Aurelien Chalot

From flat networks to locked up domains with tiering models

I’ve been performing internal assessments for seven years and out of all the things I have learnt, one is certain: without a proper tiering model, security tools alone won’t stop your organization from collapsing after a major compromise. In this post I’ll explain what a tiering model is, how to break a flat network even when protections are present, and, most importantly, how to build a defense-in-depth network, providing practical tips and diagrams.

A journey implementing Channel Binding on MSSQLClient.py

A few weeks ago my friend Zblurx pushed a PR to Impacket in which he implemented the Channel Binding Token computation, based on code that was developed by @lowercase_drm for the ldap3 library. This PR allows any tool relying on the ldap3 library to connect to LDAP servers even if LDAP signing and LDAPS channel binding are enabled. Looking at the code, I thought it would be easy to implement the same mechanism for other protocols such as MSSQL, which I was already working on pushing as PRs to NetExec.

Is TLS more secure? The WinRMS case.

0/ TL;DR WinRM is protected against NTLM relay as communications are encrypted. However, WinRMS (the one communicating over HTTPS) is not entirely. That said, WinRMS is not configured on a default server installation (while WinRM is). So, if someone tried to harden their servers’ configuration (by removing the HTTP endpoint), they would open a new possible target that can be used to relay HTTP/SMB and LDAP NTLMv1-only authentications to WinRMS and thus gain remote code execution.

Browser Cache Smuggling: the return of the dropper

A year and a half ago I wrote a blog post describing how browsers’ cache systems can be abused to drop malware on targets’ computers. As of today, this technique is still relevant. Browsers haven’t changed their behaviour and as such you can still use it for red team assessments. I had the opportunity to present the technique at Insomni’hack 2025 and, while the technique itself is, I believe, quite interesting, I wanted to go a little further and:

PsExec’ing the right way and why zero trust is mandatory

2021 was the year I met two incredible hackers, Michael and Reino, with whom I had the opportunity to work during my first ever SenseCon. SenseCon is an internal conference that lasts 3 days, during which we meet people, share knowledge and have fun. There is also a day-long hackathon during which we work on hacking subjects we are interested in. For that hackathon, we wanted to dig into PsExec.exe in order to see if it is possible to communicate with it via a Python script and thus no longer depend on a Windows system. Spoiler alert, we were able to! But for some reason, the project died in a private repo.

Dumping LSA secrets: a story about task decorrelation

While doing an internal assessment, I was able to compromise multiple computers and servers but wasn’t able to dump the LSA secrets because a particular EDR was installed and was pretty aggressive against me. In this blog post we’ll see how this EDR was blocking me and why it is still possible to dump these secrets by exploiting decorrelation attacks! As a bonus, I’ll show you a fancy way of retrieving the Windows boot key without having to dump the SYSTEM hive.

Guest vs Null session on Windows

If you have been doing internal assessments on Active Directory infrastructure you may have heard the following words: “Null session”, “Guest session” and “Anonymous session”. These words describe techniques that can be used on Windows servers to connect to resources and obtain information about a computer or Active Directory objects such as users or SMB shares you have access to. Even if these techniques are well known, I realised that people, including myself, didn’t understand them completely. This got me wanting to better understand them, hence this blog post :)!

Sensecon 23: from Windows drivers to an almost fully working EDR

TL;DR I wanted to better understand EDRs so I built a dummy EDR and talk about it here. EDR (Endpoint Detection and Response) is a kind of security product that aims to detect abnormal activities being executed on a computer or a server. When looking for resources about how EDRs work, I realised that, even if there is a lot of literature available about EDRs, there aren’t many articles explaining how an EDR is architected and how the different components of an EDR are orchestrated. This article aims to demystify how EDRs work while building a custom one that implements a few techniques used by real EDRs.

Browsers’ cache smuggling

On red team engagements, I often use social engineering to get one of my client’s employees to run my malicious code on their machine, allowing me to get access to their system. A typical approach I’ve used is to call them up, tell them I’m from IT support, and then get them to go to an official-looking web page that contains some PowerShell code they need to run to fix some made-up problem.