Today's episode is a fun tale of pentest pwnage! Interestingly, to me, this pentest had a ton of time-sponging issues on the front end, but the TTDA (Time to Domain Admin) was maybe my fastest ever.
I had to actually roll a fresh Kali VM to upload to the customer site, and I learned (the hard way) to make that VM disk as lean as possible. I got away with a 15 gig drive, and the OS+tools+updates took up about 12 gig.
One of the biggest lessons I learned from this experience is to make sure that not only is your Kali box updated before you take it to a customer site (see this script), but that all the tool dependencies are installed beforehand as well (specifically, Eyewitness, Impacket and MITM6).
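A pre-engagement check like the one below is what the lesson above comes down to in practice: confirm, before leaving for the site, that every tool the engagement plan relies on actually resolves on the Kali box. This is an added example written for these notes, not a script from the episode or from the 7MS site; the tool names in `REQUIRED_TOOLS` are assumptions about how the tools appear on PATH on a Kali install (Impacket scripts, for instance, may be packaged with an `impacket-` prefix), so adjust the list to your own box.

```shell
#!/bin/sh
# preflight.sh: verify that the tools an engagement depends on are installed.
# Added example, not code from the episode. Tool names are assumptions about
# how the tools are exposed on PATH; edit REQUIRED_TOOLS for your install.

# Tools mentioned in the show notes (assumed command names).
REQUIRED_TOOLS="responder nmap dnsrecon eyewitness mitm6 GetUserSPNs.py secretsdump.py"

# check_tool NAME -> exit 0 if NAME resolves on PATH, 1 otherwise.
check_tool() {
    command -v "$1" >/dev/null 2>&1
}

# missing_tools NAME... -> prints each name that does not resolve, one per line.
missing_tools() {
    for t in "$@"; do
        if ! check_tool "$t"; then
            printf '%s\n' "$t"
        fi
    done
}

# missing_count NAME... -> prints how many of the given names are missing.
missing_count() {
    n=0
    for t in "$@"; do
        check_tool "$t" || n=$((n + 1))
    done
    echo "$n"
}

# preflight -> exit 0 when every required tool is present, 1 otherwise,
# listing what still has to be installed before the engagement.
preflight() {
    missing=$(missing_tools $REQUIRED_TOOLS)
    if [ -n "$missing" ]; then
        echo "Missing tools (install before leaving for the customer site):"
        printf '  %s\n' $missing
        return 1
    fi
    echo "All required tools found."
    return 0
}

# Run the check only when invoked as "sh preflight.sh --run", so the
# functions can also be sourced from another script without side effects.
if [ "${1:-}" = "--run" ]; then
    preflight
fi
```

Run it with `sh preflight.sh --run` after the update script has finished; a non-zero exit code means something on the list still needs installing, which is exactly the state you want to discover at home rather than on the customer's network.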
This pentest was also extremely time-boxed, so I tried to get as much bang out of it as possible. This included:
- Capturing hashes with Responder
- Checking for "Kerberoastable" accounts (GetUserSPNs.py -request -dc-ip x.x.x.x domain/user)
- Checking for MS14-025 (see this article)
- Checking for MS17-010 (nmap -Pn -p445 --open --max-hostgroup 3 --script smb-vuln-ms17-010 192.168.0.0/24 -oA vulnerable-2-eblue) and trying this method of exploiting it
- Checking for DNS zone transfer (dnsrecon -d name.of.fqdn -t axf)
- Testing for egress filtering of ports 1-1024
- Taking a backup of AD "the Microsoft way" and then cracking it with secretsdump:
  sudo python ./secretsdump.py -ntds /loot/Active\ Directory/ntds.dit -system /loot/registry/SYSTEM -hashes lmhash:nthash LOCAL -outputfile /loot/ad-pw-dump
06/26/20 • 44 min