Researched and written by Rindert Kramer and Dirk-jan Mollema Introduction During internal penetration tests, it happens quite often that we manage to obtain Domain Administrative access within a few hours. Contributing to this are insufficient system hardening and the use of insecure Active Directory defaults. In such scenarios publicly available tools help in finding and exploiting these issues … Continue reading Escalating privileges with ACLs in Active Directory
Compromising Citrix ShareFile on-premise via 7 chained vulnerabilities
A while ago we investigated a setup of Citrix ShareFile with an on-premise StorageZone controller. ShareFile is a file sync and sharing solution aimed at enterprises. While there are versions of ShareFile that are fully managed in the cloud, Citrix offers a hybrid version where the data is stored on-premise via StorageZone controllers. This blog … Continue reading Compromising Citrix ShareFile on-premise via 7 chained vulnerabilities
mitm6 – compromising IPv4 networks via IPv6
While IPv6 adoption is increasing on the internet, company networks that use IPv6 internally are quite rare. However, most companies are unaware that while IPv6 might not be actively in use, all Windows versions since Windows Vista (including server variants) have IPv6 enabled and prefer it over IPv4. In this blog, an attack is presented … Continue reading mitm6 – compromising IPv4 networks via IPv6
Lessons learned from a Man-in-the-Middle attack
It’s become a widely accepted mantra that experiencing a cyber breach is a question of ‘when’ and not ‘if’. For Fox-IT ‘if’ became ‘when’ on Tuesday, September 19 2017, when we fell victim to a “Man-in-the-Middle” attack. As a result of the multi-layered security protection, detection and response mechanisms we had in place, the incident … Continue reading Lessons learned from a Man-in-the-Middle attack
Criminals in a festive mood
This morning the Fox-IT Security Operations Center observed a large number of phishing e-mails that contained a link to a downloadable zip file. Anyone downloading and opening that zip file would infect themselves with banking malware, that would subsequently try to lure the victim into divulging their credit card information. So far nothing new: e-mail … Continue reading Criminals in a festive mood
Detection and recovery of NSA’s covered up tracks
Part of the NSA cyber weapon framework DanderSpritz is eventlogedit, a piece of software capable of removing individual lines from Windows Event Log files. Now that this tool is leaked and public, any criminal willing to remove its traces on a hacked computer can use it. Fox-IT has looked at the software and found a … Continue reading Detection and recovery of NSA’s covered up tracks
Further abusing the badPwdCount attribute
Researched and written by Rindert Kramer Introduction At Fox-IT, we often do internal penetration tests for our customers. One of the attacks that we perform is password spraying. In a password spraying attack the attacker tries to authenticate as one of the user accounts that is found in Active Directory using a common password. These … Continue reading Further abusing the badPwdCount attribute
