
Introducing TWO New Blog Series: Hack Yourself First!

March 27, 2024

FalconOps is excited to announce the upcoming launch of two new blog post series aimed at highlighting prevalent attack paths identified during security assessments and guiding organizations toward straightforward, yet powerful, strategies to eliminate these vulnerabilities and reduce their attack surface.

This introductory post outlines what readers can anticipate in the forthcoming months, providing a snapshot of each attack technique that will be explored in greater detail in our subsequent entries. If the concepts or terminology seem unfamiliar at this point, rest assured, our future posts are designed to demystify these topics.

What to Expect

We are introducing two distinct series, with a new entry slated for release roughly every month:

  1. Offensive Security for System Administrators → Designed as a primer on offensive security principles and strategies, this series requires little prior knowledge. It will present clear methods for identifying attack vectors commonly exploited by adversaries, along with recommendations for safeguarding against them.
  2. Securing Active Directory (AD) → Targeted at individuals with a basic understanding of AD concepts or administration, this series will delve into potentially exploitable AD configurations. Discussions will revolve around reasons an organization might choose certain AD setups, how these choices could become targets for threat actors, and alternative configurations that reduce the attack surface while accommodating organizational requirements.

With each installment, FalconOps aims to furnish practical tools (scripts) to facilitate the identification and mitigation of the vulnerabilities addressed. While the topics of our posts are carefully selected to remain relevant and insightful, please note that they are adaptable to ensure alignment with the latest cybersecurity trends. At the time of this announcement, the detailed plans for the content to be featured in each series are as follows:

Offensive Security for System Administrators

  • Stages of an internal pen test and where vulnerabilities come from  
  • Scanning with nmap → identifying exposed services
  • Searching for and modifying CVE exploit code → identifying known vulnerabilities
  • Password attacks: credential stuffing, bruteforcing, password spraying
  • Hashes and hash cracking → converting a dictionary of common passwords to their corresponding hash to see if any match up with a given hash, thus identifying the password
  • Using a vulnerability scanner
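To make the hash-cracking item above concrete, here is a small added audit script (not from the FalconOps series) that hashes a constructed wordlist once, looks every stored hash up in that table, and then shows why a per-account salt forces the same dictionary to be re-hashed for every account. SHA-256 and the sample stores are assumptions for illustration, not any real password store.

```python
import hashlib

# Constructed sample wordlist standing in for a dictionary of common passwords.
COMMON_PASSWORDS = ["password", "123456", "Welcome1", "letmein", "Summer2024"]

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_lookup(wordlist):
    """Hash every dictionary word once; the table is reused against every stored hash."""
    return {sha256_hex(word.encode()): word for word in wordlist}

def audit_unsalted(stored, lookup):
    """stored maps account -> hex hash. Returns account -> matched password."""
    return {acct: lookup[h] for acct, h in stored.items() if h in lookup}

def salted_hex(salt: bytes, password: str) -> str:
    return sha256_hex(salt + password.encode())

def audit_salted(stored, wordlist):
    """stored maps account -> (salt, hex hash). A per-account salt means the
    dictionary must be re-hashed for every account; no shared table is possible."""
    hits = {}
    for acct, (salt, h) in stored.items():
        for word in wordlist:
            if salted_hex(salt, word) == h:
                hits[acct] = word
                break
    return hits

# Constructed sample stores (no real credentials).
UNSALTED_STORE = {
    "alice": sha256_hex(b"Welcome1"),
    "bob": sha256_hex(b"correct horse battery staple"),
    "carol": sha256_hex(b"123456"),
}
SALTED_STORE = {
    "alice": (b"salt-a", salted_hex(b"salt-a", "Welcome1")),
    "bob": (b"salt-b", salted_hex(b"salt-b", "correct horse battery staple")),
}

if __name__ == "__main__":
    weak = audit_unsalted(UNSALTED_STORE, build_lookup(COMMON_PASSWORDS))
    print("accounts with dictionary passwords:", sorted(weak))
    print("salted store, same wordlist:", sorted(audit_salted(SALTED_STORE, COMMON_PASSWORDS)))
```

Accounts whose passwords appear in the wordlist are the ones to force a reset on; the passphrase user is not found either way.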

Attack vectors by service:  

File Transfer Protocol (FTP)

  • Anonymous access → accessing files without a password
  • Plaintext login and data transfers, and secure alternatives

Server Message Block (SMB)  

  • Null session → accessing file shares without a username or password
  • Guest session → accessing file shares as a guest without a password
  • SMBv1 and attacks like EternalBlue → outdated SMB protocol

Microsoft SQL Server (MSSQL)  

  • User impersonation → performing SQL queries as another user  
  • Lateral movement over links → abusing trust between multiple SQL servers
  • Command execution with xp_cmdshell

Simple Mail Transfer Protocol (SMTP)  

  • VRFY, EXPN, and RCPT TO username disclosure → confirming which usernames from a candidate list are valid

HTTP/HTTPS or related (like DNS)  

  • DNS zone transfer → requesting a copy of DNS records to find additional subdomains
  • Directory bruteforcing → finding hidden but accessible directories
  • Subdomain bruteforcing → finding hidden but accessible subdomains
  • Basics of BurpSuite and what each tab is used for
  • Login page bruteforcing → trying username and password combinations in bulk
  • Basic web attacks: command injection, SQLi, XSS, FIV, FUV, or similar → exact attacks to be determined

Active Directory Misconfigurations and Remediation

  • Stages of an internal pen test and where vulnerabilities come from  
  • Utilizing BloodHound to find common Active Directory attack paths
  • LLMNR/NBT-NS poisoning → responding to requests meant for another computer and leveraging that to obtain a password
  • SMB relay → forwarding requests from one computer to another to gain access
  • IPv6 DNS domain takeover → specifying a fake IPv6 DNS server and leveraging that to obtain a password
  • User enumeration and password spraying → finding valid usernames or credentials from a list
  • NTLM theft with URL/LNK/etc files → coercing authentication to an attacker-controlled machine when someone views a network share, and leveraging that to obtain a password
  • AS-REP roasting → obtaining a Kerberos user ticket, and using this to determine the user's password
  • Kerberoasting → obtaining a Kerberos service ticket, and using this to determine the service user's password
  • Pass-the-ticket → dumping cached Kerberos tickets as an administrator and using them to impersonate other domain users
  • Silver ticket, golden ticket, diamond ticket → generating Kerberos tickets for both escalating privileges and establishing persistence
  • Token impersonation → taking on the permissions of another Windows user without knowing their password
  • ACL/ACE abuse → abusing overly permissive permissions to Organizational Units
  • RBCD → abusing msDS-AllowedToActOnBehalfOfOtherIdentity to move to another domain computer
  • Shadow credentials → abusing msDS-KeyCredentialLink to move to another domain computer
  • Kerberos relay → as a regular user, gaining full control as SYSTEM over any machine in domain environments where LDAP signing is not enforced
  • GPO permissions → abusing permissions to modify existing Group Policy Objects or create and link new ones
  • Unconstrained delegation → given permission, acting on behalf of any entity to gain further network access
  • Constrained delegation → given permission, acting on behalf of another specific entity to gain further network access
  • DCSync → requesting a copy of domain information from a Domain Controller
  • OU descriptions → finding confidential information in descriptions for Organizational Units that are accessible to any domain user
  • ADCS ESC1-11 → various documented abuses with Active Directory Certificate Services
  • Domain trusts: inbound, outbound, and bidirectional → abusing trusts between AD domains to move from one domain to another
  • Common older CVEs like ZeroLogon

At FalconOps Cybersecurity, our goal is to demystify security and make it a seamless aspect of organizational operations for everyone. In pursuit of this mission, we are pleased to offer this complimentary blog post series, sharing knowledge and techniques that you can apply with minimal specialized expertise.

We recognize, however, that the hands-on, "DIY" approach may not align with everyone's capacity or preferences. If you're keen on safeguarding your organization against these attack methods but lack the time or resources to delve into them personally, Contact FalconOps to inquire about our hardening assessment services. Our team of experts will conduct thorough checks for these and other potential vulnerabilities, ensuring your systems are secure and giving you peace of mind. Moreover, these assessments are provided at a more cost-effective rate than traditional penetration testing.
