In a previous post I discussed how to set up basic redirectors with Covenant C2. In this post, I hope to show you how to use domain fronting through an Azure CDN for your C2 traffic. A lot of this is based on another post I read from ar-infosec that you can find here. What is Domain…
All posts in Covenant
Resource Based Constrained Delegation
Earlier this year, on an internal penetration test for my employer, I was stuck on Active Directory (AD) escalation. I had gotten a foothold in the environment by cracking a user’s hashed credentials that I had captured through DHCPv6 spoofing. However, the user didn’t belong to any privileged groups and didn’t have local admin privileges…
Constrained Delegation
In previous posts, I have discussed how to set up an AD lab in AWS, attack AD using Kerberoast, and attack AD with Unconstrained Delegation. In this post I am going to discuss another attack I built into my lab: Constrained Delegation. This will all be done through Covenant C2, which I discussed how to set up…
Unconstrained Delegation
One of the weaknesses that I configured in my lab environment was “Unconstrained Delegation.” Systems in an Active Directory (AD) environment can be configured for unconstrained delegation. This means that a system can “delegate”, or impersonate users that authenticate to it. Normally, when a user authenticates to a service running on a system, the user…
Kerberoasting
This post will demonstrate how to perform a “Kerberoasting” attack in an Active Directory (AD) environment. In a previous post, I detailed how to create an AD lab in AWS and how to configure a user with a Service Principal Name (SPN) that will allow for the Kerberoasting attack. Background Information Kerberoasting is an attack…
Covenant C2 Infrastructure with Redirectors
In my previous post, I wrote about getting started with Covenant C2. In that post the infrastructure I set up for the C2 communications was very simple: the C2 agents connected directly to the C2 server over a private subnet. This works for a lab environment, but for a real-world red team engagement having your C2…
Getting Started with Covenant C2
In my previous blog post, I created an Active Directory (AD) lab environment in AWS that I wanted to use to test/practice various red team concepts and tools. One of the tools I was interested in testing is the new version of Covenant C2. Covenant is a command-and-control (C2) framework. What this means is if you…