Aug 19, 2020
Welcome to another fun tale of internal pentest pwnage! Today's tale includes these helpful informational tidbits:
My understanding is that in order for mitm6 relay attacks to work against DCs, those DCs have to have LDAPS config'd properly. Use nmap -sV -p636 name.of.domain.controller to verify this (thanks to this site for the tip!).
PowerView is awesome when used with Find-InterestingDomainShareFile to find interesting files with the word password or sensitive or other helpful strings.
eavesarp helped me identify some weird hosts on weird subnets sending regular bursts of traffic to "interesting" hosts! Check out this video from Black Hills Infosec to learn more.
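To show the kind of pattern eavesarp surfaces, here is an added example (my own code, not eavesarp's and not from the original post) that takes a constructed list of observed ARP requests and flags sender/target pairs where the sender sits outside the monitored subnet or the target never speaks on the segment, the two signs of a stale or misdirected address configuration. The subnet 10.0.1.0/24 and all addresses are made up for the sample.

```python
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample, not a real capture: (sender_ip, target_ip) for each ARP
# request seen on the wire. 10.0.9.77 lives on another subnet yet keeps asking
# for 10.0.1.50, which never sends anything itself (stale-address candidate).
SAMPLE_REQUESTS = [
    ("10.0.1.10", "10.0.1.1"),
    ("10.0.1.1", "10.0.1.10"),
    ("10.0.9.77", "10.0.1.50"),
    ("10.0.9.77", "10.0.1.50"),
    ("10.0.9.77", "10.0.1.50"),
    ("10.0.1.20", "10.0.1.1"),
    ("10.0.1.10", "10.0.1.60"),
    ("10.0.1.10", "10.0.1.60"),
]


@dataclass(frozen=True)
class Finding:
    sender: str
    target: str
    requests: int
    foreign_sender: bool  # sender IP is not inside the monitored subnet
    target_silent: bool   # target never appeared as a sender (no sign of life)


def analyze_arp(requests, local_net, min_requests=2):
    """Return suspicious sender->target pairs, busiest first.

    A pair is reported once it has been seen min_requests times and either the
    sender is foreign to local_net or the target never sent an ARP request of
    its own, a passive hint that the requester's config points at a stale IP.
    """
    net = ip_network(local_net)
    senders = {s for s, _ in requests}
    findings = []
    for (sender, target), n in Counter(requests).items():
        if n < min_requests:
            continue
        foreign = ip_address(sender) not in net
        silent = target not in senders
        if foreign or silent:
            findings.append(Finding(sender, target, n, foreign, silent))
    return sorted(findings, key=lambda f: (-f.requests, f.sender))


if __name__ == "__main__":
    for f in analyze_arp(SAMPLE_REQUESTS, "10.0.1.0/24"):
        print(f)
```

In a real deployment the request list would come from a passive capture on the segment of interest; the heuristic only flags, so each finding still needs a look at the host's network configuration.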
I've also got some personal updates for you, including: