Friday, November 2, 2018

Post Exploitation - DCSync

Now that we have a Domain Admin account, another step that can be taken is to run "DCSync". DCSync effectively impersonates a Domain Controller and requests account password data from the targeted Domain Controller. This will allow an attacker to potentially maintain persistence by acquiring more credentials across the domain.

As always, this is more of a step-by-step walkthrough on how the actions are performed. There are many other blogs that go into further detail on the attack and how to mitigate. I will not be doing that here.

To continue with our example, we will assume the following:

Gaining a foothold: Using Responder and NTLM Relay attack

A previous post showed how to capture hashes and crack them. But what if you can't crack the passwords? Is there any way to pass this captured hash instead? Lucky for us, there is! A great post written by byt3bl33d3r back in 2017 covers exactly what I'm about to briefly show; I suggest you check out his post for more information.

Like most of my posts, I only scratch the surface and emulate a real attack. I don't go in depth since there are tons of other write-ups out there that do. Instead, I make more of a step-by-step illustration of how the attack was conducted.

To get started, it is important to know the differences between some of the technologies involved:

Friday, October 26, 2018

Post Exploitation - Kerberoasting

Below is a real-world use case of Kerberoasting. This is not intended to be a guide on Kerberoasting; there are far better guides out there with explanations of how it all works. Rather, this is more of a step-by-step walk-through of using Kerberoasting to escalate privileges from a regular domain user to a higher-privileged user.

Thursday, May 17, 2018

Gaining a foothold: Using Responder to capture NTLMv2 Hashes and cracking with John the Ripper

Recently, I finally got my new home lab set up and I figured it was time to start documenting some tools that are used quite often within penetration testing.

Today I am going to demonstrate how to run Responder in its most basic form, capture an NTLMv2 hash and crack it with John the Ripper. While this will not be an exhaustive list showing all the possible examples (there are many blog posts out there that do), I will just be demonstrating how this can be done in its simplest form. It is up to you to decide how far you want to go with this information.

Wednesday, May 2, 2018

Running an Obfuscated version of Mimikatz in Memory to bypass AntiVirus and other host based controls

The other day I was part of an engagement that required post-exploitation of the target system (administrative access had already been obtained) and stealing credentials. There are many posts online that have done this and I will be referencing them as we go. This is just a supplement to everything else out there.

Mimikatz is a tool that collects credentials, including cleartext passwords, LAN Manager hashes, Kerberos tickets and a number of other items. This post leverages Mimikatz, but instead of downloading the binary to the target's disk and risking that antivirus or other host-based controls trip and stop us, we will download the script directly into memory and run it without ever touching disk.

Additionally, there are a few obfuscation techniques that can be used with simple Linux fu to help generate this "custom" version of Mimikatz to help bypass AV. Lastly, there is another technique to help obfuscate the actual PowerShell command that performs the download and runs the exploit.