Délégation contrainte Kerberos avec transition de protocole

    P.S: an english version will be translated soon.


    Aujourd’hui nous allons parler de l’exploitation des extensions de protocole Kerberos S4U2Self et S4U2Proxy afin d’impersonifier un utilisateur privilégié du domaine.

    L’objectif de ce post est de nous concentrer sur la délégation contrainte avec transition de protocole que nous abrègerons T2A4D (TrustedToAuthForDelegation); comment l’énumérer, comment l’exploiter et s’en servir comme méthode de persistance.

    Read more ...

    More BloodHound Cypher queries


    In this blog post i will share my Cypher queries which i’m using in my daily engagements. I aim to be complementary to the cheatsheets you can found out there and to the default queries you will find in BloodHound.

    Read more ...

    SecurityTube Advanced Red Team Lab training - Worth it ?

    Quick answer: Totally !

    Hello everybody,

    I would like to talk a bit about the SecurityTube red team labs, specifically the Advanced Red Team Lab which leads to the CRTE (Certified Red Team Expert) certification. P.S: i’m not affiliated with securitytube.

    Some great reviews are already existing, so i will focus on why i chose this lab and certification. I will give you some hints about how to approach your targets. Most importantly, i would like to introduce you a tool that i developped which will help you during your journey, Invoke-Recon.

    Read more ...

    What solutions to prevent git leaks ?


    I will do a quick and dirty post about what’s out there to find / prevent leaks of secrets in your git repositories.
    I did not try all of these tools. For the search part, i’m mainly using a fork of Trufflehog with some added features (search in filenames, commits comments, also with custom regexes).

    Objectives :

    • Look into the commits history for sensitive information publicly accessible by an attacker ;
    • Prevent secrets leaks ;
    • Monitoring and integrating these checks in the Continous Delivery process - aka DevSecOps
    Read more ...

    Gathering some information from web exposed GIT repositories

    Hello folks,

    Last week, while i was doing recon on some websites, i noticed that we can still found some versioning repositories in production. I found some classic .git exposed, and in a lesser extent some .svn directories. I decided to gather a bunch of websites caught in the TOP Alexa in order to look for the proportion of .git exposed; with 112332 domains scanned (mixed TLDs), i found 453 .git exposed, which is only 0.4%. Not bad.

    How to scan for web exposed git directories:
    nmap --open -PN -n -p80,81,82,8000,8080,443,8443,9443 --script http-git -oA http-git -iL domains.lst

    Read more ...