<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>RedTeam Pentesting Blog</title><image><url>https://blog.redteam-pentesting.de/apple-touch-icon-144.png</url><title>RedTeam Pentesting</title><link>https://www.redteam-pentesting.de</link><width>144</width><height>144</height><description>RedTeam Pentesting Logo</description></image><link>https://blog.redteam-pentesting.de/posts/index.xml</link><description>All blog posts published by RedTeam Pentesting</description><lastBuildDate>Wed, 11 Jun 2025 10:00:00 +0200</lastBuildDate><atom:link href="https://blog.redteam-pentesting.de/posts/index.xml" rel="self" type="application/rss+xml"/><item><title>A Look in the Mirror - The Reflective Kerberos Relay Attack</title><link>https://blog.redteam-pentesting.de/2025/reflective-kerberos-relay-attack/</link><pubDate>Wed, 11 Jun 2025 00:00:00 +0000</pubDate><description>&lt;p&gt;It is a sad truth in IT security that some vulnerabilities never quite want to
die: time and time again, vulnerabilities that have long been fixed get
revived and come right back at you. While researching relay attacks, the bane of
Active Directory, we accidentally revived the reflective relay attack. Since
2008 with
&lt;a href="https://learn.microsoft.com/en-us/security-updates/securitybulletins/2008/ms08-068"&gt;MS08-068&lt;/a&gt;,
it is impossible to relay back NTLM messages to the host they were initiated
from. In 2025 we asked ourselves: What if we try it with Kerberos, instead?&lt;/p&gt;
&lt;p&gt;As it turns out, this question led to the discovery of the Reflective Kerberos
Relay Attack. It not only bypasses the restrictions put in place for NTLM
reflection but it also exploits a privilege-escalation vulnerability. If you
can coerce any Windows host to authenticate back to you via SMB, you can relay
the computer account&amp;rsquo;s Kerberos ticket back to the host and obtain &lt;code&gt;NT AUTHORITY\SYSTEM&lt;/code&gt; privileges and thereby Remote Code Execution.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;A patch for this vulnerability was released as part of &lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-33073"&gt;Patch Tuesday on 10th June 2025&lt;/a&gt;.&lt;/strong&gt;&lt;/p&gt;</description></item><item><title>The Ultimate Guide to Windows Coercion Techniques in 2025</title><link>https://blog.redteam-pentesting.de/2025/windows-coercion/</link><pubDate>Wed, 04 Jun 2025 00:00:00 +0000</pubDate><description>&lt;p&gt;Windows authentication coercion often feels like a magic bullet against the
average Active Directory. With any old low-privileged account, it usually
allows us to gain full administrative access to almost any Windows
workstation or server, after which compromising the entire Active Directory
is only a matter of time.
It hardly comes as a surprise, then, that Microsoft has
implemented various changes in recent Windows versions which aim to mitigate
this attack vector. In this blog post, we provide a comprehensive reference of coercion
techniques in Windows domains, and discuss their current effectiveness, quirks, and typical
applications. We further explain how our recent patches to
&lt;a href="https://github.com/fortra/impacket/pull/1974"&gt;Impacket&lt;/a&gt; and
&lt;a href="https://github.com/Pennyw0rth/NetExec/pull/718"&gt;NetExec&lt;/a&gt; help circumvent some of
Microsoft&amp;rsquo;s new mitigations and present &lt;a href="https://github.com/RedTeamPentesting/wspcoerce"&gt;an implementation of a coercion technique&lt;/a&gt; that is currently not widely used.&lt;/p&gt;</description></item><item><title>Back to School - Exploiting a Remote Code Execution Vulnerability in Moodle</title><link>https://blog.redteam-pentesting.de/2024/moodle-rce/</link><pubDate>Tue, 27 Aug 2024 00:00:00 +0000</pubDate><description>&lt;p&gt;Surprisingly often, implementations include functionality where user input is passed to dangerous functions like PHP&amp;rsquo;s &lt;code&gt;eval()&lt;/code&gt; - despite &lt;a href="https://www.php.net/manual/en/function.eval.php"&gt;clear warnings&lt;/a&gt;.
Often, developers are somewhat aware of this danger and attempt to sanitize the input, but this approach is rarely as robust as assumed.
In this post, we will show you how we bypassed the sanitization attempts of the popular learning platform &lt;a href="https://moodle.org"&gt;Moodle&lt;/a&gt; to achieve remote code execution, and demonstrate why it is always best to stick to the famous quote from Rasmus Lerdorf, creator of PHP:&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;If eval() is the answer, you&amp;rsquo;re almost certainly asking the wrong question.&lt;/p&gt;
&lt;/blockquote&gt;
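&lt;p&gt;As an added illustration of why a blocklist in front of &lt;code&gt;eval()&lt;/code&gt; tends to fail, the following Python snippet (example code written for this page, not Moodle&amp;rsquo;s PHP code; the blocklist, the payloads and all helper names are hypothetical) shows a &amp;ldquo;sanitize, then eval&amp;rdquo; function next to a hardened evaluator that parses the input into an AST and accepts arithmetic only. The bypass assembles the blocked names at runtime from fragments the blocklist does not match and reaches the builtins through the imported &lt;code&gt;ast&lt;/code&gt; module instead of naming them directly.&lt;/p&gt;

```python
import ast
import operator

# Hypothetical blocklist sanitizer in the spirit of the "sanitize, then eval()"
# pattern the post describes. Illustrative code only, not Moodle's.
BLOCKED_WORDS = ("import", "open", "exec", "eval", "system", "__")


def passes_blocklist(expression):
    """True if none of the blocked words occur in the (lower-cased) input."""
    lowered = expression.lower()
    return not any(word in lowered for word in BLOCKED_WORDS)


def sanitize_then_eval(expression):
    """Vulnerable: the blocklist is the only defence before eval() runs."""
    if not passes_blocklist(expression):
        raise ValueError("rejected by blocklist")
    return eval(expression)  # deliberately unsafe, this is the flaw


# Direct payload: stopped by the blocklist ("__" and "import" both match).
DIRECT_PAYLOAD = '__import__("os").getpid()'

# Bypass: build the same names from fragments at runtime. The builtins dict is
# reached as an attribute of the imported ast module (every imported module
# carries one), so the token __builtins__ never appears in the source text.
BYPASS_PAYLOAD = (
    'getattr(ast, "_"*2+"builtins"+"_"*2)'
    '["_"*2+"imp"+"ort"+"_"*2]("os").getpid()'
)


def demonstrate_bypass():
    """Run os.getpid() through the 'sanitized' eval(); returns the PID."""
    return sanitize_then_eval(BYPASS_PAYLOAD)


# Hardened replacement: no eval() at all. Parse into an AST and evaluate only
# numeric literals and these operators; names, calls, attribute access and
# subscripts are rejected, so there is nothing left to bypass. Pow is left out
# on purpose because 9**9**9 would be a resource-exhaustion problem.
_BINOPS = {
    ast.Add: operator.add,
    ast.Sub: operator.sub,
    ast.Mult: operator.mul,
    ast.Div: operator.truediv,
    ast.Mod: operator.mod,
}
_UNARYOPS = {ast.UAdd: operator.pos, ast.USub: operator.neg}


def safe_arith_eval(expression):
    """Evaluate an arithmetic expression by walking its AST with an allowlist."""

    def walk(node):
        if isinstance(node, ast.Expression):
            return walk(node.body)
        if isinstance(node, ast.Constant) and type(node.value) in (int, float):
            return node.value
        if isinstance(node, ast.BinOp) and type(node.op) in _BINOPS:
            return _BINOPS[type(node.op)](walk(node.left), walk(node.right))
        if isinstance(node, ast.UnaryOp) and type(node.op) in _UNARYOPS:
            return _UNARYOPS[type(node.op)](walk(node.operand))
        raise ValueError(f"disallowed syntax: {type(node).__name__}")

    return walk(ast.parse(expression, mode="eval"))


def safe_rejects(expression):
    """True if the hardened evaluator refuses the expression."""
    try:
        safe_arith_eval(expression)
    except (ValueError, SyntaxError):
        return True
    return False


if __name__ == "__main__":
    print("blocklist stops direct payload:", not passes_blocklist(DIRECT_PAYLOAD))
    print("blocklist passes bypass payload:", passes_blocklist(BYPASS_PAYLOAD))
    print("pid obtained through 'sanitized' eval():", demonstrate_bypass())
    print("safe evaluator, 2*(3+4):", safe_arith_eval("2*(3+4)"))
    print("safe evaluator rejects bypass:", safe_rejects(BYPASS_PAYLOAD))
```

&lt;p&gt;The point of the pair is that the blocklist reasons about the text of the input while &lt;code&gt;eval()&lt;/code&gt; reasons about its semantics; any construct that builds names at runtime slips through. The allowlisting evaluator turns the question around by only ever executing what it has explicitly understood.&lt;/p&gt;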
&lt;p&gt;&lt;strong&gt;The vulnerability was corrected in Moodle versions 4.4.2, 4.3.6, 4.2.9, and 4.1.12 released Aug 10, 2024.&lt;/strong&gt;&lt;/p&gt;</description></item><item><title>Bitwarden Heist - How to Break Into Password Vaults Without Using Passwords</title><link>https://blog.redteam-pentesting.de/2024/bitwarden-heist/</link><pubDate>Wed, 03 Jan 2024 00:00:00 +0000</pubDate><description>&lt;p&gt;Sometimes, making particular security design decisions can have unexpected
consequences. For security-critical software, such as password managers, this
can easily lead to catastrophic failure: In this blog post, we show how
&lt;a href="https://bitwarden.com/"&gt;Bitwarden&amp;rsquo;s&lt;/a&gt; Windows Hello implementation allowed us
to remotely steal all credentials from the vault without knowing the password
or requiring biometric authentication. When we discovered this during a
penetration test it was so unexpected for us that we agreed with our client to
publish a blog post about it and tell the story.&lt;/p&gt;</description></item><item><title>Better dSAFER than Sorry - An Attacker's Overview of Ghostscript</title><link>https://blog.redteam-pentesting.de/2023/ghostscript-overview/</link><pubDate>Wed, 11 Oct 2023 00:00:00 +0000</pubDate><description>&lt;p&gt;&lt;a href="https://www.ghostscript.com"&gt;Ghostscript&lt;/a&gt; is the backbone of document
processing for a lot of web apps and programs. Even if you have never heard of
Ghostscript, you have very likely used it many times already, through
various programs such as PDF viewers, office suites or document converters.
However, since you are reading a security-centric blog, you may have already
heard of Ghostscript due to various high-profile vulnerabilities that allowed
for powerful attacks against it. Even without vulnerabilities in Ghostscript
itself, there are still a lot of pitfalls and misconceptions that can
easily result in serious vulnerabilities in programs that rely on Ghostscript.&lt;/p&gt;
&lt;p&gt;Join us on a deep dive into how and where
&lt;a href="https://www.ghostscript.com"&gt;Ghostscript&lt;/a&gt; is commonly used, what PostScript is
and how attackers can abuse it to achieve remote code execution (RCE) and
arbitrary file disclosure using practical examples. We will also highlight some
obscure facts about the security features of Ghostscript and how the recent
bypasses (&lt;a href="https://www.cve.org/CVERecord?id=CVE-2023-36664"&gt;CVE-2023-36664&lt;/a&gt; and
&lt;a href="https://www.cve.org/CVERecord?id=CVE-2023-43115"&gt;CVE-2023-43115&lt;/a&gt;) for
these security features work.&lt;/p&gt;</description></item><item><title>Bringing Monsoon to the Next Level</title><link>https://blog.redteam-pentesting.de/2023/monsoon-next-level/</link><pubDate>Wed, 12 Jul 2023 00:00:00 +0000</pubDate><description>&lt;p&gt;We&amp;rsquo;ve just released a major update for our HTTP fuzzer
&lt;a href="https://github.com/RedTeamPentesting/monsoon"&gt;monsoon&lt;/a&gt; with many new features
and improvements. In this blog post we will cover these changes in detail. If you
haven&amp;rsquo;t heard about &lt;a href="https://github.com/RedTeamPentesting/monsoon"&gt;monsoon&lt;/a&gt;, you
should start with our &lt;a href="https://blog.redteam-pentesting.de/2020/introducing-monsoon/"&gt;announcement blog post&lt;/a&gt; where
we explain the purpose of &lt;a href="https://github.com/RedTeamPentesting/monsoon"&gt;monsoon&lt;/a&gt;
and show how it can be used in various scenarios. With that said,
let&amp;rsquo;s jump into the changes.&lt;/p&gt;</description></item><item><title>Storing Passwords - A Journey of Common Pitfalls</title><link>https://blog.redteam-pentesting.de/2023/storing-passwords/</link><pubDate>Mon, 05 Jun 2023 00:00:00 +0000</pubDate><description>&lt;p&gt;As pentesters, we regularly see creative ways of handling authentication and
almost as often we see the pitfalls that come along with these unconventional
ways. For instance, we recently discovered a vulnerability in the web interface
of STARFACE PBX allowing login using the password hash rather than the
cleartext password (see
&lt;a href="https://www.redteam-pentesting.de/advisories/rt-sa-2022-004/"&gt;advisory&lt;/a&gt;). We
want to use this as an opportunity to discuss how we analyse such login
mechanisms and talk about the misconceptions in security concepts that
result in such pitfalls along the way.&lt;/p&gt;</description></item><item><title>Introducing resocks - An Encrypted Back-Connect SOCKS Proxy for Network Pivoting</title><link>https://blog.redteam-pentesting.de/2023/introducing-resocks/</link><pubDate>Tue, 09 May 2023 00:00:00 +0000</pubDate><description>&lt;p&gt;Compromising a host in a company&amp;rsquo;s perimeter often creates the opportunity to
pivot into an internal network. From there on, each additional compromised
system may grant us access into further subnets. Pivoting like this is second
nature to pentesters, but let&amp;rsquo;s step back and look at this scenario in detail in
order to understand why we created our newest open-source tool
&lt;a href="https://github.com/RedTeamPentesting/resocks"&gt;resocks&lt;/a&gt; - a secure reverse
SOCKS5 proxy (reverse as in &lt;em&gt;reverse shell&lt;/em&gt;, not as in &lt;em&gt;reverse proxy&lt;/em&gt;).&lt;/p&gt;</description></item><item><title>Rooting a Common-Criteria Certified Printer to Improve OPSEC</title><link>https://blog.redteam-pentesting.de/2023/rooting-printer/</link><pubDate>Wed, 12 Apr 2023 00:00:00 +0000</pubDate><description>&lt;p&gt;Besides conducting penetration tests, we also attend to maintenance tasks of
our internal infrastructure in order to have all systems involved in our
everyday work meet our specified requirements. One of these systems is the
printer that we use to print our penetration test reports. When our service
provider announced that they would not be able to provide maintenance services
for our printer anymore, we started looking for a new one. This blog post deals
with the analysis process of our new Canon imageRUNNER ADVANCE DX C5850i
printer with the aim to meet our specified security requirements according to
our threat model.&lt;/p&gt;</description></item><item><title>Introducing Pretender - Your New Sidekick for Relaying Attacks</title><link>https://blog.redteam-pentesting.de/2022/introducing-pretender/</link><pubDate>Wed, 13 Jul 2022 00:00:00 +0000</pubDate><description>&lt;p&gt;We&amp;rsquo;ve just released another open-source tool:
&lt;a href="https://github.com/RedTeamPentesting/pretender"&gt;pretender&lt;/a&gt;, a cross-platform
tool to obtain a machine-in-the-middle position inside Windows networks in the
spirit of &lt;a href="https://github.com/SpiderLabs/Responder"&gt;Responder&lt;/a&gt; and
&lt;a href="https://github.com/dirkjanm/mitm6"&gt;mitm6&lt;/a&gt;. It implements local name resolution
spoofing using the mDNS, LLMNR, and NetBIOS-NS protocols as well as a DHCPv6 DNS
takeover attack. Since last year
&lt;a href="https://github.com/RedTeamPentesting/pretender"&gt;pretender&lt;/a&gt; has become a
frequently used tool in our network penetration tests and we are proud to share
our work with the community.&lt;/p&gt;</description></item><item><title>Inside a PBX - Discovering a Firmware Backdoor</title><link>https://blog.redteam-pentesting.de/2021/inside-a-pbx/</link><pubDate>Mon, 20 Dec 2021 00:00:00 +0000</pubDate><description>&lt;p&gt;This blog post illustrates how RedTeam Pentesting discovered a real-world
backdoor in a widely used Auerswald phone system (see also the
&lt;a href="https://www.redteam-pentesting.de/en/advisories/rt-sa-2021-007/-auerswald-compact-multiple-backdoors"&gt;advisory&lt;/a&gt;
and &lt;a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40859"&gt;CVE-2021-40859&lt;/a&gt;). We will describe the methodology used to find the
backdoor by examining the firmware, highlight the practical implications of the
vulnerability and outline our communications with Auerswald.&lt;/p&gt;</description></item><item><title>Remarkable Encryption - From Threat Model to Final Implementation</title><link>https://blog.redteam-pentesting.de/2021/remarkable-encryption/</link><pubDate>Fri, 21 May 2021 00:00:00 +0000</pubDate><description>&lt;p&gt;In the process of going paperless, we recently acquired multiple reMarkable 2
epaper tablets. Among other things, the tablets will be used for taking notes
about engagements. These data are highly sensitive and must be well protected.
Unfortunately, by default the reMarkable offers little protection against
attackers with physical access. We therefore opted to add a layer of encryption
to our tablets. In this blog post we outline our journey from threat modeling to
a secure, reliable and user-friendly implementation using &lt;code&gt;gocryptfs&lt;/code&gt;, C++, Qt
and &lt;code&gt;systemd&lt;/code&gt;. The final result has been released on
&lt;a href="https://github.com/RedTeamPentesting/remarkable-encryption"&gt;GitHub&lt;/a&gt;.&lt;/p&gt;</description></item><item><title>Wholesome curl Calls for Your Blog Posts</title><link>https://blog.redteam-pentesting.de/2021/wholesome-curl-calls/</link><pubDate>Thu, 04 Mar 2021 00:00:00 +0000</pubDate><description>&lt;p&gt;An important part of each penetration test is the documentation of all discovered vulnerabilities.
The documentation often includes program calls to further demonstrate how a vulnerability was found, tested or exploited. To better visualise these steps in the context of web applications, we often include invocations of the command-line HTTP client &lt;a href="https://curl.se/"&gt;curl&lt;/a&gt;. In the following, we discuss how program calls can be styled for documentation to appeal to all audiences.&lt;/p&gt;</description></item><item><title>Insecure Deserialization - How to Trace Down a Gadget Chain</title><link>https://blog.redteam-pentesting.de/2021/deserialization-gadget-chain/</link><pubDate>Mon, 04 Jan 2021 00:00:00 +0000</pubDate><description>&lt;p&gt;Insecure deserialization vulnerabilities potentially result in the ability to remotely
execute code on the affected system. Once such a vulnerability is identified, it is still
necessary to compose a gadget chain that provides this ability. This post deals with the
complex but also fascinating process of finding a gadget chain in the &lt;a href="https://www.yiiframework.com/"&gt;Yii PHP framework&lt;/a&gt;.
Finally, the discovered gadget chain is demonstrated by means of an example application.&lt;/p&gt;</description></item><item><title>Introducing monsoon ‒ a Lean and Versatile HTTP Enumerator</title><link>https://blog.redteam-pentesting.de/2020/introducing-monsoon/</link><pubDate>Wed, 02 Dec 2020 00:00:00 +0000</pubDate><description>&lt;p&gt;We recently released our first open-source project,
&lt;a href="https://github.com/RedTeamPentesting/monsoon"&gt;monsoon&lt;/a&gt;. monsoon is a so-called
command-line &lt;em&gt;HTTP enumerator&lt;/em&gt;: A tool that iterates over a list of values, for example
a word list or a range of integers, and sends one HTTP request per item towards a given
server. The target server, path and HTTP headers can be configured on the command line.
There, one can replace parts of the HTTP request with the placeholder &lt;code&gt;FUZZ&lt;/code&gt;. All its
occurrences are replaced with the current item during each iteration. Optionally,
monsoon can filter or even parse the HTTP response.&lt;/p&gt;
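&lt;p&gt;To make the mechanism concrete, here is a minimal HTTP enumerator of the kind described above, written as an added example for this page (monsoon itself is a separate tool written in Go; none of this is its code). It substitutes &lt;code&gt;FUZZ&lt;/code&gt; in the URL and in header values, sends one GET per item, and keeps only responses whose status is not hidden. The &lt;code&gt;hide_status&lt;/code&gt; parameter is a stand-in for response filtering and is an assumption of this example, as are the function names and the constructed loopback target the demo runs against, so everything executes offline.&lt;/p&gt;

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

PLACEHOLDER = "FUZZ"


def expand(template, value):
    """Replace every occurrence of the FUZZ placeholder with the current item."""
    return template.replace(PLACEHOLDER, value)


def enumerate_http(url_template, header_template, items, hide_status=()):
    """Send one GET per item, substituting FUZZ in the URL and in header values.
    Returns (item, status, body_length) for each response whose status is not
    listed in hide_status (a simplified stand-in for response filtering)."""
    results = []
    for item in items:
        parts = urlsplit(expand(url_template, item))
        path = parts.path or "/"
        if parts.query:
            path = path + "?" + parts.query
        headers = {name: expand(value, item) for name, value in header_template.items()}
        conn = http.client.HTTPConnection(parts.hostname, parts.port, timeout=5)
        try:
            conn.request("GET", path, headers=headers)
            response = conn.getresponse()
            body = response.read()
        finally:
            conn.close()
        if response.status not in hide_status:
            results.append((item, response.status, len(body)))
    return results


class ConstructedTarget(BaseHTTPRequestHandler):
    """Constructed stand-in for a web server: three paths exist, the rest 404."""

    RESPONSES = {"/admin": 200, "/backup": 200, "/secret": 403}

    def do_GET(self):
        status = self.RESPONSES.get(self.path, 404)
        body = f"{status} for {self.path}".encode()
        self.send_response(status)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, fmt, *args):
        pass  # keep the output to the enumerator's own results


def run_demo():
    """Start the constructed target on a free loopback port, enumerate a small
    constructed word list against it, and return the hits with 404s hidden."""
    server = HTTPServer(("127.0.0.1", 0), ConstructedTarget)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        port = server.server_address[1]
        url = f"http://127.0.0.1:{port}/FUZZ"
        words = ["admin", "backup", "secret", "login", "static"]
        return enumerate_http(url, {"X-Probe": "FUZZ"}, words, hide_status=(404,))
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for item, status, length in run_demo():
        print(f"{status} {length:5d}  {item}")
```

&lt;p&gt;Hiding one status code is the crudest filter; in practice the interesting signal is often a deviation in response length or a marker in the body, which is why the result tuple carries the body length and why a real enumerator also parses responses.&lt;/p&gt;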
&lt;p&gt;monsoon can be very helpful during penetration testing and in this blog post we would
like to motivate its development and introduce some common scenarios that can be tackled
using monsoon.&lt;/p&gt;</description></item><item><title>Diving into a WebSocket Vulnerability in Apache Tomcat</title><link>https://blog.redteam-pentesting.de/2020/websocket-vulnerability-tomcat/</link><pubDate>Mon, 02 Nov 2020 00:00:00 +0000</pubDate><description>&lt;p&gt;Apache Tomcat is a Java application server commonly used with web applications, which we
often encounter in penetration tests.&lt;/p&gt;
&lt;p&gt;In this post we will dive into the analysis of a vulnerability in the Apache Tomcat server
and an exploit which helped our customer to assess the risk to their business. The
vulnerability is a denial-of-service vulnerability appearing in conjunction with
WebSockets, and has been assigned &lt;a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13935"&gt;CVE-2020-13935&lt;/a&gt;.&lt;/p&gt;</description></item></channel></rss>