Preview Mode Links will not work in preview mode

7 Minute Security


Sep 9, 2022

In today's episode we share some tips we've picked up in the last few weeks of pentesting, with hopes it will save you from at least a few rounds of smashing your face into the keyboard. Tips include:

  • If you find yourself with "owns" rights to a bajillion hosts in BloodHound, this query will give you a nice list of those systems, one system per line:

cat export-from-bloodhound.json | jq '.nodes[].label' | tr -d '"'

Then you can scan with nmap to find the "live" hosts:

nmap -sn -iL targets.txt

  • For resource based constrained delegation attacks, check out this episode of pwnage for some step-by-step instructions.

  • If you have RBCD admin access to victim systems, don't forget that CrackMapExec support Kerberos! So you can do stuff like:

cme smb VICTIM-SYSTEM -k --sam or cme smb VICTIM-SYSTEM -k -M wdigest -M ACTION=enable

  • Take the time to search SMB shares with something like PowerHuntShares. If you have write access in places, drop an SCF file to capture/pass hashes!

  • Looking to privilege escalate while RDP'd into a system? You owe it to yourself to check out KrbRelayUp!

  • Ever find yourself with cracked hashcat passwords that look something like '$HEX[xxxx]'? Check this tweet from mpgn for a great cracking tip!