7MS #455: Tales of Internal Network Pentest Pwnage - Part 24
SafePass.me is the only enterprise solution to protect organizations against credential stuffing and password spraying attacks. Visit safepass.me for more details, and tell them 7 Minute Security sent you to get a 10% discount!
Hey everybody! Sorry that we're late again with today's episode, but I got COVID shot #2 and it kicked my behind BIG TIME today. But I'm vertical today and back amongst the living and thrilled to be sharing with you another tale of pentest pwnage! Yeah! This might be my favorite tale yet because:
-
I got to use some of my new CRTP skills!
-
Make sure on your pentests that you're looking for "roastable" users. Harmj0y has a great article on this, but the TLDR is make sure you run PowerView with the
-PreauthNotRequired
flag to hunt for these users:
Get-DomainUser -PreauthNotRequired
-
Check for misconfigured LAPS installs with Get-LAPSPasswords!
-
The combination of
mitm6.py -i eth0 -d company.local --no-ra --ignore-nofqdn
+
ntlmrelayx -t ldaps://domain.controller.ip.address -wh attacker-wpad --delegate-access
is reeeeeealllllyyyyyyy awesome and effective! -
When you are doing the
--delegate-access
trick, don't ignore (like I did for years) if you get administrative impersonation access on a regular workstation. You can still abuse it by impersonating an admin, run secretsdump or pilfer the machine for additional goodies! -
SharpShares is a cool way to find shares your account has access to.
-
I didn't get to use it on this engagement but Chisel looks to be a rad way to tunnel information
-
Once you've dumped all the domain hashes with secretsdump, don't forget (like me) that you can do some nice Mimikatz'ing to leverage those hashes! For example:
sekurlsa::pth /user:administrator /ntlm:hash-of-the-administrator-user /domain:yourdomain.com
Do that and bam! a new command prompt opens with administrator privileges! Keep in mind though, if you do a whoami
you will still be SOMEWORKSTATION\joeblo, but you can do something like psexec \\VICTIM-SERVER cmd.exe
and then do a whoami
and then POW! - you're running as domain admin!
-
Once you've got domain admin access, why not run Get-LAPSPasswords again to get all the local admin passwords across the whole enterprise? Or you can do
get-netcomputer VICTIM-SERVER
and look for themc-mcs-admpwd
value - which is the LAPS password! Whooee!!! That's fun! -
Armed with all the local admin passwords, I was able to run
net use Q: \\VICTIM-SERVER\C$" /user:Adminisrator LAPS-PASSWORD
to hook a network drive to that share. You can also donet view \\VICTIM-SERVER\
to see all the shares you can hook to. And that gave me all the info I needed to find the company's crowned jewels :-)