Today's episode is the thrilling, exciting, heart-pounding conclusion of Tales of Internal Pentest Pwnage - Part 1. In this episode, we cover the final "wins" that got me to Domain Admin status (and beyond!):
Got DA but can't get to your final "crown jewels" destinations? How about going after the organization's backups (evil grin!)
Got DA but stuck to find hot leads to where the crown jewels are? Get snoopy and go through people's files, folders and...bookmark caches! (evil grin #2!)
If your nmap/eyewitness scan turns up Web sites with simply an IIS default landing page or "It works!" Apache page on it, there's probably more there than meets the eye.
We also talk about lessons learned from this pentest - both things done well and things the org can do to make the next pentester's job a lot harder.