7MS #506: Tales of Pentest Pwnage - Part 32
7 Minute Security3 Helmi 2022

7MS #506: Tales of Pentest Pwnage - Part 32

Today's my favorite tale of pentest pwnage (again)! This time we're talking about sAMAccountName spoofing specifically. We also talk about my always-under-construction list of things I try early in a pentest for maximum pwnage:
  • Run PingCastle
  • Do the SharpHound/BloodHound dumps
  • Run the DHCP poisoning module of Responder
  • Check the ms-DS-MachineAccountQuota value in the domain - if its at the default (10), then any user can add machines to the domain.
Why is the ability to add machines to the domain important? Because in the case of the sAMAccountName spoofing, if you have a non-domain-joined machine like I do, you need the ability to add a computer object to the domain. Check the Pentestlab.blog article for more info, but essentially, if you have an unpatched domain controller and the ability to add computer objects to the domain, you can pull off the attack. The article goes into crazy good technical detail, and here's my not-so-technical explanation:

If I was on a pentest, and the DC was called 7MS-DC01, and I could join a machine to the domain (which as a reminder - ANY user can do if the machine quota value is at the default value of 10), I could rename that machine account to be 7MS-DC01 without the dollar sign, request a TGT for the domain controller's account, then restore the machine name back to what it was before. Now, because the TGT is stored in memory, we can use the S4U2self Kerberos extension to request a service ticket using a domain admin account. And because the original ticket belong to the 7MS-DC01 machine name which now doesn't exist, Kerberos will look for 7MS-DC01$ and will issue the ticket for the requested service.

I might've butchered that explanation mom, but I tried my best!

TLDL/TLDR: find and exploit these unpatched domain controllers with noPac. Enjoy!

Jaksot(695)

7MS #31: Network Detective (audio)

7MS #31: Network Detective (audio)

Network Detective is a tool we’ve been using as kind of an addendum to our full security assessment. It gives some nice, plain-English Excel spreadsheets and Word docs that report on AD health and structure, PC inventory and open ports, AV clients that aren’t working right, and a whole lot more. Download: 7MS #31: Network Detective…

25 Loka 20147min

7MS #30: Managing Privileged Accounts (audio)

7MS #30: Managing Privileged Accounts (audio)

Most organizations I talk to have no idea where their privileged accounts are used across the network. I recently saw a demo of a solution called CyberArk, which seems to address that problem. Download: 7MS #30: Managing Privileged Accounts (audio)

18 Loka 20147min

7MS #29: Follow Up Then (audio)

7MS #29: Follow Up Then (audio)

This isn’t necessarily related to security, but it’s about one of my favorite tools to keep my todos organized: FollowUp Then! Download: 7MS #29: Follow Up Then (audio)

11 Loka 20147min

7MS #28: Infosec for Kids? (audio)

7MS #28: Infosec for Kids? (audio)

This is more of a random, wondering aloud type of episode as I think about raising my kids with infosec in mind. Specifically, what’s life going to be like for them growing up in an Internet-soaked world where there are constantly text/video/photos of them going online – to stay forever? Download: 7MS #28: Infosec for Kids?…

27 Syys 20147min

7MS #27: Backing Up with CrashPlan (audio)

7MS #27: Backing Up with CrashPlan (audio)

Hey, when it comes to backups…uh…you should have them! This is a NON-endorsed/sponsored episode about my personal favorite backup service called CrashPlan. Download: 7MS #27: Backing Up with Crashplan (audio)

20 Syys 20147min

7MS #26: The Importance of Training and Awareness (audio)

7MS #26: The Importance of Training and Awareness (audio)

Training and awareness – specifically as it relates to infosec – is something companies can’t spend enough $ on. But from my experience, not enough of them are making this a front-burner priority. This episode talks about one topic I’m particularly passionate about. I call it “How not to click on bad stuff.” Download: 7MS #26:…

13 Syys 20147min

7MS #25: Writing Better Pentest Reports (audio)

7MS #25: Writing Better Pentest Reports (audio)

This episode talks about some pointers, tools and tips towards writing better pentest reports. Download: 7MS #25: Writing Better Pentest Reports (audio)

23 Elo 20148min

7MS #24: Why Wireless Scares Me (audio)

7MS #24: Why Wireless Scares Me (audio)

This episode is all about why you should (probably not) use wireless hotspots, and keeping yourself safe in general when surfing the Web. Download: 7MS #24: Why Wireless Scares Me (audio)

16 Elo 20147min

Suosittua kategoriassa Politiikka ja uutiset

rss-ootsa-kuullut-tasta
aikalisa
ootsa-kuullut-tasta-2
politiikan-puskaradio
rss-podme-livebox
rss-vaalirankkurit-podcast
otetaan-yhdet
linda-maria
the-ulkopolitist
et-sa-noin-voi-sanoo-esittaa
mita-koulussa-ei-opetettu
rss-hyvaa-huomenta-bryssel
rikosmyytit
rss-lets-talk-about-hair
rss-kovin-paikka
rss-fingo-podcast
rss-tyolinjalla-pekka-sauri
rss-raha-talous-ja-politiikka