7MS #537: Tales of Pentest Pwnage - Part 42
Manage episode 340698088 series 2540717
In today's episode we share some tips we've picked up in the last few weeks of pentesting, in the hope that they save you at least a few rounds of smashing your face into the keyboard. Tips include:
- If you find yourself with "Owns" rights to a bajillion hosts in BloodHound, export the result as JSON and pull one hostname per line out of it with jq (the -r flag prints raw strings, so there are no quotes left for tr to strip):
jq -r '.nodes[].label' export-from-bloodhound.json > targets.txt
Then ping-sweep with nmap to find the hosts that are actually live (-sn does host discovery only, no port scan):
nmap -sn -iL targets.txt
BloodHound labels are FQDNs such as HOST.CORP.LOCAL, so run nmap from a box that resolves names through the target domain's DNS servers; otherwise every host looks "down".
- For resource-based constrained delegation (RBCD) attacks, check out this episode of pwnage for some step-by-step instructions.
- If RBCD got you admin access to victim systems, don't forget that CrackMapExec supports Kerberos authentication: point KRB5CCNAME at the ticket you obtained, pass -k, and address the target by the hostname the ticket was issued for (not by IP, or the Kerberos service name won't match). Then you can do stuff like:
cme smb VICTIM-SYSTEM -k --sam
cme smb VICTIM-SYSTEM -k -M wdigest -o ACTION=enable
Module options go after -o, not after a second -M. The second command turns on WDigest credential caching so that cleartext passwords show up in LSASS the next time someone logs on.
- Take the time to search SMB shares with something like PowerHuntShares. If you have write access anywhere, drop an SCF file: when a user browses the folder in Explorer, their machine authenticates to the UNC path in the file's IconFile line, so point it at your Responder or ntlmrelayx listener to capture Net-NTLMv2 hashes for cracking, or to relay them to hosts that don't require SMB signing.
- Looking to escalate privileges while RDP'd into a domain-joined system as a regular user? You owe it to yourself to check out KrbRelayUp! It relays the machine's own Kerberos authentication to LDAP to set up RBCD (or shadow credentials) against the host you are on, then uses that to get SYSTEM; it only works while the domain controllers do not enforce LDAP signing.
- Ever find yourself with cracked hashcat passwords that look something like $HEX[xxxx]? That is hashcat telling you the plaintext contains bytes it won't print literally (non-ASCII characters, or a colon that would clash with the potfile separator); decode the hex to get the real password. Check this tweet from mpgn for a great cracking tip!
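The following is an added example for the $HEX[] tip above; it is not code from the 7MS episode, from mpgn's tweet or from hashcat. It parses a constructed potfile (the hashes are placeholders, not real digests), unwraps $HEX[...] plaintexts into bytes, and shows why the split has to be on the last colon rather than the first: some hash formats, NetNTLMv2 for one, contain colons themselves.

```python
"""Decode hashcat $HEX[...] plaintexts from a potfile.

Added example, not code from the 7MS episode, mpgn's tweet or hashcat.
hashcat wraps a cracked plaintext in $HEX[] when it contains bytes it
will not print literally (non-ASCII bytes, or a ':' that would be
ambiguous next to the hash:plain separator). The potfile lines below
are constructed: the hashes are placeholders, not real digests.
"""
import binascii
import re

# Constructed sample potfile. The last line imitates a NetNTLMv2 entry
# (user::domain:challenge:response:blob), whose hash half contains colons.
SAMPLE_POTFILE = """\
00000000000000000000000000000001:Summer2022!
00000000000000000000000000000002:$HEX[7061737377c3b67264]
00000000000000000000000000000003:$HEX[53756d6d65723a3230323221]
00000000000000000000000000000004:$HEX[7061737377f67264]
jdoe::CORP:1122334455667788:00112233445566778899aabbccddeeff:010100000000000000:Winter2022
"""

HEX_RE = re.compile(r"^\$HEX\[([0-9a-fA-F]*)\]$")


def decode_plain(plain: str) -> bytes:
    """Return the plaintext as raw bytes, unwrapping $HEX[...] if present."""
    m = HEX_RE.match(plain)
    if m is None:
        return plain.encode("utf-8")
    hexdigits = m.group(1)
    if len(hexdigits) % 2:
        raise ValueError(f"odd-length hex in {plain!r}")
    return binascii.unhexlify(hexdigits)


def to_text(raw: bytes) -> str:
    """Best-effort printable form: UTF-8 first, Latin-1 as a fallback.

    Passwords typed on Windows are often Latin-1/CP1252 rather than UTF-8,
    so bytes that are not valid UTF-8 are shown the Latin-1 way instead of
    being discarded.
    """
    try:
        return raw.decode("utf-8")
    except UnicodeDecodeError:
        return raw.decode("latin-1")


def parse_potfile(text: str) -> dict:
    """Map each potfile hash to its decoded plaintext.

    hashcat writes 'hash:plain' and guarantees the plaintext half has no
    literal ':' by $HEX-encoding it, while the hash half may contain
    colons. Splitting on the LAST colon is therefore always correct.
    """
    cracked = {}
    for line in text.splitlines():
        if not line or ":" not in line:
            continue  # skip blanks and malformed lines
        hash_part, plain_part = line.rsplit(":", 1)
        cracked[hash_part] = to_text(decode_plain(plain_part))
    return cracked


if __name__ == "__main__":
    for h, pw in parse_potfile(SAMPLE_POTFILE).items():
        print(f"{h[:16]}...  {pw}")
```

Lines 2 and 4 of the sample decode to the same word, "passwörd", once as UTF-8 (c3 b6) and once as Latin-1 (f6); the fallback in to_text is what keeps the second one readable instead of raising.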