7MS #432: Tales of Internal Network Pentest Pwnage - Part 21
2 min read Podcast, Pentesting

7MS #432: Tales of Internal Network Pentest Pwnage - Part 21

This podcast is sponsored by Arctic Wolf, whose Concierge Security teams Monitor, Detect and Respond to Cyber threats 24/7 for thousands of customers around the world. Arctic Wolf. Redefining cybersecurity. Visit Arcticwolf.com/7MS to learn more.

Yay! It's time for another tale of pentest pwnage! Highlights include:

  • Making sure you take multiple rounds of "dumps" to get all the delicious local admin creds.

  • Why lsassy is my new best friend.

  • I gave a try to using a Ubuntu box instead of Kali as my attacking system for this test. I had pretty good results. Here's my script to quickly give Ubuntu a Kali-like flair:

sudo apt-get update
sudo apt-get upgrade -y
sudo apt-get install openssh-server -y

sudo apt-get install nmap curl dnsrecon git net-tools open-vm-tools-desktop python3.8 python3-pip unzip wget xsltproc -y

#Aha helps take output from testssl.sh and make it nice and HTML-y
sudo git clone https://github.com/theZiz/aha.git /opt/aha

#Awesome-nmap-grep makes it easy to grep nmap exports for just the data you need!
sudo git clone https://github.com/leonjza/awesome-nmap-grep.git /opt/awesome-nmap-grep

#bpatty is...well...bpatty!
sudo git clone https://github.com/braimee/bpatty.git /opt/bpatty

#CrackMapExec is...awesome 
sudo mkdir /opt/cme
cd /opt/cme
sudo curl https://github.com/byt3bl33d3r/CrackMapExec/releases/download/v5.1.0dev/cme-ubuntu-latest.1.zip -L -o cme.zip
sudo unzip cme.zip
sudo chmod +x ./cme

#eyewitness is a nice recon tool for putting some great visualization behind nmap scans
sudo git clone https://github.com/FortyNorthSecurity/EyeWitness.git /opt/eyewitness
cd /opt/eyewitness/Python/setup
sudo ./setup.sh

#impacket is "a collection of Python classes for working with network protocols"
#I currently primarily use it for ntlmrelayx.py
sudo git clone https://github.com/CoreSecurity/impacket.git /opt/impacket
cd /opt/impacket
sudo pip3 install .

#mitm6 is a way to tinker with ip6 and get around some ip4-level protections
sudo git clone https://github.com/fox-it/mitm6.git /opt/mitm6
cd /opt/mitm6
sudo pip3 install -r requirements.txt

# install service-identity
sudo pip3 install service-identity

# lsassy
sudo python3 -m pip install lsassy

#nmap-bootstrap-xsl turns nmap scan output into pretty HTML
sudo git clone https://github.com/honze-net/nmap-bootstrap-xsl.git /opt/nmap-bootstrap-xsl

#netcreds "Sniffs sensitive data from interface or pcap"
sudo git clone https://github.com/DanMcInerney/net-creds /opt/netcreds

#PCCredz parses pcaps for sensitive data
sudo git clone https://github.com/lgandx/PCredz /opt/pcredz

#Powersploit is "a collection of Microsoft PowerShell modules that can be used to aid penetration testers during all phases of an assessment"
sudo git clone https://github.com/PowerShellMafia/PowerSploit.git /opt/powersploit

#PowerupSQL is a tool for discovering, enumerating and potentially pwning SQL servers!
sudo git clone https://github.com/NetSPI/PowerUpSQL.git /opt/powerupsql

#responder is awesome for LLMNR, NBT-NS and MDNS poisoning
sudo git clone https://github.com/lgandx/Responder.git /opt/responder