Nmap Netdiscover arp-scan Scanning Masscan Metasploit Nessus Nikto Dirbuster Dirb Gobuster HTTP/HTTPS Source Code Burp Suite Test Server upload Davtest Msfconsole - smb_version smbclient SMB Enumeration Scanning & Enumeration LLMNR Responder enum4linux (not working properly) Connection attempt SSH anonymous access DNS/MDNS LLMNR Poisoning Disable LLMNR and NBT-NS FTP binary NBT-NS Defences Require Network Access Control Require Strong User Passwords ipconfig /all arp -a Capturing NTLMv2 Hashes Network route print Responder Password Cracking (Hashcat) netstat -ano Nessus Host Discovery SMB Signing Disabled Google Searchsploit HTTP Off Responder Vulnerability Research Exploit Database Nmap script SMB Off Metasploit - search Crack offline SAM Hashes Dump WHOIS Pass-the-Hash Interactive shell -i nslookup Target Validation Netcat ntlmrelayx Powershell dnsrecon Command execute -c Google Fu Reverse shell SMB Relay Attacks other dig Execute .exe file -e Nmap Finding Subdomains Sublist3r Defences crt.sh Nmap Fingerprinting Netcat Gain Shell Access psexec.py Breach-Parse wmiexec.py Less noisy / Half-shell Hunter.io (Domain Search) email:username* info dump (loot folder) ntlmrelayx IPv6 Attacks Identify Target delegate access Disable IPv6 Breach-Parse Possible unwanted side effects Define Block Rules / instead of Allow Rules Disable wpad if not in use Defenses Breached Credentials scylla.sh new user creation on DC LDAP Relay Email Address Gathering bugcrowd.com aclpwn restore mitm6 leakedsource.ru Enable LDAP signing and channel binding usually not enabled Put admin users into the protected users group The Harvester OSINT OWASP Amass prevent impersonation or delegation Get loot back Sublist3r crt.sh prevent lateral movement AV noisy Less noisy / Half-shell Reconaissance No local Admin exploit/windows/smb/psexec_psh smbexec.py scylla.sh If Kerberos stops working, back to NTLM Local Admin restriction HaveIbeenPwned Data Breaches Performance issues with file copy exploit/windows/smb/psexec msfconsole BuiltWith WeLeakInfo It will completely stop the attack Admin only logging into their accounts / servers / domain controllers Account tiering Wappalyzer meterpreter Stops the attack Disable NTLM Authentication Overview WhatWeb msfvenom Enable SMB signing on all devices Bluto email:*bbc.co.uk msf web_delivery Get account created on Domain Controller mitm6 Early morning Subdomains Lunch time Tomnomnom HTTPprobe Are they giving us hashes ? BuiltWith Are those hashes easy to crack ? Initial Attack Vectors Identify Website Technologies Wappalizer See how the network responds whatweb Google Fu Twitter Easy win Responder Information Gathering with Burp Suite LinkedIn Easy win might have had Pentest before If LMNR is disabled might know common attacks Looking for hashes Early morning Social Media Lunch time Nessus scan Mutual Non-Disclosure Agreement (NDA) Nmap scan Performance Objectives Outline the Responsabilities https://www.rapid7.com/legal/msa/ Other Attack Vectors and Strategies Master Service Agreement (MSA) Day begins with Morning Look for SMB open / signing disbled Pickup targets / hashes for SMB Relay attacks Afternoon Relay hashes Loot at logins Rapid7 MSA example Activities Check for default creds Check for Vulns Sales Scan-to-computer feature Deliverables Statement of Work (SOW) Timelines Sweep entire network for websites Quotation HTTP_Version (Metasploit) Lot of people don't secure their printers Look for printers Others: Sample Report, Recommendation Letters etc.. Jenkins Instances What we can and can't do often set aside as its own assessment Rules of Engagement (ROE) Enumerate as much as you can nmap --script=smb-enum-users.nse It's Snapshot in time GetADUsers.py -dc-ip 10.10.10.161 htb.local/ kerbrute userenum --dc 10.10.222.155 -d spookysec.local usernames.txt -t 100 Timeframe Attempt to list and get TGTs for those users that have the pr oper ty “Do not r equi re Ker beros preauthenti cati on” set (UF_DONT_REQUI RE_PREAUTH) Guidelines Planning Assessment Overview (high level) GetNPUsers.py -dc-ip 10.10.10.161 htb.local/ Users Enumeration Hashcat Phases of Pentest Attacking Think outside the box Try all possible ways in Don't just focus on the exploit We are under a time limited engagement We are targeting what we can in that period of time Discovery Often wide open Search for low hanging fruits You can not start your penetration test until the Rules of Engagement document is signed We are not responsible for anything happening after Get TGT hash, for those users with such configuration GetNPUsers.py -request -dc-ip 10.10.10.161 htb.local/ Reporting What type of penetration test it is Easy-win Strategy Assessments Components Brute force discovery of users, passwords and password spray Common Legal Documents Findings Severity Ratings IPs No Denial of Service attacks Did the client had to assist us in any way ? Active Directory Legal Documents and Report Writing Scope Scope Exclusions Exploiting Kerberos Client Allowances CEO Findings Report Quick summary about vulnerabilities you found, and what they could lead to What you managed to do Actions Get Hashes GetNPUsers.py Crack the hashes Give them kudos where they need it Unrestricted Logon Attempts No-technical people will understand Shares Enum secretsdump LSA Secrets Dumping DPAPI_SYSTEM KEY Metasploit Crack NTLM Hashes Security Weaknesses psexec Pass-the-Hash not Pwn3d! Cannot pass NTLMv2 Share technical details no cracking needed Pass-the-Password crackmapexec no SMB access Dump local SAM hashes Technical Summary Who Mimikatz Token Impersonation Remediation Meterpreter - Incognito Request TGT, provide NTLM hash Action Receive TGT encrypted with krbtgt hash Additional Reports and Scans (Informational) Kerberoasting 'How to' video on writing a pentest report https://www.youtube.com/watch?v=EOoBAq6z4Zk https://github.com/hmaverickadams/TCM-Security-Sample-Pentest-Report Request TGS for Server (Presents TGT) GetUserSPNs.py Receive TGS encrypted with Server's account hash Crack the hash Sample Pentest Report prompt off Legal Documentation for Physical Security Testing https://github.com/trustedsec/physical-docs smbclient GPP / cPassword No password recurse on mget * Groups.xml cpassword gpp_decrypt Invoke-GPP Separation of networks How well is the network segmented smb_enum_gpp module in Metasploit Guest Network privilege::debug Reduced funtionalities NTLM Access Employs' things / IPs / servers Open network sekurlsa::logonpasswords Attack Evaluate what networks are around Logged in accounts wdigest Hidden networks lsadump::sam Walk around lsadump::sam /patch Rogue Devices shell with Metasploit WPS secretsdump.py Place wireless card in monitor mode Channel 1, 6 and 11 are the most used (no overlap) Channel WPA2 PSK Discover info about network BSSID SAM dump Post-Compromise crackmapexec sam dump not working Wi-Fi Select network and capture data Speed-up the process Perform Deauth attack windows/system32/config/SECURITY windows/system32/config/SYSTEM crack with secretsdump.py Credential Dumping lsadump::lsa /patch Hacking Process Capture WPA handshake SID Company Name Mimikatz NTLM Phone numbers LSA dump Many companies use something familiar to them Street address CEWL windows/system32/config/SAM just download the SAM SSID Substitute 1 with i. 0 with O get a shell Try get a shell with Psexec not Pwn3d! Chained exploit of attacks Try to authenticate with Psexec no SMB access Pwn3d! Exploitation hashdump Pwn3d! or green [+] Charts Penetration Testing meterpreter Hashcat crackmapexec Vector evil-winrm Bloodhound Dump the Hashes Security Strengths Intended for technical people References psexec SAM Dumping Identify weaknesses at a high level Exploitation Proof of Concept check where you can authenticate PowerView Enumeration Executive Summary Vulnerabilities by Impact Pass-the-Hash smbclient Get system shell Missing Multi-Factor Authentication Weak Password Policy NTDS.DIT secrets dump Secretsdump After you test Attack Summary Recommendations We were scanning they identified and blocked us Metasploit auxiliary/gather/kerberos_enumusers PowerView ASREPRoasting Elevate Privileges Attempt to crack the handshake Strength evaluation Create a wordlist from thei website opens cmd prompt lsadump::lsa /inject /name:krbtgt Pull down krbtgt account Golden Ticket WPA2 PSK Weak Passwords Silver Ticket WPA2 Enterprise ./run.sh tesla.com Assetfinder Find Alive Domains GoWitness Screenshot Websites Subjack Features SQL Injection Silver Ticket Avoid re-using local admin password Limit account re-use Disable Guest and Administrator accounts Limit who is a local administrator Weak or well-known Passwords The longer the better (>14 characters) Weak or Ineffective Credential Recovery Pass Attack Weak forgot-password processes Utilize strong passwords Avoid using common words I like long sentences Broken Authentication Missing or Ineffective two-factor authentication Check out/in sensitive accounts when needed Mitigation Session ID exposed in URL Privilege Access Management (PAM) Does not rotate Session ID after successful login Session Fixation Limit user/group token creation permissions User Sessions or Authentication Tokens Token Impersonation Find all directories dirbuster navigate all directories BurpSuite nmap --script=ssl-enum-ciphers -p 443 tesla.com Kerberoasting Sensitive Data Exposure Spiking https://securityheaders.com Fuzzing Attacking Systems that parse XML Input Finding the Offset Abuse SYSTEM entity and get malitious XML External Entities (XXE) Buffer Overflow Overwriting the EIP dos, local file disclosure, remote code execution, and more Finding Bad Characters User gets access to somewhere they shouldn't Finding the Right Module Are you able to bypass access ? Can you access admin areas or even other user areas from an account ? Generating Shellcode / Getting Root Web Applications Broken Access Control Metasploit unauthenticated, authenticated, admin Hydra IDOR - Insecure Direct Object Reference OWASP Top Ten Default Credentials Brute Force Attacks Stack Traces - Error Handling Crdential Stuffing Password Spraying https://github.com/danielmiessler/SecLists Left behind applications https://github.com/initstring/passphrase-wordlist Unnecessary features Default features not in use Password dumping Security Misconfiguration Password dumping in memory Kiwi Out-of-date Software Hash dumping Unnecessary ports open, activated accounts File upload Stored XSS Hash dumping Golden Tickets Cross-Site Scripting (XSS) Default Creds Preventing XSS Validating Password dumping in memory Mimikats Server-side Encoding Filtering Password dumping Credentials Client-side DOM XSS Golden Tickets Metasploit Deprecated Interface Reflected XSS Common Bad Password List CEWL Word List Generator Sanitization Metasploit smb_ms17_010 Eternal Blue MS17_010 Serialization Deserialization Insecure Deserialization AutoBlue alternative to metasploit smbclient ysoserial SAM Software is vulnerable, unsuported, or out of date SAM No frequent scan for vulnerabilities Using Components with Known Vulnerabilities Hashes Dumping / Cracking Have Logs, Auditable Events Track anyone logging into the application Insufficient Logging & Monitoring Stealing & Manipulation Tokens exploit/windows/local/persistence Persistence Scripts WEB exploit/windows/local/registry_persistence run scheduleme run schtaskabuse Maintaining Access Scheduled Tasks net user hacker password123 /add Add a user route print connect to target psexec arp -a run autoroute -s 169.254.0.0/24 Post-Exploitation Metasploit Pivoting run autoroute -p use auxiliary/scanner/portscan/tcp proxychains SSH Pivoting Remove executables, scripts, and added files Set settings back to original configurations Pass-The-Hash psexec Pass-The-Hash Metasploit Incognito Privilege Escalation run persistence -h Remove malware, rootkits, and added user accounts John crackmapexec Serialization poc secretsdump Hashcat Monitor if anyine is attacking your application ipconfig SECURITY SYSTEM No Patching, no fix, no update Track failed login attempts Account tiering Local admin restriction nmap Left behind directories Automatically rotate passwords on check out and check in Limits pass attacks as hash/password is strong and costantly rotated Dows not properly invalidate Session IDs during logout or inactivity Application should not throw errors Kerberos Ticket Granting Ticket Pass-the-Ticket Brute Forcing or other automated attacks Disclosure of Sensitive Information strong password policy Golden Ticket Credential Stuffing Response Headers weak password policy Over-Pass-the-Hash Blind SQL Injection HTTP Strict Transport Security (HSTS) % we are able to crack Pass-the-Hash Scraping Wayback data Sanitized Input Crack passwords offline Golden Ticket attack Parameterized Statements knowledge-based answers Passwords Enumeration Subdomain takeover Make the System/Network as it was when you entered it Covering Tracks SQL Injection XXS Strong Passwords Least privilege Stealthier Usernames Why do we dump ? HTTProbe Waybackurls ntds.dit Finding Subdomains Amass Response tab Pass-the-Ticket Persistence rockyou.txt Search for 'key' 'keys' 'password' 'passw' psexec Kerbrute crackmapexec Intended for people with no technical background Evil-winrm ntlmrelayx Abuse WriteDACL permissions C-level executive CISO John the Ripper Get a shell What we are attacking get passwords for SMB user Less likely to be picked-up Before you test Common 'don'ts' Social Engineering dump creds in clear text Use this if scans are taking too long What we can and can't attack (IP addresses) Denial of Service might get domain admin off using individual user accounts Will cover specifics of you testing unless that's a specific thing the client wants to test Is user domain admin on that printer ? misc::cmd Access any computer dir \\THEPUNISHER\c$ psexec.exe PsExec64.exe -accepteula \\THEPUNISHER cmd.exe shell
