The Quickest Route To Domain Admin?
Also, stop using ChatGPT for coding
Yoo, welcome to Issue #11 of Navigating Security.
Quote of the week:
Getting domain admin is exciting, but it is just the beginning.
What To Expect
- The quickest route to domain admin - ADCS?
- You should stop writing code with AI tools - it increases code churn
- A comprehensive web application pentesting and bug bounty checklist
This Week's YouTube Video:
The newsletter is currently not sponsored
The quickest route to Domain Admin
There's an article that went viral a couple of years ago that highlighted the top five ways you can pwn a domain before lunchtime. Much as those attack paths are still relevant today, there are relatively newer attack paths that seem to always get you to domain admin. I say relatively because Specterops dropped this research and reignited the AD buzz in 2021!
I did two internal penetration tests this past month and one route that always led to DA was some sort of misconfiguration in Active Directory Certificate Services (ADCS). I wonder why this is still an issue in 2024. Is it the fact that you have to configure multiple components such as certificate templates, certificate revocation lists (CRLs), key archival, and certificate enrollment policies? Is it some lack of awareness? IDK
Of note, nearly every environment with AD CS that we've examined for domain escalation misconfigurations has been vulnerable. It's hard for us to overstate what a big deal these issues are.
If you do not know what ADCS is, here is what Specterops has to say:
AD CS is Microsoft's PKI implementation that provides everything from encrypting file systems, to digital signatures, to user authentication (a large focus of our research), and more. While AD CS is not installed by default for Active Directory environments, from our experience in enterprise environments it is widely deployed, and the security ramifications of misconfigured certificate service instances are enormous.
Here are some resources for y'all to start your deep dive into ADCS:
Intro Blogs With Examples from BHIS:
Specterops Blog & Whitepaper:
Tryhackme Room:
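The certificate-template misconfiguration the section keeps running into is the one where a low-privileged user can enroll in a template that lets the requester pick the subject and that issues certificates usable for domain authentication. The audit below is an added example (not code from this newsletter or from Specterops) that evaluates that combination over template records. The TEMPLATES list is constructed to mirror the LDAP attributes of template objects under CN=Certificate Templates,CN=Public Key Services,CN=Services in the Configuration partition, with an assumed enroll_sids field standing in for the Enroll ACEs of each template's security descriptor; in a real audit you would fill it from an LDAP query and a parse of the ACL.

```python
"""Audit AD CS certificate templates for the 'enrollee supplies subject'
combination that lets a low-privileged user request an authentication
certificate for an arbitrary principal.

Added example, not code from the newsletter or from Specterops. Flag bits
and EKU OIDs are the real values; the template records and SIDs below are
constructed sample data.
"""

# Bits of msPKI-Certificate-Name-Flag and msPKI-Enrollment-Flag
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001  # requester chooses subject / SAN
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002          # "CA certificate manager approval"

# EKUs that make an issued certificate usable for Active Directory authentication.
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",        # Client Authentication
    "1.3.6.1.4.1.311.20.2.2",   # Smart Card Logon
    "1.3.6.1.5.2.3.4",          # PKINIT Client Authentication
    "2.5.29.37.0",              # Any Purpose
}

# Principals that mean "practically everyone" when they hold Enroll rights.
# The S-1-5-21-... values use a constructed placeholder domain SID.
LOW_PRIV_SIDS = {
    "S-1-1-0",                     # Everyone
    "S-1-5-11",                    # Authenticated Users
    "S-1-5-32-545",                # BUILTIN\Users
    "S-1-5-21-111-222-333-513",    # Domain Users (placeholder domain SID)
}

HARDENING = [
    "remove CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT so the subject is built from AD",
    "or require manager approval (CT_FLAG_PEND_ALL_REQUESTS) / an authorized signature",
    "or restrict the Enroll ACE to the group that actually needs the template",
]

# Constructed sample templates (enroll_sids is an assumed, pre-parsed field).
TEMPLATES = [
    {   # default-style User template: subject comes from AD, so not flagged
        "name": "User",
        "msPKI-Certificate-Name-Flag": 0xA6000000,
        "msPKI-Enrollment-Flag": 0x29,
        "msPKI-RA-Signature": 0,
        "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2", "1.3.6.1.4.1.311.10.3.4", "1.3.6.1.5.5.7.3.4"],
        "enroll_sids": ["S-1-5-21-111-222-333-513"],
    },
    {   # Web Server clone opened up to Domain Users with client auth added: risky
        "name": "WebServerLegacy",
        "msPKI-Certificate-Name-Flag": 0x00000001,
        "msPKI-Enrollment-Flag": 0x0,
        "msPKI-RA-Signature": 0,
        "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.1", "1.3.6.1.5.5.7.3.2"],
        "enroll_sids": ["S-1-5-21-111-222-333-513"],
    },
    {   # same settings, but manager approval gates issuance
        "name": "WebServerApproved",
        "msPKI-Certificate-Name-Flag": 0x00000001,
        "msPKI-Enrollment-Flag": CT_FLAG_PEND_ALL_REQUESTS,
        "msPKI-RA-Signature": 0,
        "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.1", "1.3.6.1.5.5.7.3.2"],
        "enroll_sids": ["S-1-5-21-111-222-333-513"],
    },
    {   # requester supplies the subject, but only a PKI admin group can enroll
        "name": "AdminSupplied",
        "msPKI-Certificate-Name-Flag": 0x00000001,
        "msPKI-Enrollment-Flag": 0x0,
        "msPKI-RA-Signature": 0,
        "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"],
        "enroll_sids": ["S-1-5-21-111-222-333-512"],   # Domain Admins (placeholder)
    },
]


def template_findings(t: dict) -> list:
    """Return the reasons a template is risky, or [] when any gate is in place."""
    supplies_subject = bool(t.get("msPKI-Certificate-Name-Flag", 0) & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT)
    needs_approval = bool(t.get("msPKI-Enrollment-Flag", 0) & CT_FLAG_PEND_ALL_REQUESTS)
    needs_signatures = t.get("msPKI-RA-Signature", 0) > 0
    ekus = set(t.get("pKIExtendedKeyUsage", []))
    auth_capable = not ekus or bool(ekus & AUTH_EKUS)   # empty EKU list means all purposes
    broad_enroll = bool(set(t.get("enroll_sids", [])) & LOW_PRIV_SIDS)

    if not (supplies_subject and auth_capable and broad_enroll):
        return []
    if needs_approval or needs_signatures:
        return []   # a human or an RA signature still gates issuance
    return [
        "low-privileged principals hold Enroll",
        "requester controls the subject/SAN (ENROLLEE_SUPPLIES_SUBJECT)",
        "EKU permits domain authentication: " + (", ".join(sorted(ekus & AUTH_EKUS)) or "any purpose"),
        "no manager approval or authorized signature required",
    ]


def audit(templates: list) -> dict:
    """Map template name -> findings for every template that is flagged."""
    report = {}
    for t in templates:
        findings = template_findings(t)
        if findings:
            report[t["name"]] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit(TEMPLATES).items():
        print(f"[!] {name}")
        for f in findings:
            print(f"    - {f}")
        print("    fix: " + "; ".join(HARDENING))
```

Only WebServerLegacy is reported: the User template does not let the requester pick the subject, WebServerApproved is gated by manager approval, and AdminSupplied is only enrollable by a privileged group. All four gates are checked together on purpose; closing any one of them takes a template off the list, which is also how you would prioritise remediation.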
Stop using ChatGPT to write your code
Saw this post on LinkedIn discussing how AI is probably going to be one of the reasons code quality declines over the next few years and I totally agree. AI tools, while helpful, can lead to complacency and reduced code quality.
Learn as much as you possibly can before you completely rely on AI tools and AI-generated code. The people at the top of our craft barely even use chatbots such as ChatGPT and Bard - they still raw-dog StackOverflow.
A whitepaper from Gitclear called "Coding on Copilot" had the following to say:
We find disconcerting trends for maintainability. Code churn -- the percentage of lines that are reverted or updated less than two weeks after being authored -- is projected to double in 2024 compared to its 2021, pre-AI baseline. We further find that the percentage of "added code" and "copy/pasted code" is increasing in proportion to "updated," "deleted," and "moved" code. In this regard, code generated during 2023 more resembles an itinerant contributor, prone to violate the DRY-ness of the repos visited.
Gitclear
Whitepaper: https://gitclear-public.s3.us-west-2.amazonaws.com/Coding-on-Copilot-2024-Developer-Research.pdf
A comprehensive web application penetration checklist
Bumped into this checklist by Cristi Vlad a while ago. I just hadn't gotten to sharing it with y'all but here it is. You can use this during your web app pentests or even as a bug bounty checklist - whatever tickles your fancy.
It's comprehensive because outside of just giving you objectives, it outlines different ways to test the objective in question. Brilliant, isn't it?
Example:
Test Name: Test for Subdomain Takeover
Objective:
- Enumerate all possible domains (previous and current).
- Identify any forgotten or misconfigured domains.
How To Test:
- Enumerate victim's DNS servers and resource records using methods like DNS enumeration with common subdomains, brute force, or OSINT data sources, and check for DNS server response messages like NXDOMAIN, SERVFAIL, REFUSED, or no servers could be reached.
- Perform basic DNS enumeration with tools like dnsrecon to identify inactive or unused DNS records, especially A and CNAME records.
- For A records, perform a whois lookup to identify the service provider and check for a "404 - File not found" response which indicates vulnerability.
- Test NS record subdomain takeover by identifying all nameservers for the domain and checking if any are associated with domains available for purchase.
Checklist: https://docs.google.com/spreadsheets/d/1BWs_SzkO7al59gSwZHFh3ISvK9zO4kEN/edit#gid=2050760890
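The "How To Test" steps above boil down to one check a zone owner can run on their own records: for every CNAME, resolve the target and flag the ones that come back NXDOMAIN, SERVFAIL, REFUSED or unreachable, since a dangling alias to a deprovisioned service is what makes a subdomain takeoverable. The script below is an added example, not part of Cristi Vlad's checklist. ZONE_RECORDS and FAKE_ANSWERS are constructed so it runs offline; live_resolve() is an assumed wiring of the same check to the dnspython library for a real zone export.

```python
"""Flag dangling CNAME records (alias targets that no longer resolve).

Added example, not code from the checklist. The zone records and the
resolver answers below are constructed sample data.
"""
from typing import Callable, List, Tuple

# Response conditions the checklist calls out as takeover indicators.
DANGLING_RCODES = {"NXDOMAIN", "SERVFAIL", "REFUSED", "NO_SERVERS"}

# Constructed zone export: (owner name, record type, target)
ZONE_RECORDS = [
    ("www.example.test", "A", "198.51.100.10"),
    ("shop.example.test", "CNAME", "shop-prod.cloudshop.example"),
    ("old-blog.example.test", "CNAME", "tenant123.retired-host.example"),
    ("cdn.example.test", "CNAME", "edge.broken-cdn.example"),
    ("mail.example.test", "MX", "mx.example.test"),
]

# Constructed answers a resolver would give for the CNAME targets.
FAKE_ANSWERS = {
    "shop-prod.cloudshop.example": "NOERROR",
    "tenant123.retired-host.example": "NXDOMAIN",
    "edge.broken-cdn.example": "SERVFAIL",
}


def fake_resolve(name: str) -> str:
    """Offline stand-in for a resolver: returns an rcode-like string."""
    return FAKE_ANSWERS.get(name, "NXDOMAIN")


def live_resolve(name: str) -> str:
    """Real lookup via dnspython (pip install dnspython); not used in the offline run.

    dnspython raises NoNameservers when every server answered SERVFAIL/REFUSED,
    so both conditions are reported as NO_SERVERS here.
    """
    import dns.exception
    import dns.resolver
    try:
        dns.resolver.resolve(name, "A")
        return "NOERROR"
    except dns.resolver.NXDOMAIN:
        return "NXDOMAIN"
    except dns.resolver.NoAnswer:
        return "NOERROR"          # name exists, it just has no A record
    except (dns.resolver.NoNameservers, dns.exception.Timeout):
        return "NO_SERVERS"


def find_dangling_cnames(records, resolve: Callable[[str], str]) -> List[Tuple[str, str, str]]:
    """Return (owner, target, rcode) for each CNAME whose target no longer resolves."""
    findings = []
    for owner, rtype, target in records:
        if rtype != "CNAME":
            continue                      # A/MX records need the whois/HTTP checks instead
        rcode = resolve(target)
        if rcode in DANGLING_RCODES:
            findings.append((owner, target, rcode))
    return findings


if __name__ == "__main__":
    for owner, target, rcode in find_dangling_cnames(ZONE_RECORDS, fake_resolve):
        print(f"[!] {owner} -> {target} ({rcode}): remove the record or re-claim the target")
```

The resolver is passed in as a function so the same audit logic runs against constructed data in a test and against live DNS in production; A-record owners still need the provider lookup and "404" check from the list, which a DNS-only pass cannot give you.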
In case you missed the previous issue, here you go:
Suggestions
Hit me up on Discord or LinkedIn if you have anything you feel would be cool to include. Thanks, Cheers.