What to do to step my game up?

Pen testing every month now. Vulnerability scan every month now.

With pentesting you should try and exploit every finding from your scan and also pentest the items that wouldn't show on a scanner. Vuln scanners will miss a LOT so you have to do it by hand. I would start reading books on pentesting. I like "The Hacker Playbook" (there is a part two now as well) as it is written and geared directly towards pentesters. Something I almost guarantee is vulnerable in your environment and the scanner didn't pick up is WPAD: your environment being susceptible to WPAD-style attacks. You have to be careful though because tools like Responder can break things in your environment if you don't know what you're doing. Things like that exist and won't show on most scanners. Weak passwords for users. You can use Medusa to test for that. Get a solid list of usernames and see if Medusa can trigger on guessed passwords against the DC.

For example:

medusa -t 1 -b -v 5 -R 1 -M smbnt -m GROUP:DOMAIN -m AUTH:NTLM -h 192.168.1.5 -U 'userlist.txt' -p 'Summer15' -O 'medusa-domain-success.txt'

So in this case medusa will try all the usernames in the list called "userlist.txt" with the password of "Summer15" and output the results to a file called medusa-domain-success.txt. Why "Summer15" you ask? Well, some people change passwords given the season and year. So if you had to change passwords every 3 months you would see people do Winter15 (or Winter2015), Spring2015, Fall2015, Winter2015, etc, etc.

Don't try more than a few times depending on your account lockout policy or you'll find yourself with everyone locked out of their accounts!!!


-t is the total number of logins to concurrently test (just keep it at one)

-b suppresses the startup banner

-v is the verbose level

-R is the number of attempts before giving up (obviously no reason to try more than once for the same password)

-M name of the module to execute (in this case it is the smbnt module)

-m Parameter to pass to the module

-h target hostname or IP address

-U file containing the usernames

-p The password to test

-O File to append log info to

You might also ask yourself, "Well how would an attacker get this list?" They can get it through social media, or other discovery means or even in the environment. I run into environments all the time where companies use 2003 domain controllers still or they upgraded to 2008 and carried over the configuration. The issue with that is DCs that are 2000 and 2003 will allow NULL sessions by default. 2008 DCs will too if they were upgraded from 2003 and had the configuration carried over. I run into this ALL THE TIME. So there are many ways to exploit this but the easiest is a script that comes with Kali by default called enum4linux. You would run the following:

enum4linux <IP of your Domain Controller>

If you start seeing a lot of output then you're most likely vulnerable. It will spit out usernames, password policy for the domain, SIDs, RIDs, groups, who belongs to these groups, and more.

If they are vulnerable just output it to a file (e.g. enum4linux 192.168.0.1 > enum4linuxResults.txt).

From there you can find out someone's password, and the tool mentioned earlier, "Responder", will most likely capture the NTLMv2 hash which may be crackable using something like John (the John the Ripper tool). From there you can use various tools to see if that person is a local administrator for their own machine. If so, you can use Metasploit's psexec_psh (psexec powershell) to gain reverse shells or use PowerShell itself to get reverse shells as both of these will avoid AV. Once you get a reverse shell (shells) you can load mimikatz and get clear text creds.

What's cool about this route is all of this was done without running an actual exploit against the system. You can do this and get Domain Admin fairly quick by just users having weak passwords and being local admins.

Printers. Oh boy, printers. If you have printers like multifunction type printers at your company you can get creds (sometimes domain admin creds) right from the printers. Many printers have the default admin password still in play. I find them every assessment. You can go in and see if the LDAP setting is set up (many companies use this for email, scanning, etc). If so, change the LDAP IP to your Kali box and run netcat listening on port 389 (e.g. nc -lp 389). On the printer save the setting and run a "test" page. Looking back at your Kali box you will see a username and cred come across. I do this on every assessment and have had domain admin creds a handful of times. If anything you get a cred to start with.

Anyhow, things like this are things your scanner won't focus on and won't know.
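The defender's view of the Medusa run above, as an added example that is not part of this thread or the poster's answer: a single password tried once against many accounts leaves a burst of failed logons from one source with many distinct target users, which is the signature this detector looks for in constructed Windows 4625-style records (the `TargetUserName`/`IpAddress` field layout and the thresholds are assumptions).

```python
"""Password-spray detector over constructed failed-logon records.

Added example, not from the thread. A spray like the medusa run above
(one password, many accounts, one attempt each) shows up in Windows
Security logs as a burst of 4625 events from one source with many
distinct target accounts. The flat key=value layout below is an
assumption that mirrors 4625's TargetUserName / IpAddress fields."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one source sprays 5 accounts once each in 12 seconds,
# while a normal user on another host mistypes their own password twice.
SAMPLE_EVENTS = [
    "2024-03-01T09:00:01 4625 TargetUserName=alice IpAddress=10.0.0.50 LogonType=3",
    "2024-03-01T09:00:03 4625 TargetUserName=bob IpAddress=10.0.0.50 LogonType=3",
    "2024-03-01T09:00:05 4625 TargetUserName=carol IpAddress=10.0.0.50 LogonType=3",
    "2024-03-01T09:00:08 4625 TargetUserName=dave IpAddress=10.0.0.50 LogonType=3",
    "2024-03-01T09:00:13 4625 TargetUserName=erin IpAddress=10.0.0.50 LogonType=3",
    "2024-03-01T09:05:00 4625 TargetUserName=frank IpAddress=10.0.0.77 LogonType=2",
    "2024-03-01T09:05:20 4625 TargetUserName=frank IpAddress=10.0.0.77 LogonType=2",
]

def parse_event(line):
    """Turn one constructed log line into (timestamp, event_id, fields)."""
    ts, event_id, *kv = line.split()
    fields = dict(item.split("=", 1) for item in kv)
    return datetime.fromisoformat(ts), event_id, fields

def detect_spray(lines, window=timedelta(minutes=5), min_accounts=5):
    """Return {source_ip: sorted distinct accounts} for every source that
    failed logons against at least `min_accounts` different accounts inside
    one sliding window. Counting distinct accounts (not attempts) is what
    separates a lockout-aware spray from one user fumbling their password."""
    by_source = defaultdict(list)
    for line in lines:
        ts, event_id, f = parse_event(line)
        if event_id == "4625":  # failed logon only
            by_source[f["IpAddress"]].append((ts, f["TargetUserName"]))
    hits = {}
    for ip, events in by_source.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            seen = {user for ts, user in events[i:] if ts - start <= window}
            if len(seen) >= min_accounts:
                hits[ip] = sorted(seen)
                break
    return hits

if __name__ == "__main__":
    for ip, users in detect_spray(SAMPLE_EVENTS).items():
        print(f"possible password spray from {ip}: {', '.join(users)}")
```

Tune `window` and `min_accounts` to the domain's lockout policy: a spray that stays under the lockout threshold per account still crosses the distinct-account threshold here.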

/r/AskNetsec Thread