ManageEngine ADSelfService Plus — Authentication Bypass (CVE-2021-40539)

Details:
https://www.synacktiv.com/publications/how-to-exploit-cve-2021-40539-on-manageengine-adselfservice-plus.html

Exploit:
https://github.com/synacktiv/CVE-2021-40539

#adselfservice #cve #auth #bypass

Authentication and Authorization Testing Mindmap

https://drive.google.com/file/d/1Jt1wzmgG3vDhU-vppms_KhP2ffvcMlD_/view

#appsec #mindmap #auth #testing

Zabbix SAML Authentication Bypass (CVE-2022-23131)

Research:
https://blog.sonarsource.com/zabbix-case-study-of-unsafe-session-storage

PoC:
https://github.com/jweny/zabbix-saml-bypass-exp

#zabbix #research #auth #bypass #cve

⚙️ Determining AD domain name via NTLM Auth

If you have nmap (http-ntlm-info) unable to determine the FQND of an Active Directory domain via OWA, for example due to Citrix NetScaler or other SSO solutions, do it manually!

1) curl -Isk -X POST -H 'Authorization: NTLM TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAKANc6AAAADw==' -H 'Content-Length: 0' https://autodiscover.exmaple.com/ews

2) echo 'TlRMTVNTUAACAAAADAAMAD...' | python2 ./ntlmdecoder.py

One-Liner function for bashrc\zshrc\etc-rc:

ntlm_decode() { curl -Isk -X POST -H 'Authorization: NTLM TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAKANc6AAAADw==' -H 'Content-Length: 0' "$1" | awk -F 'NTLM ' '/WWW-Authenticate: NTLM/ {print $2}' | python2 "$(locate ntlmdecoder.py)"; }

Source:
ntlmdecoder.py

#ntlm #auth #sso #tricks #pentest