threat actor to perform a bruteforce attack without locking an account.

Published: 19 October 2020    Last Updated: 03 July 2023

IPv6 is not new, RFC1883 discussed the protocol back in 1995. However, it has been updated several times, becoming a Draft Standard with RFC2460 in 1998, and an Internet Standard with RFC8200 in 2017!

If you’re wondering if there was an IPv5 the answer is sort of, in the Experimental Internet Stream Protocol, Version 2 (ST-II) which used the IP version number 5 within its packet header, that’s RFC1190. IPv7 was sort of RFC1475, IPv8 was sort of RFC1162, and for an April fools joke we go IPv9 in RFC1606.

Published: 19 October 2020    Last Updated: 05 July 2023

SQL Injection is an old vulnerability; first published on Christmas Day 1998 in Phrack Magazine 54. The issue occurs where user supplied input is insecurely concatenated into an SQL query. It generally allows a threat actor to perform any of the operations that the database user can execute – such as extracting, changing, or deleting database contents. Rarely, where the database user is highly privileged, this can allow for command execution through features such as the MSSQL xp_cmdshell system stored procedure.

Exploiting the issue manually is often trivial, but there are freely available public exploitation tools available – such as SQLmap.

Published: 19 October 2020    Last Updated: 03 July 2023

With error-based injection, data can be extracted from the database where an error message can be crafted which contains confidential data. For example:

MySQL: AND ExtractValue('',Concat('=',@@version))
MSSQL: AND 1 in (@@version)

With the MSSQL payload above the intention is to cause a string to be converted to an integer – which may throw an error where the error will contain the contents of the string. With the MySQL payload above a similar thing is attempted however this is achieved through an XPath function.

Published: 19 October 2020    Last Updated: 03 July 2023

UNION SELECT statements can be used for retrieving the results of a second SELECT statement by appending it to the end of another query. This is useful for SQL injection as it allows you to append a query to the end of a query executed by a developer to retrieve arbitrary database contents. It’s important to note that the details of the second query must match the first, specifically they must have the same number of columns and those columns must match in type.

Therefore the first step to exploiting SQL injection through UNION injection is to determine how many columns there are in the original query. This is possible in two main ways – either by creating a select statement and increasing the column count until the query executes or alternatively using “ORDER BY” syntax and increasing the column count until an error occurs – which implies that the number which causes an error is higher than the number of columns in use.

Published: 19 October 2020    Last Updated: 03 July 2023

Target were breached in 2013. The story was initially broken by Brian Krebs in a post published on 18 December 2013 and titled “Sources: Target investigating Data Breach”. This was followed up by a statement from Target announcing the breach on 19 December. The target confirmation stated the breach lasted between November 27 and December 15.

The breach was achieved through first compromising Target’s HVAC vendor, Fazio Mechanical. This was achieved through a phishing email which deployed malware which targeted credentials. These credentials were then used to access Target’s network.

Published: 19 October 2020    Last Updated: 03 July 2023

TalkTalk suffered a series of security issues in 2015. Right from the start of the year people were discussing an increased number of scam calls. On 26 February 2015 TalkTalk emailed customers to inform them of a data breach in which account numbers, addresses, and phone numbers were taken. The email detailed that a third-party contractor was believed to be responsible, and that TalkTalk was taking legal action against them. It was believed that “a few thousand” customers were affected.

On 10 August 2017, TalkTalk were fined again for failing to adequately protect personal data “because it allowed staff to have access to large quantities of customer’s data” which “left the data open to exploitation by rogue employees”.