7MS #423: Tales of Internal Pentest Pwnage - Part 18
7 Minute Security15 Heinä 2020

7MS #423: Tales of Internal Pentest Pwnage - Part 18

This is an especially fun tale of pentest pwnage because it involves D.D.A.D. (Double Domain Admin Dance) and varying T.T.D.A. (Time to Domain Admin). The key takeaways I want to share from these tests are as follows:

  • Responder.py -i eth0 -rPv is AWESOME. It can make the network rain hashes like manna from heaven!
  • Testing the egress firewall is easy with this script. Consider this SANS article for guidance on ports to lock down.
  • Testing for MS14-025 is easy with this site.
  • mitm6 and ntlmrelayx can work really well together to rain shells if you follow this article. It's especially handy/focused when you create a targets.txt that looks something like this:
smb://CORP\Administrator@192.168.195.2 smb://CORP\Administrator@192.168.195.3 smb://CORP\brian.admin@192.168.195.7 192.168.195.7 192.168.195.10

Then save that as your targets.txt and run ntlmrelayx with ./ntlmrelayx.py -tf /targets.txt -socks -smb2support. From there, once you get active socks connections, you can connect to them directly with a full interactive shell with something like proxychains smbclient //192.168.195.2/ -U CORP/brian.admin

  • I ran into a weird issue with CrackMapExec where the --local-auth flag didn't seem to be working so I ended up trying the binary version and then it worked like a champ!

  • Looking to dump lsass a "clean" way? Try RDPing in directly to the victim machine, opening up taskmgr.exe, click the Details tab, then right-click lsass.exe and choose Create dump file and bam, done.

  • Wanna spin up a quick SMB share from your Kali box? Try smbserver.py -smb2support share /share

  • Then, once you've pulled back the lsass.dmp file, you can rip through it easily with:

pip3 install pypykatz sudo pypykatz lsa minidump lsass.dmp > lsass.txt

Then comb through lsass.txt and hopefully there will be some delicious and nutritious DA creds there for you to much on!

Jaksot(683)

7MS #27: Backing Up with CrashPlan (audio)

7MS #27: Backing Up with CrashPlan (audio)

Hey, when it comes to backups…uh…you should have them! This is a NON-endorsed/sponsored episode about my personal favorite backup service called CrashPlan. Download: 7MS #27: Backing Up with Crashplan (audio)

20 Syys 20147min

7MS #26: The Importance of Training and Awareness (audio)

7MS #26: The Importance of Training and Awareness (audio)

Training and awareness – specifically as it relates to infosec – is something companies can’t spend enough $ on. But from my experience, not enough of them are making this a front-burner priority. This episode talks about one topic I’m particularly passionate about. I call it “How not to click on bad stuff.” Download: 7MS #26:…

13 Syys 20147min

7MS #25: Writing Better Pentest Reports (audio)

7MS #25: Writing Better Pentest Reports (audio)

This episode talks about some pointers, tools and tips towards writing better pentest reports. Download: 7MS #25: Writing Better Pentest Reports (audio)

23 Elo 20148min

7MS #24: Why Wireless Scares Me (audio)

7MS #24: Why Wireless Scares Me (audio)

This episode is all about why you should (probably not) use wireless hotspots, and keeping yourself safe in general when surfing the Web. Download: 7MS #24: Why Wireless Scares Me (audio)

16 Elo 20147min

7MS #23: OSCP – part 2 (audio)

7MS #23: OSCP – part 2 (audio)

In this episode I talk more about my adventures with OSCP and Offensive Security! . Download: 7MS #23: OSCP – part 2 (audio) Show notes: I recommend documenting ALL the exercises in the PDF. My understanding is that extra effort could be rewarded if you don’t do so hot on your final exam. Buffer overflows make…

9 Elo 20147min

7MS #22: Phishing with Black Squirrel (audio)

7MS #22: Phishing with Black Squirrel (audio)

In this episode I talk about using Black Squirrel to launch phishing campaigns! Download: 7MS #22: Phishing with Black Squirrel (audio) Show notes: Security Weekly is an excellent podcast/resource. Devour it regularly. Black Squirrel is the main tool discussed in this podcast. I’ve been using it for phishing campaigns and it’s been excellent in that capacity.

27 Heinä 20147min

7MS #21: OSCP – part 1 (audio)

7MS #21: OSCP – part 1 (audio)

In this episode I talk about my venture into Offensive Security! . Download: 7MS #21: OSCP – part 1 (audio) Show notes: It’s official – I have a death wish and have started the OSCP training. This episode is the first of what I hope will be a multi-part, spoiler-free series about my experience with OSCP. With…

20 Heinä 20147min

7MS #20: Moving from GoDaddy to DNSimple (audio)

7MS #20: Moving from GoDaddy to DNSimple (audio)

In this episode I talk about why I’m pulling my domains from GoDaddy, and making DNSimple their new home. Download: 7MS #20: Moving from GoDaddy to DNSimple (audio) Show notes: The service I’m talking about in this podcast is DNSimple. Troy Hunt‘s humorous/awesome article pushed me over the edge and convinced me to give DNSimple a…

15 Heinä 20147min

Suosittua kategoriassa Politiikka ja uutiset

rss-podme-livebox
ootsa-kuullut-tasta-2
aikalisa
et-sa-noin-voi-sanoo-esittaa
otetaan-yhdet
politiikan-puskaradio
rss-vaalirankkurit-podcast
aihe
rikosmyytit
the-ulkopolitist
rss-mina-ukkola
rss-tasta-on-kyse-ivan-puopolo-verkkouutiset
rss-hyvaa-huomenta-bryssel
rss-kyselytunti
linda-maria
rss-aijat-hopottaa-podcast
rss-kovin-paikka
rss-kaikki-paskaksi-ystavat
rss-tyolinjalla-pekka-sauri
rss-raha-talous-ja-politiikka