7MS #455: Tales of Internal Network Pentest Pwnage - Part 24

Hey everybody! Sorry that we're late again with today's episode, but I got COVID shot #2 and it kicked my behind BIG TIME today. But I'm vertical today and back amongst the living and thrilled to be sharing with you another tale of pentest pwnage! Yeah! This might be my favorite tale yet because:

  • I got to use some of my new CRTP skills!

  • Make sure on your pentests that you're looking for "roastable" users. Harmj0y has a great article on this, but the TLDR is make sure you run PowerView with the -PreauthNotRequired flag to hunt for these users:

    Get-DomainUser -PreauthNotRequired

  • Check for misconfigured LAPS installs with Get-LAPSPasswords!

  • The combination of mitm6.py -i eth0 -d company.local --no-ra --ignore-nofqdn +
    ntlmrelayx -t ldaps://domain.controller.ip.address -wh attacker-wpad --delegate-access is reeeeeealllllyyyyyyy awesome and effective!

  • When you are doing the --delegate-access trick, don't ignore (like I did for years) if you get administrative impersonation access on a regular workstation. You can still abuse it by impersonating an admin, then run secretsdump or pilfer the machine for additional goodies!

  • SharpShares is a cool way to find shares your account has access to.

  • I didn't get to use it on this engagement, but Chisel looks to be a rad way to tunnel information.

  • Once you've dumped all the domain hashes with secretsdump, don't forget (like me) that you can do some nice Mimikatz'ing to leverage those hashes! For example:

sekurlsa::pth /user:administrator /ntlm:hash-of-the-administrator-user /domain:yourdomain.com

Do that and bam! a new command prompt opens with administrator privileges! Keep in mind though, if you do a whoami you will still be SOMEWORKSTATION\joeblo, but you can do something like psexec \\VICTIM-SERVER cmd.exe and then do a whoami and then POW! - you're running as domain admin!

  • Once you've got domain admin access, why not run Get-LAPSPasswords again to get all the local admin passwords across the whole enterprise? Or you can do get-netcomputer VICTIM-SERVER and look for the ms-Mcs-AdmPwd value - which is the LAPS password! Whooee!!! That's fun!

  • Armed with all the local admin passwords, I was able to run net use Q: \\VICTIM-SERVER\C$ /user:Administrator LAPS-PASSWORD to hook a network drive to that share. You can also do net view \\VICTIM-SERVER\ to see all the shares you can hook to. And that gave me all the info I needed to find the company's crown jewels :-)
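
A defender-side check for the "roastable" users and --delegate-access items above, as an added example that is not from the podcast or its show notes: it parses an LDIF export of AD objects and flags accounts with Kerberos preauthentication disabled, plus objects that carry a resource-based constrained delegation entry (the attribute --delegate-access writes). The sample records, account names and function names are constructed for illustration.

```python
UF_ACCOUNTDISABLE = 0x2
UF_DONT_REQUIRE_PREAUTH = 0x400000  # "Do not require Kerberos preauthentication"
RBCD_ATTR = "msds-allowedtoactonbehalfofotheridentity"
# Constructed sample export; every name and value below is made up.
SAMPLE_LDIF = """\
dn: CN=Joe Blo,OU=Staff,DC=company,DC=local
sAMAccountName: joeblo
userAccountControl: 512

dn: CN=svc-scan,OU=Service,DC=company,DC=local
sAMAccountName: svc-scan
userAccountControl: 4194816

dn: CN=old-temp,OU=Staff,DC=company,DC=local
sAMAccountName: old-temp
userAccountControl: 4194818

dn: CN=WS042,OU=Workstations,DC=company,DC=local
sAMAccountName: WS042$
userAccountControl: 4096
msDS-AllowedToActOnBehalfOfOtherIdentity:: AQAEgA==
"""

def parse_ldif(text):
    """Split an LDIF export into dicts with lower-cased attribute names."""
    entries = []
    for record in text.strip().split("\n\n"):
        entry = {}
        for line in record.splitlines():
            name, sep, value = line.partition(":")
            if sep and not line.startswith((" ", "#")):  # skip folded lines, comments
                entry[name.strip().lower()] = value.lstrip(":").strip()
        entries.append(entry)
    return entries

def audit(entries):
    """Return (account, finding) pairs for preauth-disabled and RBCD-configured objects."""
    findings = []
    for e in entries:
        uac = int(e.get("useraccountcontrol", "0"))
        name = e.get("samaccountname", e.get("dn", "?"))
        if uac & UF_DONT_REQUIRE_PREAUTH:
            state = "disabled" if uac & UF_ACCOUNTDISABLE else "enabled"
            findings.append((name, f"preauth not required ({state})"))
        if e.get(RBCD_ATTR):
            findings.append((name, "resource-based constrained delegation set"))
    return findings

if __name__ == "__main__": print(audit(parse_ldif(SAMPLE_LDIF)))
```

Any delegation entry the audit reports on a workstation that nobody intentionally configured deserves review, as does any enabled account with preauthentication turned off.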

Episodes (684)

7MS #548: Tales of Pentest Pwnage - Part 44

SafePass.me is the only enterprise solution to protect organizations against credential stuffing and password spraying attacks. Visit safepass.me for more details, and tell them 7 Minute Security sent you to get a 10% discount! Happy belated Thanksgiving! This is not a brag or a flex, but this episode covers a coveted achievement I haven't achieved in my whole life...until now: TDAD: Triple Domain Admin Dance!!!!1111!!!1!1!!!! We talk about the fun attack path that led to the TDAD (hint: always check Active Directory user description fields!), as well as a couple quick, non-spoilery reviews of a few movies: V for Vendetta and The Black Phone.

25 Nov 2022, 50 min

7MS #547: Tales of Pentest Pwnage - Part 43

This podcast is sponsored by Arctic Wolf, whose Concierge Security teams Monitor, Detect and Respond to Cyber threats 24/7 for thousands of customers around the world. Arctic Wolf. Redefining cybersecurity. Visit Arcticwolf.com/7MS to learn more. Today we're talking about tales of pentest pwnage - specifically how much fun printers can be to get Active Directory creds. TLDL: get into a printer interface, adjust the LDAP lookup IP to be your Kali box, run nc -lvp 389 on your Kali box, and then "test" the credentials via the printer interface in order to (potentially) capture an Active Directory cred! Today we also define an achievement that's fun to unlock called DDAD: Double Domain Admin Dance.

18 Nov 2022, 42 min

7MS #546: Securing Your Mental Health - Part 3

This podcast is sponsored by Arctic Wolf, whose Concierge Security teams Monitor, Detect and Respond to Cyber threats 24/7 for thousands of customers around the world. Arctic Wolf. Redefining cybersecurity. Visit Arcticwolf.com/7MS to learn more. Today we're talking about securing your mental health! I share some behind-the-scenes info about my own mental health challenges, and share a great tip a counselor gave me for getting into a good headspace before heading into a difficult conversation/situation.

11 Nov 2022, 39 min

7MS #545: First Impressions of Snipe-IT

Today’s episode of the 7 Minute Security podcast is brought to you by Blumira, which provides easy-to-use automated detection and response that can be set up in…well..about 7 minutes. Detect and resolve security threats faster, and prevent breaches. Try it free today at blumira.com/7ms. Hey friends, today we're giving you a first impressions look at a free easy asset management tool called Snipe-IT you can use to build your inventory with! Why is this important? Because it's the first critical security control! It might help to see this tool in action, so we invite you to check out our recent Twitch stream where we got it up and running in about 45 minutes.

4 Nov 2022, 40 min

7MS #544: Interview with Nato Riley of Blumira

Today’s episode is brought to us by Blumira, which provides easy to use, automated detection and response that can be set up in…well…about 7 minutes! Detect and resolve security threats faster and prevent breaches. Try it free today at blumira.com/7ms! Today we have a really fun interview with Nato Riley of Blumira. He cut his IT/security teeth working for a cell phone company, exorcising malware demons out of workstations, and even building an email-based SIEM. He has had a very cool career path that involves embracing newbness, pushing aside imposter syndrome, and even begging for jobs! I think this interview can best be summed up by a direct quote from Nato: "Things absolutely go wrong, and I think that's what deters people from trying. But just because something goes wrong, doesn't mean you're necessarily going to die from it. So why not try?"

28 Oct 2022, 58 min

7MS #543: How to Succeed in Business Without Really Crying - Part 12

This podcast is sponsored by Arctic Wolf, whose Concierge Security teams Monitor, Detect and Respond to Cyber threats 24/7 for thousands of customers around the world. Arctic Wolf. Redefining cybersecurity. Visit Arcticwolf.com/7MS to learn more. Hey friends! Today we talk about a SoSaaS (Spreadsheet on Steroids as a Service...not a real thing) that is helping 7MinSec be more organized - both from a project standpoint and from an "alert us when important things are due!" standpoint.

21 Oct 2022, 1 h

7MS #542: Eating the Security Dog Food - Part 5

This podcast is sponsored by Arctic Wolf, whose Concierge Security teams Monitor, Detect and Respond to Cyber threats 24/7 for thousands of customers around the world. Arctic Wolf. Redefining cybersecurity. Visit Arcticwolf.com/7MS to learn more. In today's episode we talk more about eating the security dog food (following the best practices we preach!). Specifically, we focus on keeping that bloated email inbox a little more lean and mean. There are lots of tools/services to help with this, but we had a blast playing with MailStore (not a sponsor but we'd like them to be:-).

14 Oct 2022, 28 min

7MS #541: Tales of Blue Team Bliss - Part 2

SafePass.me is the only enterprise solution to protect organizations against credential stuffing and password spraying attacks. Visit SafePass.me for more details, and tell them 7 Minute Security sent you to get a 10% discount! Today we talk about configuring your Active Directory with MFA protection thanks to AuthLite. In the tangent department, we give you a short, non-spoilery review of the film Smile.

7 Oct 2022, 35 min
