November 18th, 2019
Analyzing DNS TXT Records to Fingerprint Online Service Providers
In this blog I’ll share a process/script that can be used to identify online service providers used by a target company through domain validation tokens stored in DNS TXT records.
November 11th, 2019
Exploiting SQL Server Global Temporary Table Race Conditions
This blog will walk through how to find and exploit SQL Server global temporary table race conditions to gain unauthorized access to data and execute code.
October 24th, 2019
Limiting The Exposure of Plain Text Passwords in C#
One vulnerability that we frequently look for when testing thick client applications is plain text passwords that are exposed in memory. Microsoft provides the SecureString to help protect passwords in memory, but what it does not provide is a perfect solution to actually using the SecureString when sending web requests. And as you’ll see below, […]
September 12th, 2019
Maintaining Azure Persistence via Automation Accounts
In every penetration test that involves Azure, we want to escalate our privileges up to a global administrator of the tenant. Once we’ve escalated our privileges in an Azure tenant, we want to have the ability to maintain our access to each subscription and the tenant as a whole. Aside from the benefits of controlling […]
August 29th, 2019
MachineAccountQuota Transitive Quota: 110 Accounts and Beyond
Background If you aren’t familiar with MachineAccountQuota (MAQ), I recommend skimming my previous blog post on the subject. TLDR Active Directory (AD) tracks transitive accounts created through MAQ to limit the number of accounts that can be added from a single unprivileged source account. AD calculates the maximum using a formula of Q * (Q […]
July 9th, 2019
Collecting Contacts from zoominfo.com
For our client engagements, we are constantly searching for new methods of open source intelligence (OSINT) gathering. This post will specifically focus on targeting client contact collection from a site we have found to be very useful (zoominfo.com) and will describe some of the hurdles we needed to overcome to write automation around site scraping. […]
March 20th, 2019
Using Azure Automation Accounts to Access Key Vaults
This is the second post in a series of blogs that focuses around Azure Automation. Check out “Exporting Azure RunAs Certificates for Persistence” for more info on how authentication works for Automation Accounts. In this installment, we’re going to focus on making use of Automation Accounts to gain access to sensitive data stored in Key […]
March 6th, 2019
MachineAccountQuota is USEFUL Sometimes: Exploiting One of Active Directory’s Oddest Settings
MachineAccountQuota (MAQ) is a domain level attribute that by default permits unprivileged users to attach up to 10 computers to an Active Directory (AD) domain. My first run-in with MAQ was way back in my days as a network administrator on a new job. I was assigned the task of joining a remote location’s systems […]
February 27th, 2019
Get-AzurePasswords: Exporting Azure RunAs Certificates for Persistence
This post will be the first blog in a series that focuses around Azure Automation. I’ve recently run into a fair number of clients making use of Azure Automation Runbooks, and in many cases, the runbooks are being misconfigured. As attackers, these misconfigurations can provide us credentials, sensitive data, and some interesting points for escalation. […]