7MS #420: Tales of Internal Pentest Pwnage - Part 17
This podcast is sponsored by Arctic Wolf, whose Concierge Security teams Monitor, Detect and Respond to Cyber threats 24/7 for thousands of customers around the world. Arctic Wolf. Redefining cybersecurity. Visit Arcticwolf.com/7MS to learn more.
Today's episode is a fun tale of pentest pwnage! Interestingly, to me this pentest had a ton of time-sponging issues on the front end, but the TTDA (Time to Domain Admin) was maybe my fastest ever.
I had to actually roll a fresh Kali VM to upload to the customer site, and I learned (the hard way) to make that VM disk as lean as possible. I got away with a 15 gig drive, and the OS+tools+updates took up about 12 gig.
One of the biggest lessons I learned from this experience is to make sure that not only is your Kali box updated before you take it to a customer site (see this script), but you should make sure you install all the tool dependencies beforehand as well (specifically, Eyewitness, Impacket and MITM6).
This pentest was also extremely time-boxed, so I tried to get as much bang out of it as possible. This included:
- Capturing hashes with Responder
- Checking for "Kerberoastable" accounts (
GetUserSPNs.py -request -dc-ip x.x.x.x domain/user)
- Check for MS14-025 (see this article)
- Check for MS17-010 (
nmap -Pn -p445 --open --max-hostgroup 3 --script smb-vuln-ms17-010 192.168.0.0/24 -oA vulnerable-2-eblue) and try this method of exploiting it
- Check for DNS zone transfer (
dnsrecon -d name.of.fqdn -t axf)
- Test for egress filtering of ports 1-1024
- Took a backup of AD "the Microsoft way" and then cracked with secretsdump:
sudo python ./secretsdump.py -ntds /loot/Active\ Directory/ntds.dit -system /loot/registry/SYSTEM -hashes lmhash:nthash LOCAL -outputfile /loot/ad-pw-dump