7MS #390: Tales of Internal Network Pentest Pwnage - Part 11
7 Minute Security
English - December 06, 2019 21:25 - 1 hour - 86.3 MB - ★★★★★ - 63 ratings
Categories: Technology, News, Tech News, information security, security
Today's episode is brought to you by ITProTV. It’s never too late to start a new career in IT or move up the ladder, and ITProTV has you covered - from CompTIA and Cisco to EC-Council and VMWare. Get over 65 hours of IT training for free by visiting https://itpro.tv/7minute.
Today's episode is a twofer. That's right, two tales of internal network pentest pwnage. Whoop whoop! We cover:

- What the SDAD (Single Domain Admin Dance) and DDAD (Double Domain Admin Dance) are (spoiler: imagine your dad trying to dance cool...it's like that, but more awkward)
- A good way to quickly find domain controllers in your environment: `nslookup -type=SRV _ldap._tcp.dc._msdcs.YOURDOMAIN.SUFFIX`
- This handy script runs nmap against subnets, then EyeWitness, then emails the results to you
- Early in the engagement I'd highly recommend checking for Kerberoastable accounts
- I really like MultiRelay to help me pass hashes, like: `MultiRelay.py -t 1.2.3.4 -u bob.admin Administrator yourmoms.admin`
- Once you get a shell, run `dump` to dump hashes!
- Then, use CME to pass that hash around the network: `crackmapexec smb 192.168.0.0/24 -u Administrator -H YOUR-HASH-GOES-HERE --local-auth`
- Then, check out this article to use NPS and get a full-featured shell on your targets
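The "check for Kerberoastable accounts" item above is just as useful from the blue-team side: any domain user can request a service ticket for a user account that carries a servicePrincipalName, so those accounts need long passwords, AES-only tickets and no unnecessary privilege. The audit below is an added example written for this page, not the podcast's or any tool's own code. It assumes you have already exported user objects from LDAP into dicts with the attribute names shown; the sample entries and the fixed "now" timestamp are constructed so it runs offline.

```python
"""Audit exported AD user objects for Kerberoastable service accounts (added example).

Assumes a prior LDAP export produced dicts keyed by the real AD attribute names
below. Kerberoastable here means: a non-computer, enabled account that has at
least one servicePrincipalName. Each hit is annotated with the reasons it would be
an attractive target so it can be fixed (rotate to a long password, gMSA, AES only).
"""
from datetime import datetime, timezone

# userAccountControl bits (standard AD values)
UAC_ACCOUNTDISABLE = 0x2
UAC_DONT_EXPIRE_PASSWD = 0x10000
# msDS-SupportedEncryptionTypes bits: 0x8 = AES128, 0x10 = AES256
AES_ETYPES = 0x18

# Constructed sample export: NOT real accounts.
SAMPLE_USERS = [
    {"sAMAccountName": "svc_sql", "objectClass": ["user"],
     "servicePrincipalName": ["MSSQLSvc/db01.corp.example:1433"],
     "pwdLastSet": datetime(2015, 3, 1, tzinfo=timezone.utc),
     "userAccountControl": UAC_DONT_EXPIRE_PASSWD, "adminCount": 1,
     "msDS-SupportedEncryptionTypes": 0},
    {"sAMAccountName": "svc_backup", "objectClass": ["user"],
     "servicePrincipalName": ["backup/bk01.corp.example"],
     "pwdLastSet": datetime(2019, 11, 1, tzinfo=timezone.utc),
     "userAccountControl": 0, "adminCount": 0,
     "msDS-SupportedEncryptionTypes": AES_ETYPES},
    {"sAMAccountName": "svc_old", "objectClass": ["user"],        # disabled: skipped
     "servicePrincipalName": ["HTTP/old.corp.example"],
     "pwdLastSet": datetime(2012, 1, 1, tzinfo=timezone.utc),
     "userAccountControl": UAC_ACCOUNTDISABLE, "adminCount": 0},
    {"sAMAccountName": "WS01$", "objectClass": ["user", "computer"],  # computer: skipped
     "servicePrincipalName": ["HOST/ws01.corp.example"],
     "pwdLastSet": datetime(2019, 12, 1, tzinfo=timezone.utc),
     "userAccountControl": 0, "adminCount": 0},
    {"sAMAccountName": "alice", "objectClass": ["user"],           # no SPN: skipped
     "servicePrincipalName": [],
     "pwdLastSet": datetime(2019, 6, 1, tzinfo=timezone.utc),
     "userAccountControl": 0, "adminCount": 0},
]

# Fixed reference time so the example is reproducible (constructed).
NOW = datetime(2019, 12, 6, tzinfo=timezone.utc)


def is_kerberoastable(user):
    """Enabled, non-computer account with at least one SPN."""
    return ("computer" not in user["objectClass"]
            and bool(user.get("servicePrincipalName"))
            and not user["userAccountControl"] & UAC_ACCOUNTDISABLE)


def audit(users, now=NOW, max_password_age_days=365):
    """Return {sAMAccountName: [reasons]} for every Kerberoastable account.

    An empty reason list still means the account is roastable; it just has the
    mitigations (fresh password, AES, unprivileged) already in place.
    """
    findings = {}
    for u in users:
        if not is_kerberoastable(u):
            continue
        reasons = []
        age = (now - u["pwdLastSet"]).days
        if age > max_password_age_days:
            reasons.append(f"password {age} days old")
        if u["userAccountControl"] & UAC_DONT_EXPIRE_PASSWD:
            reasons.append("password never expires")
        if not u.get("msDS-SupportedEncryptionTypes", 0) & AES_ETYPES:
            reasons.append("no AES etypes (RC4 tickets crack much faster)")
        if u.get("adminCount"):
            reasons.append("privileged (adminCount=1)")
        findings[u["sAMAccountName"]] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in audit(SAMPLE_USERS).items():
        print(f"{name}: {', '.join(reasons) or 'roastable, mitigations in place'}")
```

Run it against your own export and treat every account with a non-empty reason list as a ticket to close; an account like svc_sql above (years-old non-expiring password, RC4 tickets, adminCount=1) is exactly what the Kerberoast step of an engagement turns into domain admin.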
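The CrackMapExec pass-the-hash sweep above (one hash tried against a whole /24) leaves a distinctive trail on the receiving hosts: one account, from one source address, producing NTLM network logons (event 4624, LogonType 3) on many different machines within seconds. The detection below is an added example for this page, not the podcast's or CrackMapExec's own code. It assumes 4624 events have already been collected (for instance from a SIEM) into dicts with the field names shown; the events are constructed, with a six-host sweep mixed in among benign logons.

```python
"""Flag NTLM network-logon sweeps across many hosts (added example).

Assumes Windows 4624 events collected centrally into dicts with: ts (ISO 8601),
host (the computer that logged the event), user, logon_type, auth_pkg, src_ip.
A pass-the-hash spray shows up as one (user, src_ip) pair with LogonType 3 NTLM
logons on >= min_hosts distinct hosts inside a short window.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: a sweep from 10.0.0.50 plus normal noise.
SAMPLE_EVENTS = [
    {"ts": f"2019-12-06T10:00:{i:02d}", "host": f"WS{i:02d}", "user": "Administrator",
     "logon_type": 3, "auth_pkg": "NTLM", "src_ip": "10.0.0.50"}
    for i in range(1, 7)
] + [
    {"ts": "2019-12-06T10:01:00", "host": "FS01", "user": "alice",
     "logon_type": 3, "auth_pkg": "Kerberos", "src_ip": "10.0.0.7"},
    {"ts": "2019-12-06T10:02:00", "host": "FS01", "user": "bob",
     "logon_type": 3, "auth_pkg": "NTLM", "src_ip": "10.0.0.8"},
    {"ts": "2019-12-06T10:02:30", "host": "PRINT01", "user": "bob",
     "logon_type": 3, "auth_pkg": "NTLM", "src_ip": "10.0.0.8"},
    {"ts": "2019-12-06T10:03:00", "host": "WS01", "user": "carol",
     "logon_type": 2, "auth_pkg": "Negotiate", "src_ip": "-"},
]


def detect_ntlm_sweeps(events, window=timedelta(minutes=5), min_hosts=5):
    """Return one alert per (user, src_ip) that touched >= min_hosts hosts via NTLM
    network logons inside any `window`-long interval."""
    by_actor = defaultdict(list)
    for e in events:
        # Only NTLM network logons matter; Kerberos or interactive logons are noise here.
        if e["logon_type"] != 3 or e["auth_pkg"].upper() != "NTLM":
            continue
        by_actor[(e["user"], e["src_ip"])].append(
            (datetime.fromisoformat(e["ts"]), e["host"]))

    alerts = []
    for (user, src_ip), logons in by_actor.items():
        logons.sort()
        # Slide a window starting at each logon and count distinct target hosts.
        for i, (t0, _) in enumerate(logons):
            hosts = {h for t, h in logons[i:] if t - t0 <= window}
            if len(hosts) >= min_hosts:
                alerts.append({"user": user, "src_ip": src_ip,
                               "start": t0.isoformat(), "hosts": sorted(hosts)})
                break  # one alert per actor is enough
    return alerts


if __name__ == "__main__":
    for a in detect_ntlm_sweeps(SAMPLE_EVENTS):
        print(f"NTLM sweep: {a['user']} from {a['src_ip']} hit "
              f"{len(a['hosts'])} hosts starting {a['start']}: {a['hosts']}")
```

Tune `min_hosts` and `window` to your environment (backup and monitoring servers legitimately fan out), and note that with `--local-auth` the account in the events is a local one, so the 4624 TargetDomainName will be the workstation's own name rather than the domain, which is itself a useful secondary filter.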