Story begin:
I walk her through what my campaign is. First I gather all the names of the company's workers I can, then generate emails based upon them. I use a 3rd party "People Finder" service to build a database of their personal emails.
With a large database of emails, I grep through a bunch of previously pwned databases I keep on a spare hard drive to create a juicy password list that is bound to get a hit. I fire up Metasploit's OWA bruteforce to confirm work emails and start brute forcing, and go exercise.
Alright, it's now two hours later, I've biked around 25 miles and have showered. Time to check who I've pwned. What!? No one? Am I losing my touch with this? Do I have to resort to phishing!? Well, before that let's create a password list that is almost too stupid to work.
Okay. Password complexity is generally: change passwords every 4 months, and passwords must have characters of all character classes. We have to keep it under four passwords to try not to lock anyone out. Let's try November2020!, December2020!, and Winter2020!
Whoa, I'm in! Winter2020 worked! Wow, I'm so glad I did some good red team labs years ago, I guess.
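The spray described above (a handful of passwords against many accounts, spread over hours so no single account locks out) is invisible to per-account lockout counters but obvious per source. As an added example that is not part of the story, a small Python detector over constructed authentication log lines in an assumed "timestamp source account result" format: it flags any source that fails against many distinct accounts inside one sliding window, and reports which accounts that source later authenticated as.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (not from the story): "timestamp source account result".
SAMPLE_LOG = """\
2020-12-04T18:01:02 203.0.113.7 a.smith FAIL
2020-12-04T18:01:05 203.0.113.7 b.jones FAIL
2020-12-04T18:01:09 203.0.113.7 c.nguyen FAIL
2020-12-04T18:01:12 203.0.113.7 d.patel FAIL
2020-12-04T18:01:15 203.0.113.7 e.garcia FAIL
2020-12-04T18:01:22 203.0.113.7 g.lee OK
2020-12-04T18:02:40 198.51.100.9 a.smith FAIL
2020-12-04T18:02:41 198.51.100.9 a.smith FAIL
2020-12-04T18:02:44 198.51.100.9 a.smith OK
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (FAIL|OK)$")

def parse(log_text):
    """Yield (timestamp, source, account, result) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, src, user, result = m.groups()
            yield datetime.fromisoformat(ts), src, user, result

def detect_spray(log_text, min_users=5, window=timedelta(minutes=30)):
    """Flag sources whose failures cover >= min_users distinct accounts inside one
    sliding window; a single account retried (198.51.100.9) is not a spray."""
    failures = defaultdict(list)   # source -> [(ts, account)] in time order
    successes = defaultdict(set)   # source -> accounts that authenticated OK
    for ts, src, user, result in sorted(parse(log_text)):
        if result == "FAIL":
            failures[src].append((ts, user))
        else:
            successes[src].add(user)
    hits = {}
    for src, fails in failures.items():
        start, best = 0, set()
        for end, (ts_end, _) in enumerate(fails):
            while ts_end - fails[start][0] > window:   # shrink window from the left
                start += 1
            users = {u for _, u in fails[start:end + 1]}
            if len(users) > len(best):
                best = users
        if len(best) >= min_users:
            hits[src] = {"distinct_accounts": len(best), "successes": successes[src]}
    return hits
```

Any success from a flagged source (here `g.lee`) is the account to reset first, since it is exactly the "Winter2020 worked" moment from the source's side.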
A SharePoint instance that is only accessible internally, a timecard system, and a helpdesk. Well, if I don't get anywhere, at least I know what their timecard looks like and on Friday I can send more people a phishing email letting them know they need to log in and submit time.
These types of targeted phishes can fail magnificently though. From a SOC guy's perspective, doing this tactic against an organization that had a rule that emails admins when new domains email them, they saw the typosquatted domain pretty quickly.
If you want to make a sysadmin go from 0-100 fast, do a targeted phish that requires a little insider knowledge. If it gets caught, be prepared to send the team on high alert... Sometimes it may be better to test generic phishes first and measure what level of phish is successful.
Anyways, this hour I'm not a good guy, I gotta get into this company... I log into the help desk and see if there are any services I missed, a password scheme exposed, or in general what else I can get... No matter what side I'm on, I love help desks and tickets.
Great, I see a VPN! However, there is MFA applied to this. I'm worried I may get caught now; I want to tell the help desk I got a new phone and need to set up the MFA. The problem is if the user has email on their phone they may see these emails and catch wind of my exploits.
I could create an OWA rule to automatically delete emails from the help desk and work out of the recycle bin so the user doesn't see it. But if these admins follow best practices any rules created will send an email to security.... What to do? This is tough.
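The "best practice" the narrator is worried about is exactly this: review every newly created inbox rule for the hide-the-help-desk pattern. As an added example that is not part of the story, a Python check over constructed inbox rules in a simplified dict form (the keys loosely mirror common rule properties, but the format is an assumption, not real Exchange output) that flags rules which delete, mark as read or bury mail matching IT, MFA or password keywords, and rules with empty or punctuation-only names.

```python
# Constructed inbox rules in a simplified dict form (not real Exchange output):
# the keys mirror common rule properties but the format is an assumption.
RULES = [
    {"Name": "Newsletters", "From": ["news@vendor.example"], "SubjectContainsWords": [],
     "MoveToFolder": "Newsletters", "DeleteMessage": False, "MarkAsRead": False},
    {"Name": ".", "From": ["helpdesk@corp.example"], "SubjectContainsWords": ["MFA"],
     "MoveToFolder": "Deleted Items", "DeleteMessage": True, "MarkAsRead": True},
    {"Name": "Cleanup", "From": [], "SubjectContainsWords": [],
     "MoveToFolder": "RSS Feeds", "DeleteMessage": False, "MarkAsRead": True},
]

# Folders users rarely open; mail moved here is effectively hidden.
HIDDEN_FOLDERS = {"deleted items", "rss feeds", "junk email", "archive",
                  "conversation history"}
# Senders/subjects someone who opened a help desk ticket would want silenced.
IT_KEYWORDS = ("helpdesk", "help desk", "it support", "mfa", "multi-factor",
               "authenticator", "password", "security", "vpn")

def assess_rule(rule):
    """Return the reasons a rule looks like mailbox hiding, or [] if it looks clean."""
    reasons = []
    folder = (rule.get("MoveToFolder") or "").lower()
    hides = (rule.get("DeleteMessage") or rule.get("MarkAsRead")
             or folder in HIDDEN_FOLDERS)
    filters = " ".join(rule.get("From", []) + rule.get("SubjectContainsWords", [])).lower()
    if hides and any(k in filters for k in IT_KEYWORDS):
        reasons.append("hides mail from IT/help desk or about MFA/password/VPN")
    elif hides and not filters:
        reasons.append("hides mail with no sender or subject filter at all")
    # Rules named with a single dot or other punctuation are a common tell.
    if not rule.get("Name", "").strip(" .,_-"):
        reasons.append("empty or punctuation-only rule name")
    return reasons

def audit_rules(rules):
    """Map rule name -> reasons for every rule that raised at least one flag."""
    return {r["Name"]: reasons for r in rules if (reasons := assess_rule(r))}
```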
It's been 30 minutes, I decide to create the rule; if I get caught it's a nice kudos to include in the report. I love writing about what teams do well, so it isn't just all bad. You'd be surprised how much more pleasant people are to work with when you don't make them look bad.
Back to the hack. It's been 15 minutes. I'm in the VPN, I have to say their helpdesk is really helpful. If only MFA was on their email I would have been stopped. I'm almost certain I'll be caught soon, I just broke their user's VPN access. Time to run bloodhound.py.
I normally don't open up with bloodhound.py but time is of the essence and I already did what I suspect will get caught quickly. I did specify to only run the DCChecks; at a bare minimum I can get computers and a list of users and their password change times.
Alright. Got BloodHound, it shows some kerberoastable accounts. Running impacket's Get-UserSPN shows two accounts. Great, if I get caught and they didn't see this there's a chance I will crack a hash and have another way in. I rarely will limit myself to just one back door.
Running CrackMapExec with guessed creds from earlier shows SMB signing is enabled everywhere, which is good for them; ntlmrelayx probably won't be much use for me today. Because I'm on a VPN, Responder isn't too helpful as I'm not on the same broadcast domain.
Computers ticking away, no pwned... Wait, there's one! They are local admin of their workstation. I run impacket's wmiexec.py because AVs hate it less than psexec.py. I probably should boot up Windows and use the Sysinternals PsExec tool but I'm lazy.
Looks like they use Kaspersky. That's a shame, this client shouldn't run foreign AV, but it does a good job stopping most of the open-source toolkits. Thankfully, I have one I develop with a friend which should do the trick. I just can't touch LSASS, so no cleartext passwords.
Hmm. I can't reach my C2 because of a transparent proxy blocking uncategorized sites. Time to go to http://expireddomains.net and buy one on the list. Thankfully this proxy has a service where people can submit URLs and it says if it's malicious or not and gives the category of the URL.
Domain purchased, time to wait for DNS to update. This can take some time. Meanwhile, I'm still cracking away at those kerberoasted accounts and looking at
Bloodhound for what I can do with them.
Oh, one of the kerberoast accounts cracked, but it isn't a Domain Admin. Before we do anything, this could be an old invalid hash. I'm going to run Kerbrute to test out if it's valid. I like this tool because on failure it doesn't create 4625; instead it's a 4678 and not logged by default.
Awesome. My domain registration went through. Time to recompile my implant and get a shell. I hate operating through "Reverse Shells" because they are hard to
log and track what artifacts I leave behind to clean up.
I want to log onto the server with the kerberoasted credential. Before I do, let's set up persistence on a workstation. I can write to C:\Windows due to local admin, so I'm just going to give a DLL a magical name and persist via DLL injection. No registry / scheduled task this way.
I do have my DLL coded to delete itself after 7 days just in case I forget to clean up after myself. But now, time to wmiexec to the server and load my implant.
I'm on the server! And I'm not the only one here! There is a domain admin! Quick, time to run mimikatz and dump their password!
My C2 tells me it's a horrible idea because of Kaspersky being installed... As a joke I added "Clippy" to this thing, which would pop up and tell me when I'm being rash. Turns out that fun PoC saved me here. I really should finish all the Clippy features I wanted, I like it a lot.
Well. No touching LSASS, but I can dump the SAM and grab local hashes. I don't see LAPS being used, so there's a chance this local administrator account shares the passwords of other servers.
LocalAdmin hash gained! Time to throw this into hashcat and try to crack it while I pass the hash, and it works on the DC! Whew. That was much faster than I thought.
while I come up with something, and then run SecretsDump to grab a list of all password hashes and go back to cracking them.
Whoa, 45% of passwords are cracked. There's plenty of bad ones, I even see Sprint2018!, do they not have PW expiration!? Or is it just some accounts? I should really slow down and look at things but it's such an adrenaline rush every time I jump to the next box.
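The Winter2020! / November2020! / Sprint2018! family is the first thing a password audit should flag, because a season-or-month-plus-year string satisfies "all character classes" and rotates neatly every 4 months. As an added example that is not part of the story, a Python check that recognises that family (including a few letter substitutions and the trailing "!" or space seen above) and reports what share of a constructed cracked-password sample falls into it; the sample values are made up, and the year window is an assumption.

```python
import re
from datetime import date

SEASONS = {"spring", "summer", "autumn", "fall", "winter"}
MONTHS = {"january", "february", "march", "april", "may", "june", "july",
          "august", "september", "october", "november", "december"}
# Undo the most common letter substitutions before the word lookup
# ("$pring", "Summ3r"); digits other than 3 are left alone so years survive.
LEET = str.maketrans("@$3", "ase")
# A word, then a 2- or 4-digit year, then any run of non-alphanumerics (!, ., space).
PATTERN = re.compile(r"^([A-Za-z@$3]+)(\d{4}|\d{2})[^A-Za-z0-9]*$")

def is_seasonal(password, today=None):
    """True if the password is a season or month name plus a plausible year."""
    m = PATTERN.match(password)
    if not m:
        return False
    word = m.group(1).translate(LEET).lower()
    if word not in SEASONS and word not in MONTHS:
        return False
    if len(m.group(2)) == 2:            # two-digit years are always plausible
        return True
    this_year = (today or date.today()).year
    # Assumed window: anything older than 1990 or past next year is not a
    # realistic rotation value ("Winter3020" is not flagged).
    return 1990 <= int(m.group(2)) <= this_year + 1

def seasonal_share(passwords, today=None):
    """Return (seasonal_count, total) over a list of cracked/cleartext passwords."""
    hits = sum(1 for p in passwords if is_seasonal(p, today))
    return hits, len(passwords)

# Constructed sample of "cracked" passwords (not the story's real data).
SAMPLE = ["Winter2020!", "November2020 !", "Summ3r21", "$pring2018",
          "Sprint2018!", "correct horse battery", "Winter3020", "Fall"]
```

Note that a typo like Sprint2018! slips past a plain dictionary of season names, which is why an audit like this belongs next to, not instead of, cracking the hashes.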
I take a list of everything I cracked and go back to the mystical hard drive with database dumps on it... I run grep this time, but with the passwords I cracked that look unique, checking to see if there are any personal emails I missed at the beginning.
End Story.