7MS #405: Tales of Internal Pentest Pwnage - Part 16

This podcast is sponsored by Arctic Wolf, whose Concierge Security teams Monitor, Detect and Respond to Cyber threats 24/7 for thousands of customers around the world. Arctic Wolf. Redefining cybersecurity. Visit Arcticwolf.com/7MS to learn more.

Today's episode of pentest pwnage is the (hopefully) exciting conclusion to this episode. Last we left this pentest, we ran into some excellent blue team defenses, including:

• MFA on internal servers (which we bypassed)
• Strong passwords
• Limited vulnerable protocols (LLMNR/Netbios/etc) available to abuse for cred-capturing
• Servers that were heavily firewalled off from talking SMB to just any ol' subnet nor the Interwebs (here's a great video on how to fine-tune your software firewall chops)

In today's episode we talk about:

• How maybe it's not a good idea to make computer go completely "shields down" during pentests

• Being careful not to fat-finger anything when you spawn cmd.exe with creds, like

runas /netonly /user:samplecompany\billybob "C:\windows\system32\cmd.exe"

• Being careful not to fat-finger anything when using CrackMapExec

• How fundamental and really effective blue team controls (such as the ones mentioned above) can really make pentesting a headache!

• How you should be careful when spawning shells with MultiRelay (part of Responder is it creates new services on your victim machine

Has the 7MS podcast helped you in your IT and security career? Please consider supporting us!