November 2012 - Pentest Geek

Posted On:November 2012 - Pentest Geek

standard

NetLM Downgrade Attacks with Metasploit

2012/11/30 - By 

Metasploit Module [1]

Recently I added a post exploit module to the metasploit framework  that will help automate the NetLM Downgrade attack.  If you are not familiar with the  attack, I highly suggest you read the following article by Dave Howard before continuing.

The purpose of this article is not to describe the NetLM attack, but rather demonstrate how the post exploit module functions and how it can save  time on a pentest or even get you that next step in order to take over the network.

Read More


standard

Dumping Domain Password Hashes Using Metasploit (ntds_hashextract.rb)

2012/11/16 - By 

Earlier this week I released a blog post on the Accuvant website explaining at a high level some of the techniques and use cases for my recently developed Metasploit modules. This article will be the first in a series of tutorials where I plan to do a deeper dive into the individual modules and some of their many uses during an Information Security Assessment or Penetration Testing exercise.
The ntds_hashextract.rb script is a standalone tool that can be used to quickly and efficiently extract Active Directory domain password hashes from the exported datatable of an NTDS.dit database. As it turns out, exporting the datatable can sometimes be tricky so here is a detailed tutorial covering the methodology that I use and continue to have success with.

Step 1 – Install Libesedb

Libesedb is an open source C library developed to forensically extract information from Extensible Storage Engine (ESE) database files. In order to get what we need out of NTDS.dit we will first have to download and install the library using the following URL
Read More


standard

Finding Logged In Users – Metasploit Module

2012/11/05 - By 

Sometimes during an Information Security Assessment I find myself spending a fair amount of effort locating a server or workstation with a specific user logged into it. This could be because I am searching for a box with a Domain Admin, or maybe my engagement’s scope has a CTF style scope that requires me to find a single user logged into a large enterprise domain.

Whatever the reason, this processes can sometimes take a long time. Especially on a sizable network. Like most security auditors I’m not a big fan of doing the same thing over and over again so I decided to build a tool to help automate this process.

First we query HKEY_USERS to find out how many legitimate SIDs are currently logged in. We should see an output simalr to this.

Read More


standard

Find Local Admin with Metasploit

2012/11/03 - By 

Metasploit Module [1]

When conducting email phishing engagements I often run into situations where I gain a meterpreter session on the internal network, but I don’t have local admin privileges. Often times many penetration testers give up on the assessment because they have already illustrated access to the internal network and consider that adequate on an external engagement. I like to go that extra mile and really make an impact by showing what a malicious user can do once inside.

I feel many penetration testers ignore the fact that a user executed the payload. A user that is most likely part of a domain, and may have access to many additional resources on the internal network that we wouldn’t otherwise have access to.

Read More


Share This

Recent Posts

Subscribe To Our Mailing List

The Ultimate Burp Suite Training Program

Learn Network Penetration Testing

Penetration Testing

Categories

Metasploit

Web Application Hacking


Brandon McCann

Copyright 2024

css.php