7MS #401: Tales of Internal Pentest Pwnage - Part 15

7MS #401: Tales of Internal Pentest Pwnage - Part 15

It’s episode 401 and we’re having fun, right? Some things we cover today:

  • The Webinar version of the DIY Pwnagotchi evening will be offered in Webinar format on Tuesday, March 10 at 10 a.m.

  • A quick house fire update - we’re closer to demolition now!

  • I finally got a new guitar!

Besides that, I’ve got a wonderful tale of pentest pwnage for you. Warning: this is a TBC (to be continued) episode in that I don’t even know how it will shake out. I’m honestly not sure if we’ll get DA! Here are the highlights:

  • I think in the past I might've said unauthenticated Nessus scans weren't worth much, but this test changed my mind.

  • If you can't dump local hashes with CrackMapExec, try SecretsDump!

./secretsdump.py -target-ip {IP of target machine} localhost/{username}@{target IP}
  • If you're relaying net user commands (or just typing them from a relayed shell), this one-liner is a good way to quickly add your user to local admins and the Remote Desktop Users group:
net user /add ladmin1 s00p3rn4ughtyguy! /Y & net localgroup Administrators ladmin1 /add & net localgroup "Remote Desktop Users" ladmin1 /add
  • Trying to RDP into a box protected with Duo MFA? If you can edit the c:\windows\system32\drivers\etc\hosts file, you might be able change the Duo authentication server from api-xxxxxxx.duosecurity.com to 127.0.0.1 and force authenetication to fail open! Source: Pentest Partners

  • In general, keep an eye on CrackMapExec's output whenever you use the '-x' flag to run commands. If the system is "hanging" on a command for a while and then gives you NO output and just drops you back at your Kali prompt, the command might not be running at all due to something else on the system blocking your efforts.

More on today's show notes at 7ms.us!

Episoder(696)

7MS #681: Pentesting GOAD – Part 3

7MS #681: Pentesting GOAD – Part 3

Today Joe “The Machine” Skeen and I pwn the third and final realm in the world of GOAD (Game of Active Directory): essos.local!  The way we go about it is to do a WinRM connection to our previously-pwned Kingslanding domain, coerce authentication out of MEEREEN (the DC for essos.local) and then capture/abuse the TGT with Rubeus!  Enjoy.

27 Jun 18min

7MS #680: Tips for a Better Purple Team Experience

7MS #680: Tips for a Better Purple Team Experience

Today I share some tips on creating a better purple team experience for your customers, including: Setting up communication channels and cadence Giving a heads-up on highs/criticals during testing (not waiting until report time) Where appropriate, record videos of attacks to give them more context

20 Jun 26min

7MS #679: Tales of Pentest Pwnage – Part 73

7MS #679: Tales of Pentest Pwnage – Part 73

In today’s tale of pentest pwnage I talk about a cool ADCS ESC3 attack – which I also did live on this week’s Tuesday TOOLSday.  I also talk about Exegol’s licensing plans (and how it might break your pentest deployments if you use ProxmoxRox).

13 Jun 30min

7MS #678: How to Succeed in Business Without Really Crying – Part 22

7MS #678: How to Succeed in Business Without Really Crying – Part 22

Today I share some tips on presenting a wide variety of content to a wide variety of audiences, including: Knowing your audience before you touch PowerPoint Understanding your presentation physical hookups and presentation surfaces A different way to screen-share via Teams that makes resolution/smoothness way better!

6 Jun 33min

7MS #677: That One Time I Was a Victim of a Supply Chain Attack

7MS #677: That One Time I Was a Victim of a Supply Chain Attack

Hi everybody. Today I take it easy (because my brain is friend from the short week) to tell you about the time I think my HP laptop was compromised at the factory!

30 Mai 13min

7MS #676: Tales of Pentest Pwnage – Part 72

7MS #676: Tales of Pentest Pwnage – Part 72

Today’s fun tale of pentest pwnage discuss an attack path that would, in my opinion, probably be impossible to detect…until it’s too late.

27 Mai 59min

7MS #675: Pentesting GOAD – Part 2

7MS #675: Pentesting GOAD – Part 2

Hey friends! Today Joe “The Machine” Skeen and I tackled GOAD (Game of Active Directory) again – this time covering: SQL link abuse between two domains Forging inter-realm TGTs to conquer the coveted sevenkingdoms.local! Join us next month when we aim to overtake essos.local, which will make us rulers over all realms!

16 Mai 31min

7MS #674: Tales of Pentest Pwnage – Part 71

7MS #674: Tales of Pentest Pwnage – Part 71

Today’s tale of pentest pwnage is another great one!  We talk about: The SPNless RBCD attack (covered in more detail in this episode) Importance of looking at all “branches” of outbound permissions that your user has in BloodHound This devilishly effective MSOL-account-stealing PowerShell script (obfuscate it first!) A personal update on my frustration with ringing in my ears

9 Mai 49min

Populært innen Politikk og nyheter

giver-og-gjengen-vg
aftenpodden
forklart
aftenpodden-usa
stopp-verden
popradet
fotballpodden-2
nokon-ma-ga
dine-penger-pengeradet
det-store-bildet
rss-dannet-uten-piano
frokostshowet-pa-p5
aftenbla-bla
rss-ness
bt-dokumentar-2
rss-penger-polser-og-politikk
e24-podden
rss-borsmorgen-okonominyhetene
rss-gukild-johaug
ukrainapodden