Compass Security Blog

Offensive Defense

BloodHound Inner Workings & Limitations – Part 3: Session Enumeration Through Remote Registry & Summary

BloodHound is the way to go to for finding attack paths in an Active Directory (AD) environment. However, it is not always clear how the data is gathered without looking at the code of SharpHound, the data ingestor for BloodHound. Microsoft hardened their systems over time through updates, which makes enumeration of Active Directory (AD) […]

Continue reading

BloodHound Inner Workings & Limitations – Part 2: Session Enumeration Through NetWkstaUserEnum & NetSessionEnum

BloodHound is the way to go to for finding attack paths in an Active Directory (AD) environment. However, it is not always clear how the data is gathered without looking at the code of SharpHound, the data ingestor for BloodHound. Microsoft hardened their systems over time through updates, which makes enumeration of Active Directory (AD) […]

Continue reading

BloodHound Inner Workings & Limitations – Part 1: User Rights Enumeration Through SAMR & GPOLocalGroup

BloodHound is the way to go to for finding attack paths in an Active Directory (AD) environment. However, it is not always clear how the data is gathered without looking at the code of SharpHound, the data ingestor for BloodHound. Microsoft hardened their systems over time through updates, which makes enumeration of Active Directory (AD) […]

Continue reading

Weekly penetration tests for agile software – Does it work well?

Agile software development models have become the de-facto standard. They are taught at universities and implemented in practice as far as possible. Anyone who doesn’t develop software using agile processes is on the verge, and already tilting towards that. At least that is how it seems. Consequently, the question is not whether the integration of […]

Continue reading

SAML Raider Release 1.4.0

SAML Raider 1.4.0 is out which contains several new features like UI changes, new text editor, raw mode, XSW match/replace, parameter name definition and attack templates for XXE and XSLT attacks.

Continue reading

.CH Zone Lookup Tool

Fighting cybercrime is one of the reason Switch announced to publish the .ch zone. Switzerland has a law on Open-Government-Data-Strategy that follows the open-by-default strategy The .ch zone file contains all registered .ch domain names that have a NS record that points to the nameserver that gives authoritative answers for that domain name. Compass Security is offering […]

Continue reading

The “Volatility Triage App” for Splunk

Intro into a Compass Splunk App, which can be used to perform a first triage and high level analysis of Volatility results coming from multiple hosts.

Continue reading

Burp Extension: Copy Request & Response

Writing good reports is key in penetration tests / security assessments, since this is the final result delivered to the customer. Vulnerabilities should be described in a way so that the customer can understand and also reproduce the issue. For web application pentests, the best way is often to show the HTTP requests and responses to explain an issue. This Burp Suite extension “Copy Request & Response” can assist you while the report.

Continue reading

101 for lateral movement detection

The article discusses the very basics to keep systems ready for analysis of lateral movement. We present some guidelines in form of a cheat sheet and a tool (Readinizer) that you can run, to ensure that everything is set up as in the guidelines provided.

Continue reading

Relaying NTLM authentication over RPC

Since a few years, we – as pentesters – (and probably bad guys as well) make use of NTLM relaying a lot for privilege escalation in Windows networks.

In this article, we propose adding support for the RPC protocol to the already great ntlmrelayx from impacket and explore the new ways of compromise that it offers.

This vulnerability was discovered by Compass Security in January 2020, disclosed to Microsoft Security Response Center and assigned CVE-2020-1113 as identifier.

Continue reading

« Older posts