Today’s a fun tale of pentest pwnage where we leveraged a WinRM service ticket in combination with the shadow credentials attack, then connected to an important system using evil-winrm and make our getaway with some privileged Kerberos TGTs! I also share an (intentionally) vague story about a personal struggle I could use your thoughts/prayers/vibes with.

Hello! This week Joe “The Machine” Skeen and I kicked off a series all about pentesting GOAD (Game of Active Directory). In part one we covered:

• Checking for null session enumeration on domain controllers
• Enumerating systems with and without SMB signing
• Scraping AD user account descriptions
• Capturing hashes using Responder
• Cracking hashes with Hashcat

Hi friends, today I’m kicking off a series talking about the good/bad/ugly of hosting security services. Today I talk specifically about transfer.zip. By self-hosting your own instance of transfer.zip, you can send and receive HUGE files that are end-to-end encrypted using WebRTC. Sweet! I also supplemented today’s episode with a short live video over at 7MinSec.club.

Hi friends, in this edition of what I’m working on this week:

• 3 pulse-pounding pentests that had…problems
• Something I’m calling the unshadow/reshadow credentials attack
• Heads-up on a new video experiment I’m going to try next week

Hola friends! Today’s tale of pentest pwnage talks about abusing Exchange and the Azure ADSync account! Links to the discussed things:

• adconnectdump – for all your ADSync account dumping needs!
• Adam Chester PowerShell script to dump MSOL service account
• dacledit.py (part of Impacket) to give myself full write privileges on the MSOL sync account: dacledit.py -action ‘write’ -rights ‘FullControl’ -principal lowpriv -target MSOL-SYNC-ACCOUNT -dc-ip 1.2.3.4 domain.com/EXCHANGEBOX$ -k -no-pass
• Looking to tighten up your Exchange permissions – check out this crazy detailed post

Hey friends, our good buddy Joe “The Machine” Skeen and I are back this week with part 2 (check out part 1!) tackling GOAD SCCM again! Spoiler alert: this time we get DA! YAY!

Definitely check out these handy SCCM resources to help you – whether it be in the lab or IRL (in real life):

• GOAD SCCM walkthrough
• MisconfigurationManager – tremendous resource for enumerating/attacking/privesc-ing within SCCM
• This gist from Adam Chester will help you decrypt SCCM creds stored in SQL

Today we have a smattering of miscellaneous pentest tips to help you pwn all the stuff!

• Selective Snaffling with Snaffler
• The importance of having plenty of dropbox disk space – for redundant remote connectivity and PXE abuse!
• TGTs can be fun for SMB riffling, targeted Snaffling, netexec-ing and Evil-WinRMing!

Hello there friends, I’m doing another “what I’m working on this week” episode which includes:

• BPATTY v1.6 release – big/cool/new content to share here
• PWPUSH – this looks to be an awesome way (both paid and free) to securely share files and passwords