Automating the Pentesting Process: Using NTLM Relaying & Deathstar to get Domain Admin

What I’m using: Responder, Empire, Deathstar, ntlmrelayx.py (install guide here). Operating systems: Host: Ubuntu 16.04, Kali Linux (latest); Target 1: Windows Server 2008 R2 (dummy server); Target 2: Windows Server 2008 R2 (domain controller). In a domain, it’s not uncommon for NTLMv2 hashes to be captured in some way while doing a penetration test. The problem …

Domain Penetration Testing: Using BloodHound, Crackmapexec, & Mimikatz to get Domain Admin

In the previous two articles, I gathered local user credentials and escalated to local administrator; my next step is getting to domain admin. Since I have local admin, I'll be using a tool called BloodHound that will map out the entire domain for me and show where my next target will be. After getting …

Domain Penetration Testing: Privilege Escalation via Group Policy Preferences (GPP)

In my previous article, I used LLMNR poisoning to gather the credentials of a low-privilege user on the network. Now I will attempt to escalate those privileges by exploiting a common misconfiguration in Group Policy Preferences. Prior to patch MS14-025, local administrator passwords were stored, horribly, in a readable SMB share, SYSVOL, if …

Domain Penetration Testing: Credential Harvesting via LLMNR Poisoning

Depending on the pentest given (whitebox/greybox/blackbox), you may or may not have a scope. For these examples, I'll be under the assumption that I have a scope from the customer for their domain, corp.local, which runs on the 192.168.1.0/24 network. For these examples, I have my ESXi server running four VMs: Windows Server 2008 R2 (Primary …

Using ETERNALBLUE & DOUBLEPULSAR (Shadowbroker’s Dump/NSA Tools)

In my previous article I showed how to set up the Fuzzbunch framework. Now I'll show how to use it to exploit a vulnerable target. What I'm using in this demo: Kali Linux, Windows XP, Windows 7 (unpatched). The first step is to make a malicious .DLL. Essentially, this exploit will create a backdoor with ETERNALBLUE and upload …