Category Archives: Windows

Notes from the field – Penetration tests

This blog post is by no means a comprehensive guide from an expert in the cyber security area. However, my previous role meant I had the pleasure of reviewing a number of customer penetration tests, and pretty much all of them were exploited in the same way. So I put together some basic information for any of my customers to review and think about before they had a penetration test booked.

After all, might as well make it a challenge for the people you are hiring to hack your network 😉


Ok, so I’m only going to cover the basics, as there are far better articles out there on this.

  • Reconnaissance
    • Information gathering before attending the target's site
      • IP addresses of websites and MX record details
      • Details of email addresses (shared mailboxes, employees direct)
      • Social networks (details shared on LinkedIn by employees, the company's Twitter posts, etc.)
        • Consider the below twitter post by a company, what information can you glean from seeing a picture of their racks and other equipment.
        • If we know the company name, we can enumerate the various domain names they own to public IP addresses, and just plug that into a website like and maybe look for that Sonicwall and find out if it's running the latest firmware.
        • Below when zooming in on the image, we can find details of an ADSL line
      • Job websites; are they hiring, especially in IT, what skills do they want? Looking for an engineer that knows a particular accountancy package?
  • Enumeration/Identification
    • Assessment of devices found and the search for vulnerabilities
      • Tools in use such as, but not limited to; nmap, Nessus, Metasploit, unicornscan, nikto, dotdotpwn, gobuster.
  • Exploitation
    • Create a plan of action/attack based on the information gathered.
    • Perform the attack/exploitation itself to achieve the end goal, usually access to systems from zero, escalation with the end goal being access to private/sensitive/restricted systems and data.
    • Tools in use such as, but not limited to; Kali Linux (OS and contains a lot of tooling), Nmap, Metasploit, BurpSuite, SQLMap, padbuster, custom exploit scripts

Common exploits to gain access

OK, so first, let's review how multiple networks were exploited or hacked.

Below is a summary of the common issues found at many sites I reviewed, and this is what I will cover in this blog post:

  • Null session authentication on Domain Controllers
  • Devices configured to use NBT-NS / LLMNR
  • SMB Signing
  • NTLMv1 in use for network authentication
  • Domain Users have Local Admin permissions to their machines
  • Poor password policy
  • No split accounts for Domain Admins
  • Poor patching on systems

Null Session Authentication

By default, null sessions (unauthenticated) are enabled on Windows 2000 & 2003 servers. Anyone can therefore use these null connections to enumerate potentially sensitive information from the servers; read this as information from your Active Directory.

As a result, anyone with a legacy domain that has been upgraded through the years will find that Null Session Authentication is still enabled in their environment.
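
To check whether an upgraded domain still carries these settings, the audit below is an added example, not code from the original post. The function name Get-NullSessionExposure is hypothetical; it assumes it is run on a domain controller with the ActiveDirectory module available, and it only reads the registry values and the builtin group that govern anonymous access.

```powershell
# Added example (not from the original post). Run on a domain controller;
# the last check assumes the ActiveDirectory module is installed.
function Get-NullSessionExposure {   # hypothetical helper name
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $srv = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    # Registry value, and the setting that blocks anonymous enumeration.
    $checks = @(
        @{ Key = $lsa; Name = 'RestrictAnonymous';         Want = 1 },
        @{ Key = $lsa; Name = 'RestrictAnonymousSAM';      Want = 1 },
        @{ Key = $lsa; Name = 'EveryoneIncludesAnonymous'; Want = 0 },
        @{ Key = $srv; Name = 'RestrictNullSessAccess';    Want = 1 }
    )
    foreach ($c in $checks) {
        $item   = Get-ItemProperty -Path $c.Key -Name $c.Name -ErrorAction SilentlyContinue
        $actual = if ($item) { $item.($c.Name) } else { $null }
        [pscustomobject]@{
            Check    = $c.Name
            Actual   = if ($null -eq $actual) { 'not set' } else { $actual }
            Expected = $c.Want
            # An unset value falls back to the OS default, so flag it for review.
            Status   = if ($actual -eq $c.Want) { 'OK' } else { 'Review' }
        }
    }

    # Pipes and shares that accept null sessions; anything listed needs a reason.
    foreach ($name in 'NullSessionPipes', 'NullSessionShares') {
        $item = Get-ItemProperty -Path $srv -Name $name -ErrorAction SilentlyContinue
        $list = if ($item) { @($item.$name) -ne '' } else { @() }
        [pscustomobject]@{
            Check    = $name
            Actual   = if ($list) { $list -join ', ' } else { 'empty' }
            Expected = 'only entries you can justify'
            Status   = if ($list) { 'Review' } else { 'OK' }
        }
    }

    # Builtin "Pre-Windows 2000 Compatible Access" group (SID S-1-5-32-554):
    # ANONYMOUS LOGON (S-1-5-7) or Everyone (S-1-1-0) as members gives
    # unauthenticated sessions read access to directory objects.
    $group = Get-ADGroup -Identity 'S-1-5-32-554' -Properties member
    $risky = @($group.member) -match 'CN=S-1-(5-7|1-0),'
    [pscustomobject]@{
        Check    = 'Pre-Windows 2000 Compatible Access'
        Actual   = if ($risky) { $risky -join '; ' } else { 'no anonymous members' }
        Expected = 'no anonymous members'
        Status   = if ($risky) { 'Review' } else { 'OK' }
    }
}
Get-NullSessionExposure | Format-Table -AutoSize -Wrap
```

Rows marked Review are candidates for Group Policy hardening; test any change against legacy applications that may still rely on anonymous access.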


vBrownBag Session – Microsoft Azure for vSphere Admins

At VMworld 2018 I was invited to speak on the vBrownbag platform, which is a great community focused and run resource. Below is my session “Microsoft Azure for vSphere Admins”

You can find the presentation here –



Powershell – Get-ADuser and output the homedrives to CSV file

I had a customer with around 27 file servers used as locations for AD home drives. We needed to do some analysis on which users used which server, as things like DFS or a strategy of where to place users were not in place. So PowerShell to the rescue.

A simple version of this script is:

get-aduser -Filter * -properties * | select DisplayName,Enabled,HomeDirectory,LastLogonDate,CanonicalName | Export-csv -path c:\scripts\userhomefolder.csv

I created this more complex script after the number of unique objects exceeded the maximum filter limit within Excel; splitting the output into a file per server fixed this.

First off, create an array with the multiple file servers, then use the “foreach” command to loop a PowerShell command over each file server name.

We look at all users in AD and, for each file server, output any users whose home directory is on that server into its own CSV file.

#Add the AD module into the PowerShell session
Import-Module ActiveDirectory

#Array containing each file server, can be FQDN or short name
$fileservers = 'FS1','FS2','FS3'

#Only request the attributes we export instead of every property on every user
$props = 'DisplayName','Enabled','HomeDirectory','LastLogonDate','CanonicalName'

#Loop over each file server in the array, filter all AD users whose home directory
#is on that server, and write one CSV per server to C:\scripts
foreach ($fileserver in $fileservers) {
    Get-ADUser -Filter * -Properties $props |
        Select-Object $props |
        Where-Object { $_.HomeDirectory -like "*$fileserver*" } |
        Export-Csv -Path "c:\scripts\userhomefolder2-$fileserver.csv" -NoTypeInformation
}





Citrix StoreFront – Creating a Public SSL Certificate

The latest versions of Citrix Receiver require that you use HTTPS for the server-bound connections, otherwise you cannot connect.


And the information on the Citrix website can be a bit thin when it comes to using a Public CA SSL Certificate. Here is the documentation link to using certificates for the Storefront component.

Here I am covering:

  • Workaround – Bypassing the HTTPS SSL warning when adding a store to Citrix Receiver
  • Creating the Public SSL Certificate request for your StoreFront Server
  • Importing the Public SSL Certificate onto your StoreFront Server
  • Exporting the SSL Certificate for use on additional servers
  • Linking the SSL Certificate in IIS to the StoreFront Website


DCPromo Fails – The directory service is missing mandatory configuration information

On a Server 2008 R2 machine, I had an issue demoting from being a Domain Controller, after moving the FSMO roles onto a new machine. This was after a second domain controller died. I am not sure of the previous history of where the FSMO roles were for this client.

Two new DCs were created and promoted, after cleaning up DNS to remove the old configuration of the dead DC.

The Error

I was provided with the following error in a dialog box and in the event log
