7MS #432: Tales of Internal Network Pentest Pwnage - Part 21

7MS #432: Tales of Internal Network Pentest Pwnage - Part 21

Yay! It's time for another tale of pentest pwnage! Highlights include:

  • Making sure you take multiple rounds of "dumps" to get all the delicious local admin creds.

  • Why lsassy is my new best friend.

  • I gave a try to using a Ubuntu box instead of Kali as my attacking system for this test. I had pretty good results. Here's my script to quickly give Ubuntu a Kali-like flair:

sudo apt-get update sudo apt-get upgrade -y sudo apt-get install openssh-server -y sudo apt-get install nmap curl dnsrecon git net-tools open-vm-tools-desktop python3.8 python3-pip unzip wget xsltproc -y #Aha helps take output from testssl.sh and make it nice and HTML-y sudo git clone https://github.com/theZiz/aha.git /opt/aha #Awesome-nmap-grep makes it easy to grep nmap exports for just the data you need! sudo git clone https://github.com/leonjza/awesome-nmap-grep.git /opt/awesome-nmap-grep #bpatty is...well...bpatty! sudo git clone https://github.com/braimee/bpatty.git /opt/bpatty #CrackMapExec is...awesome sudo mkdir /opt/cme cd /opt/cme sudo curl https://github.com/byt3bl33d3r/CrackMapExec/releases/download/v5.1.0dev/cme-ubuntu-latest.1.zip -L -o cme.zip sudo unzip cme.zip sudo chmod +x ./cme #eyewitness is a nice recon tool for putting some great visualization behind nmap scans sudo git clone https://github.com/FortyNorthSecurity/EyeWitness.git /opt/eyewitness cd /opt/eyewitness/Python/setup sudo ./setup.sh #impacket is "a collection of Python classes for working with network protocols" #I currently primarily use it for ntlmrelayx.py sudo git clone https://github.com/CoreSecurity/impacket.git /opt/impacket cd /opt/impacket sudo pip3 install . #mitm6 is a way to tinker with ip6 and get around some ip4-level protections sudo git clone https://github.com/fox-it/mitm6.git /opt/mitm6 cd /opt/mitm6 sudo pip3 install -r requirements.txt # install service-identity sudo pip3 install service-identity # lsassy sudo python3 -m pip install lsassy #nmap-bootstrap-xsl turns nmap scan output into pretty HTML sudo git clone https://github.com/honze-net/nmap-bootstrap-xsl.git /opt/nmap-bootstrap-xsl #netcreds "Sniffs sensitive data from interface or pcap" sudo git clone https://github.com/DanMcInerney/net-creds /opt/netcreds #PCCredz parses pcaps for sensitive data sudo git clone https://github.com/lgandx/PCredz /opt/pcredz #Powersploit is "a collection of Microsoft PowerShell modules that can be used to aid penetration testers during all phases of an assessment" sudo git clone https://github.com/PowerShellMafia/PowerSploit.git /opt/powersploit #PowerupSQL is a tool for discovering, enumerating and potentially pwning SQL servers! sudo git clone https://github.com/NetSPI/PowerUpSQL.git /opt/powerupsql #responder is awesome for LLMNR, NBT-NS and MDNS poisoning sudo git clone https://github.com/lgandx/Responder.git /opt/responder

Avsnitt(684)

7MS #532: Tales of Pentest Pwnage - Part 39

7MS #532: Tales of Pentest Pwnage - Part 39

Hey friends, wow...we're up to thirty-nine episodes of pwnage? Should we make a cake when we hit the big 4-0?! Anyway, today's TLDL is this: If you get a nagging suspicion about something you find during enumeration, make sure to either come back to it later, or exhaust the path right away so you don't miss something! Because I did :-/ A tip that's been helping me speed along my use of CrackMapExec and other tools is by using Kerberos authentication. You can grab a ticket for your test AD account by using Impacket like so: gettgt.py victim.domain/LowPrivUser export KRB5CCNAME=LowPrivUser.ccache Then in most tools you can pass the cred by doing something like: crackmapexec smb DC01 -k In my enumeration of this network, I used Certipy to find potential attack paths against Active Directory Certificate Services. Something cool I learned is that Certipy will spit out both a text and json dump so you can import into BloodHound and then pair that data with their custom queries json file for beautiful visual potential pwnage! I ran into an issue where my certificate shenanigans resulted in an KDC_ERR_PADATA_TYPE_NOSUPP. I originally gave up on this attack path, only to learn about this awesome PassTheCert tool from this rad blog post! After initially being hesitant to use a tool I'd never heard of, I raised a GitHub issue to calm my nerves and, shortly after, found myself doing a domain admin dance. Oh, and although I didn't use it on this specific pentest, coercer is an awesome tool that helps you, ya know, coerce things!

5 Aug 202254min

7MS #531: Interview with Christopher Fielder and Eugene Grant of Arctic Wolf

7MS #531: Interview with Christopher Fielder and Eugene Grant of Arctic Wolf

Today we're joined by some of our friends at Arctic Wolf - Eugene Grant and Christopher Fielder - to talk about compliance. Now hold on - don't leave yet! I know for many folks, compliance makes them want to bleach their eyeballs. But compliance is super important - especially because it is not the same as being secure. So we discuss the differences between security and compliance, and practical work we can do to actually be more compliant and secure, including: Knowing what you have (assets, installed software, etc.) - Rumble is a cheap/free way to find out! Creating core policies and procedures that you will actually follow Learning about security frameworks that will help you build a security program from scratch Preparing for your first (or next) pentest. Tools like PingCastle and BloodHound can help find hacker low-hanging fruit! Knowing where your crown jewels are - be that data, a database, a key system, etc. Writing critical documentation - especially backup/restore procedures. Forming a security "dream team" to help drive your program Asking the right security maturity questions at your next job interview (so you don't get hired into a dumpster fire!) P.S. this is Christopher's sixth time on the program. Be sure to check out his first, second, third, fourth and fifth interviews with 7MS.

1 Aug 202257min

7MS #530: Tales of Pentest Pwnage - Part 38

7MS #530: Tales of Pentest Pwnage - Part 38

Hey friends, we have another fun tale of pwnage for you today. I loved this one because I got to learn some new tools I hadn't used before, such as: Get-InternalSubnets.ps1 - for getting internal subnets Adalanche for grabbing Active Directory info (similar to SharpHound) This tool worked well for me with this syntax: adalanche-windows-x64-v2022.5.19.exe collect activedirectory --domain victim.domain --port=389 --tlsmode=NoTLS Copernic Desktop Search for pillaging through shares with Google-like search capabilities! PowerHuntShares is my new favorite tool for enumerating network shares and associated permissions! CeWL for creating awesome wordlists to crack with! I don't have a Toyota TRD Pro, but I can't stop watching this reel.

22 Juli 202247min

7MS #529: Interview with Matthew Warner of Blumira

7MS #529: Interview with Matthew Warner of Blumira

Today we're featuring a great interview with Matthew Warner, CTO and co-founder of Blumira. You might remember Matt from such podcasts as this one) when Matt gave us a fountain of info on why out-of-the-box Windows logging isn't awesome, and how to get it turned up to 11! Today, we talk about a cool report that Blumira put out called 2022 Blumira's State of Detection & Response, and dive into some interesting topics within it, including: How do companies like Blumira (who we rely on to stay on top of threats) keep their teams on top of threats? Why open source detections are a great starting point - but not a magic bullet Consider this "what if" - a C2 beacon lands on your prod file server in the middle of the work day. Do you take it down during a busy time to save/clean the box as much as possible? Or do you hope to be able to wait until the weekend and triage it on a weekend? Why annoying traffic/alerts are still worth having a conversation about. For example, if you RDP out of your environment and into Azure, that might be fine. But what about when you see an RDP connection going out to a Digital Ocean droplet? Should you care? Well, do you use Digital Ocean for legit biz purposes? Data exfiltration - where does it sit on your priority list? How hard is it to monitor/block? Common lateral movement tools/techniques Why honeypots rule!

15 Juli 20221h 13min

7MS #528: Securing Your Family During and After a Disaster - Part 6

7MS #528: Securing Your Family During and After a Disaster - Part 6

In today's episode, I try to get us thinking about our extended family's emergency/DR plan. Why? Because I recently had a close family member suffer a health scare, and it brought to light some questions we didn't have all the answers for: Do we have creds to log onto his computer? How about his email accounts? Do we have usernames/passwords for retirement accounts, bank accounts, etc.? For vehicles/ATVs/boats/etc. - do we have documentation about their service records? How about titles? Can we get into his phone to get key info off of text messages and grab phone #s of key contacts? What are his wishes if he were to pass? Do not resuscitate? How is the money getting handled? Cremation vs. burial? Do we have redundancy in this plan, or is it all on paper in a file somewhere?

8 Juli 202240min

7MS #527: First Impressions of Purple Knight

7MS #527: First Impressions of Purple Knight

In today's episode we talk about Purple Knight, a free tool to help assess your organization's Active Directory security. I stuck Purple Knight in our Light Pentest LITE pentest training lab and did an informal compare-and-contrast of its detection capabilities versus PingCastle, which we talked about in depth in episode #489.

1 Juli 202252min

7MS #526: Tales of Pentest Pwnage - Part 37

7MS #526: Tales of Pentest Pwnage - Part 37

Today's another fun tale of pentest pwnage - specifically focused on cracking a hash type I'd never paid much attention to before: cached domain credentials. I also learned that you can at least partially protect against this type of hash being captured by checking out this article, which has you set the following setting in GPO: Under Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options set Interactive logon: Number of previous logons to cache to 0. Be careful, as you will have login problems if a domain controller is not immediately accessible! In regards to defending against secretsdump, this article I found this article to be super interesting.

24 Juni 202234min

7MS #525: First Impressions of InsightIDR - Part 2

7MS #525: First Impressions of InsightIDR - Part 2

Today we're sharing an updates to episode #512 where we ran Rapid7's InsightIDR through a bunch of attacks: Active Directory enumeration via SharpHound Password spraying through Rubeus Kerberoasting and ASREPRoasting via Rubeus Network protocol poisoning with Inveigh. Looking for a free way to detect protocol poisoning? Check out CanaryPi. Hash dumping using Impacket. I also talk about an interesting Twitter thread that discusses the detection of hash dumping. Pass-the-hash attacks with CrackMapExec In today's episode I share some emails and conversations we had with Rapid7 about these tests and their results. I'm also thrilled to share with you the articles themselves: Getting Started with Rapid7 InsightIDR: A SIEM Tutorial Testing & Evaluating SIEM Systems: A Review of Rapid7 InsightIDR

17 Juni 202233min

Populärt inom Politik & nyheter

p3-krim
svd-dokumentara-berattelser-2
rss-krimstad
flashback-forever
rss-viva-fotboll
aftonbladet-daily
olyckan-inifran
rss-sanning-konsekvens
rss-vad-fan-hande
svenska-fall
krimmagasinet
rss-expressen-dok
motiv
fordomspodden
svd-nyhetsartiklar
dagens-eko
rss-frandfors-horna
blenda-2
spar
spotlight