NetSPI Blog

Jake Karnes

Jake has a B.S. in Computer Science from San Jose State University, and holds the GIAC Certified Incident Handler and Certified Ethical Hacker certifications. He specializes in web application penetration testing. Jake also contributes to the development of applications and tools for the NetSPI penetration testing team.

Jake Karnes
December 8th, 2020

CVE-2020-17049: Kerberos Bronze Bit Attack – Practical Exploitation

This post reviews how the Kerberos Bronze Bit vulnerability (CVE-2020-17049) can be exploited in practice. I strongly suggest first reading the Bronze Bit Attack in Theory post to understand why and how this attacks works. It is also worth noting that Microsoft published a patch for the vulnerability on November 10, 2020. The patch rollout […]

Jake Karnes
December 8th, 2020

CVE-2020-17049: Kerberos Bronze Bit Attack – Theory

Introduction and Background This attack expands upon the excellent research documented by Elad Shamir in “Wagging the Dog: Abusing Resource-Based Constrained Delegation to Attack Active Directory.” I’ll cover the key points below, but his article a great resource and primer for Kerberos and constrained delegation in AD. If you’re already familiar with the Kerberos fundamentals, […]

Jake Karnes
December 8th, 2020

CVE-2020-17049: Kerberos Bronze Bit Attack – Overview

With the release of Microsoft’s patch to fix CVE-2020-17049, I’m excited to share details about this vulnerability and how it could be exploited. This post is only a very high-level overview, and I strongly encourage readers who are interested to check out my follow-up posts which provide much more depth: To learn about Kerberos, Kerberos […]

Jake Karnes
March 30th, 2020

Decrypting Azure VM Extension Settings with Get-AzureVMExtensionSettings

TL;DR If you’re a local admin on an Azure VM, run the Get-AzureVMExtensionSettings script from MicroBurst to decrypt VM extension settings and potentially view sensitive parameters, storage account keys and local Administrator username and password. Overview The Azure infrastructure needs a mechanism to communicate with and control virtual machines. All Azure Marketplace images have the […]

Jake Karnes
February 13th, 2020

Attacking Azure with Custom Script Extensions

PowerShell and Bash scripts are excellent tools for automating simple or repetitive tasks. Azure values this and provides several mechanisms for remotely running scripts and commands in virtual machines (VMs). While there are many practical, safe uses of these Azure features, they can also be used maliciously. In this post we’ll explore how the Custom […]