OP
Uploaded byOctavio Paguaga
PPTX, PDF263 views

Bsidesnova- Pentesting Methodology - Making bits less complicated

The document discusses various penetration testing techniques including: 1. Using OSINT techniques like disabling content security policies to scrape invite links from a site. 2. Checking domains with services like VirusTotal to see their categorization and reputation over time. 3. Using Azure domain fronting to hide command and control domains from network defenders. 4. Enumerating Active Directory with tools like Bloodhound to find high privilege accounts and exploit delegation.

Embed presentation

Download to read offline
Pentesting Methodology - Making bits less complicated Octavio Paguaga TrustWave Government Solutions
Introduction & Thank yous • Senior Security Consultant at TrustWave Government Solutions • Thank you • Steve Borosh @rvrsh3ll • Will Schroeder @HarmJ0y • Andy Robbins @Waldo • Jimmy Bayne @bohops • hacktheplanet Discord & Bloodhound Slack Channel • @b33f & @ippsec  Check out their content/Patreon • Jason Lang – CuriousJack – • https://www.youtube.com/watch?v=kf829-tm0VM
OSINT https://generated.photos
Clear violation of Terms of Service, but… • Disable Content Security Policy • Open Developer tools var jqry = document.createElement('script'); jqry.src = "https://code.jquery.com/jquery-3.3.1.min.js"; document.getElementsByTagName('head')[0].appendChild(jqry); jQuery.noConflict(); setInterval(function() { window.scrollTo(0, document.body.scrollHeight); }, 500);
Clear violation of Terms of Service, but… jQuery('button[data-control-name="invite"]').each(function(index, value) { setTimeout(function() { jQuery(value).trigger('click'); }, index * 1000); });
Domain Ownership • Phishing Domain • C2 Domain • Domain Fronting • https://chigstuff.com/blog/metasploit-domain-fronting-with-microsoft-azure/ • https://medium.com/@rvrsh3ll/hardening-your-azure-domain-front- 7423b5ab4f64
Services to show categorization • https://fortiguard.com/webfilter • Fortiguard shows “Newly Observed Domain” • https://www.virustotal.com/gui/domain/ • Virus Total shows clean now and 12 months ago • Trustedsource.org • shows the site as Uncategorized with a reputation as Unverified • https://talosintelligence.com/reputation_center • Not blacklisted. Unknown to Talos Intelligence too (Cisco) • https://urlfiltering.paloaltonetworks.com/ • Palo Alto URL test shows it as “Alcohol and Tobacco” and “Low Risk” meaning benign activity for last 90 days • https://sitereview.bluecoat.com/#/ • Blue coat (Symantec) shows it as Business Economy category • https://www.brightcloud.com/tools/url-ip-lookup.php • Webroot shows Moderate Risk and category “Home and Garden”
Commands used • curl -H "Content-Type: BSIDES_CHARM" bsidescharm.azureedge.net • curl bsidescharm.azureedge.net • https://blog.cobaltstrike.com/2019/02/19/cobalt-strike-team-server- population-study/ • https://www.flashpoint-intel.com/blog/the-challenges-of-cobalt- strike-server-fingerprinting/
Azure domain front photos go here
Azure Domain Fronting
Commands used • curl -H "Content-Type: BSIDES_CHARM" bsidescharm.azureedge.net • curl bsidescharm.azureedge.net • https://blog.cobaltstrike.com/2019/02/19/cobalt-strike-team-server- population-study/ • https://www.flashpoint-intel.com/blog/the-challenges-of-cobalt- strike-server-fingerprinting/
Commands used
Azure Filtering to hide from defenders https://medium.com/@rvrsh3ll/hardening-your-azure-domain-front-7423b5ab4f64
Phishing Payload • HTA • SharpShooter • TikiTorch • demiguise • EvilClippy
Active Directory • SUCCESS! • Where do we start • Enumerate local machine • PSP’s • Whoami ? • What tools/scripts can I run • Manual Enumeration of AD • Bloodhound
KERBEROASTING • Targets accounts with Service Principal Name • e.g. MSSQLSvc/<FQDN> is assigned to a username • The password of the username is used to sign the TGS provided to the client. • hashcat –m 13100 <TGS> <wordlist> SPN Username MSSQLSvc/SQL01.east.com Oaktree
Active Directory • SUCCESS! • Where do we start • Enumerate local machine • PSP’s • Whoami ? • What tools/scripts can I run • Manual Enumeration of AD • Bloodhound
Manual Enumeration • Description Field • Get-DomainUser | select Description
Bloodhound & ACLs
GenericWrite permissions
Other ACL types • ForceChangePassword • AddMembers • GenericAll • GenericWrite • WriteOwner • WriteDACL
Delegation • https://adsecurity.org/wp-content/uploads/2015/08/Visio-KerberosDoubleHop-Visio.png
Delegation • Unconstrained • Constrained • For a given computer or user account, this attribute specifies the list of service principal names (SPN) corresponding to Windows services that can act on behalf of the computer or user account. • msDS-AllowedToDelegateTo • Resource Based Constrained Delegation • “(specifically msDS-AllowedToActOnBehalfOfOtherIdentity, so rights would include GenericAll, GenericWrite, WriteOwner, etc.) we can abuse this access and a modified S4U Kerberos ticket request process to compromise the computer itself.” • https://www.harmj0y.net/blog/activedirectory/a-case-study-in-wagging-the-dog-computer- takeover/ Accounts trusted for delegation (userAccountControl:1.2.840.113556.1.4.803:=524288)
Unconstrained Delegation Demo
DPAPI Data Protection API
• The Data Protection API (DPAPI) helps to protect data in Windows 2000 and later operating systems. DPAPI is used to help protect private keys, stored credentials (in Windows XP and later), and other confidential information that the operating system or a program wants to keep confidential. DPAPI is not responsible for storing the confidential information it protects. It is only responsible for encrypting and decrypting data for programs that call it, such as Windows Credential manager, the Private Key storage mechanism, or any third-party programs that call the CryptProtectData() function and the CryptUnprotectData() function in Windows 2000, Windows XP, or later.
Getting creds from Chrome
Getting creds from Chrome
Notes for Demonstration • Credentials are stored in user's profile. Can use Seatbelt to identify these. • Run vault::cred within Mimikatz before continuing • Usually in: • %appdata%MicrosoftCredentials • %localappdata%MicrosoftCredentials • We can unlock the credential blob by requesting the masterkey as the user by using the /rpc flag • We can unlock any credential blob if we can obtain the masterkey of a domain admin.
Access Credential Manager Vault
• https://github.com/gentilkiwi/mimikatz/wiki/module-~-dpapi • https://github.com/gentilkiwi/mimikatz/wiki/howto-~-credential- manager-saved-credentials • https://www.harmj0y.net/blog/redteaming/operational-guidance- for-offensive-user-dpapi-abuse/
Notes /export - optional - tickets are exported in .kirbi files. They start with user's LUID and group number (0 = TGS, 1 = client ticket(?) and 2 = TGT)

More Related Content

PPTX
Case Study of Django: Web Frameworks that are Secure by Default
byMohammed ALDOUB
 
ODP
BSides Cleveland: Active Defense - Helping threat actors hack themselves!
byThreatReel Podcast
 
PDF
Defeating xss-and-xsrf-with-my faces-frameworks-steve-wolf
bydrewz lin
 
PDF
Java EE 6 Security in practice with GlassFish
byMarkus Eisele
 
PPTX
Secure Coding for NodeJS
byThang Chung
 
PDF
Two scoops of Django - Security Best Practices
bySpin Lai
 
PPTX
Django Web Application Security
bylevigross
 
ODP
OISF Aniversary: Active Defense - Helping threat actors hack themselves!
byThreatReel Podcast
 
Case Study of Django: Web Frameworks that are Secure by Default
byMohammed ALDOUB
 
BSides Cleveland: Active Defense - Helping threat actors hack themselves!
byThreatReel Podcast
 
Defeating xss-and-xsrf-with-my faces-frameworks-steve-wolf
bydrewz lin
 
Java EE 6 Security in practice with GlassFish
byMarkus Eisele
 
Secure Coding for NodeJS
byThang Chung
 
Two scoops of Django - Security Best Practices
bySpin Lai
 
Django Web Application Security
bylevigross
 
OISF Aniversary: Active Defense - Helping threat actors hack themselves!
byThreatReel Podcast
 

What's hot

PDF
Modern Web Application Defense
byFrank Kim
 
PDF
Neil Saunders (Beamly) - Securing your AWS Infrastructure with Hashicorp Vault
byOutlyer
 
ODP
NKU Cybersecurity Symposium: Active Defense - Helping threat actors hack them...
byThreatReel Podcast
 
PDF
Looking for Vulnerable Code. Vlad Savitsky
byVlad Savitsky
 
PDF
Protecting Java EE Web Apps with Secure HTTP Headers
byFrank Kim
 
PPTX
Phu appsec13
bydrewz lin
 
PPTX
Hashicorp Vault ppt
byShrey Agarwal
 
PDF
Security and Privacy on the Web in 2015
byFrancois Marier
 
PDF
Hacking sites for fun and profit
byDavid Stockton
 
PDF
HTTP Security Headers Every Java Developer Must Know
byAyoma Wijethunga
 
PDF
When Ajax Attacks! Web application security fundamentals
bySimon Willison
 
PDF
WebView security on iOS (EN)
bylpilorz
 
PDF
Polyglot payloads in practice by avlidienbrunn at HackPra
byMathias Karlsson
 
PPTX
Six Degrees of Domain Admin - BloodHound at DEF CON 24
byAndy Robbins
 
PDF
Hacking sites for fun and profit
byDavid Stockton
 
PDF
Chickens & Eggs: Managing secrets in AWS with Hashicorp Vault
byJeff Horwitz
 
PPTX
Cross Site Scripting (XSS)
byOWASP Khartoum
 
PPTX
Java script, security and you - Tri-Cities Javascript Developers Group
byAdam Caudill
 
PDF
Vault 101
byHazzim Anaya
 
PPTX
W3 conf hill-html5-security-realities
byBrad Hill
 
Modern Web Application Defense
byFrank Kim
 
Neil Saunders (Beamly) - Securing your AWS Infrastructure with Hashicorp Vault
byOutlyer
 
NKU Cybersecurity Symposium: Active Defense - Helping threat actors hack them...
byThreatReel Podcast
 
Looking for Vulnerable Code. Vlad Savitsky
byVlad Savitsky
 
Protecting Java EE Web Apps with Secure HTTP Headers
byFrank Kim
 
Phu appsec13
bydrewz lin
 
Hashicorp Vault ppt
byShrey Agarwal
 
Security and Privacy on the Web in 2015
byFrancois Marier
 
Hacking sites for fun and profit
byDavid Stockton
 
HTTP Security Headers Every Java Developer Must Know
byAyoma Wijethunga
 
When Ajax Attacks! Web application security fundamentals
bySimon Willison
 
WebView security on iOS (EN)
bylpilorz
 
Polyglot payloads in practice by avlidienbrunn at HackPra
byMathias Karlsson
 
Six Degrees of Domain Admin - BloodHound at DEF CON 24
byAndy Robbins
 
Hacking sites for fun and profit
byDavid Stockton
 
Chickens & Eggs: Managing secrets in AWS with Hashicorp Vault
byJeff Horwitz
 
Cross Site Scripting (XSS)
byOWASP Khartoum
 
Java script, security and you - Tri-Cities Javascript Developers Group
byAdam Caudill
 
Vault 101
byHazzim Anaya
 
W3 conf hill-html5-security-realities
byBrad Hill
 

Similar to Bsidesnova- Pentesting Methodology - Making bits less complicated

PDF
Socially Acceptable Methods to Walk in the Front Door
byMike Felch
 
PPTX
BSIDES-PR Keynote Hunting for Bad Guys
byJoff Thyer
 
PPTX
Getting Started in Pentesting the Cloud: Azure
byBeau Bullock
 
PDF
DerbyCon 8 - Attacking Azure Environments with PowerShell
byKarl Fosaaen
 
PPTX
Covert Attack Mystery Box: A few novel techniques for exploiting Microsoft “f...
byBeau Bullock
 
PDF
Gartner Security & Risk Management Summit 2018
byPaula Januszkiewicz
 
PDF
The Web Application Hackers Toolchain
byjasonhaddix
 
PPTX
Ethical hacking 101 - Singapore RSA 2019
byPaul Haskell-Dowland
 
PPTX
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class
byRob Fuller
 
PPTX
Become a Threat Hunter by Hamza Beghal
byNull Singapore
 
PPTX
The Boring Security Talk - Azure Global Bootcamp Melbourne 2019
bykieranjacobsen
 
PDF
N Different Strategies to Automate OWASP ZAP - Cybersecurity WithTheBest - Oc...
bygmaran23
 
PDF
Advanced Domain Hacking
byUTD Computer Security Group
 
PPTX
BSides SG Practical Red Teaming Workshop
byAjay Choudhary
 
PPTX
Secure360 - Attack All the Layers! Again!
byScott Sutherland
 
PPTX
Pentest Apocalypse - SANSFIRE 2016 Edition
byBeau Bullock
 
PPTX
PHDAYS: DGAs and Threat Intelligence
byJohn Bambenek
 
PPTX
Raising the dead to save the living
byJaredPeck
 
PDF
Internal penetration test_hitchhackers_guide
byDarin Fredde
 
PDF
BSides Portland - Attacking Azure Environments with PowerShell
byKarl Fosaaen
 
Socially Acceptable Methods to Walk in the Front Door
byMike Felch
 
BSIDES-PR Keynote Hunting for Bad Guys
byJoff Thyer
 
Getting Started in Pentesting the Cloud: Azure
byBeau Bullock
 
DerbyCon 8 - Attacking Azure Environments with PowerShell
byKarl Fosaaen
 
Covert Attack Mystery Box: A few novel techniques for exploiting Microsoft “f...
byBeau Bullock
 
Gartner Security & Risk Management Summit 2018
byPaula Januszkiewicz
 
The Web Application Hackers Toolchain
byjasonhaddix
 
Ethical hacking 101 - Singapore RSA 2019
byPaul Haskell-Dowland
 
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class
byRob Fuller
 
Become a Threat Hunter by Hamza Beghal
byNull Singapore
 
The Boring Security Talk - Azure Global Bootcamp Melbourne 2019
bykieranjacobsen
 
N Different Strategies to Automate OWASP ZAP - Cybersecurity WithTheBest - Oc...
bygmaran23
 
Advanced Domain Hacking
byUTD Computer Security Group
 
BSides SG Practical Red Teaming Workshop
byAjay Choudhary
 
Secure360 - Attack All the Layers! Again!
byScott Sutherland
 
Pentest Apocalypse - SANSFIRE 2016 Edition
byBeau Bullock
 
PHDAYS: DGAs and Threat Intelligence
byJohn Bambenek
 
Raising the dead to save the living
byJaredPeck
 
Internal penetration test_hitchhackers_guide
byDarin Fredde
 
BSides Portland - Attacking Azure Environments with PowerShell
byKarl Fosaaen
 

Recently uploaded

PPTX
UNIT 1- Introduction to Basic of Computer Fundamentals
bypawarbhaktiit
 
PDF
Mobile Onboarding UX 11 Best Practices for Retention (2026).pdf
byDesign Studio UI UX
 
PDF
How Automation Powers Data Quality and Governance at Scale
bySafe Software
 
PDF
UiPath Coded Agents - A Developer Driven Agentic Automation Era
byUiPathCommunity
 
PDF
Hart, Inc. M&A Data Transition Checklist
byHart, Inc.
 
PDF
KM World 2025 Enterprises, KM, & Agentic AI
byEnterprise Knowledge
 
PDF
Are AI Hallucinations Getting Better or Worse? We Analyzed the Data.
byScott M. Graffius
 
PPTX
Building Real-Time Voice AI — Udaiappa Ramachandran
byUdaiappa Ramachandran
 
PPTX
Lecture 04. about Black heads and Hackerss.pptx
byvinocol222
 
PPTX
KTU-PEMET413 -MODULE 2-POLYMER MATRIX COMPOSITES - LECTURE 1.pptx
byVINAY B
 
PDF
AI Data Analyst: Smarter Insights for Modern Real Estate Decisions
byLeni Analyst
 
PPTX
AI_in_Cybersecurity_Insights_Case_Studies.pptx
bywrksmith9
 
PPTX
Lecture 05. API Security for DevSecOps Eng.pptx
byvinocol222
 
PDF
January Patch Tuesday
byIvanti
 
PPTX
02_Extended Warehouse Management Functions and Features.pptx
byUdayakumar218983
 
PDF
Louisville User Group: Transforming Technical Debt into Technical Wealth
byLynda Kane
 
PPTX
Oracle SCM Cloud Solutions for Smart Supply Chain Management
byChetu
 
PPTX
Design Flaws and Known Attacks in Agentic AI - ITI Business Session
byInformation Technology Institute
 
PPTX
Why GEO Is the Next Big Shift in Content Marketing.pptx
bySambitParhi2
 
PPTX
On-Device AI with Gemma 3n and PaliGemma 2 Session Slides - GDG VESIT
bygdgcodecellcmpn
 
UNIT 1- Introduction to Basic of Computer Fundamentals
bypawarbhaktiit
 
Mobile Onboarding UX 11 Best Practices for Retention (2026).pdf
byDesign Studio UI UX
 
How Automation Powers Data Quality and Governance at Scale
bySafe Software
 
UiPath Coded Agents - A Developer Driven Agentic Automation Era
byUiPathCommunity
 
Hart, Inc. M&A Data Transition Checklist
byHart, Inc.
 
KM World 2025 Enterprises, KM, & Agentic AI
byEnterprise Knowledge
 
Are AI Hallucinations Getting Better or Worse? We Analyzed the Data.
byScott M. Graffius
 
Building Real-Time Voice AI — Udaiappa Ramachandran
byUdaiappa Ramachandran
 
Lecture 04. about Black heads and Hackerss.pptx
byvinocol222
 
KTU-PEMET413 -MODULE 2-POLYMER MATRIX COMPOSITES - LECTURE 1.pptx
byVINAY B
 
AI Data Analyst: Smarter Insights for Modern Real Estate Decisions
byLeni Analyst
 
AI_in_Cybersecurity_Insights_Case_Studies.pptx
bywrksmith9
 
Lecture 05. API Security for DevSecOps Eng.pptx
byvinocol222
 
January Patch Tuesday
byIvanti
 
02_Extended Warehouse Management Functions and Features.pptx
byUdayakumar218983
 
Louisville User Group: Transforming Technical Debt into Technical Wealth
byLynda Kane
 
Oracle SCM Cloud Solutions for Smart Supply Chain Management
byChetu
 
Design Flaws and Known Attacks in Agentic AI - ITI Business Session
byInformation Technology Institute
 
Why GEO Is the Next Big Shift in Content Marketing.pptx
bySambitParhi2
 
On-Device AI with Gemma 3n and PaliGemma 2 Session Slides - GDG VESIT
bygdgcodecellcmpn
 

Bsidesnova- Pentesting Methodology - Making bits less complicated

  • 1.
    Pentesting Methodology - Makingbits less complicated Octavio Paguaga TrustWave Government Solutions
  • 2.
    Introduction & Thankyous • Senior Security Consultant at TrustWave Government Solutions • Thank you • Steve Borosh @rvrsh3ll • Will Schroeder @HarmJ0y • Andy Robbins @Waldo • Jimmy Bayne @bohops • hacktheplanet Discord & Bloodhound Slack Channel • @b33f & @ippsec  Check out their content/Patreon • Jason Lang – CuriousJack – • https://www.youtube.com/watch?v=kf829-tm0VM
  • 4.
  • 5.
    Clear violation ofTerms of Service, but… • Disable Content Security Policy • Open Developer tools var jqry = document.createElement('script'); jqry.src = "https://code.jquery.com/jquery-3.3.1.min.js"; document.getElementsByTagName('head')[0].appendChild(jqry); jQuery.noConflict(); setInterval(function() { window.scrollTo(0, document.body.scrollHeight); }, 500);
  • 6.
    Clear violation ofTerms of Service, but… jQuery('button[data-control-name="invite"]').each(function(index, value) { setTimeout(function() { jQuery(value).trigger('click'); }, index * 1000); });
  • 8.
    Domain Ownership • PhishingDomain • C2 Domain • Domain Fronting • https://chigstuff.com/blog/metasploit-domain-fronting-with-microsoft-azure/ • https://medium.com/@rvrsh3ll/hardening-your-azure-domain-front- 7423b5ab4f64
  • 9.
    Services to showcategorization • https://fortiguard.com/webfilter • Fortiguard shows “Newly Observed Domain” • https://www.virustotal.com/gui/domain/ • Virus Total shows clean now and 12 months ago • Trustedsource.org • shows the site as Uncategorized with a reputation as Unverified • https://talosintelligence.com/reputation_center • Not blacklisted. Unknown to Talos Intelligence too (Cisco) • https://urlfiltering.paloaltonetworks.com/ • Palo Alto URL test shows it as “Alcohol and Tobacco” and “Low Risk” meaning benign activity for last 90 days • https://sitereview.bluecoat.com/#/ • Blue coat (Symantec) shows it as Business Economy category • https://www.brightcloud.com/tools/url-ip-lookup.php • Webroot shows Moderate Risk and category “Home and Garden”
  • 10.
    Commands used • curl-H "Content-Type: BSIDES_CHARM" bsidescharm.azureedge.net • curl bsidescharm.azureedge.net • https://blog.cobaltstrike.com/2019/02/19/cobalt-strike-team-server- population-study/ • https://www.flashpoint-intel.com/blog/the-challenges-of-cobalt- strike-server-fingerprinting/
  • 11.
    Azure domain frontphotos go here
  • 12.
  • 13.
    Commands used • curl-H "Content-Type: BSIDES_CHARM" bsidescharm.azureedge.net • curl bsidescharm.azureedge.net • https://blog.cobaltstrike.com/2019/02/19/cobalt-strike-team-server- population-study/ • https://www.flashpoint-intel.com/blog/the-challenges-of-cobalt- strike-server-fingerprinting/
  • 14.
  • 15.
    Azure Filtering tohide from defenders https://medium.com/@rvrsh3ll/hardening-your-azure-domain-front-7423b5ab4f64
  • 16.
    Phishing Payload • HTA •SharpShooter • TikiTorch • demiguise • EvilClippy
  • 17.
    Active Directory • SUCCESS! •Where do we start • Enumerate local machine • PSP’s • Whoami ? • What tools/scripts can I run • Manual Enumeration of AD • Bloodhound
  • 19.
    KERBEROASTING • Targets accountswith Service Principal Name • e.g. MSSQLSvc/<FQDN> is assigned to a username • The password of the username is used to sign the TGS provided to the client. • hashcat –m 13100 <TGS> <wordlist> SPN Username MSSQLSvc/SQL01.east.com Oaktree
  • 20.
    Active Directory • SUCCESS! •Where do we start • Enumerate local machine • PSP’s • Whoami ? • What tools/scripts can I run • Manual Enumeration of AD • Bloodhound
  • 21.
    Manual Enumeration • DescriptionField • Get-DomainUser | select Description
  • 22.
  • 23.
  • 24.
    Other ACL types •ForceChangePassword • AddMembers • GenericAll • GenericWrite • WriteOwner • WriteDACL
  • 25.
  • 26.
    Delegation • Unconstrained • Constrained •For a given computer or user account, this attribute specifies the list of service principal names (SPN) corresponding to Windows services that can act on behalf of the computer or user account. • msDS-AllowedToDelegateTo • Resource Based Constrained Delegation • “(specifically msDS-AllowedToActOnBehalfOfOtherIdentity, so rights would include GenericAll, GenericWrite, WriteOwner, etc.) we can abuse this access and a modified S4U Kerberos ticket request process to compromise the computer itself.” • https://www.harmj0y.net/blog/activedirectory/a-case-study-in-wagging-the-dog-computer- takeover/ Accounts trusted for delegation (userAccountControl:1.2.840.113556.1.4.803:=524288)
  • 27.
  • 29.
  • 30.
    • The DataProtection API (DPAPI) helps to protect data in Windows 2000 and later operating systems. DPAPI is used to help protect private keys, stored credentials (in Windows XP and later), and other confidential information that the operating system or a program wants to keep confidential. DPAPI is not responsible for storing the confidential information it protects. It is only responsible for encrypting and decrypting data for programs that call it, such as Windows Credential manager, the Private Key storage mechanism, or any third-party programs that call the CryptProtectData() function and the CryptUnprotectData() function in Windows 2000, Windows XP, or later.
  • 31.
  • 32.
  • 33.
    Notes for Demonstration •Credentials are stored in user's profile. Can use Seatbelt to identify these. • Run vault::cred within Mimikatz before continuing • Usually in: • %appdata%MicrosoftCredentials • %localappdata%MicrosoftCredentials • We can unlock the credential blob by requesting the masterkey as the user by using the /rpc flag • We can unlock any credential blob if we can obtain the masterkey of a domain admin.
  • 34.
  • 35.
  • 36.
    Notes /export - optional- tickets are exported in .kirbi files. They start with user's LUID and group number (0 = TGS, 1 = client ticket(?) and 2 = TGT)