7MS #692: Tales of Pentest Pwnage – Part 76

Today's my favorite tale of pentest pwnage (again)! This time we're talking about sAMAccountName spoofing specifically. We also talk about my always-under-construction list of things I try early in a pentest for maximum pwnage: Run PingCastle Do the SharpHound/BloodHound dumps Run the DHCP poisoning module of Responder Check the ms-DS-MachineAccountQuota value in the domain - if its at the default (10), then any user can add machines to the domain. Why is the ability to add machines to the domain important? Because in the case of the sAMAccountName spoofing, if you have a non-domain-joined machine like I do, you need the ability to add a computer object to the domain. Check the Pentestlab.blog article for more info, but essentially, if you have an unpatched domain controller and the ability to add computer objects to the domain, you can pull off the attack. The article goes into crazy good technical detail, and here's my not-so-technical explanation: If I was on a pentest, and the DC was called 7MS-DC01, and I could join a machine to the domain (which as a reminder - ANY user can do if the machine quota value is at the default value of 10), I could rename that machine account to be 7MS-DC01 without the dollar sign, request a TGT for the domain controller's account, then restore the machine name back to what it was before. Now, because the TGT is stored in memory, we can use the S4U2self Kerberos extension to request a service ticket using a domain admin account. And because the original ticket belong to the 7MS-DC01 machine name which now doesn't exist, Kerberos will look for 7MS-DC01$ and will issue the ticket for the requested service. I might've butchered that explanation mom, but I tried my best! TLDL/TLDR: find and exploit these unpatched domain controllers with noPac. Enjoy!

3 Helmi 202252min

Hey friends, today I talk about the old school way I used to pwn wifi networks, then a more modern way, and then my new favorite way (spoiler alert: I use Bettercap).

28 Tammi 202248min

Hey friends, today we're talking about how to monitor all your cloud thingies (Web servers, mail servers, etc.) with UptimeRobot. And I'm sharing some fun tips to monitor your internal thingies as well - without the use of any extra agent software.

20 Tammi 202240min

Today's episode is all about Brute Ratel, a command and control center that is super cool, quick to setup, and much easier to use (IMHO) than Cobalt Strike. I also talk specifically about some of my favorite command line features, how slick and simple lateral movement is, and the "killer feature" that makes me giggle like the bad guy from Sonic the Hedgehog. In the tangent department, Mrs. 7MS makes an appearance via phone and I bore you to tears about my continued iFly addiction.

12 Tammi 202237min

Happy new year friends! Today I share the good, bad, ugly, and BROKEN things I've come across while migrating our Light Pentest LITE training lab from on-prem VMware ESXi to Azure. It has been a fun and frustrating process, but my hope is that some of the tips in today's episode will save you some time/headaches/money should you setup a pentesting training camp in the cloud. Things I like No longer relying on a single point of failure (Intel NUC, switch, ISP, etc.) You can schedule VMs to auto-shutdown at a certain time each day, and even have Azure send you a notification before the shutdown so you can delay - or suspend altogether - the operation Things I don't like VMs are by default (I believe) joined to Azure AD, which I don't want. Here's how I got machines unjoined from Azure AD and then joined to my pwn.town domain: dsregcmd /leave Add-Computer -DomainName pwn.town -Restart Accidentally provision a VM in the wrong subnet? The fix may be rebuilding the flippin' VM (more info in today's episode). Just about every operation takes for freakin' ever. And it's confusing because if you delete objects out of the portal, sometimes they don't actually disappear from the GUI for like 5-30 minutes. Using backups and snapshots is archaic. You can take a snapshot in the GUI or PowerShell easy-peasy, but if you actually want to restore those snapshots you have to convert them to managed disks, then detach a VM's existing disk, and attach the freshly converted managed disks. This is a nightmare to do with PowerShell. Deleting data is a headache. I understand Azure is probably trying to protect you against deleting stuff and not being able to get it back, but they night a right-click > "I know what I'm doing, DELETE THIS NOW" option. Otherwise you can end up in situations where in order to delete data, you have to disable soft delete, undelete deleted data, then re-delete it to actually make it go away. WTH, you say? This doc will help it make more sense (or not). Things that are broken Promiscuous mode - just plain does not work as far as I can tell. So I can't do protocol poisoning exercises with something like Inveigh. Hashcat - I got CPU-based cracking working in ESXi by installing OpenCL drivers, but try as I may, I cannot get this working in Azure. I even submitted an issue to the hashcat forums but so far no replies. On a personal note, it has been good knowing you because I'm about to spend all my money on a new hobby: indoor skydiving.

5 Tammi 202251min

Today we're closing down 2021 with a tale of pentest pwnage - this time with a path to DA I had never had a chance to abuse before: Active Directory Certificate Services! For the full gory details on this attack path, see the Certified Pre-Owned paper from the SpecterOps crew. The TLDR/TLDL version of how I abused this path is as follows: Grab Certi Grab Certify Run Certify.exe find /vulnerable, and if you get some findings, review the Certified Pre-Owned paper and the Certify readme file for guidance on how to exploit them. In my case, the results I got from Certify showed: msPKI-Certificates-Name-Flag : ENROLLEE_SUPPLIES_SUBJECT Reading through the Certify readme, I learned "This allows anyone to enroll in this template and specify an arbitrary Subject Alternative Name (i.e. as a DA)." The Certify readme file walks you through how to attack this config specifically, but I had some trouble running all the tools from my non-domain-joined machine. So I used a combination of Certify and Certi to get the job done. First I started on Kali with the following commands: sudo python3 /opt/impacket/examples/getTGT.py 'victimdomain.domain/MYUSER:MYPASS' export KRB5CCNAME=myuser.cache sudo python3 ./certi.py req 'victimdomain.domain/MYUSER@FQDN.TO.CERT.SERVER' THE-ENTERPRISE-CA-NAME -k -n --alt-name DOMAIN-ADMIN-I-WANT-TO-IMPERSONATE --template VULNERABLE-TEMPLATE NAME From that you will get a .pfx file which you can bring over to your non-domain-joined machine and do: rubeus.exe purge rubeus.exe asktgt /user:DOMAIN-ADMIN-I-WANT-TO-IMPERSONATE /certificate:DOMAIN-ADMIN-I-WANT-TO-IMPERSONATE@victim.domain.pfx /password:PASSWORD-TO-MY-PFX-FILE /domain:victimdomain.domain /dc:IP.OF.DOMAIN.CONTROLLER And that's it! Do a dir \\FQDN.TO.DOMAIN.CONTROLLER\C$ and enjoy your new super powers!

29 Joulu 202144min

HAPPY 500 EPISODES, FRIENDS! That's right, 7MS turned 5-0-0 today, and so we asked John Strand of Black Hills Information Security to join us and talk about all things security, including the John/BHIS superhero origin story, the future of pentesting, the (perceived) cybersecurity talent shortage, how to get started with good security practices in your organization, and more! P.S. check out John's first visit to the show here.

22 Joulu 202158min

Today we have some cool updates on this SIEM-focused series we've been doing for a while. Specifically, I want to share that one of these solutions can now detect three early (and important!) warning signs that bad things are happening in your environment: ASREPRoasting WDigest flag getting flipped (reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1) Restricted admin mode getting enabled (reg add HKLM\System\CurrentControlSet\Control\Lsa /t REG_DWORD /v DisableRestrictedAdmin /d 0x0 /f) - see n00py's blog for more info

16 Joulu 202121min