In part one of this series, we discussed how attackers may attempt to gain persistence in Active Directory by forging Kerberos tickets, as well as ways to detect these efforts. In this part, we’ll discuss another method attackers may use: domain replication abuse.
Vulnerabilities can be found in just about any type of software—and even some pieces of hardware. Threat actors are all too eager to take advantage of these vulnerabilities, leveraging them to gain access to or escalate privileges in an organization’s IT infrastructure. When these vulnerabilities are discovered before the vendor is aware of them, they are known as zero-day threats.
In the first Inside the Mind of an Attacker series, we walked through scenarios of potential attacks on Active Directory, as well as techniques on how to identify and avoid breaches.
As data breaches continue to dominate the headlines, suggestions for enhancing your cybersecurity stance are everywhere. While much of this advice may be worth following, it’s often complicated, entailing multi-step processes or requiring expert intervention. However, before you start exploring advanced options, it’s important to begin with the basics. When it comes to cybersecurity, the simplest advice is to always implement patches.
In part 8, we solved ABO3 using IDA FREE. In this part, we’ll use Radare to solve ABO4.
Updating Radare and Cutter
First, we’ll need to update to the new version of Cutter, the Radare GUI. A pop-up will prompt us to update whenever there is a new version:
1. Advisory Information
Title: Cisco AnyConnect Posture (HostScan) Security Service CVE-2021-1366 Bypass
Advisory ID: CORE-2021-0002
Advisory URL: https://www.coresecurity.com/core-labs/advisories/cisco-anyconnect-posture-hostscan-security-service-bypass
Date published: 2021-06-16
CVE-2021-26897 is a DNS server RCE vulnerability triggered by sending many consecutive Signature RR Dynamic Updates. It is an out-of-bounds (OOB) write on the heap that occurs when the server combines those consecutive Signature RR Dynamic Updates into base64-encoded strings before writing them to the zone file.
In part 7, we solved ABO2 in GHIDRA. In this part, we’ll use IDA FREE to solve ABO3.
As is the case with all of the ABOs, the goal is to run the calculator or some other executable that we want.
Unfortunately, the reality of cybersecurity is that attackers will sometimes succeed in breaching an IT environment. Accepting this probability allows you to focus on learning how to detect a breach and manage such attacks.
Cybersecurity expert Julio Sanchez demonstrates approaches threat actors may take in an attempt to gain persistence after compromising Active Directory. Learn how each technique leaves different signs of compromise and how open-source tools can be used to spot them.