Pentesting

Push it, Push it Real Good

[Edit 8/13/15] – Here is how the old version 1.9 cmdlets in this post translate to PowerView 2.0:

Invoke-StealthUserHunter -> Invoke-UserHunter -Stealth
Invoke-SearchFiles -> Find-InterestingFile
Get-NetFileServers -> Get-NetFileServer

My boss comes from a red teaming background; I do not. When I started to move beyond simple pentests and absorb his more advanced tradecraft, I was amazed that …

“I Hunt Sys Admins”

[Edit 8/13/15] – Here is how the old version 1.9 cmdlets in this post translate to PowerView 2.0:

Get-NetGroups -> Get-NetGroup
Get-UserProperties -> Get-UserProperty
Invoke-UserFieldSearch -> Find-UserField
Get-NetSessions -> Get-NetSession
Invoke-StealthUserHunter -> Invoke-UserHunter -Stealth
Invoke-UserProcessHunter -> Invoke-ProcessHunter -Username X
Get-NetProcesses -> Get-NetProcess
Get-UserLogonEvents -> Get-UserEvent
Invoke-UserEventHunter -> Invoke-EventHunter

[Note] This post is a companion to the Shmoocon …

Mining a Domain’s Worth of Data With PowerShell

On a red team engagement, our goal usually isn’t access, it’s data. While getting domain admin on a test is a great feeling, what actually matters to us is identifying what a customer is trying to protect and then targeting those crown jewels. Access is obviously a necessary component, but data mining is just as important. Some …

Dumping a Domain’s Worth of Passwords With Mimikatz pt. 2

A year ago, @mubix published a cool post on http://carnal0wnage.attackresearch.com/ about “Dumping a domain’s worth of passwords with mimikatz”. In the article, he talked about using a combination of PowerShell, file shares, .bat scripts and output files in order to run Mimikatz across a large number of machines in an enterprise using just WMI. A few …

The Case of a Stubborn ntds.dit

The awesomesauce of the Kerberos Golden Ticket (based on the spoofed-PAC whitepaper from BlackHat 2012) has started to change how I operate on my engagements, especially during repeat assessments done for the same customer. I’m now maniacally intent on getting the krbtgt hashes for as many domains as I can in the target network. Most often, I’ll try to …

Finding Local Admin with the Veil-Framework

[Edit 8/13/15] – Here is how the old version 1.9 cmdlets in this post translate to PowerView 2.0:

Invoke-FindLocalAdminAccess -> Find-LocalAdminAccess

Additionally, the -Ping switch for Invoke-ShareFinder is no longer needed.

Back in 2012 @zeknox wrote a great post on “Finding Local Admin with Metasploit” which I highly recommend everyone read. My team consistently runs into situations similar …

Pass-the-Hash is Dead: Long Live Pass-the-Hash

[Edit 3/16/17] Many elements of this post, specifically the ones concerning KB2871997, are incorrect. I have an updated post titled “Pass-the-Hash Is Dead: Long Live LocalAccountTokenFilterPolicy” that contains the most up-to-date and accurate information.

[Edit 8/13/15] – Here is how the old version 1.9 cmdlets in this post translate to PowerView 2.0:

Invoke-EnumerateLocalAdmins -> Invoke-EnumerateLocalAdmin …
