On a recent penetration test I made heavy use of Sec-1 Ltd’s tool sharecheck in a way to gain Domain Administrator privileges that had previously been missed. Effectively there was a lot of ground work in horizontal propagation which I automated through Meterpreter and Sharecheck. I’ve mentioned Sharecheck before on my Internal Penetration Testing post, but I don’t believe I’ve ever ran through the features of this tool which I make use of on almost every test. Effectively this tool allows you to do four main things:
During Penetration Tests I often gain access to a selection of domain user accounts on my path to compromising a domain admin account. This is often a requirement these days for enumerating domain policy and also it’s quite common to find standard user accounts that have access to interesting information, such as HR or Finance accounts with access to staff and payroll information or a user with VPN access. During the post-engagement meeting with clients they’re often shocked at how I could launch online brute-force attacks against accounts without locking them out.