LDAP authentication in Active Directory environments

Published on Tue 31 October 2023 by @lowercase_drm

Understanding the different types of LDAP authentication methods is fundamental to apprehend subjects such as relay attacks or countermeasures. This post introduces them through the lens of Python libraries.


Windows Installer arbitrary content manipulation Elevation of Privilege (CVE-2020-0911)

Published on Thu 06 July 2023 by @clavoillotte

The Windows Installer accesses the MSI files in C:\Windows\Installer while impersonating the user (and using the impersonated user's device map), and trusts these files to perform elevated/privileged operations such as registry key creation. This can be abused by an unprivileged user to obtain SYSTEM privileges.


Authenticating with certificates when PKINIT is not supported

Published on Wed 04 May 2022 by Yannick Méheut

A certificate obtained through Active Directory Certificate Services is usually used to get a TGT or recover the NT hash using PKINIT. But what can we do when it's not possible?


Bypassing LDAP Channel Binding with StartTLS

Published on Thu 28 April 2022 by @lowercase_drm

While doing research on LDAP client certificate authentication, we realized that the LDAP implementation of Active Directory supports the StartTLS mechanism, which has interesting implications on relay attacks.


LDAP relays for initial foothold in dire situations

Published on Mon 28 March 2022 by @SAERXCIT

Implementing existing attacks & techniques necessitating a domain account as black box LDAP relays to facilitate gaining initial access to a hardened domain.


HowTo: intercept mutually-authenticated TLS communications of a Java thick client

Published on Wed 31 March 2021 by @SAERXCIT

A quick guide on how to intercept TLS communications of a hardened Java thick client implementing client certificate authentication and certificate pinning using jdb.


(Super) Magic Hashes

Published on Mon 07 October 2019 by myst404 (@myst404_)

Magic hashes are well known specific hashes used to exploit Type Juggling attacks in PHP. Combined with bcrypt limitations, we propose the concept of Super Magic Hashes. These hashes can detect 3 different vulnerabilities: type juggling, weak password storage and incorrect Bcrypt usage. A Go PoC found some MD5, SHA1 and SHA224 super magic hashes.


An introduction to privileged file operation abuse on Windows

Published on Wed 20 March 2019 by @clavoillotte

This is a (bit long) introduction on how to abuse file operations performed by privileged processes on Windows for local privilege escalation (user to admin/system), and a presentation of available techniques, tools and procedures to exploit these types of bugs.


UAC bypass via elevated .NET applications

Published on Fri 15 September 2017 by @clavoillotte

.NET Framework can be made to load a profiling DLL or a COM component DLL via user-defined environment variables and CLSID registry entries, even when the process is elevated. This behavior can be exploited to bypass UAC in default settings on Windows 7 to 10 (including the latest RS3 builds) by making an auto-elevate .NET process (such as MMC snap-ins) load an arbitrary DLL.