Abusing Service Principal Names

by Vince

"A service principal name (SPN) is a unique identifier of a service instance. SPNs are used by Kerberos authentication to associate a service instance with a service logon account. This allows a client application to request that the service authenticate an account even if the client does not have the account name."

I have to be honest, in my many years as an administrator, I've never had to set this up. Though as a penetration tester, I like to understand both sides of what's going on. I've used GetUserSPNs a few times, but the question that I've asked myself is -- how did this happen?


C# Reverse Shell

by Vince

I've been noodling around with C# and I came up with an idea. When we compile an executable, we get that generic application icon. With a simple flag, we can add an icon -- I thought the PDF icon would be interesting for obvious reasons. Let's start with something simple: we're just going to compile this C# that pops open Notepad.


Abusing ACLs

by Vince

For the sake of keeping it simple -- Access Control Lists provide granular permissions to objects.  Quoting Microsoft:  "Access control for objects in Active Directory Domain Services is based on Windows NT and Windows 2000 access-control models.  Access privileges for resources in Active Directory Domain Services are usually granted through the use of an access control entry (ACE)."

Oftentimes, what I find is that a misunderstanding of what permissions do is what gets people into trouble. Let's look at a standard Active Directory user:
