7MS #537: Tales of Pentest Pwnage - Part 42
7 Minute Security9 Sep 2022

7MS #537: Tales of Pentest Pwnage - Part 42

In today's episode we share some tips we've picked up in the last few weeks of pentesting, with hopes it will save you from at least a few rounds of smashing your face into the keyboard. Tips include:

  • If you find yourself with "owns" rights to a bajillion hosts in BloodHound, this query will give you a nice list of those systems, one system per line:

cat export-from-bloodhound.json | jq '.nodes[].label' | tr -d '"'

Then you can scan with nmap to find the "live" hosts:

nmap -sn -iL targets.txt

  • For resource based constrained delegation attacks, check out this episode of pwnage for some step-by-step instructions.

  • If you have RBCD admin access to victim systems, don't forget that CrackMapExec support Kerberos! So you can do stuff like:

cme smb VICTIM-SYSTEM -k --sam or cme smb VICTIM-SYSTEM -k -M wdigest -M ACTION=enable

  • Take the time to search SMB shares with something like PowerHuntShares. If you have write access in places, drop an SCF file to capture/pass hashes!

  • Looking to privilege escalate while RDP'd into a system? You owe it to yourself to check out KrbRelayUp!

  • Ever find yourself with cracked hashcat passwords that look something like '$HEX[xxxx]'? Check this tweet from mpgn for a great cracking tip!

Avsnitt(695)

7MS #23: OSCP – part 2 (audio)

7MS #23: OSCP – part 2 (audio)

In this episode I talk more about my adventures with OSCP and Offensive Security! . Download: 7MS #23: OSCP – part 2 (audio) Show notes: I recommend documenting ALL the exercises in the PDF. My understanding is that extra effort could be rewarded if you don’t do so hot on your final exam. Buffer overflows make…

9 Aug 20147min

7MS #22: Phishing with Black Squirrel (audio)

7MS #22: Phishing with Black Squirrel (audio)

In this episode I talk about using Black Squirrel to launch phishing campaigns! Download: 7MS #22: Phishing with Black Squirrel (audio) Show notes: Security Weekly is an excellent podcast/resource. Devour it regularly. Black Squirrel is the main tool discussed in this podcast. I’ve been using it for phishing campaigns and it’s been excellent in that capacity.

27 Juli 20147min

7MS #21: OSCP – part 1 (audio)

7MS #21: OSCP – part 1 (audio)

In this episode I talk about my venture into Offensive Security! . Download: 7MS #21: OSCP – part 1 (audio) Show notes: It’s official – I have a death wish and have started the OSCP training. This episode is the first of what I hope will be a multi-part, spoiler-free series about my experience with OSCP. With…

20 Juli 20147min

7MS #20: Moving from GoDaddy to DNSimple (audio)

7MS #20: Moving from GoDaddy to DNSimple (audio)

In this episode I talk about why I’m pulling my domains from GoDaddy, and making DNSimple their new home. Download: 7MS #20: Moving from GoDaddy to DNSimple (audio) Show notes: The service I’m talking about in this podcast is DNSimple. Troy Hunt‘s humorous/awesome article pushed me over the edge and convinced me to give DNSimple a…

15 Juli 20147min

7MS #19: Kioptrix! (audio)

7MS #19: Kioptrix! (audio)

In this episode I talk about a deliciously vulnerable series of VMs called Kioptrix, and how you can use them to sharpen your pentesting skills. Download: 7MS #19: Kioptrix! (audio) Show notes: The Kioptrix series of VMs is here: http://www.kioptrix.com/blog/test-page/ and here: http://vulnhub.com/?q=kioptrix&sort=date-des&type=vm. Got approved for my OSCP training and I start it in a few…

5 Juli 20147min

7MS #18: Wireless Security 101 (audio)

7MS #18: Wireless Security 101 (audio)

In this episode I talk about some wireless security basics that we’re not seeing when out on assessments. Download: 7MS #18: Wireless Security 101 (audio) Show notes: WEP encryption is very, very bad. It’s easy to crack. Don’t use it. Wifite will demonstrate how easy it is to crack WEP. Stronger encryption such as WPA/WPA2…

22 Juni 20147min

7MS #17: How to Pass the Certified Ethical Hacker Exam (audio)

7MS #17: How to Pass the Certified Ethical Hacker Exam (audio)

In this episode I share my experience with EC-Council’s Certified Ethical Hacker training and exam. Download: 7MS #17: How to Pass the Certified Ethical Hacker Exam (audio) Show notes: Here’s info on the CEH training and test outline. I took my CEH training through UFairfax with instructor Leo Dregier. See this post I wrote that…

14 Juni 20147min

7MS #16: PwnPad Initial Impressions – part 2! (audio)

7MS #16: PwnPad Initial Impressions – part 2! (audio)

In this episode I talk about my first-hand experience using the PwnPad for wireless pentesting. Download: 7MS #16: PwnPad Initial Impressions – Part 2 Show notes: In a nutshell: PwnPad is a great tool to simplify/automate some wireless recon and/or hacking! PwnieExpress has a great write-up on mapping APs w/GPS coordinates using Google Earth here:…

31 Maj 20147min

Populärt inom Politik & nyheter

aftonbladet-krim
motiv
p3-krim
rss-krimstad
fordomspodden
svd-dokumentara-berattelser-2
svenska-fall
flashback-forever
rss-viva-fotboll
olyckan-inifran
rss-sanning-konsekvens
aftonbladet-daily
rss-vad-fan-hande
svd-nyhetsartiklar
rss-frandfors-horna
grans
dagens-eko
rss-flodet
blenda-2
rss-krimreportrarna