April 2, 2020

Pentest Planning (draft)

Scope

  • What subnets are in scope?
  • What is out of bounds?
  • What will get me fired if I touch it?
    • What are the production systems?
    • Who are the key individuals?

Drop Zone

Get tools inside the network or know how to live off of the land.

  • Nessus Scanner VM stood up
  • Kali VM
  • Win10 VM (optional but really handy)

Close Air Support

  • Kali VM in AWS to act as listener
    • msf > use exploit/multi/handler

Actions on the Inside

Depending on the situation and engagement type, there are different paths that can be taken to the same objective. If remaining undetected by the blue team matters, or you just need to avoid tripping security tools, you will need to move slowly and quietly (aka sneakin’ & peekin’): get on the network, just listen to traffic, and select targets based on what you’ve heard.

If your presence is already known (cover blown) or it’s an internal test that everyone already knows about, then just GO LOUD!! Scan everything at speed.

Sneakin’ and Peekin’

Target Enumeration with PowerShell (ping sweep)

$subnet = "10.13.37"
$start  = 1
$end    = 254
$pings  = 2
while ($start -le $end) {
    $IP = "$subnet.$start"
    Write-Host "Pinging $IP" -ForegroundColor Cyan
    # -Quiet returns $true/$false instead of reply objects; log IP and result on one line.
    # A host whose firewall drops ICMP echo shows up as False, so treat False as "unknown", not "down".
    $alive = Test-Connection -ComputerName $IP -Count $pings -Quiet
    "$IP,$alive" | Out-File -FilePath results.txt -Append
    $start++
}

TCP Port Enumeration with PowerShell (port scan)

# Set the target once. TcpClient.Connect blocks on a filtered port until the OS gives up (roughly 20 s each on Windows), so this is fine for a short port list but slow for a sweep.
$target = "10.13.37.55"
21,22,23,53,80,135,137,138,139,443,445,3306,3389,8000,8080,8443,8834 | % { $c = New-Object Net.Sockets.TcpClient; try { $c.Connect($target, $_); "TCP $_ is open!" } catch { } finally { $c.Dispose() } }
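
The one-liner above blocks on every filtered port and walks the list in order, which is the opposite of sneakin’ and peekin’. The following is an added example, not code from the original draft: the same TCP probe with a bounded connect timeout, host/port pairs shuffled so nothing on the wire looks sequential, and a random pause between probes. The function names, the 10.13.37.x range, the port list and the delay values are my placeholders.

```powershell
# Added example, not from the original draft. Quiet TCP probe: bounded timeout, shuffled order, jitter.
# The subnet, host range, ports and delays below are placeholders; change them to your scope.

function Test-TcpPort {
    param(
        [Parameter(Mandatory)][string]$Target,
        [Parameter(Mandatory)][int]$Port,
        [int]$TimeoutMs = 1500
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        # ConnectAsync hands back a Task; Wait(timeout) returns $false if it has not finished,
        # so a filtered port costs $TimeoutMs instead of the OS default of roughly 20 seconds.
        $task = $client.ConnectAsync($Target, $Port)
        return ($task.Wait($TimeoutMs) -and $client.Connected)
    } catch {
        # "Connection refused" / "host unreachable" surface as an AggregateException: closed, not open
        return $false
    } finally {
        $client.Dispose()   # also abandons a still-pending connect
    }
}

function Invoke-QuietSweep {
    param(
        [string]$Subnet = "10.13.37",
        [int[]]$HostIds = (1..254),
        [int[]]$Ports = @(22, 80, 135, 139, 443, 445, 3389),
        [int]$TimeoutMs = 1500,
        [int]$MinDelayMs = 500,
        [int]$MaxDelayMs = 3000
    )
    # Expand every host/port pair, then shuffle so the wire never shows a sequential walk
    $pairs = @(foreach ($h in $HostIds) {
        foreach ($p in $Ports) { [pscustomobject]@{ Target = "$Subnet.$h"; Port = $p } }
    })
    $pairs = $pairs | Get-Random -Count $pairs.Count

    foreach ($pair in $pairs) {
        if (Test-TcpPort -Target $pair.Target -Port $pair.Port -TimeoutMs $TimeoutMs) {
            [pscustomobject]@{ Target = $pair.Target; Port = $pair.Port; State = 'open' }
        }
        # Random pause between probes; lengthen both bounds when the blue team is the concern
        Start-Sleep -Milliseconds (Get-Random -Minimum $MinDelayMs -Maximum $MaxDelayMs)
    }
}

# Usage: a handful of hosts and ports, results appended to a CSV as they come in
# Invoke-QuietSweep -HostIds (20..60) -Ports 445, 3389 | Export-Csv -Path results.csv -NoTypeInformation -Append
```

Refused ports answer immediately; only hosts that silently drop the SYN cost the full timeout, so keep the port list short and let the jitter, not the timeout, set the pace.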

DNS name from IP Address

PS C:\Users\gstokley> Resolve-DnsName -name "10.13.37.30"

Name                           Type   TTL   Section    NameHost
----                           ----   ---   -------    --------
30.37.13.10.in-addr.arpa.      PTR    1200  Question   FS01

  1. Enumeration options
    • Sneakin-and-peekin’ – use netstat on the foothold host to see which hosts it is already talking to. Build the target list from what you heard, then scan it with nmap one port at a time and in random order (--randomize-hosts). Don’t scan sequential IP addresses.
    • Go Loud – Just run a Nessus scan on the target networks.
  2. Run Responder to identify hosts sending LLMNR & NBT-NS name requests and poison their lookups.
    1. (optional) Enable Responder’s WPAD (Web Proxy Auto Discovery) rogue proxy to grab password hashes from clients that auto-discover a proxy. This will cause disruption, so narrow the scope to a small number of targets or do it after hours.
  3. Run mitm6, which answers DHCPv6 requests so Windows hosts (IPv6 is enabled and preferred by default) take the Kali VM as their DNS server, then spoofs DNS replies to redirect traffic to the Kali VM.
  4. Run the nmap NSE script smb-security-mode (and smb2-security-mode) to locate hosts where SMB signing is not required, then use Responder’s MultiRelay.py to relay captured authentication to them.
  5. Run the wmic command to locate unquoted service paths
  6. Run setspn (e.g. setspn -Q */*) to list Service Principal Names (SPNs), which tie Kerberos services to the service accounts that run them
  7. Run SharpHound to collect AD data (and load it into BloodHound if possible) to locate unintended relationships in AD
  8. Check whether PowerShell is available on each host encountered. Having PowerShell disabled will make things harder, but not impossible:
    1. Run NoPowerShell (NPS) or
    2. HideMyPS
  9. Attempt AV bypass
    1. Run Sharpshooter for payload obfuscation
    2. Run GreatSCT for Application Whitelisting Bypass
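
Step 5 above is normally a wmic one-liner piped through findstr. The following is an added example, not part of the original draft, that does the same parsing in PowerShell and adds the check that decides whether an unquoted path is actually exploitable: can the current user write to one of the directories Windows will try before it reaches the real binary. The function names are mine; the two sample services at the bottom are constructed to show the parsing offline, and the commented Get-CimInstance line runs it against the local box.

```powershell
# Added example, not from the original draft. Unquoted service paths plus the write check that matters.
# Function names are mine; the sample services at the bottom are constructed, not real.

function Test-DirectoryWritable {
    param([Parameter(Mandatory)][string]$Directory)
    if (-not (Test-Path -LiteralPath $Directory -PathType Container)) { return $false }
    $probe = Join-Path -Path $Directory -ChildPath ([System.IO.Path]::GetRandomFileName())
    try {
        # Creating and removing a zero-byte file is the honest test of "can I drop a binary here"
        New-Item -Path $probe -ItemType File -ErrorAction Stop | Out-Null
        Remove-Item -LiteralPath $probe -Force
        return $true
    } catch {
        return $false
    }
}

function Get-UnquotedServicePath {
    [CmdletBinding()]
    param(
        # Win32_Service objects from Get-CimInstance, or anything with Name, StartMode and PathName
        [Parameter(Mandatory, ValueFromPipeline)] $Service,
        # Report every candidate without touching the file system (offline review of collected data)
        [switch]$SkipWriteCheck
    )
    process {
        $path = ([string]$Service.PathName).Trim()
        if (-not $path) { return }
        if ($path.StartsWith('"')) { return }            # quoted path: CreateProcess has no ambiguity
        $exeEnd = $path.ToLower().IndexOf('.exe')
        if ($exeEnd -lt 0) { return }                    # not an .exe (kernel drivers etc.)
        $exePath = $path.Substring(0, $exeEnd + 4)       # drop the service arguments after the binary
        if ($exePath -notmatch ' ') { return }           # no spaces: nothing to hijack

        # CreateProcess tries each space-delimited prefix as "<prefix>.exe" before the real binary:
        # C:\Program Files\Bad Vendor\bad.exe -> C:\Program.exe, then C:\Program Files\Bad.exe, ...
        $parts = $exePath -split ' '
        for ($i = 1; $i -lt $parts.Count; $i++) {
            $hijack = ($parts[0..($i - 1)] -join ' ') + '.exe'
            $dir = Split-Path -Path $hijack -Parent
            $writable = if ($SkipWriteCheck) { $null } else { Test-DirectoryWritable -Directory $dir }
            if ($SkipWriteCheck -or $writable) {
                [pscustomobject]@{
                    Service    = $Service.Name
                    StartMode  = $Service.StartMode
                    PathName   = $path
                    HijackPath = $hijack
                    Directory  = $dir
                    Writable   = $writable
                }
            }
        }
    }
}

# Constructed sample input (not real services) to show the parsing offline.
# Expected: GoodSvc is skipped (quoted); BadSvc yields C:\Program.exe and C:\Program Files\Bad.exe.
$sample = @(
    [pscustomobject]@{ Name = 'GoodSvc'; StartMode = 'Auto'; PathName = '"C:\Program Files\Good Vendor\good.exe" -service' },
    [pscustomobject]@{ Name = 'BadSvc';  StartMode = 'Auto'; PathName = 'C:\Program Files\Bad Vendor\Tools\bad.exe -k netsvcs' }
)
$sample | Get-UnquotedServicePath -SkipWriteCheck | Format-Table -AutoSize

# Live run against the local box, the wmic equivalent plus the write check:
# Get-CimInstance Win32_Service | Get-UnquotedServicePath | Format-Table -AutoSize
```

Without -SkipWriteCheck only candidates whose directory the current user can write to are returned, which is the list worth acting on; an unquoted path under a directory only SYSTEM can write to is a finding for the report, not a privilege escalation.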

Misc Resources