Designing & building a stealth C2 LDAP channel

DerbyCon 9.0 - Finish Line

Presented by: Rindert Kramer
Date: Friday September 06, 2019
Time: 14:00 - 14:30
Location: Stable Talks

When organizations choose to isolate networks, they often choose to implement technologies like private VLANs, use separate hosts and hypervisors and maybe even separate physical locations in order to guarantee the isolation. But what if these separated environments share the same Active Directory environment? It's not hard to come up with ideas why this might seem like a good idea; however, it also provides an opportunity to exchange data over LDAP. After all, even in non-Windows environments LDAP is still used as a central node within the network. During this talk I will go into detail about the process of designing & building a stealth C2 LDAP channel, which makes communication between different strictly firewalled network segments possible.

Rindert Kramer

I started back in 2011 as a system administrator, but came to the conclusion that breaking infrastructures was more fun than actually maintaining them. Since breaking stuff is not particularly appreciated when you're a sysadmin, I joined Fox-IT to use my Windows and Active Directory background to break stuff, which resulted in tools such as Invoke-ACLPwn, Invoke-Credentialphisher and more.

