July 14, 2020

Pentest Planning (draft)

Scope

  • What subnets are in scope?
  • What is out of bounds?
  • What will get me fired if I touch it?
  • What are the production systems?
  • Who are the key individuals ?

Drop Zone

Get tools inside the network or know how to live off of the land.

  • Nessus Scanner VM stood up
  • Kali VM
  • Win10 VM (optional but really handy)

Close Air Support

  • Kali VM in AWS to act as listener
    • msf > use exploit/multi/handler

Actions on the Inside

Depending on the situation and engagement type, there are different paths to achieving the same objective that be taken. If remaining undetected by the blue team is important or you just need to avoid security tools, you will need to move slowly and quietly (aka sneakin & peekin’). Get on the network and just listen to traffic and select targets based on what you’ve heard.

If you are already compromised or it’s internal test that everyone already knows about, then just GO LOUD!! Scan everything at speed.

Sneakin’ and Peekin’

Target Enumeration with PowerShell (ping sweep )

$subnet = "10.13.37"
$start = 1
$end = 254
$pings = 2
while ($start -le $end) {
$IP = "$subnet.$start"
Write-Host "Pinging $IP" -ForegroundColor Cyan
echo "$IP" | Out-File -FilePath results.txt -Append
Test-Connection -ComputerName $IP -count $pings -Quiet | Out-File -FilePath results.txt -Append
$start++
}

TCP Port Enumeration with PowerShell (port scan)

# change target ip address in the Connect method
 21,22,23,53,80,135,137,138,139,443,445,3306,3389,8000,8080,8443,8834 | % {echo ((new-object Net.Sockets.TcpClient).Connect("10.13.37.55",$_)) "TCP $_ is open!"} 2>$null

DNS name from IP Address

PS C:\Users\gstokley> Resolve-DnsName -name "10.13.37.30"

Name                           Type   TTL   Section    NameHost                                                             
----                           ----   ---   -------    --------                                                             
30.37.13.10.in-addr.arpa.      PTR    1200  Question   FS01                                            

Intercept Traffic

  1. Run Responder to identify hosts running LLMNR & NBT-NS
    1. (optional) Enable WPAD (Web Proxy Auto Discovery) server to grab the password hashes. This will cause disruption, so narrow the target to a small amount of targets or do so after hours.
  2. Run mitm6 to abuse the default IPv6 configuration in Windows networks to spoof DNS replies by acting as a malicious DNS server and redirect traffic to the Kali VM endpoint.
  3. Run nmap NSE script smb-security-mode and MultiRelay.py to locate hosts without SMB Signing enabled.
  4. Run wmic command to locate unquoted service paths
  5. Run SetSPN to use the Service Principle Names (SPN) to locate Kerberos associations between services and service accounts
  6. Run Sharphound (and Bloodhound if possible) to locate unintended relationships in AD
  7. Check if PowerShell is enabled for all hosts encountered. Having PowerShell disabled will make it harder, but not impossible
    1. Run NoPowerShell (NPS) or
    2. HideMyPS
  8. Attempt AV bypass
    1. Run Sharpshooter for payload obfuscation
    2. Run GreatSCT for Application Whitelisting Bypass

Checking for LLMNR

Misc Resources