7MS #537: Tales of Pentest Pwnage - Part 42
Today’s episode is brought to us by Blumira, which provides easy to use, automated detection and response that can be setup in…well…about 7 minutes! Detect and resolve security threats faster and prevent breaches. Try it free today at blumira.com/7ms!
In today's episode we share some tips we've picked up in the last few weeks of pentesting, with hopes it will save you from at least a few rounds of smashing your face into the keyboard. Tips include:
- If you find yourself with "owns" rights to a bajillion hosts in BloodHound, this query will give you a nice list of those systems, one system per line:
cat export-from-bloodhound.json | jq '.nodes.label' | tr -d '"'
Then you can scan with nmap to find the "live" hosts:
nmap -sn -iL targets.txt
For resource based constrained delegation attacks, check out this episode of pwnage for some step-by-step instructions.
If you have RBCD admin access to victim systems, don't forget that CrackMapExec support Kerberos! So you can do stuff like:
cme smb VICTIM-SYSTEM -k --sam or
cme smb VICTIM-SYSTEM -k -M wdigest -M ACTION=enable
Take the time to search SMB shares with something like PowerHuntShares. If you have write access in places, drop an SCF file to capture/pass hashes!
Looking to privilege escalate while RDP'd into a system? You owe it to yourself to check out KrbRelayUp!
Ever find yourself with cracked hashcat passwords that look something like '$HEX[xxxx]'? Check this tweet from mpgn for a great cracking tip!