Posts

Cloud penetration testing: Not your typical internal penetration test

There seems to be a common path for experienced penetration testers who are thrown into the world of cloud penetration testing. I'm talking about internal (aka assumed breach) tests, where the goal is to demonstrate the impact of a compromised user with access to the cloud or a compromised application in the cloud. The path usually starts with ignorance, is followed by total confusion and questioning everything you know about penetration testing, and ends with… well, it never ends. Why? Because the cloud providers and the cloud native technologies running in these clouds keep evolving at a remarkable rate. There's always more to learn and more attack paths waiting to be found. I hope walking through my own path and defining the stages of ignorance and awareness I encountered in a playful way might help others progress through the early stages more quickly than I did.

Level 1: This is just like any other Internal Penetration Test, right?

You connect to your assumed breach star

Pentest Home Lab - 0x3 - Kerberoasting: Creating SPNs so you can roast them

TL;DR

There are a lot of great blogs out there that show you how to Kerberoast. In this post, I'm going to walk through the process of setting up your lab so that you can practice this attack. This involves creating a domain user and then mapping an SPN to that account. After that, I'll walk through using Empire to launch Invoke-Kerberoast, and I'll crack the hashes offline with Hashcat.

Pentest Home Lab Recap

If you don't already have an Active Directory lab and want to build one so that you can play along, check out my previous posts:

Pentest Home Lab - 0x0 - Building A Virtual Corporate Domain
Pentest Home Lab - 0x1 - Building Your AD Lab on AWS
Pentest Home Lab - 0x2 - Building Your AD Lab on Premises using Proxmox VE

The Attack: Kerberoasting

Attack Goals: Domain privesc & lateral movement. If you have domain credentials and access to the domain, this is a relatively easy way to gain additional access within the domain. If all goes well, you

Pentest Home Lab - 0x2 - Building Your AD Lab on Premises

In Pentest Home Lab - 0x0 - Building a virtual corporate domain, we talked about why you would want to build your own AD pentest lab, where you can build it, and the pros and cons of each option. In Pentest Home Lab - 0x1 - Building Your AD Lab on AWS, we walked through setting up a fully functional home lab in AWS. In this third installment, I'm going to walk through setting up a pentest Active Directory home lab in your basement, closet, etc. I'll be using Proxmox VE, an open source virtualization environment (aka hypervisor) similar to VMware ESXi or Citrix XenServer.

The series so far:

Pentest Home Lab - 0x0 - Building A Virtual Corporate Domain
Pentest Home Lab - 0x1 - Building Your AD Lab on AWS
Pentest Home Lab - 0x2 - Building Your AD Lab on Premises using Proxmox VE (This post)
Pentest Home Lab - 0x3 - Kerberoasting: Creating SPNs so you can roast them

Table of Contents

What are we going to build?
Example server specs
Let's talk about networ

Pentest Home Lab - 0x1 - Building Your AD Lab on AWS

In Pentest Home Lab - 0x0 - Building a virtual corporate domain, we talked about why you would want to build your own AD pentest lab, where you can build it (cloud vs on-premises options), and the pros and cons of each option. This post covers building your lab on AWS. Even if you have a lab at home, setting up a small second home lab on AWS is a worthwhile exercise. You'll learn a lot about AWS in the process.

The series so far:

Pentest Home Lab - 0x0 - Building A Virtual Corporate Domain
Pentest Home Lab - 0x1 - Building Your AD Lab on AWS (This post)
Pentest Home Lab - 0x2 - Building Your AD Lab on Premises using Proxmox VE
Pentest Home Lab - 0x3 - Kerberoasting: Creating SPNs so you can roast them

Table of Contents

What are we going to build?
Creating your AWS instances
Instance #1: This will be the Domain Controller
Instance #2: This will be Workstation01
Disable IE Enhanced Security Configuration
Instances #3 & #4 (Optional)
Create security