Tips & Tricks

How to Export List of Domain Users in Active Directory Without AD Cmdlets

If you find yourself on a workstation that doesn’t have AD Cmdlets installed, you won’t be able to run things like “Get-ADUser. However, you can use the following commands in PowerShell to output a list of domain users and format it in a way that is helpful for password spraying attacks.

# store the results in an array.
$results = net group "Domain Users" /domain

# the size of the header and footer is always the same. select the data between these sections.
$results = $results[8..($results.Length-3)]

# replace the empty spaces with a comma. join on the comma, getting rid of blank lines.
foreach($result in $results) { 
    ($result -replace '\s+',',') -split ',' | ? { $_ } >> 'adusers.txt'
}

General Blog, Pentesting

Practical Network Penetration Tester (PNPT) Exam Review – TCM Security

In early July of 2021, I decided to take on TCM Security’s new PNPT certification and passed it on my first attempt! This post intends to serve as a review of my experience, as well as help answer some of the common questions that I’ve seen online regarding the exam.


What is the PNPT?

The exam begins with external enumeration and some OSINT in order to get your initial foothold. Once you have that, you’ll pivot inside the environment with the ultimate goal being to compromise a domain controller and set up some sort of persistence.

There are a number of machines in the internal network, and you’ll need to compromise each one of them before you’re able to make it to the end objective. To do this, you’ll need to know techniques for Active Directory enumeration, exploitation, lateral movement, and some privilege escalation.

There are no limitations on tools (including LinPEAS and Metasploit). Five day time limit to hack, with an extra two days to write and submit your report. The exam is not proctored and getting going is as simple as paying for the exam and getting it scheduled.

If you fail, you will get a 2nd attempt for free.


My Background.

Let’s take a step back so I can share who I am and what knowledge I had going into the PNPT. As a teen, I knew I wanted to become an ethical hacker and eventually explore the world of Pentesting. I graduated with an associates degree (2yr) in Cyber Security & Networking in 2016, but that really didn’t mean much since I finished that program with zero certifications. Really, it gave me the baseline understanding of security, networking, and computer concepts – enough to get me started in IT.

As soon as I graduated, I started working help desk for a small MSP. Before long, I became the lead technician there, an IT Manager, and helped hire and mentor every technician that we brought on to our team. Doing that for four years helped me learn a lot about Systems Administration, TCP/IP Networking, Office 365, Active Directory, PowerShell, etc. This job was great, but it wasn’t Pentesting – and I started to lose hope that I would ever make my dream a reality.

2019 is when that changed. I went to Defcon for the first time and really started to get involved with the Infosec community. When I got back home, I came across Heath Adams’ (the Founder of TCM Security) YouTube channel through his free 14hr “Zero to Hero” Ethical Hacking Course. The content on his channel helped me realize that becoming a Pentester is possible – you just have to put in the work.

Through his encouragement, I started down the OSCP path before 2019 was over, and unfortunately have been on it ever since. Countless hours of learning, and over $2,000 later, here I am in 2021 getting ready to take on the OSCP exam for the 5th time.

While I still haven’t earned the OSCP certification yet, I have definitely picked up a ton of skills along the way. I have since started Pentesting full time, and now help companies find vulnerabilities within their infrastructure, networks, and web applications. I have been doing this for a little over a year as of writing this post.


Why I Chose the PNPT

In late April, TCM Security announced the PNPT certification. By this point in time, I had already felt comfortable performing external and internal network penetration tests for real live companies, so taking on the PNPT was really only something I was interested in doing for two reasons:

  1. To support TCM Security. In many ways, I have always credited TCM Security with giving me the confidence to take the leap, quit my job, and get into Pentesting to begin with. Creating a new certification and taking on the big dogs is no small task, so I wanted to show my support for what they are doing as I know there are others out there that are in a similar situation as I was. Educational content that is easy to understand and affordable is something that this industry needs more of.
  2. To accredit my skills and give myself a boost of confidence. Failing the OSCP as many times as I have definitely doesn’t help with the rampant imposter syndrome that many folks in our community deal with day to day, and I really needed to prove to myself that I know what I’m doing. I had hoped the PNPT would help me verify that – and let me tell you, it really did.


My Exam Experience.

Let’s get down to the exam. The exam process is pretty straightforward and much like what you would expect if you were subcontracted on for a Pentest. You schedule a time for the engagement, that time comes around, and then you’re sent the Engagement Letter that contains the scope, limitations, and objectives. There will also be a VPN pack that you’ll use to connect to the environment and get to hackin’!

I decided to schedule my exam over the fourth of July holiday break since I had Monday off. I started my exam after work on Friday and was able to finish early Sunday afternoon – so roughly after 48 hours. I took the rest of Sunday to write up the report and actually received a reply later that same night, even though it was a US holiday. The 15 minute debrief call was scheduled for the next day, and I was told by the end of that call that I had passed!

I really enjoyed that the exam felt structured in a way where you’re able to make steady progress all the way through. While there are many rabbit holes, the exam felt architected so that you could tell whether or not you were on the right path and it seemed pretty clear that you would have to complete one objective before being able to move on to the next.


Ratings on Various Exam Aspects.

Note: Please keep in mind that these are my opinions as of time of writing. Because of this, these are subject to change in the future and do not represent the opinion of others.

Affordability – 10/10. Out of everything out there, I have not found another course/exam combo that can compete with the price offered by TCM Security. As of when I’m writing this post, the cost for the PNPT exam is $299, with various offers to get all of the training needed to pass for less than $100.

Course materials – 10/10. It’s refreshing to go through an exam where the course materials provided to you are sufficient for being able to pass the exam. For other exams in the industry, such as OSCP, it is common to have to pay an expensive amount for the course materials, and then fork out additional money for supplement materials in order to pass. In my experience, the materials offered by TCM Security Academy is sufficient to be able to pass the exam, with 80% of the necessary material being taught in the Practical Ethical Hacking (PEH) course.

Practicality – 10/10. As the name of the certification suggests, this exam is 100% practical. No multiple choice questions, no true or false – just you, computer systems, and your skills.

Lack of Stress – 8/10. Since you have 5 days before you have to worry about the report, there really isn’t a lot of pressure on this – especially compared to exams like the OSCP, where you only have 24 hours for exploitation. This exam also is not proctored, which can be seen as both a good and a bad thing. Considering there aren’t tool limitations in this exam, proctoring would only really be useful to try and validate your identity so that others don’t take the exam on your behalf. But in the end, you’re really just cheating yourself if you were to do something like that.

Realism – 7/10. There are many components of the exam that are realistic, but there are definitely items of the exam that are not realistic. For example, it never really felt like I was on actual corporate machines. The software installed on the various systems didn’t really make sense, especially when you correlate the job position of the user and the software on the systems. They also sprinkled in comedic bits throughout the exam, which I actually enjoyed quite a bit, but it does remind you that you’re in a fake environment and takes away from the “Real World” feel.

Difficulty – 6.5/10. During the exam, it is easy to feel pressure and get stuck. While I wouldn’t consider this exam difficulty “Advanced”, it was definitely challenging at times and you will find your emotions rising if you let them. Just remember that there are five days to complete this, which helps alleviate some of the pressure and puts things into perspective. You will also need to think a bit “outside the box” at times. You can’t just copy the course materials verbatim to get some attacks to work, rather, you’ll need to understand why the attack works and be able to apply critical thinking in order to successfully exploit them.

Recognition / Credibility – 3/10. This is, without a doubt, the number one drawback of taking the PNPT. As of today, the vast majority of organizations do not know what the PNPT is, nor what skillset it teaches. It is not currently recognizable by majority of HR departments, and likely not recognizable by many hiring managers in Infosec. This is not due to lack of the certification being worth anything, rather just a lack of time and exposure of the certification in the market. While holding this certification will definitely help you explain your skills within a job interview, I do feel like it will take some time before this certification will help you get passed the HR department on it’s own.


PNPT vs OSCP

This conversation could be its own independent post. In short, the OSCP and the PNPT are two very different exams with different requirements, different skillsets, and different objectives. They each hold a place in the market and I find them both valuable for various reasons.

While I do wish certain things about the OSCP and Offensive Security’s business practices were different, I cannot argue against the fact that the OSCP certification process is an extremely valuable experience for anybody getting into the world of Ethical Hacking. I would not be where I am today if it wasn’t for the OSCP journey.

With that said, the OSCP is not real-world realistic. It puts limitations on tools, sets an unrealistic timeframes, and uses unrealistic machines during the exam. The OSCP feels very much like a game in the sense that you’re only looking to pop shells while jumping through hoops – something that an organization doesn’t necessarily care about during a Pentest as long as you help them identify their most critical vulnerabilities.

Again, I could share a lot more on this topic – let me know if this is something you’d want to see.


Additional Tips

Remember the basics. It is easy to overthink things as you go into the exam. Just remember what you’ve learned and hold onto the basics. What is a reverse shell? What is a bind shell? 32bit vs 64bit executables. Common misconfigurations. Basics of enumerating common services. Etc.

Take breaks. This is a common suggestion for any practical exam in the Pentesting space, and it really is something that you must be doing. Don’t bang your head against the wall trying the same thing over and over – make sure to take breaks. Sometimes stepping away and coming back will help you find the item you’ve been missing.

Stay calm. This is a low pressure exam with plenty of time. If you’re ready to pass, you will know. If you’re not, well.. that takes us to my next tip.

Understand that failure is okay. TCM provides a free retake on their exam. Heath told me that only about 40% of their partipants pass on their first attempt, but majority make it on their 2nd. Failing doesn’t make you a loser – quitting does. Get back up, give it another shot, you’ll make it.

General Blog

Your Microsoft Teams chats aren’t as private as you think..

Encrypt and Anonymize Your Internet Connection for as Little as $3/mo with PIA VPN. Learn More

Microsoft Teams is a proprietary business communication platform developed by Microsoft, as part of the Microsoft 365 family of products. Teams primarily competes with the similar service Slack, offering workspace chat and videoconferencing, file storage, and application integration, and is used by hundreds of thousands of organizations across the world.

While some companies have policies that instruct users not to send sensitive information through cleartext channels, like Microsoft Teams, I’ve came across many organizations that do not adopt this behavior. A compromised Office 365 account could lead to all kinds of trouble, including giving an attacker access to communicated passwords, AWS keys, or PII through Microsoft Teams. To help counter this, companies may implement strict Conditional Access Policies and require MFA in order to gain access to a user’s Office 365 account. But what if I told you that you didn’t need the Office 365 account to read messages sent in Microsoft Teams?

Follow along and I’ll show you how access to a hard drive could be all an attacker needs to gain access to your “secret” Teams chats.


Where do Microsoft Teams messages live?

It’s no secret that Microsoft Teams is a cloud-based collaboration tool, so there is no doubt that the data sent to/from Microsoft Teams is stored in Microsoft’s cloud. However, it turns out that chat messages sent through Microsoft Teams also gets stored locally on a filesystem in the following location.

%AppData%\Microsoft\Teams\IndexedDB\https_teams.microsoft.com_0.indexeddb.leveldb

Within this directory is a .log file that contains a lot of information. At first glance, you may think the file just contains a bunch of computer gibberish, but sorting through the data can reveal some valuable secrets.


Let’s prove a concept.

So take a scenario where an end-user asks another end-user for help signing into an account. In this case, Michael Scott is asking Pam for his computer login since he can never remember. He sends the message through Teams, perhaps on his phone, and Pam replies.

Now let’s go review that log file on either one of their computers that has Teams up and running. Any user that has local administrator access to this computer would be able to access this file, even for other users on the system.

Surely there is a way to parse this data natively in Windows, but the following command works very nicely in Linux, so I will just copy the log file off the system and place it onto my Kali box.

cat teams.log | grep \<div\> -A 2 | grep '\<div\>\|display' | cut -d ">" -f 2 | cut -d "<" -f 1 | uniq | sed 's/imdisplayname//g' | tr -d \" 

The output of the command isn’t the most graceful, but there’s enough text here to make out the gist of the conversation.

@_Xenov made a PowerShell parser that you can find below, or on GitHub.

$firstString = "<div"
$secondString = "div>"

$importPath = "$Env:AppData\Microsoft\Teams\IndexedDB\https_teams.microsoft.com_0.indexeddb.leveldb\*.log"

$text = Get-Content $importPath

#Sample pattern
$pattern = "(?<=$firstString).*?(?=$secondString)"

$output = [regex]::Matches($text,$pattern).value

$hash = @{} 
echo $output | %{if($hash.$_ -eq $null) { $_ }; $hash.$_ = 1} 

Why do we care?

Armed with this information, why does this matter? This is an important attack vector for the following reasons.

Organizations that communicate credentials over Microsoft Teams. As a Penetration tester, I’ve seen passwords, social security numbers, addresses, AWS keys, sensitive admin panels, and much more be communicated through Microsoft Teams. All of this could be potentially accessible to any user who gains access to a system or hard-drive that has ran the software.

Organizations that give everybody local admin rights. Many organizations still provide end-users local admin rights on their computer systems. Imagine a scenario where an end-user is compromised and runs a piece of malware that made it through the email security filter. This would allow a remote, unauthenticated threat actor full access to the filesystem, and therefor, any Microsoft Teams chat logs on this system.

Organizations that assign multiple users to the same system. Given that a user has a local admin rights, they’d have read access to any other user’s AppData directory. This would allow them to read the messages of other users on the same system as them, without ever generating access logs or needing to authenticate to Office 365.

Old hard drives that aren’t properly encrypted or wiped. When’s the last time you discarded a computer or hard-drive? Did you wipe it first? Did you ensure that all blocks on the drive has been rewritten? Did you have encryhption enabled before-hand? If the answer to any of these questions is “no”, then the next owner of that hard-drive may be able to read your Teams chat history.


Where do we go from here?

I’ve only performed very little research on this so far, and I’m left with many questions.

  1. How long do these chat messages stay in the log file?
  2. Is this limited to only chat messages, or can we extract details about Team Channel updates as well?
  3. What about attachments or images being transferred?
  4. Can scripts or tools be written to easily parse this in a much more efficient manner?

While I will continue to research this and develop my own tools, this is where I look to the community. If you know of security research on this topic, or a tool that is already developed that can easily parse these log files, please let me know.

This article may be updated as time goes on.

WebApp 101

Panning for Gold in JavaScript Files Using Burp Suite and Grep

Want to learn how to hack things without breaking the bank? Check out TCM Academy. Learn more

As part of a webapp pentest, or when hunting for bug bounties, being able to find API endpoints, URIs, and sometimes even commented credentials/API keys through Javascript files is a good skillset to have. Luckily, using Burp Suite and Grep, it’s pretty trivial to hunt for this information.

Note: This post is fairly incomplete and will be updated as time goes on.


To begin, make sure you have your Burp Suite project capturing data as you browse the application. Manually crawl the website by navigating to every page and feature that you can find. Then, have Burp Suite crawl the page and do some enumeration of its own. Don’t skip this part, and make sure you do a thorough job, or you may be leaving Javascript files undiscovered.

Once properly enumerated, let’s extract all of the scripts that we can. This can be done by navigating to the Target tab, and selecting Site Map. Right click the target URL, head over to Engagement Tools, and then select Find Scripts.

Let’s start by updating our box installing Pip, and installing JavaScript Beautifier.

sudo apt update -y && sudo apt upgrade -y
sudo apt install python3-pip -y
sudo pip3 install jsbeautifier

Once you have the tool installed, run it specifying your input and output files.

js-beautify -o beautify.js input.js

Now that the output in cleaned up, you can get started grepping through it for gold!


Helpful grep commands

To find all that contain cmsapi:
grep --color -E "'\/cmsapi\/[^']+'" beautify.js

Or you could cat and pipe to grep:
cat beautify.js | grep -i passw

To find all items between single or double quotes:
grep --color -E "'\/[^']+'|\"\/[^\"]+\"" beautify.js

To find all IP addresses:
grep -E -o "([0-9]{1,3}[.]){3}[0-9]{1,3}" beautify.js

Tips & Tricks

Adding/Fixing Color Within Tmux on Ubunutu

I’ve found that anytime I spin up an Ubuntu system, whether in Digital Ocean, Google Cloud, or even through Windows Subsystem for Linux, color doesn’t seem to be working properly.

To fix this, there is a handy workaround that is very simple to implement.


First, let’s create a bash alias so that launching Tmux will actually launch with color settings configured. Start by editing the following file.

vi ~/.bash_aliases

Then add the following line.

alias tmux="TERM=xterm-256color tmux"

Now we will modify our Tmux configuration file as well.

vi ~/.tmux.conf

And add the following line.

set -g default-terminal "screen-256color"

Then we will restart Tmux.

tmux kill-server && tmux

Or you could just run these commands.

sudo echo "alias tmux=\"TERM=xterm-256color tmux\"" >> ~/.bash_aliases
sudo echo "set -g default-terminal \"screen-256color\"" >> ~/.tmux.conf
tmux kill-server && tmux

That’s it! Launch Tmux and you should now have color.

Hacking Tutorial

Linux Privilege Escalation: Weak File Permissions – Writable /etc/passwd

The /etc/passwd file contains information about user accounts. It is world-readable, but usually only writable by the root user. Historically, the /etc/passwd file contained user password hashes, and some versions of Linux will still allow password hashes to be stored there. If we have write access to this file as a low level user, we can abuse this privilege to actually overwrite the root user’s password hash.


Method 1 – Overwriting root password

Do do this, let’s first check the file permissions on the /etc/passwd file. In our example, we can see that our user account has read/write access.
ls -la /etc/passwd

Now we can use openssl to generate a new password hash in the format used by /etc/passwd.
openssl passwd <newPassword>

Now let’s edit the /etc/passwd file and paste the newly generated hash between the first and second colon.
vi /etc/passwd

Finally, we can switch to the root user using the new password.
su root


Method 2 – Creating a new user account

Alternatively, you could have also created a new user account with root group membership. This can easily be done in two steps:

  1. Copy the root user line, and paste it to the bottom of the /etc/shadow file.
  2. Place a password hash that you control between the first and 2nd colon.

Once this is done, you can simply switch to the new user.
su newroot

Hacking Tutorial

Linux Privilege Escalation: Weak File Permissions – Writable /etc/shadow

The /etc/shadow file contains user password hashes and is usually readable only by the root user. When this file is misconfigured, and global write access is allowed, this can allow us to overwrite the root password hash with one that we control.

Do do this, let’s first check the file permissions on the /etc/shadow file. In our example, we can see that our user account has read/write access.
ls -la /etc/shadow

Knowing that we can write to this file, let’s create a password hash that we control. While all we need to do is generate a SHA-512 hash, we can actually use a pre-installed utility called mkpasswd to generate one for us.
mkpasswd -m sha-512 <newPassword>

Copy the hash that gets generated, and lets go edit the /etc/shadow file.
vi /etc/shadow

You’ll want to paste the password between the first and second colon symbols. If a hash is present, overwrite it.

Once the file has been changed, you can now switch to the root user using the password you passed to the mkpasswd command.
su root

Enumeration Cheatsheets

Wireshark Filters Cheatsheet

There are literally hundreds of these type of posts on the internet, with one of my favorites being https://wiki.wireshark.org/CaptureFilters. However, I wanted to create this ‘short’ list that contains my favorite go-to’s after performing Man in the Middle attacks.

This post will be updated as time goes on.

Understanding the Packet Capture

Before diving too deep, it’s always a good idea to get an idea of what type of traffic was captured so you know which filters to apply.

Viewing Protocol Statistics:
In the Menu, click on Statistics and select Protocol Hierarchy.


Filtering HTTP

If non-encrypted HTTP traffic was captured, we may be able to extract juicy details.

View all plaintext HTTP GET requests:
http.request.method == "GET"

View all plaintext HTTP POST requests:
http.request.method == "POST"

Filtering by specific redirect location:
http.location == login_success.php

To export HTTP objects (such as images or pages):
Select File. Click on Export Objects, and then HTTP.

Remember to always Right-Click a packet, and Follow the TCP Stream to get more details from the raw data.


Filtering FTP

FTP is pretty simple, since all traffic is sent in plaintext.

To view all FTP related traffic:
ftp

To export FTP objects (such as transferred files):
Select File. Click on Export Objects, and then TFTP.

Remember to always Right-Click a packet, and Follow the TCP Stream to get more details from the raw data.


Filtering SMB

SMB is a favorite to capture, as it is usually not encrypted and you may be able to exfiltrate files over the wire.

To view packets related to SMB files:
smb.file

To export SMB objects (such as transferred files):
Select File. Click on Export Objects, and then SMB.

Tips & Tricks

Tcpdump Cheatsheet

This post contains various commands that may come in useful when utilizing tcpdump. This article will be expanded upon as time goes on.


Basic Usage

Run tcpdump to collect traffic:
sudo tcpdump -i <interface>

Run tcpdump with verbosity:
sudo tcpdump -i <interface> -v

Disable DNS Conversation:
sudo tcpdump -i <interface> -n

Quieter output:
sudo tcpdump -i <interface> -q

Specify the number of packets to capture:
sudo tcpdump -i <interface> -c 100


Applying Filters

Filter based on ICMP requests:
sudo tcpdump -i <interface> icmp

Filter based on IP or hostname:
sudo tcpdump -i <interface> host <hostname>

Filter based on specific source/destination address:
sudo tcpdump -i <interface> src 10.0.0.1 and dst 10.0.0.2

Rather than filter based on source/destination, you can use Grep:
sudo tcpdump -i <interface> | grep <ipAddr>


Saving / Reading Output

To save output to a text file:
sudo tcpdump -i <interface> -w output_file.txt

To read output from a text file:
sudo tcpdump -i <interface> -r output_file.txt

Enumeration Cheatsheets

Enumerating SNMP for Pentesting (UDP Ports 161, 162)

This post contains various commands and methods for performing enumeration the SNMP service. This article will be expanded upon as time goes on.


Using NMAP

Bruteforcing community strings:
sudo nmap -sU -p 161 --script snmp-brute <ipAddr>

Bruteforcing community strings with custom wordlist:
sudo nmap -sU -p 161 --script snmp-brute --script-args snmp-brute.communitiesdb=/usr/share/seclists/Discovery/SNMP/common-snmp-community-strings.txt <ipAddr>

Enumerate users on remote machine:
sudo nmap -sU -p 161 --script snmp-win32-users <ipAddr>

Enumerate services on remote machine:
sudo nmap -sU -p 161 --script snmp-win32-services <ipAddr>

Run all SNMP-related Nmap Scripts:
sudo nmap -sU -p 161 --script snmp-* <ipAddr> -oG nmap/snmp.txt


Using SNMPWALK

Enumerate SNMPv2 with a community string of Public:
snmpwalk -v2c -c public <ipAddr>

To search for installed software:
snmpwalk -v2c -c public <ipAddr> hrSWInstalledName

To search amount of RAM on the host:
snmpwalk -v2c -c public <ipAddr> hrMemorySize

Note: There are additional OIDs that you can provide to enumerate specific information.


Using ONESIXTYONE

To brute-force communities:
onesixtyone -c /usr/share/doc/onesixtyone/dict.txt <ipAddr>


Using SNMPSET

To change an OID to a different value:
snmpwalk -v2c -c public <ipAddr> <OID> <newValue>

To change the sysContact OID:
snmpwalk -v2c -c public <ipAddr> sysContact <newValue>