In this post, we will look at a few tools that we can use to enumerate MSRPC over SMB through UDP port 135, as well as TCP ports 135, 139, and 445. We will start by learning about MSRPC, NetBIOS and SMB, as well as how all three services tie together. Enumeration will begin with […] The post AD Recon – MSRPC Over SMB (135/139/445) first appeared on Juggernaut Pentesting Blog. | Juggernaut Pentesting Blog
The PetitPotam technique is still fresh in people's minds. While it's not directly an exploit, it's a useful step to get unauthenticated NTLM from a privileged account to forward to something like the AD CS Web Enrollment service to compromise a Windows domain. Interestingly, after Microsoft initially shrugged about fixing any of this, they went and released a fix, although it seems to be insufficient at the time of writing. | Tyranid's Lair
As part of updating NtApiDotNet to v1.1.28 I added support for Kerberos authentication tokens. To support this I needed to write the parsing code for Tickets. The majority of the Kerberos protocol uses ASN.1 encoding; however, some Microsoft-specific parts such as the Privileged Attribute Certificate (PAC) use Network Data Representation (NDR). This is due to these parts of the protocol being derived from the older NetLogon protocol, which uses MSRPC, which in turn uses NDR. | Tyranid's Lair
I did promise that I'd put out a blog post on how the Windows RPC filter works. Now that I released my more general blog post on the Windo... | www.tiraniddo.dev