7MS #395: Tales of Internal Pentest Pwnage - Part 12
This podcast is sponsored by Arctic Wolf, whose Concierge Security teams Monitor, Detect and Respond to Cyber threats 24/7 for thousands of customers around the world. Arctic Wolf. Redefining cybersecurity. Visit Arcticwolf.com/7MS to learn more.
In today's tale of pentest pwnage I got to try some tools and tricks for the first time! Here are the key points/takeaways from this test:
- It's great to have additional goals to achieve in a network pentest outside of just "get DA"
- PayloadsAllTheThings has a great section on Active Directory attacks
- Using mitm6 and ntlmrelayx is now my new favorite thing thanks to The Cyber Mentor's fantastic video showing us exactly how to launch this attack!
- If you're scared of running mitm6 and accidentally knocking folks off your network, set up your Kali box to reboot in a few minutes just to be safe. Do something like:
  shutdown -r +15 "Rebooting in 15 minutes just in case I mitm6 myself right off this box!"
- When mitm6+ntlmrelayx dumps out a series of HTML/JSON files with lists of users, groups, etc., read through them! Sometimes they can include treats...like user passwords in the comment fields!
- crackmapexec smb IP.OF.DOMAIN.CONTROLLER -u username -p password to verify if your domain creds are good!
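The "read the dumped user list" takeaway above is just as useful from the defender's side: if a pentester can find passwords sitting in AD description fields, so can anyone who relays a domain account and dumps the directory. The script below is an added example (not from the episode, and not part of mitm6, ntlmrelayx or ldapdomaindump) that scans a JSON user dump for note fields that look like they contain credentials, so an admin can clean them up first. It assumes the dump has the shape ldapdomaindump writes for domain_users.json (a list of objects with "dn" and "attributes", attribute values usually as lists) and tolerates bare strings too; the sample entries and the regex are constructed for illustration.

```python
import json
import re
from typing import Any, Dict, List

# Free-text attributes where admins tend to leave notes (and, sometimes, credentials).
FREE_TEXT_ATTRS = ("description", "info", "comment")

# Deliberately simple heuristic: surface candidates for a human to review,
# rather than trying to be a precise secret detector.
CREDENTIAL_HINTS = re.compile(
    r"\b(?:pass(?:word|wd|phrase)?s?|pwd|credential|secret|pin)\b\s*[:=]?\s*\S+",
    re.IGNORECASE,
)


def _as_list(value: Any) -> List[str]:
    """Normalise an attribute value to a list of strings.

    Assumption: the dump stores each attribute as a list (as ldap3-based
    tools usually do); a bare string is accepted so either shape works.
    """
    if value is None:
        return []
    if isinstance(value, list):
        return [str(v) for v in value]
    return [str(value)]


def find_credential_notes(entries: List[Dict[str, Any]]) -> List[Dict[str, str]]:
    """Return one finding per free-text attribute that looks like it holds a credential."""
    findings: List[Dict[str, str]] = []
    for entry in entries:
        attrs = entry.get("attributes", {})
        names = _as_list(attrs.get("sAMAccountName"))
        account = names[0] if names else "<no sAMAccountName>"
        for attr in FREE_TEXT_ATTRS:
            for text in _as_list(attrs.get(attr)):
                if CREDENTIAL_HINTS.search(text):
                    findings.append({"account": account, "attribute": attr, "text": text})
    return findings


def audit_dump_file(path: str) -> List[Dict[str, str]]:
    """Load a domain_users.json-style dump from disk and audit it."""
    with open(path, encoding="utf-8") as fh:
        return find_credential_notes(json.load(fh))


# Constructed sample in the shape of a domain_users.json dump (not real data).
SAMPLE_USERS = [
    {"dn": "CN=svc-backup,OU=Service Accounts,DC=corp,DC=example",
     "attributes": {"sAMAccountName": ["svc-backup"],
                    "description": ["Backup service. pwd: Winter2019!"]}},
    {"dn": "CN=jdoe,OU=Staff,DC=corp,DC=example",
     "attributes": {"sAMAccountName": ["jdoe"],
                    "description": ["Help desk, ext 4410"],
                    "info": ["Temp password reset to P@ssw0rd123 on 2020-02-01"]}},
    {"dn": "CN=printer-admin,OU=Staff,DC=corp,DC=example",
     "attributes": {"sAMAccountName": "printer-admin",
                    "description": "Manages print servers"}},
]

if __name__ == "__main__":
    for f in find_credential_notes(SAMPLE_USERS):
        print(f"{f['account']}: {f['attribute']} = {f['text']!r}")
```

Point audit_dump_file at a real dump and every hit is an account whose description, info or comment attribute should be scrubbed; the heuristic errs toward false positives on purpose, since a quick manual skim of a short list beats missing a stored password.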
There are a bunch of people I need to thank because their tools/encouragement/advice played a part in making the test successful:
- Cyber Mentor
- Josh T
- Dirk-jan Mollema
- Cyberfreaq who helped me resolve a key issue with mitm6
- Dominic from Slack
- Gh0sthax from Slack
- Nate from Slack