Syncing yourself to Global Administrator in Azure Active Directory

This blog describes a vulnerability discovered by Fox-IT last year in Azure AD Connect, which would allow anyone with account creation privileges in the on-premise Active Directory directory to modify the password of any cloud-only account in Azure AD. Because of the way accounts are commonly configured, this could often enable an attacker to take … Continue reading Syncing yourself to Global Administrator in Azure Active Directory

Getting in the Zone: dumping Active Directory DNS using adidnsdump

Zone transfers are a classical way of performing reconnaissance in networks (or even from the internet). They require an insecurely configured DNS server that allows anonymous users to transfer all records and gather information about host in the network. What not many people know however is that if Active Directory integrated DNS is used, any … Continue reading Getting in the Zone: dumping Active Directory DNS using adidnsdump

Compromising Citrix ShareFile on-premise via 7 chained vulnerabilities

A while ago we investigated a setup of Citrix ShareFile with an on-premise StorageZone controller. ShareFile is a file sync and sharing solution aimed at enterprises. While there are versions of ShareFile that are fully managed in the cloud, Citrix offers a hybrid version where the data is stored on-premise via StorageZone controllers. This blog … Continue reading Compromising Citrix ShareFile on-premise via 7 chained vulnerabilities

mitm6 – compromising IPv4 networks via IPv6

While IPv6 adoption is increasing on the internet, company networks that use IPv6 internally are quite rare. However, most companies are unaware that while IPv6 might not be actively in use, all Windows versions since Windows Vista (including server variants) have IPv6 enabled and prefer it over IPv4. In this blog, an attack is presented … Continue reading mitm6 – compromising IPv4 networks via IPv6

Relaying credentials everywhere with ntlmrelayx

Insecurities in NTLM Authentication have been known about for over 15 years. The protocol can be abused to hijack a victim’s session through a process called “relaying”, which abuses a victim’s credentials by forwarding them to a different service than intended. NTLM authentication is still supported and enabled by default in many cases, even though it has been replaced as default authentication method by the more secure Kerberos. In this blog we will demonstrate relaying credentials to LDAP, IMAP and MSSQL with Ntlmrelayx, a Fox-IT extension to the well-known smbrelayx tool.