BHIS | Coercions and Relays - The First Cred is the Deepest with Gabriel Prud'homme | 1.5 Hours
- Published: 6 Aug 2024
- Join us in the Black Hills InfoSec Discord server here: / discord to keep the security conversation going!
Reach out to Black Hills Infosec if you need pentesting, threat hunting, ACTIVE SOC, incident response, or blue team services -- www.blackhillsinfosec.com/
00:00:00 - FEATURE PRESENTATION: Coercions and Relays - The First Cred is the Deepest
00:00:20 - Agenda
00:00:45 - Why This Talk?
00:02:10 - Why This Works
00:03:44 - Option 1
00:04:53 - Option 2
00:09:02 - Recon Tools
00:09:16 - 01 - Basic Responder
00:11:16 - 02 - Simple Relay (Local Admin SMB to SMB)
00:14:41 - 03 - Dump AD Information HTTP to LDAP (IPv6 Poisoning)
00:16:39 - 04 - Fake Machine Account Creation via DHCP Poisoning (HTTP to LDAP)
00:18:43 - 05 - SMB to SOCKS AD Users, Groups and Machine Accounts Dump (SOCKS)
00:22:04 - 06 - Domain Administrator Privilege Escalation NetNTLM v1
00:26:57 - 07 - Machine Account Admin to (Exchange Trusted Subsystem Group)
00:29:41 - 08 - Printer LDAP Pass Back Attack
00:31:56 - 09 - MSSQL Relay via XP_DIRTREE
00:37:30 - 10 - SCCM Client Push Installation
00:39:07 - 11 - Files That Coerce (SMB Share)
00:42:33 - Take a break; Let’s all go to the lobby, have a snack!
00:43:01 - What is WebDAV?
00:45:37 - 12 - Remote Code Execution (RCE) via WebDAV to RBCD Using Unauthenticated PetitPotam Proxy
00:53:55 - 13 - Local Privilege Escalation (LPE) via WebDAV to RBCD (Change Lock Screen)
00:59:09 - 14 - Local Privilege Escalation (LPE) via WebDAV to Shadow Credentials (Remote C2)
01:07:22 - 15 - Unauthenticated ADCS User Templates Dump Via Web (SMB to HTTP)
01:09:57 - 16 - Active Directory Certificate Services (ADCS) ESC8 via C2 (PortBender)
01:13:50 - 17 - RemotePotato Privilege Escalation via RPC Protocol
01:16:53 - 18 - Kerberos Relay DNS Authentication via Mitm6 (Krbrelayx)
01:19:57 - 19 - Kerberos KrbRelay and KrbRelayUp Tools Local Privilege Escalation (LPE)
01:22:36 - Mitigation
01:24:50 - Credit & Reference
01:25:32 - Post Show Questions
Description: In this 1.5-HOUR, Black Hills Information Security (BHIS) webcast, Gabriel Prud'homme will cover network protocol poisoning, relays, and abuses. Learn how to use Responder, Ntlmrelayx, and Mitm6. From PetitPotam to WebDAV remote and local privilege escalation, and much more.
Slides: www.blackhillsinfosec.com/wp-...
Black Hills Infosec Socials
Twitter: / bhinfosecurity
Mastodon: infosec.exchange/@blackhillsi...
LinkedIn: / antisyphon-training
Discord: / discord
Black Hills Infosec Shirts & Hoodies
spearphish-general-store.mysh...
Black Hills Infosec Services
Active SOC: www.blackhillsinfosec.com/ser...
Penetration Testing: www.blackhillsinfosec.com/ser...
Incident Response: www.blackhillsinfosec.com/ser...
Backdoors & Breaches - Incident Response Card Game
Backdoors & Breaches: www.backdoorsandbreaches.com/
Play B&B Online: play.backdoorsandbreaches.com/
Antisyphon Training
Pay What You Can: www.antisyphontraining.com/pa...
Live Training: www.antisyphontraining.com/co...
On Demand Training: www.antisyphontraining.com/on...
Educational Infosec Content
Black Hills Infosec Blogs: www.blackhillsinfosec.com/blog/
Wild West Hackin' Fest RUclips: / wildwesthackinfest
Active Countermeasures RUclips: / activecountermeasures
Antisyphon Training RUclips: / antisyphontraining
Join us at the annual information security conference in Deadwood, SD (in-person and virtually) - Wild West Hackin' Fest: wildwesthackinfest.com/
#bhis #infosec
Thanks a lot. I really liked this type of presentation where all commands and demos were shown. Straight to the point, but explained all necessary details without discussing god and the world. I would really wish that other people would structure/present talks in the same way. Thumbs up, one of the best talks I saw since a long time.
This was the most thorough and helpful video I've ever seen, I cannot thank you enough!
Awesome talk bro, been deep diving into this topic lately so really useful to see such a comprehensive reference. Well presented.
Going to have to practice these, with Responder, then Inveigh, and finally, Pretender! Thanks so much!
I love the name of this talk so much
First time ever I leave a comment... but bro, this is such an amazing video... I am amazed. Very useful.
Great presentation! I've used Responder and Inveigh, but not Pretender. I'm gonna have to tinker a bit with the latter.
BHIS ROCKS
Amazing techniques! Congrats and thanks a lot!
Great content, like it and was looking for it :) I think Gabriel was messing a bit with the Windows computer locking shortcut (it is pressing Windows Key + L).
Great presentation! Do the SMB relay and mitm6 attacks only work if there are misconfigurations/share typos?
I have had some engagements where they work great whereas others don't work at all, and I don't know if it's specific to the above or not. Every vid and reference I see initiates the capture by accessing a non-existent share.