Browsed by
Category: Windows Security

Using Docker and Windows Subsystem for Linux to Learn and Experiment with New Information Security Tools

Using Docker and Windows Subsystem for Linux to Learn and Experiment with New Information Security Tools

Over the years when presenting at conferences, user groups, and customer presentations I have often talked about some of the “new ways” to help learn tools and techniques in information security. One of the resources I specifically recommend is using Docker containers and Windows Subsystem for Linux to quickly experiment with tooling without the need to manage a virtual machine or other infrastructure. I have often been asked to expand upon this topic so I wanted to document some of…

Read More Read More

Commando VM: Using the Testing Platform

Commando VM: Using the Testing Platform

Windows Offensive VM from Mandiant FireEye Previously, I wrote a high-level overview of the testing platform Commando VM and an installation guide to get started with it. Today, I’ll be diving into a proof of concept of sorts to show off some of the tools and flexibility that the testing platform offers. My goal with this post is to highlight some things that can be done with the platform, situations enterprises should try to be wary of, and some ways…

Read More Read More

What is the Kerberos PAC?

What is the Kerberos PAC?

The Privileged Attribute Certificate (PAC) is an extension to Kerberos tickets that contains useful information about a user’s privileges.  This information is added to Kerberos tickets by a domain controller when a user authenticates within an Active Directory domain.  When users use their Kerberos tickets to authenticate to other systems, the PAC can be read and used to determine their level of privileges without reaching out to the domain controller to query for that information (more on that to follow)….

Read More Read More

Commando VM: Installation & Configuration

Commando VM: Installation & Configuration

Windows Offensive VM from Mandiant FireEye Last time, I wrote a high-level overview of Commando VM and why it is important for both red and blue teamers to be familiar with the tools that come pre-packaged in testing platforms like this one. Today, I’ll be covering the installation and any configuration needed to get up and running with Commando VM. Prerequisites Commando VM can be installed on a virtual machine or physical machine but for ease of use and deployment,…

Read More Read More

Commando VM: Introduction

Commando VM: Introduction

Windows Offensive VM from Mandiant FireEye What is Commando VM? Commando VM is a Windows testing platform, created by Mandiant FireEye, meant for penetration testers who are more comfortable with Windows as an operating system. Commando VM is essentially the sister to Kali, a Linux testing platform widely used throughout the penetration testing community. These testing platforms are packaged with all the common tools and scripts that a tester would need to utilize during an engagement. Commando VM can be…

Read More Read More

What is Unstructured Data?

What is Unstructured Data?

Data is what drives business, and businesses are generating and consuming more data all of the time. The explosion of collaboration tools and big data analytics has only accelerated the desire for more employees to share more data across the enterprise. So it’s no surprise to IT teams that we are being asked to retain more data, of all types, make it freely available to employees in different departments and with outside business partners and, oh yeah, secure it all,…

Read More Read More

WDigest Clear-Text Passwords: Stealing More Than a Hash

WDigest Clear-Text Passwords: Stealing More Than a Hash

What happens when a malicious user has access to more than just an NTLM hash? What is WDigest? Digest Authentication is a challenge/response protocol that was primarily used in Windows Server 2003 for LDAP and web-based authentication. It utilizes Hypertext Transfer Protocol (HTTP) and Simple Authentication Security Layer (SASL) exchanges to authenticate. At a high level, a client requests access to something, the authenticating server challenges the client, and the client responds to the challenge by encrypting its response with…

Read More Read More

RID Hijacking: When Guests Become Admins

RID Hijacking: When Guests Become Admins

Securing Windows workstations and servers should be a priority for any organization; preventing a machine from getting compromised and being used to move laterally within an environment is a major concern. What happens when a machine is already compromised? A persistence method called ‘RID Hijacking’ is a way for an attacker to persist within your environment by granting the Guest account, or another local account, local administrator privileges by ‘hijacking’ the RID (relative identifier) of the Administrator account. Creating persistence…

Read More Read More

Start a Free StealthAUDIT® Trial!

No risk. No obligation.