ITSEC Newsletter 2023-07-13

Red team is best team

"The intention of this post is to provide basic queries for targeted AD DS information gathering used in penetration testing. The reader can pick their poison when deciding how to deliver them. Some delivery method examples include vbscript, powershell (e.g. adsi and adsisearcher type accelerators), dsquery, ADExplorer, AdsiEdit, javascript, win32API, .NET languages, ldapsearch, adfind, adsearch, and likely many others. Equally, defenders can use these queries to test their detection capabilities when large traffic spikes may not be produced, see what attackers will see from various perspectives within their environment, and aid in remediating domain privilege escalation and lateral movement opportunities from breached hosts."
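As an added illustration of the "pick your poison" delivery point (this is not code from the quoted post), the same kind of targeted queries delivered through the `[adsisearcher]` type accelerator. It assumes a domain-joined host and any domain user's credentials; the base DN is read from RootDSE, and the `userAccountControl` bit values and the `1.2.840.113556.1.4.803` bitwise-AND matching rule are the documented ones. Query names and the `Invoke-AdQuery` helper are my own.

```powershell
# Added example (not from the quoted post): targeted AD DS queries via [adsisearcher].
# Assumes a domain-joined host; the domain is discovered from RootDSE.
$rootDse = [adsi]'LDAP://RootDSE'
$baseDn  = $rootDse.defaultNamingContext
$domain  = [adsi]"LDAP://$baseDn"

# Documented userAccountControl bit flags used in the filters below.
$UAC_ACCOUNTDISABLE         = 0x2
$UAC_DONT_EXPIRE_PASSWD     = 0x10000    # 65536
$UAC_TRUSTED_FOR_DELEGATION = 0x80000    # 524288 (unconstrained delegation)
$UAC_DONT_REQ_PREAUTH       = 0x400000   # 4194304 (AS-REP roastable)

# LDAP_MATCHING_RULE_BIT_AND: tests a single bit of an integer attribute.
$BitAnd = '1.2.840.113556.1.4.803'
$User   = '(&(objectCategory=person)(objectClass=user)'

$queries = [ordered]@{
    'Kerberoastable (SPN set, enabled, not krbtgt)' = "$User(servicePrincipalName=*)(!(sAMAccountName=krbtgt))(!(userAccountControl:$BitAnd:=$UAC_ACCOUNTDISABLE)))"
    'AS-REP roastable (pre-auth not required)'      = "$User(userAccountControl:$BitAnd:=$UAC_DONT_REQ_PREAUTH))"
    'Unconstrained delegation (computers)'          = "(&(objectCategory=computer)(userAccountControl:$BitAnd:=$UAC_TRUSTED_FOR_DELEGATION))"
    'Constrained delegation configured'             = '(msDS-AllowedToDelegateTo=*)'
    'Protected by AdminSDHolder (adminCount=1)'     = "$User(adminCount=1))"
    'Password never expires'                        = "$User(userAccountControl:$BitAnd:=$UAC_DONT_EXPIRE_PASSWD))"
    'Users with a description (credential leaks)'   = "$User(description=*))"
}

function Invoke-AdQuery {
    param([string]$Filter, [string[]]$Properties, [int]$PageSize = 1000)
    $searcher = [adsisearcher]$Filter
    $searcher.SearchRoot = $domain
    $searcher.PageSize   = $PageSize     # paged results sidestep the 1000-entry server limit
    $searcher.PropertiesToLoad.AddRange($Properties)
    foreach ($r in $searcher.FindAll()) {
        $o = [ordered]@{}
        foreach ($p in $Properties) {
            # multi-valued attributes (e.g. servicePrincipalName) are joined for display
            $o[$p] = @($r.Properties[$p]) -join ';'
        }
        [pscustomobject]$o
    }
}

foreach ($name in $queries.Keys) {
    Write-Host "`n== $name ==" -ForegroundColor Cyan
    Invoke-AdQuery -Filter $queries[$name] -Properties 'samaccountname','distinguishedname','useraccountcontrol','serviceprincipalname','description' |
        Format-Table -AutoSize
}
```

Each query is an ordinary LDAP search over a single connection, so nothing here produces a traffic spike; a defender who wants to see it has to log the searches on the domain controller (for example with Directory Service diagnostic logging) rather than wait for a volume alert.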

"For many XSS vulnerabilities we can craft a malicious URL that will run our payload if a user clicks the link, say in a phishing email. Sometimes we can inject our payload into the application and it is stored in the database before being served up to other users later when they access specific areas of the application. But with a reflected POST-based XSS vulnerability, the payload has to be typed into a form or field on the webpage, submitted, and the payload runs in the response to that POST. We would need to convince a user to manually type our malicious payload into the application and submit it in order to get our payload to run in their browser, which is a scenario even the best of social engineers would consider unlikely. Due to how difficult the vulnerability is to exploit, reflected POST-based XSS vulnerabilities are often relegated to the lower severity findings in penetration test reports. There are a few scenarios however where these vulnerabilities are perfectly exploitable. Reflected POST-based XSS just needs to be chained with other vulnerabilities."

"On a Windows machine, we can find users’ certificates stored in files in C:\Users\\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates (i.e. “%APPDATA%\Microsoft\SystemCertificates\My\Certificates”). These files have seemingly random names (e.g. “3B86DFC25CFB1B47EB4CBF53FD4028239D0C690E”) and no extension. What is their format? How do we open them in code? With which Windows APIs?"
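An added example of reading one of those files (this is my code, not the quoted post's). It assumes the layout of a CryptoAPI "serialized certificate element": repeated records of a 4-byte property ID, a 4-byte reserved value (observed as 1), a 4-byte data length and the data, with property 32 (`CERT_CERT_PROP_ID`) carrying the DER-encoded certificate as the last record; the other property IDs named below are the CryptoAPI ones from wincrypt.h. The file name is the SHA-1 thumbprint, which the script checks against the parsed certificate. `Read-SerializedCertElement` is my own helper name.

```powershell
# Added example (not from the quoted post): parse a serialized certificate element from
# %APPDATA%\Microsoft\SystemCertificates\My\Certificates and rebuild the X509Certificate2.
# Assumed layout per record: [UInt32 propId][UInt32 reserved=1][UInt32 cbData][cbData bytes].
param([Parameter(Mandatory)][string]$Path)

$PropNames = @{
    2  = 'CERT_KEY_PROV_INFO_PROP_ID'   # CRYPT_KEY_PROV_INFO: which CSP/KSP container holds the private key
    3  = 'CERT_SHA1_HASH_PROP_ID'
    4  = 'CERT_MD5_HASH_PROP_ID'
    11 = 'CERT_FRIENDLY_NAME_PROP_ID'   # NUL-terminated UTF-16LE string
    20 = 'CERT_KEY_IDENTIFIER_PROP_ID'
    32 = 'CERT_CERT_PROP_ID'            # the DER certificate itself
}

function Read-SerializedCertElement {
    param([byte[]]$Bytes)
    $props = @{}
    $pos = 0
    while ($pos + 12 -le $Bytes.Length) {
        $propId = [BitConverter]::ToUInt32($Bytes, $pos)
        # bytes $pos+4..$pos+7 are the reserved field (observed as 1); not needed to parse
        $cbData = [int][BitConverter]::ToUInt32($Bytes, $pos + 8)
        $pos += 12
        if ($pos + $cbData -gt $Bytes.Length) { throw "Truncated record for property $propId at offset $pos" }
        $data = New-Object byte[] $cbData
        [Array]::Copy($Bytes, $pos, $data, 0, $cbData)
        $props[[int]$propId] = $data
        $pos += $cbData
        if ($propId -eq 32) { break }   # the certificate record closes the element
    }
    if (-not $props.ContainsKey(32)) { throw 'No CERT_CERT_PROP_ID (32) record found; not a serialized certificate element?' }
    return $props
}

$raw   = [IO.File]::ReadAllBytes($Path)
$props = Read-SerializedCertElement $raw

# Dump the extended properties stored alongside the certificate.
foreach ($id in ($props.Keys | Sort-Object)) {
    $name = if ($PropNames.ContainsKey($id)) { $PropNames[$id] } else { "prop_$id" }
    $val = switch ($id) {
        11      { [Text.Encoding]::Unicode.GetString($props[$id]).TrimEnd([char]0) }
        default { [BitConverter]::ToString($props[$id]) -replace '-' }
    }
    if ($val.Length -gt 64) { $val = $val.Substring(0, 64) + '...' }
    '{0,-30} {1}' -f $name, $val
}

# Property 32 is plain DER, so the .NET certificate class can load it directly.
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($props[32])
$cert | Format-List Subject, Issuer, NotBefore, NotAfter, Thumbprint

# Cross-check: the file name is the SHA-1 thumbprint of the embedded certificate.
$expected = [IO.Path]::GetFileName($Path).ToUpperInvariant()
if ($cert.Thumbprint -ne $expected) {
    Write-Warning "File name $expected does not match certificate thumbprint $($cert.Thumbprint)"
}
```

Usage: `.\Read-CertElement.ps1 -Path "$env:APPDATA\Microsoft\SystemCertificates\My\Certificates\3B86DFC25CFB1B47EB4CBF53FD4028239D0C690E"` (script name is hypothetical). The private key is never in this file: property 2 only names the key container, and the key material lives with the CSP/KSP (for example under `%APPDATA%\Microsoft\Crypto`). On the native side, crypt32's `CertAddSerializedElementToStore` consumes this same element format and returns a `CERT_CONTEXT` with the properties attached, which is the route to take when you want the key association preserved rather than just the DER.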