BITSADMIN Blog - Mystery guest in your IT infrastructure
BITSADMIN's blog on security research and red teaming
https://blog.bitsadmin.com/
Thu, 30 Nov 2023 21:18:50 +0000
Jekyll v3.9.3

Living Off the Foreign Land - Part 1/3: Setup Linux VM for SOCKS routing
Living Off the Foreign Land (LOFL) allows attackers to use Windows' built-in powerful tooling (LOFLCABs) to attack remote systems. The first part in this 3-part article discusses how to set up the Linux VM to transparently tunnel traffic over SOCKS. This enables an Offensive Windows VM to natively use Kerberos to interact with systems in the target network.
Tue, 15 Aug 2023 02:00:00 +0000
https://blog.bitsadmin.com/living-off-the-foreign-land-windows-as-offensive-platform
windows living-off-the-foreign-land active-directory powershell

Living Off the Foreign Land - Part 2/3: Configuring the Offensive Windows VM
Living Off the Foreign Land (LOFL) allows attackers to use Windows' built-in powerful tooling (LOFLCABs) to attack remote systems. The second part in this 3-part article discusses how to configure the Offensive Windows VM so it can use Kerberos authentication with the target network, and also how to obtain various types of credentials and then use them from the Offensive Windows VM.
Tue, 15 Aug 2023 01:00:00 +0000
https://blog.bitsadmin.com/living-off-the-foreign-land-windows-as-offensive-platform-part-2
windows living-off-the-foreign-land active-directory powershell

Living Off the Foreign Land - Part 3/3: Using Windows as Offensive Platform
Living Off the Foreign Land (LOFL) allows attackers to use Windows' built-in powerful tooling (LOFLCABs) to attack remote systems. The last part in this 3-part article discusses the various LOFL Cmdlets and Binaries (CABs) that can be used to attack systems in the target network, and also provides pointers on how these attacks can be detected.
Tue, 15 Aug 2023 00:00:00 +0000
https://blog.bitsadmin.com/living-off-the-foreign-land-windows-as-offensive-platform-part-3
windows living-off-the-foreign-land active-directory powershell

Digging for Secrets on Corporate Shares
Sometimes during red team engagements there is no obvious path to escalate and the only way to move forward is to perform an evaluation of the filesystem and network shares. This article discusses how to perform such an evaluation efficiently to find the needles in the haystack.
Mon, 03 Apr 2023 00:00:00 +0000
https://blog.bitsadmin.com/digging-for-secrets
powershell windows

Dealing with large BloodHound datasets
Article discussing some of the challenges I faced importing large datasets into BloodHound, including some scripts to overcome these challenges. Additionally, some tricks are discussed on how to use Neo4j's Cypher language from PowerShell to get the right results quickly.
Mon, 27 Jun 2022 09:00:00 +0000
https://blog.bitsadmin.com/dealing-with-large-bloodhound-datasets
active-directory bloodhound

Windows Security Updates for Hackers
Windows versions, releases and patch levels are a rather complex matter. This post brings structure to how Windows versioning and patching works and how to identify which vulnerabilities a Windows installation is vulnerable to.
Thu, 11 Nov 2021 09:00:00 +0000
https://blog.bitsadmin.com/windows-security-updates-for-hackers
windows kbs patches wesng

Spying on users using Remote Desktop Shadowing - Living off the Land
How to spy on users on remote computers using only Windows' built-in functionality? This post will explain the steps to (ab)use Windows' Remote Desktop feature to view a remote user's desktop using native Windows functionality without them noticing it.
Fri, 26 Mar 2021 09:00:00 +0000
https://blog.bitsadmin.com/spying-on-users-using-rdp-shadowing
living-off-the-land windows remote-desktop

Extracting credentials from a remote Windows system - Living off the Land
How to obtain the credentials from a remote machine or Domain Controller using only Windows' built-in functionality? This post will go through the steps of using WMI and SMB in PowerShell from an attacker Windows machine to get hold of the remote files storing the credentials and subsequently extracting them.
Tue, 26 May 2020 09:00:00 +0000
https://blog.bitsadmin.com/extracting-credentials-from-remote-windows-system
living-off-the-land windows credentials