7MS #395: Tales of Internal Pentest Pwnage - Part 12
This podcast is sponsored by Arctic Wolf, whose Concierge Security teams Monitor, Detect and Respond to Cyber threats 24/7 for thousands of customers around the world. Arctic Wolf. Redefining cybersecurity. Visit Arcticwolf.com/7MS to learn more.
In today's tale of pentest pwnage I got to try some tools and tricks for the first time! Here are the key points/takeaways from this test:
- It's great to have additional goals to achieve in a network pentest outside of just "get DA"
- PayloadsAllTheThings has a great section on Active Directory attacks
- Using mitm6 and ntlmrelayx is now my new favorite thing thanks to The Cyber Mentor's fantastic video showing us exactly how to launch this attack!
- If you're scared of running mitm6 and accidentally knocking folks off your network, set up your Kali box to reboot in a few minutes just to be safe. Do something like:
      shutdown -r +15 "Rebooting in 15 minutes just in case I mitm6 myself right off this box!"
- When mitm6+ntlmrelayx dumps out a series of html/json files with lists of users, groups, etc., read through them! Sometimes they can include treats...like user passwords in the comment fields!
- Use crackmapexec smb IP.OF.DOMAIN.CONTROLLER -u username -p password to verify if your domain creds are good!
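The "read through the dumped user lists" takeaway is the same check an AD admin should run on their own directory: free-text attributes like description and info regularly end up holding passwords. The script below is an added example written for these show notes, not code from the episode or from any of the tools mentioned. It assumes the user export is a JSON list of objects with "dn" and "attributes" keys (each attribute a list of strings), which is the shape ldapdomaindump's domain_users.json takes; the sample records embedded in it are constructed for the example.

```python
import json
import re

# Constructed sample in the assumed ldapdomaindump shape: a list of entries,
# each with a "dn" and an "attributes" dict whose values are lists of strings.
SAMPLE_USERS_JSON = json.dumps([
    {"dn": "CN=Jane Doe,OU=Staff,DC=corp,DC=example",
     "attributes": {"sAMAccountName": ["jdoe"],
                    "description": ["Finance analyst"]}},
    {"dn": "CN=svc-backup,OU=Service,DC=corp,DC=example",
     "attributes": {"sAMAccountName": ["svc-backup"],
                    "description": ["Backup account, pwd: Summer2020!"]}},
    {"dn": "CN=Kiosk,OU=Shared,DC=corp,DC=example",
     "attributes": {"sAMAccountName": ["kiosk01"],
                    "info": ["Password is Welcome123"]}},
    {"dn": "CN=Bob,OU=Staff,DC=corp,DC=example",
     "attributes": {"sAMAccountName": ["bob"]}},
])

# Free-text attributes where credentials tend to be parked by admins.
COMMENT_ATTRIBUTES = ("description", "info", "comment")

# Words that usually precede a credential in a comment field.
PASSWORD_HINT = re.compile(
    r"\b(pass(word|wd)?|pwd|pw|creds?)\b\s*(is|:|=)?", re.IGNORECASE)


def attribute_values(entry, name):
    """Return an attribute's values as a list; tolerate a bare string too."""
    value = entry.get("attributes", {}).get(name, [])
    return [value] if isinstance(value, str) else list(value)


def find_credentials_in_comments(users_json):
    """Return (account, attribute, text) for every comment-type attribute
    whose text looks like it carries a password."""
    findings = []
    for entry in json.loads(users_json):
        names = attribute_values(entry, "sAMAccountName")
        account = names[0] if names else entry.get("dn", "?")
        for attr in COMMENT_ATTRIBUTES:
            for text in attribute_values(entry, attr):
                if PASSWORD_HINT.search(text):
                    findings.append((account, attr, text))
    return findings


def scan_file(path):
    """Convenience wrapper: audit a JSON export on disk."""
    with open(path, encoding="utf-8") as fh:
        return find_credentials_in_comments(fh.read())


if __name__ == "__main__":
    for account, attr, text in find_credentials_in_comments(SAMPLE_USERS_JSON):
        print(f"{account}: {attr} = {text!r}")
```

Run it against a real export with scan_file("domain_users.json"); every hit is an account whose password should be rotated and whose comment field should be cleared, and the regex is deliberately loose so that it over-reports rather than misses a "pw=" buried mid-sentence.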
There are a bunch of people I need to thank because their tools/encouragement/advice played a part in making the test successful:
- Cyber Mentor
- hausec
- Josh T
- Dirk-jan Mollema
- Cyberfreaq who helped me resolve a key issue with mitm6
- Dominic from Slack
- Gh0sthax from Slack
- Nate from Slack