Recent Posts

The worst of both worlds: Combining NTLM Relaying and Kerberos delegation

5 minute read

After my in-depth post last month about unconstrained delegation, this post will discuss a different type of Kerberos delegation: resource-based constrained delegation. The content in this post is based on Elad Shamir’s Kerberos research and combined with my own NTLM research to present an attack that can get code execution as SYSTEM on any Windows computer in Active Directory without any crede...

“Relaying” Kerberos - Having fun with unconstrained delegation

26 minute read

There have been some interesting new developments recently to abuse Kerberos in Active Directory, and after my dive into Kerberos across trusts a few months ago, this post is about a relatively unknown (from attackers perspective), but dangerous feature: unconstrained Kerberos delegation. During the writing of this blog, this became quite a bit more relevant with the discovery of some interesti...

Abusing Exchange: One API call away from Domain Admin

11 minute read

In most organisations using Active Directory and Exchange, Exchange servers have such high privileges that being an Administrator on an Exchange server is enough to escalate to Domain Admin. Recently I came across a blog from the ZDI, in which they detail a way to let Exchange authenticate to attackers using NTLM over HTTP. This can be combined with an NTLM relay attack to escalate from any use...

Active Directory forest trusts part 1 - How does SID filtering work?

16 minute read

This is the first post in a series on cross-forest Active Directory trusts. It will explain what exactly Forest trusts are and how they are protected with SID filtering. If you’re new to Active Directory trusts, I recommend you start by reading harmj0y’s in-depth guide about them. After reading his (excellent) post I had lots of questions about how this actually works under the hood and how tru...