Kevin Robertson (@kevin_robertson)'s Twitter Profile

ID: 602244948

07-06-2012 20:09:37

284 Tweets

4.4K Followers

186 Following

Jake Karnes (@jakekarnes42)

I'm excited to share that CVE-2020-17049 has been issued for a vulnerability that I found. There are more details to come, but I'll be holding off publishing for now while the patchwork is still ongoing. msrc.microsoft.com/update-guide/v…

Karl (@kfosaaen)

I'm super excited about this post finally going live, but here is some fantastic Kerberos research by NetSPI's Jake Karnes! This link is the intro post, but additional links are there for the two deep dive follow up posts on CVE-2020-17049. blog.netspi.com/cve-2020-17049…

Jake Karnes (@jakekarnes42)

All the details for CVE-2020-17049 are now available! The overview contains a summary of the vulnerability and its exploit, including links to 2 deep dive posts which cover much more. blog.netspi.com/cve-2020-17049…

S3cur3Th1sSh1t (@shitsecure)

Wooho, just got local PTH for an interactive shell working! All other PTH tools can only be used for network auth. as far as I can tell. I used a modified Invoke-SMBExec from Kevin Robertson and a modified RoguePotato from Antonio Cocomazzi and Andrea P. Blog post will follow!

Kevin Robertson (@kevin_robertson)

Is anyone still seeing wpad resolved through LLMNR/mDNS with chrome/edge? My Windows 10 lab systems are trying to resolve through DNS only now. It may be related to this bugs.chromium.org/p/chromium/iss…

Kevin Robertson (@kevin_robertson)

MitM Tip: The Windows 10 WebDAV client verifies certs when connecting with a FQDN or IP address but not a hostname (\\host@SSL\share). For now, MS will not be patching this issue. Bonus Tip: By default, WebDAV basic auth is enabled over SSL only so cleartext creds can be exposed.

Karl (@kfosaaen)

Training Announcement - NetSPI's first public course of the "Dark Side Ops: Azure Cloud" training will be this August 23-24. This will be a virtual training, but we hope to do an in person training in the near future. Tickets and course information here - netspi.com/training/dark-…

Karl (@kfosaaen)

More amazing research from Jake Karnes around alternative ways to execute commands on Azure VMs. I think the persistence options (see the examples at the end) are going to be a great way to maintain access on an Azure VM - netspi.com/blog/technical…

Karl (@kfosaaen)

About a year ago, @asegunlolu reached out about being a co-author on an Azure pentesting book. We are currently wrapping up the final chapters and the book is now available for pre-order on Amazon - amazon.com/Penetration-Te…

Josh (@passthehashbrwn)

New blog just went live. It walks through the details of a new Azure attack that I've dubbed "API Connection Hijacking", plus some tips on where to find creds in Logic Apps. netspi.com/blog/technical…

Karl (@kfosaaen)

Here's another serious vulnerability to add onto the list of recent Azure issues. This is our write up (and a thread) on CVE-2021-42306 (CredManifest), which addresses the cleartext storage of App Registration credentials in AAD SP manifests. netspi.com/blog/technical… (1/5)

Scott Sutherland (@_nullbind)

[BLOG] Attacking and Remediating Excessive Network Share Permissions in Active Directory Environments netspi.com/blog/technical… #NetSPI #PowerShellAllTheThings

Jim Sykora (@jimsycurity)

Slides from our Active Directory & DNS (ADIDNS) talk at BSidesCharm 2023 are up. AD & DNS: A Match Made in Heck I believe video will be released soon(ish).

Jim Sykora (@jimsycurity)

Recording of the talk is up: youtu.be/QSRxrTXj8G0 This was my first public talk, so yes I don't know how to use a handheld microphone. :)

Andrew (@4ndr3w6s)

Part 2 of our DACL abuse attack/detections is live! This time Megan and myself explore various attributes that can be modified with Kevin Robertson’s PowerMAD tool.

Ori David (@oridavid123)

Today I had the pleasure of presenting my research at #BHEU, and I am now very excited to share it with the rest of the world. TL;DR - unauthenticated attackers can spoof sensitive DNS records by abusing Microsoft DHCP. Akamai Security Intelligence Group 1/7
