7 Minute Security

7MS #353: Tales of Internal Pentest Pwnage - Part 1

March 22, 201942 min
Buckle up! This is one of my favorite episodes.
Today I'm kicking off a two-part series that walks you through a narrative of a recent internal pentest I worked on. I was able to get to Domain Admin status and see the "crown jewels" data, so I thought this would be a fun and informative narrative to share. Below are some highlights of topics/tools/techniques discussed:
Building a pentest dropbox
The timing is perfect - my pal Paul (from Project7) and Dan (from PlexTrac) have a two-part Webinar series on building your own $500 DIY Pentest Lab, but the skills learned in the Webinars translate perfectly into making a pentest dropbox. Head to our webinars page for more info.
Securing a pentest dropbox
What I did with my Intel NUC pentest dropbox is build a few VMs as follows:

Win 10 pro management box with Bitlocker drive encryption and Splashtop (not a sponsor) which I like because it offers 2FA and an additional per-machine password/PIN. I think I spent $100/year for it.


Kali attack box with an encrypted drive (Kali makes this easy by offering you this option when you first install the OS).

Scoping/approaching a pentest
From what I can gather, there are (at least) two popular schools of thought as it relates to approaching a pentest:

From the perimeter - where you do a lot of OSINT, phish key users, gain initial access, and then find a path to privilege from there.


Assume compromise - assume that eventually someone will click a phishing link and give bad guys a foothold on the network, so you have the pentester bring in a Kali box, plug it into the network, and the test begins from that point.

Pentest narrative
For one of the tests I worked on, here were some successes and challenges I had along the way:
Check out the show notes at 7MS.us as there's lots more good info there!

Chat About 7MS #353: Tales of Internal Pentest Pwnage - Part 1