NEBULA IN THE WILD
How a Real Engagement Runs
Real Breachline engagements — how Nebula tested, the surfaces it covered, and the outcome. Client details are fully anonymised: no names, sectors, domains, IPs, or data.
What the client needed and where their tooling fell short.
The methodology and, where relevant, the proven exploit chain.
The surfaces and categories tested, end to end.
Full-Spectrum Assessment — External, Web & Internal
We were asked to test a UK enterprise end to end: their public website, their external footprint, and a sizeable internal Windows and Linux estate running Active Directory. Nebula ran the whole engagement on its own and came back with more than 100 issues — every one backed by evidence.
The Challenge
Like a lot of fast-growing businesses, they'd outgrown their tooling. Scanners covered the obvious external surface, but nobody had taken a proper look at the internal network or Active Directory in a while. They didn't want another wall of CVSS numbers — they wanted to know what a real attacker could actually do, and what to fix first.
What Nebula Did
Nebula went in black-box, with no inside knowledge, and worked across all three fronts at once. It mapped the attack surface, picked the right specialist for each job, ran real offensive tooling in a throwaway sandbox, and stitched individual weaknesses into full attack paths. Nothing destructive — and every finding came with the proof to back it up.
Mapped the public footprint, exposed services, and edge configuration from the outside in — zero prior knowledge.
Authenticated and unauthenticated testing of the customer portal — auth, access control, injection, and business logic.
Assessed the internal Windows/Linux estate and AD — access, identity, segmentation, and privilege paths.
Every finding validated with a real, non-destructive proof in a sandbox, scored with CVSS 4.0, and mapped to remediation.
Proof — Full Domain Takeover (Confirmed, Executed)
From a single low-privileged account — no admin rights — Nebula chained six real weaknesses into full Active Directory compromise, executed live and non-destructively on production.
Started from a single low-privileged domain account on an internal segment — no administrative rights at the outset.
An unauthenticated SMB null session on a domain controller returned the full domain user list — hundreds of accounts, with descriptions that flagged the privileged ones.
DFSCoerce (MS-DFSNM) forced the domain controller’s machine account to authenticate to an attacker host; Responder captured its NetNTLMv1.
The NetNTLMv1 response (static challenge) was cracked to recover the domain controller’s machine-account NT hash.
Pass-the-hash as the DC machine account ran a DCSync that pulled every domain account hash, including krbtgt — all reached from the low-privileged start.
A Golden Ticket forged offline from the krbtgt AES256 key (unrotated ~10 years) was validated live against the production domain controller — full ADMIN$/C$/SYSVOL access — then deleted per cleanup rules.
Executed live on production (2026-05-14) from a single low-privileged account — no admin credentials at the start. The coercion → hash-recovery → pass-the-hash DCSync chain ran in about a minute (~15:00 BST); the Golden Ticket was forged and validated live against the production domain controller (11:12 BST), then deleted with no persistent artefacts. All identifiers (domain, hosts, IPs, accounts) are masked.
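Defender-side detection logic for the weak points this chain relied on: NTLM V1 negotiation in logon events, a DC machine account authenticating from a non-DC address (the pass-the-hash step), replication rights requested outside normal DC-to-DC replication (DCSync), and an unrotated krbtgt key. This is an added example, not Breachline's or Nebula's code; the DC inventory, addresses, account names, and log events are constructed.

```python
from datetime import datetime, timedelta

# Control-access-right GUIDs that appear in Event 4662 when directory replication is requested.
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
}
# Assumed inventory (constructed): domain-controller machine accounts and their addresses.
DC_ACCOUNTS = {"DC01$", "DC02$"}
DC_IPS = {"10.0.0.10", "10.0.0.11"}

def ntlmv1_logons(events):
    """Event 4624 logons that negotiated NTLM V1 (LmPackageName). Machine accounts ($) rank
    highest: the response captured and cracked in the chain belonged to a DC machine account."""
    return [(e["TargetUserName"], e["IpAddress"], "high" if e["TargetUserName"].endswith("$") else "medium")
            for e in events if e["EventID"] == 4624 and e.get("LmPackageName") == "NTLM V1"]

def rogue_dc_logons(events):
    """Event 4624 where a DC machine account logs on from a non-DC address: the footprint
    of pass-the-hash with a recovered machine-account NT hash."""
    return {e["TargetUserName"] for e in events if e["EventID"] == 4624
            and e["TargetUserName"] in DC_ACCOUNTS and e["IpAddress"] not in DC_IPS}

def dcsync_attempts(events):
    """Event 4662 requesting replication rights from a non-DC account, or from a DC account
    that also appears in rogue_dc_logons (normal DC-to-DC replication is left alone)."""
    suspect = rogue_dc_logons(events)
    hits = []
    for e in events:
        if e["EventID"] != 4662:
            continue
        rights = {g.strip("{}").lower() for g in e.get("Properties", "").split()}  # whitespace-separated GUIDs
        who = e["SubjectUserName"]
        if rights & REPLICATION_GUIDS and (who not in DC_ACCOUNTS or who in suspect):
            hits.append(who)
    return hits

def krbtgt_overdue(pwd_last_set_iso, now_iso, max_age_days=180):
    """krbtgt key older than policy allows; the engagement found one unrotated for ~10 years."""
    age = datetime.fromisoformat(now_iso) - datetime.fromisoformat(pwd_last_set_iso)
    return age > timedelta(days=max_age_days)

# Constructed sample events using the Security-log field names they mirror.
SAMPLE_EVENTS = [
    {"EventID": 4624, "TargetUserName": "jsmith", "IpAddress": "10.0.5.21", "LmPackageName": "NTLM V2"},
    {"EventID": 4624, "TargetUserName": "FILE01$", "IpAddress": "10.0.5.40", "LmPackageName": "NTLM V1"},
    {"EventID": 4624, "TargetUserName": "DC01$", "IpAddress": "10.0.5.99", "LmPackageName": "NTLM V2"},
    {"EventID": 4662, "SubjectUserName": "DC02$", "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "DC01$", "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
]
```

The DC02$ replication event is deliberately left unflagged: a DC replicating from a known DC address is the normal case, and the rule only fires when the subject is not a DC or has already logged on from somewhere it should not.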
Areas Covered
Authentication, access control, injection, and multi-step business-logic testing.
Anonymous access, coercion surfaces, account hygiene, and privilege paths.
Open ports, cleartext protocols, unauthenticated data stores, and management interfaces.
Over-permissive files and logs containing sensitive operational data.
Password policy, end-of-life software, security headers, and misconfiguration.
Edge/WAF bypass exposure, header gaps, and information disclosure.
The full engagement produced 100+ findings with reproducible proof-of-concept steps, CVSS 4.0 scoring, and remediation mapped to OWASP, PCI-DSS, ISO 27001, and NIST — delivered as a board- and auditor-ready report.
See What Nebula Finds in Your Infrastructure
Nebula starts with zero knowledge and attacks from the outside in — across web, mobile, cloud, APIs, internal networks, and infrastructure. Every finding is real, exploitable, and proven.