7MS #353: Tales of Internal Pentest Pwnage - Part 1

7 Minute Security - A podcast by Brian Johnson - Fridays

Categories:

Buckle up! This is one of my favorite episodes. Today I'm kicking off a two-part series that walks you through a narrative of a recent internal pentest I worked on. I was able to get to Domain Admin status and see the "crown jewels" data, so I thought this would be a fun and informative narrative to share. Below are some highlights of topics/tools/techniques discussed: Building a pentest dropbox The timing is perfect - my pal Paul (from Project7) and Dan (from PlexTrac) have a two-part Webinar series on building your own $500 DIY Pentest Lab, but the skills learned in the Webinars translate perfectly into making a pentest dropbox. Head to our webinars page for more info. Securing a pentest dropbox What I did with my Intel NUC pentest dropbox is build a few VMs as follows: Win 10 pro management box with Bitlocker drive encryption and Splashtop (not a sponsor) which I like because it offers 2FA and an additional per-machine password/PIN. I think I spent $100/year for it. Kali attack box with an encrypted drive (Kali makes this easy by offering you this option when you first install the OS). Scoping/approaching a pentest From what I can gather, there are (at least) two popular schools of thought as it relates to approaching a pentest: From the perimeter - where you do a lot of OSINT, phish key users, gain initial access, and then find a path to privilege from there. Assume compromise - assume that eventually someone will click a phishing link and give bad guys a foothold on the network, so you have the pentester bring in a Kali box, plug it into the network, and the test begins from that point. Pentest narrative For one of the tests I worked on, here were some successes and challenges I had along the way: Check out the show notes at 7MS.us as there's lots more good info there!