7MS #423: Tales of Internal Pentest Pwnage - Part 18

Hey!  I’m speaking in Wanatchee, Washington next week at the NCESD conference about 7 ways to panic a pentester!  Today’s tale of pentest pwnage is a great reminder to enumerate, enumerate, enumerate!  It also emphases that cracking NETLM/NETNTLMv1 isn’t super easy to remember the steps for (at least for me) but this crack.sh article makes it a bit easier!

4 Okt 202441min

Today we continue where we left off in episode 641, but this time talking about how to automatically deploy and install a Ubuntu-based dropbox!  I also share some love for exegol as an all-in-one Active Directory pentesting platform.

27 Sep 202426min

Ron Cole of Immersive Labs joins us to talk pentest war stories, essential skills he learned while serving on a SOC, and the various pentest training and range platforms you can use to sharpen your security skills! Here are the links Ron shared during our discussion: VetSec Fortinet Veterans Program Immersive Labs Cyber Million FedVTE

23 Sep 202442min

Today we’re revisiting the fun world of automating pentest dropboxes using Proxmox, Ansible, Cursor and Level.  Plus, a tease about how all this talk about automation is getting us excited for a long-term project: creating a free/community edition of Light Pentest LITE training!

13 Sep 202427min

This was my favorite pentest tale of pwnage to date!  There’s a lot to cover in this episode so I’m going to try and bullet out the TLDR version here: Sprinkled farmer files around the environment Found high-priv boxes with WebClient enabled Added “ghost” machine to the Active Directory (we’ll call it GHOSTY) RBCD attack to be able to impersonate a domain admin using the CIFS/SMB service against the victim system where some higher-priv users were sitting Use net.py to add myself to local admin on the victim host Find a vulnerable service to hijack and have run an evil, TGT-gathering Rubeus.exe – found that Credential Guard was cramping my style! Pulled the TGT from a host not protected with Credential Guard Figured out the stolen user’s account has some “write” privileges to a domain controller Use rbcd.py to delegate from GHOSTY and to the domain controller Request a TGT for GHOSTY Use getST.py to impersonate CIFS using a domain admin account on the domain controller (important thing here was to specify the DC by its FQDN, not just hostname) Final move: use the domain admin ccache file to leverage net.py and add myself to the Active Directory Administrators group

7 Sep 202443min

Today’s tale of pentest pwnage talks about the dark powers of the net.py script from impacket.

3 Sep 20247min

Today we’re talking pentesting – specifically some mini gems that can help you escalate local/domain/SQL privileges: Check the C: drive! If you get local admin and the system itself looks boring, check root of C – might have some interesting scripts or folders with tools that have creds in them. Also look at Look at Get-ScheduledTasks Find ids and passwords easily in Snaffler output with this Snaffler cleaner script There’s a ton of gold to (potentially) be found in SQL servers – check out my notes on using PowerUpSQL to find misconfigs and agent jobs you might able to abuse!

23 Aug 202432min

Hello friends, I’m excited to release BPATTY[RELOADED] into the world at https://bpatty.rocks! – which stands for Brian’s Pentesting and Technical Tips for You! It’s a knowledge base of IT and security bits that help me do a better job doing security stuff! Today I do an ACTUAL 7-minute episode (GASP…what a concept!) covering my favorite bits on the site so far. Enjoy!

17 Aug 20247min