7MS #455: Tales of Internal Network Pentest Pwnage - Part 24

Hello! We're back with our pal Joe "The Machine" Skeen (a.k.a. Gh0sthax) who has prepared some awesome and actionable news stories for us to digest. Today's stories include: Hackers are trying to steal admin passwords from F5 devices Secret service reports increase in hacked MSPs Most Popular Home Routers Have ‘Critical’ Flaws "Sigred" DNS vulnerability in Microsoft DNS

22 Jul 202033min

This is an especially fun tale of pentest pwnage because it involves D.D.A.D. (Double Domain Admin Dance) and varying T.T.D.A. (Time to Domain Admin). The key takeaways I want to share from these tests are as follows: Responder.py -i eth0 -rPv is AWESOME. It can make the network rain hashes like manna from heaven! Testing the egress firewall is easy with this script. Consider this SANS article for guidance on ports to lock down. Testing for MS14-025 is easy with this site. mitm6 and ntlmrelayx can work really well together to rain shells if you follow this article. It's especially handy/focused when you create a targets.txt that looks something like this: smb://CORP\Administrator@192.168.195.2 smb://CORP\Administrator@192.168.195.3 smb://CORP\brian.admin@192.168.195.7 192.168.195.7 192.168.195.10 Then save that as your targets.txt and run ntlmrelayx with ./ntlmrelayx.py -tf /targets.txt -socks -smb2support. From there, once you get active socks connections, you can connect to them directly with a full interactive shell with something like proxychains smbclient //192.168.195.2/ -U CORP/brian.admin I ran into a weird issue with CrackMapExec where the --local-auth flag didn't seem to be working so I ended up trying the binary version and then it worked like a champ! Looking to dump lsass a "clean" way? Try RDPing in directly to the victim machine, opening up taskmgr.exe, click the Details tab, then right-click lsass.exe and choose Create dump file and bam, done. Wanna spin up a quick SMB share from your Kali box? Try smbserver.py -smb2support share /share Then, once you've pulled back the lsass.dmp file, you can rip through it easily with: pip3 install pypykatz sudo pypykatz lsa minidump lsass.dmp > lsass.txt Then comb through lsass.txt and hopefully there will be some delicious and nutritious DA creds there for you to much on!

15 Jul 202059min

SafePass.me is the only enterprise solution to protect organizations against credential stuffing and password spraying attacks. Visit [safepass.me](https://safepass.me/?7ms422 for more details, and tell them 7 Minute Security sent you to get a 10% discount! Today's episode continues the work we started in episode #419. We talk about the importance of having a good foundation of security documentation - including a reading out of the following policies: Acceptable use Data protection and privacy

10 Jul 202042min

Today my pal Gh0sthax and I pick apart the Verizon Data Breach Investigations Report and help you turn it into actionable items so you can better defend your network! I'm especially excited because today's episode marks two important 7MS firsts: The episode has been crafted by a professional podcast producer The episode has been transcribed by a professional transcription service

1 Jul 202036min

Today's episode is a fun tale of pentest pwnage! Interestingly, to me this pentest had a ton of time-sponging issues on the front end, but the TTDA (Time to Domain Admin) was maybe my fastest ever. I had to actually roll a fresh Kali VM to upload to the customer site, and I learned (the hard way) to make that VM disk as lean as possible. I got away with a 15 gig drive, and the OS+tools+updates took up about 12 gig. One of the biggest lessons I learned from this experience is to make sure that not only is your Kali box updated before you take it to a customer site (see this script), but you should make sure you install all the tool dependencies beforehand as well (specifically, Eyewitness, Impacket and MITM6). This pentest was also extremely time-boxed, so I tried to get as much bang out of it as possible. This included: Capturing hashes with Responder Checking for "Kerberoastable" accounts (GetUserSPNs.py -request -dc-ip x.x.x.x domain/user) Check for MS14-025 (see this article) Check for MS17-010 (nmap -Pn -p445 --open --max-hostgroup 3 --script smb-vuln-ms17-010 192.168.0.0/24 -oA vulnerable-2-eblue) and try this method of exploiting it Check for DNS zone transfer (dnsrecon -d name.of.fqdn -t axf) Test for egress filtering of ports 1-1024 Took a backup of AD "the Microsoft way" and then cracked with secretsdump: sudo python ./secretsdump.py -ntds /loot/Active\ Directory/ntds.dit -system /loot/registry/SYSTEM -hashes lmhash:nthash LOCAL -outputfile /loot/ad-pw-dump

26 Jun 202044min

Today we're talking about eating the security dog food! What do I mean by that? Well, a lot of security companies I worked for in the past preached to clients about the importance of having a good security program, but didn't have one of their own! I'm trying to break that pattern now that I'm in a position to lead an information security program for 7MS. In today's episode we talk about getting your company started with a good set of infosec policies/procedures. First up is a "mothership" infosec policy with the following sub-policies inside it: Acceptable Use Data Protection and Privacy Physical Security Tools and Technology Training and Awareness Reporting Oh, and the song I jazz/scat/sang coming out of the jingle was If I Were a Dog

17 Jun 202040min

SafePass.me is the only enterprise solution to protect organizations against credential stuffing and password spraying attacks. Visit safepass.me for more details, and tell them 7 Minute Security sent you to get a 10% discount! Today's episode is all about mental health! I talk about some of my challenges with stress/anxiety and how I finally put on my big boy pants, dropped some misconceptions and decided to do something about it. Additionally, this episode contains references to: Jon Secada Arsenio Hall Lone Wolf McQuade

11 Jun 202044min

Today's episode is all about getting the most value out of your vulnerability scans, including: Why, IMHO you should only do credentialed scans Policy tweaks that will keep servers from tipping over and printers from printing novels of gibberish ;-) How to make your scan report more actionable and less unruly Turning up logging to 11 (use with caution!) A small tweak to an external scan policy that can result in the difference between a successful or failed scan The nessusd.rules file is awesome for excluding specific hosts and services from your scans

4 Jun 202043min