7MS #390: Tales of Internal Network Pentest Pwnage - Part 11


Manage episode 247648027 series 1288763
By Brian Johnson. Discovered by Player FM and our community — copyright is owned by the publisher, not Player FM, and audio is streamed directly from their servers. Hit the Subscribe button to track updates in Player FM, or paste the feed URL into other podcast apps.

Today's episode is brought to you by ITProTV. It’s never too late to start a new career in IT or move up the ladder, and ITProTV has you covered - from CompTIA and Cisco to EC-Council and VMWare. Get over 65 hours of IT training for free by visiting https://itpro.tv/7minute.

Today's episode is a twofer. That's right, two tales of internal network pentest pwnage. Whoop whoop! We cover:

  • What the SDAD (Single Domain Admin Dance) and DDAD (Double Domain Admin Dance) are (spoiler: imagine your dad trying to dance cool...it's like that, but more awkward)

  • A good way to quickly find domain controllers in your environment: nslookup -type=SRV _ldap._tcp.dc._msdcs.YOURDOMAIN.SUFFIX

  • This handy script runs nmap against subnets, then Eyewitness, then emails the results to you

  • Early in the engagement I'd highly recommend checking for Kerberoastable accounts

  • I really like Multirelay to help me pass hashes, like:

MultiRelay.py -t -u bob.admin Administrator yourmoms.admin

  • Once you get a shell, run dump to dump hashes!

  • Then, use CME to pass that hash around the network!

crackmapexec smb -u Administrator -H YOUR-HASH-GOES-HERE --local auth

  • Then, check out this article to use NPS and get a full-featured shell on your targets

398 episodes