Kerberoasting is an attack allowing an attacker to crack Active Directory (AD) service account passwords offline, and with no fear of detection.
Developed by Tim Medin, Kerberoasting relies on the fact that when an AD user requests access to a service, they receive back a Kerberos ticket signed with the NTLM hash of the account running the service, which an attacker can steal — even if they are a regular domain user — and crack elsewhere.
With that service account password in hand, one can then forge a “silver ticket” for that service, creating opportunities for privilege escalation.
Continue reading “Kerberoasting and Silver Tickets”
Writeup was a box listed as “easy” on Hackthebox.eu. While it was technically easy, its use of fail2ban had the potential to slow down one’s progress toward user, and getting the root flag required careful enumeration under particular circumstances.
Continue reading “HackTheBox Walkthrough: Writeup”
Recently I got interested in HTTP2. It’s a new protocol that’s going to change a lot in the way people work with web app pentesting. Among other changes, it’s binary, it allows servers to push data to clients, and it multiplexes requests over a single connection (non-blocking). It’s supposed to be faster and more efficient than good old HTTP1.1. Apache and Nginx both support it, as does curl (the HTTP2 maintainers keep a list of known implementations here).
There also aren’t a lot of tools available for doing security testing of it.
Burp Suite doesn’t support it yet and hasn’t said when it will, although ZAP is working on it.
Yahoo’s pentesting group developed a very nice semi-intelligent fuzzer for HTTP2, described here, but they stopped development on it and left it without its replay mode.
I just released a new version which supports replay mode, when running as a client, on github. The original version is available here.
Aside – Paul’s Security Weekly did an episode on HTTP2 back in January (video | show notes).