7MS #396: Tales of Internal Pentest Pwnage - Part 13
This podcast is sponsored by Arctic Wolf, whose Concierge Security teams Monitor, Detect and Respond to Cyber threats 24/7 for thousands of customers around the world. Arctic Wolf. Redefining cybersecurity. Visit Arcticwolf.com/7MS to learn more.
In last week's episode I was very close to potentially synching up some very sensitive data with my super secret back door account. In this episode, we resolve the cliffhanger and talk about:
- How I don't remember lyrics or titles to songs - even the ones I love - such as My Prerogative. That's why Jack Black is my spirit animal, and he's awesome for singing Elton John songs right to Elton John
- If you get DA (relatively) quickly, consider pivoting to a network assessment and crack hashes with secretsdump, test egress filtering, run Network Detective and more
- Once you've cracked all the hashes you can, run them through hashcombiner and Pipal like this:

  ```sh
  python /opt/hashcombiner/hash_combiner.py user_hash hash_password | sort > combined.txt
  cut -d ':' -f 2 combined.txt > passwords.txt
  ruby /opt/pipal/pipal.rb passwords.txt > pip.txt
  ```

- The procdump + lsass trick is still really effective (though sometimes AV gobbles it)
- Wanna see if a user has a specific Chrome extension installed? Check this article and then use CrackMapExec with `-x dir c:\x\y\z` to verify its existence!
- I jacked up my ankle and suffered an avulsion fracture. It's good times.
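To show what the hashcombiner + Pipal step above actually does with the cracked output, here is an added Python example. It is not code from the episode, from hashcombiner or from Pipal; the user names, hashes and passwords in it are constructed sample data, and the `combine` and `analyse` functions are names I chose. It joins `user:hash` lines to `hash:password` lines the way hash_combiner does, then computes the kind of Pipal-style statistics that belong in a password-audit report: shared passwords across accounts, length spread, common base words and digit suffixes.

```python
"""Added example (not from the 7MS episode or the hashcombiner/Pipal projects):
joins user:hash lines to hash:password lines the way hash_combiner does, then
computes a few Pipal-style statistics for a password-audit report. All input
lines below are constructed sample data."""
import re
from collections import Counter

# Constructed sample of user:hash lines (the format a secretsdump-style dump gives you)
USER_HASH = """\
alice:0123456789abcdef0123456789abcdef
bob:fedcba9876543210fedcba9876543210
carol:0123456789abcdef0123456789abcdef
dave:00000000000000000000000000000000
"""

# Constructed sample of hash:password lines as a cracker's potfile would emit them
HASH_PASSWORD = """\
0123456789abcdef0123456789abcdef:password
FEDCBA9876543210FEDCBA9876543210:Summer2023!
"""


def combine(user_hash_text, hash_password_text):
    """Return sorted (user, password) pairs for every user whose hash was cracked.
    Hash comparison is case-insensitive; uncracked users (dave here) are left out."""
    cracked = {}
    for line in hash_password_text.splitlines():
        if ":" not in line:
            continue
        h, _, pw = line.partition(":")
        cracked[h.strip().lower()] = pw
    pairs = []
    for line in user_hash_text.splitlines():
        if ":" not in line:
            continue
        user, _, h = line.partition(":")
        h = h.strip().lower()
        if h in cracked:
            pairs.append((user.strip(), cracked[h]))
    return sorted(pairs)


def analyse(pairs):
    """Pipal-style summary: counts, length distribution, most common base words
    (letters only, lower-cased), how many end in digits (ignoring a trailing
    symbol), and which passwords are shared by more than one account."""
    pws = [pw for _, pw in pairs]
    by_pw = {}
    for user, pw in pairs:
        by_pw.setdefault(pw, []).append(user)
    return {
        "total": len(pws),
        "unique": len(set(pws)),
        "length_counts": dict(Counter(len(p) for p in pws)),
        "top_base_words": Counter(
            re.sub(r"[^a-z]", "", p.lower()) for p in pws).most_common(3),
        "digit_suffix": sum(1 for p in pws if re.search(r"\d+[^A-Za-z0-9]*$", p)),
        "shared": {pw: users for pw, users in by_pw.items() if len(users) > 1},
    }


if __name__ == "__main__":
    pairs = combine(USER_HASH, HASH_PASSWORD)
    for user, pw in pairs:
        print(f"{user}:{pw}")
    for key, value in analyse(pairs).items():
        print(f"{key}: {value}")
```

The `shared` entry is usually the most useful line in the report: two accounts with the same cracked password is a password-reuse finding with names attached, which is exactly what the `sort` in the original pipeline makes easy to eyeball in `combined.txt`.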
There are a bunch of people I need to thank because their tools/encouragement/advice played a part in making the test successful:
- Cyber Mentor
- Josh T
- Dirk-jan Mollema
- Cyberfreaq who helped me resolve a key issue with mitm6
- Dominic from Slack
- Gh0sthax from Slack
- Nate from Slack