I'm still writing about a three year old exploit because a post I wrote a long time ago continues to get traction on a monthly basis. 

    When this series of vulnerabilities appeared, Metasploit modules were written soon after which gave use the ability to point and click for root.  Then somewhere along the way, the following error started to appear:  "Unable to find accessible named pipe!"  I'd initially thought that machines were patched and that prevented the execution despite their vulnerable appearance.  Then, honestly, I just didn't have the interest to care. 


    If an attacker were to get on your network, compromise the domain, and takeover the krbtgt account, creating a golden ticket is an almost guaranteed method for persistence as long as you don't reset the password for that account -- twice.  "The password must be changed twice to effectively remove the password history."  I don't know if there's a "best practice" but according to Ping Castle, or at least its implication, we probably want to change it every 60 days.


    Kerbrute:  "A tool to quickly bruteforce and enumerate valid Active Directory accounts through Kerberos Pre-Authentication"

    When running Nmap, we come across a server with open SMB ports and we might run Enum4Linux to gather information about the server.  In some cases, like with more modern and hardened servers, we probably won't get a whole lot of information.  But let's say when we run that Nmap scan, we see that Kerberos is running, that gives us another avenue for enumeration.


    The description states:  "Can you get past the gate and through the fire?

    Before I jump into this, I'd like to get a couple of things out of the way.  First, If you're doing this box, I assume you can find your way to the binary.  Second, with very few Windows buffer overflow problems on the Internet, it's nice to find another to work on those skills in a controlled environment.  Add this to the short list with SLMail and Brainpan.


    Token impersonation is a technique that allows one user to impersonate another user -- assuming they have the privileges to do so.  In this post, we're going to use Meterpreter but this can be done with other tools as well.  I believe PowerSploit has Invoke-TokenManipulation.ps1 which will do something along the same lines.  Aside from an improper configuration, we could run into this situation where a service account has privileges, we take over that service account, and from there, we can elevate to administrator or NT AUTHORITY\SYSTEM.


    Page 3 of 57

    © 2020 sevenlayers.com