7MS #532: Tales of Pentest Pwnage - Part 39
SafePass.me is the only enterprise solution to protect organizations against credential stuffing and password spraying attacks. Visit safepass.me for more details, and tell them 7 Minute Security sent you to get a 10% discount!
Hey friends, wow...we're up to thirty-nine episodes of pwnage? Should we make a cake when we hit the big 4-0?! Anyway, today's TLDL is this:
If you get a nagging suspicion about something you find during enumeration, make sure to either come back to it later, or exhaust the path right away so you don't miss something! Because I did :-/
A tip that's been helping me speed up my use of CrackMapExec and other tools is using Kerberos authentication. You can grab a ticket for your test AD account with Impacket like so (the script name is case-sensitive):
getTGT.py victim.domain/LowPrivUser
export KRB5CCNAME=LowPrivUser.ccache
Then in most tools you can pass the cred by doing something like:
crackmapexec smb DC01 -k
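When a tool run with -k fails, the usual causes are a ticket that has expired, a cache that holds no krbtgt ticket at all, or a realm that does not match what the KDC expects. As an added example (not from the episode or from Impacket), this small checker parses klist output for the cache named in KRB5CCNAME and classifies it before you spend time on tooling; the timestamp layout is the MIT Kerberos one and the klist text is a constructed sample.

```python
import re
from datetime import datetime

# MIT Kerberos klist prints timestamps like "05/01/2024 09:00:00" (assumed format).
KLIST_TIME = "%m/%d/%Y %H:%M:%S"
TICKET_RE = re.compile(r"^(\S+ \S+)\s+(\S+ \S+)\s+(\S+)$")

# Constructed sample of `klist` output for the LowPrivUser.ccache above (not real data).
SAMPLE_KLIST = """\
Ticket cache: FILE:LowPrivUser.ccache
Default principal: LowPrivUser@VICTIM.DOMAIN

Valid starting       Expires              Service principal
05/01/2024 09:00:00  05/01/2024 19:00:00  krbtgt/VICTIM.DOMAIN@VICTIM.DOMAIN
"""

def parse_klist(output):
    """Return (principal, [(service, start, expires), ...]) from klist text."""
    principal, tickets = None, []
    for line in output.splitlines():
        line = line.strip()
        if line.startswith("Default principal:"):
            principal = line.split(":", 1)[1].strip()
            continue
        m = TICKET_RE.match(line)
        if not m:
            continue
        try:
            start = datetime.strptime(m.group(1), KLIST_TIME)
            expires = datetime.strptime(m.group(2), KLIST_TIME)
        except ValueError:  # header row or a line that is not a ticket entry
            continue
        tickets.append((m.group(3), start, expires))
    return principal, tickets

def tgt_status(output, realm, now=None):
    """Classify the cache as 'ok', 'expired', 'no-tgt' or 'wrong-realm'.

    `now` may be a datetime or a string in klist's time format. Realm names are
    case-sensitive in Kerberos (RFC 4120), so the realm comparison is exact."""
    if now is None:
        now = datetime.now()
    elif isinstance(now, str):
        now = datetime.strptime(now, KLIST_TIME)
    principal, tickets = parse_klist(output)
    if principal is None or not principal.endswith("@" + realm):
        return "wrong-realm"
    tgts = [t for t in tickets if t[0].startswith("krbtgt/")]
    if not tgts:
        return "no-tgt"
    if any(start <= now < expires for _, start, expires in tgts):
        return "ok"
    return "expired"
```

Feed it the real output of `klist -c "$KRB5CCNAME"` and the realm in the form your KDC uses; anything other than "ok" explains the failure before you rerun the tool.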
In my enumeration of this network, I used Certipy to find potential attack paths against Active Directory Certificate Services. Something cool I learned is that Certipy will spit out both a text and a JSON dump, so you can import the JSON into BloodHound and then pair that data with their custom queries JSON file for beautiful visual potential pwnage!
I ran into an issue where my certificate shenanigans resulted in a KDC_ERR_PADATA_TYPE_NOSUPP. I originally gave up on this attack path, only to learn about this awesome PassTheCert tool from this rad blog post! After initially being hesitant to use a tool I'd never heard of, I raised a GitHub issue to calm my nerves and, shortly after, found myself doing a domain admin dance.
Oh, and although I didn't use it on this specific pentest, coercer is an awesome tool that helps you, ya know, coerce things!
In today's tangent department, you should sing this Rebecca Black tune to the lyrics that our friend PartyGolbez came up with in Slack:
Seven MS, wakin' up in the morning,
NUC gotta be fresh, for today's pentest.
Gotta lot to do, gotta run PowerView,
Get an easy win with EternalBlue...
Gotta lot to ponder, gotta run Responder,
Gotta catch your hash, then I see my friends (Snoop Dogg: "DAs!")
Try for local admin,
Run M.I.T.M. (Snoop Dogg: "6!")
Gotta make up my mind,
which path I take?
It's DA, DA
Gonna own you as DA,
Nobody's lookin' forward to the report, report..
(Snoop Rap Bridge)
B.J., Bryan J
So chillin' on ur DC,
Hacked u easy
U wanna know how I got my route in?
Better have a talk with Bob from Accountin' (accountin... accountin'....)