7MS #506: Tales of Pentest Pwnage - Part 32
7 Minute Security3 Helmi 2022

7MS #506: Tales of Pentest Pwnage - Part 32

Today's my favorite tale of pentest pwnage (again)! This time we're talking about sAMAccountName spoofing specifically. We also talk about my always-under-construction list of things I try early in a pentest for maximum pwnage:
  • Run PingCastle
  • Do the SharpHound/BloodHound dumps
  • Run the DHCP poisoning module of Responder
  • Check the ms-DS-MachineAccountQuota value in the domain - if its at the default (10), then any user can add machines to the domain.
Why is the ability to add machines to the domain important? Because in the case of the sAMAccountName spoofing, if you have a non-domain-joined machine like I do, you need the ability to add a computer object to the domain. Check the Pentestlab.blog article for more info, but essentially, if you have an unpatched domain controller and the ability to add computer objects to the domain, you can pull off the attack. The article goes into crazy good technical detail, and here's my not-so-technical explanation:

If I was on a pentest, and the DC was called 7MS-DC01, and I could join a machine to the domain (which as a reminder - ANY user can do if the machine quota value is at the default value of 10), I could rename that machine account to be 7MS-DC01 without the dollar sign, request a TGT for the domain controller's account, then restore the machine name back to what it was before. Now, because the TGT is stored in memory, we can use the S4U2self Kerberos extension to request a service ticket using a domain admin account. And because the original ticket belong to the 7MS-DC01 machine name which now doesn't exist, Kerberos will look for 7MS-DC01$ and will issue the ticket for the requested service.

I might've butchered that explanation mom, but I tried my best!

TLDL/TLDR: find and exploit these unpatched domain controllers with noPac. Enjoy!

Jaksot(695)

7MS #648: First Impressions of Level.io

7MS #648: First Impressions of Level.io

Hey friends, today I’m sharing my first (and non-sponsored) impressions of Level.io, a cool tool for managing Windows, Mac and Linux endpoints. It fits a nice little niche in our pentest dropbox deployments, it has an attractive price point and their support is fantastic.

1 Marras 202440min

7MS #647: How to Succeed in Business Without Really Crying – Part 19

7MS #647: How to Succeed in Business Without Really Crying – Part 19

Today we’re talkin’ business – specifically how to make your report delivery meetings calm, cool and collect (both for you and the client!).

25 Loka 202422min

7MS #646: Baby’s First Incident Response with Velociraptor

7MS #646: Baby’s First Incident Response with Velociraptor

Hey friends, today I’m putting my blue hat on and dipping my toes in incident response by way of playing with Velociraptor, a very cool (and free!) tool to find evil in your environment.  Perhaps even better than the price tag, Velociraptor runs as a single binary you can deploy to spin up a server and then request endpoints to “phone home” to you by way of GPO scheduled task.  The things I talk about in this episode and show in the YouTube stream are all based off of this awesome presentation from Eric Capuano, who also was kind enough to publish a handout to accompany the presentation.  And on a personal note, I wanted to share that Velociraptor has got me interested in jumping face first into some tough APT labs provided by XINTRA.  More to come on XINTRA’s offering, but so far I’m very impressed!

18 Loka 202416min

7MS #645: How to Succeed in Business Without Really Crying - Part 18

7MS #645: How to Succeed in Business Without Really Crying - Part 18

Today I do a short travelogue about my trip to Washington, geek out about some cool training I did with Velociraptor, ponder drowning myself in blue team knowledge with XINTRA LABS, and share some thoughts about the conference talk I gave called 7 Ways to Panic a Pentester.

14 Loka 202431min

7MS #644: Tales of Pentest Pwnage – Part 64

7MS #644: Tales of Pentest Pwnage – Part 64

Hey!  I’m speaking in Wanatchee, Washington next week at the NCESD conference about 7 ways to panic a pentester!  Today’s tale of pentest pwnage is a great reminder to enumerate, enumerate, enumerate!  It also emphases that cracking NETLM/NETNTLMv1 isn’t super easy to remember the steps for (at least for me) but this crack.sh article makes it a bit easier!

4 Loka 202441min

7MS #643: DIY Pentest Dropbox Tips – Part 11

7MS #643: DIY Pentest Dropbox Tips – Part 11

Today we continue where we left off in episode 641, but this time talking about how to automatically deploy and install a Ubuntu-based dropbox!  I also share some love for exegol as an all-in-one Active Directory pentesting platform.

27 Syys 202426min

7MS #642: Interview with Ron Cole of Immersive Labs

7MS #642: Interview with Ron Cole of Immersive Labs

Ron Cole of Immersive Labs joins us to talk pentest war stories, essential skills he learned while serving on a SOC, and the various pentest training and range platforms you can use to sharpen your security skills! Here are the links Ron shared during our discussion: VetSec Fortinet Veterans Program Immersive Labs Cyber Million FedVTE

23 Syys 202442min

7MS #641: DIY Pentest Dropbox Tips – Part 10

7MS #641: DIY Pentest Dropbox Tips – Part 10

Today we’re revisiting the fun world of automating pentest dropboxes using Proxmox, Ansible, Cursor and Level.  Plus, a tease about how all this talk about automation is getting us excited for a long-term project: creating a free/community edition of Light Pentest LITE training!

13 Syys 202427min

Suosittua kategoriassa Politiikka ja uutiset

rss-ootsa-kuullut-tasta
aikalisa
ootsa-kuullut-tasta-2
politiikan-puskaradio
rss-podme-livebox
rss-vaalirankkurit-podcast
otetaan-yhdet
linda-maria
the-ulkopolitist
et-sa-noin-voi-sanoo-esittaa
mita-koulussa-ei-opetettu
rss-hyvaa-huomenta-bryssel
rikosmyytit
rss-lets-talk-about-hair
rss-mina-ukkola
rss-fingo-podcast
rss-tyolinjalla-pekka-sauri
rss-raha-talous-ja-politiikka