Search Results For ""
I recently landed on a client’s network with an implementation of Microsoft LAPS on a few thousand hosts. This blog post will walk through how to identify the users sysadmins delegated to view LAPS passwords, and how to identify the users sysadmins have no idea can view LAPS passwords.
Metasploit Module 
When conducting email phishing engagements I often run into situations where I gain a meterpreter session on the internal network, but I don’t have local admin privileges. Often times many penetration testers give up on the assessment because they have already illustrated access to the internal network and consider that adequate on an external engagement. I like to go that extra mile and really make an impact by showing what a malicious user can do once inside.
I feel many penetration testers ignore the fact that a user executed the payload. A user that is most likely part of a domain, and may have access to many additional resources on the internal network that we wouldn’t otherwise have access to.
While conducting penetration tests I almost always obtain user credentials; sometimes in cleartext, and other times just the hash. If your like me; you’ve often wondered, where do I have local Administrative privileges with these credentials. If you haven’t checked out Joesph Pierini’s blog post here, I highly suggest you check it out before continuing.
I can’t even count the number of times I have had user credentials or a hash and wondered where I had Local Administrative privileges. Sure I could fire up metasploit’s msfconsole and psexec across the network. Hell I could even create a resource script to automate the entire task for me, but its doesn’t scale very well and often times the default metasploit config is not very stealth when you flag every workstation and server antivirus on the network. That’s when I started to utilize Nmap’s smb-enum-shares NSE script. I’ve been aware of the script for sometime now, but I wasn’t aware that you can feed it arguments such as a username, password, domain and others. Even better, the NSE script doesn’t need cleartext credentials so you can pass-the-hash like we all love to do. The syntax is pretty straightforward as seen below:Read More
- Playing With the New Burp Suite REST API
- Burp Suite 2.0 Beta Review
- Attacking Palo Alto Networks PAN-OS ‘readSessionVarsFromFile()’
- GPG Errors While Updating Kali Linux
- Installing Kali NetHunter on HTC Nexus 9
Subscribe To Our Mailing List
Want To Be a Better Pentester
Subscribe to our mailing list and recieve FREE pentest tips, tricks, product reviews, news, article release notifications and more!
The Ultimate Burp Suite Training Program
Learn Network Penetration Testing
- Burp Suite
- Forensics and Incident Response
- Information Gathering
- Penetration Testing Tutorials
- Web Applications
Web Application Hacking