Nmap

Netdiscover
arp-scan
Scanning
Masscan
Metasploit
Nessus
Nikto
Dirbuster
Dirb
Gobuster HTTP/HTTPS
Source Code
Burp Suite
Test Server upload Davtest
Msfconsole - smb_version
Scanning &
Enumeration
smbclient SMB Enumeration LLMNR
enum4linux (not working properly) Responder NBT-NS
Connection attempt SSH DNS/MDNS
LLMNR Poisoning
anonymous access Disable LLMNR and NBT-NS
FTP
binary Defences Require Network Access Control
ipconfig /all Require Strong User Passwords
arp -a Capturing NTLMv2 Hashes Responder
Network
route print Password Cracking (Hashcat)
netstat -ano Host Discovery Nessus
Google SMB Signing Disabled Nmap script
Searchsploit HTTP Off
Vulnerability Research Responder
Exploit Database SMB Off
Metasploit - search Crack offline
SAM Hashes Dump
Pass-the-Hash
WHOIS Interactive shell -i Netcat
nslookup Target Validation ntlmrelayx Powershell
dnsrecon Command execute -c Reverse shell msf web_delivery
Google Fu SMB Relay Attacks other
dig Execute .exe file -e msfvenom meterpreter
Nmap It will completely stop the attack
Finding Subdomains Enable SMB signing on all devices
Sublist3r Performance issues with file copy
Bluto Stops the attack
Defences Disable NTLM Authentication
crt.sh If Kerberos stops working, back to NTLM
Nmap Overview Admin only logging into their accounts / servers / domain controllers
Account tiering
Wappalyzer Local Admin restriction No local Admin prevent lateral movement
WhatWeb Fingerprinting exploit/windows/smb/psexec
msfconsole
BuiltWith exploit/windows/smb/psexec_psh
Netcat Gain Shell Access psexec.py AV noisy
HaveIbeenPwned smbexec.py Less noisy / Half-shell
Breach-Parse wmiexec.py Less noisy / Half-shell
WeLeakInfo Data Breaches aclpwn restore
mitm6
scylla.sh new user creation on DC
Reconaissance LDAP Relay
leakedsource.ru info dump (loot folder)
ntlmrelayx
Hunter.io (Domain Search) Email Address Gathering delegate access
IPv6 Attacks
bugcrowd.com Identify Target Disable IPv6 Possible unwanted side effects Define Block Rules / instead of Allow Rules
Breach-Parse Disable wpad if not in use
Defenses
email:*bbc.co.uk Breached Credentials Enable LDAP signing and channel binding usually not enabled
scylla.sh
email:username* Put admin users into the protected users group prevent impersonation or delegation
The Harvester OSINT Get loot back
Sublist3r Get account created on Domain Controller Easy win
mitm6
crt.sh Early morning
Subdomains
OWASP Amass Lunch time
Tomnomnom HTTPprobe Are they giving us hashes ?
BuiltWith Initial Attack Vectors Are those hashes easy to crack ?
Identify Website
Wappalizer See how the network responds Easy win
Technologies
whatweb might have had Pentest before
Responder If LMNR is disabled
Information Gathering with Burp Suite might know common attacks
Google Fu Looking for hashes
LinkedIn Early morning
Social Media
Twitter Lunch time
Nessus scan
Mutual Non-Disclosure Agreement (NDA) Nmap scan
Performance Objectives Morning Pickup targets / hashes for SMB Relay attacks
Other Attack Vectors and Strategies Day begins with Look for SMB open / signing disbled
Outline the Responsabilities Master Service Agreement (MSA) Afternoon Relay hashes
https://www.rapid7.com/legal/msa/ Rapid7 MSA example Loot at logins Check for default creds

Activities Sales Check for Vulns

Scan-to-computer feature
Deliverables
Statement of Work (SOW) Lot of people don't secure their printers
Timelines Sweep entire network for websites
Look for printers might get domain admin off
Quotation HTTP_Version (Metasploit) Is user domain admin on that printer ?
dump creds in clear text get passwords for SMB user
Others: Sample Report, Recommendation Letters etc..
using individual user accounts
Will cover specifics of you testing
Jenkins Instances Often wide open
What we can and can't do
Use this if scans are taking too long
What we can and can't attack (IP addresses) Less likely to be picked-up
Rules of Engagement (ROE) Before you test
unless that's a specific thing the client wants to test Denial of Service Search for low hanging fruits
Common 'don'ts'
often set aside as its own assessment Social Engineering Think outside the box
Try all possible ways in
You can not start your penetration test until the Rules of Engagement document is signed Enumerate as much as you can
We are not responsible for Don't just focus on the exploit
anything happening after nmap --script=smb-enum-users.nse
It's Snapshot in time
We are under a time limited engagement GetADUsers.py -dc-ip 10.10.10.161 htb.local/
We are targeting what we can in that period of time
kerbrute userenum --dc 10.10.222.155 -d spookysec.local usernames.txt -t 100
Timeframe
Attempt to list and get TGTs for those users that
Guidelines have the pr oper ty “Do not r equi re Ker beros GetNPUsers.py -dc-ip 10.10.10.161 htb.local/
preauthenti cati on” set (UF_DONT_REQUI RE_PREAUTH)
Planning Assessment Overview Users Enumeration Hashcat
Discovery (high level)
Phases of Pentest John the Ripper
Attacking Get TGT hash, for those users with such configuration GetNPUsers.py -request -dc-ip 10.10.10.161 htb.local/
Evil-winrm
Reporting Get a shell
psexec
What we are attacking Easy-win Strategy
Assessments Components Kerbrute
What type of penetration test it is Common Legal Documents Brute force discovery of users, passwords and password spray
Metasploit auxiliary/gather/kerberos_enumusers
Findings Severity Ratings Active Directory ntlmrelayx
Legal Documents Abuse WriteDACL permissions
IPs Scope PowerView
and Report Writing
No Denial of Service attacks Scope Exclusions Get Hashes
Exploiting Kerberos ASREPRoasting GetNPUsers.py
Did the client had to assist us in any way ? Client Allowances Crack the hashes Shares Enum smbclient
C-level executive crackmapexec check where you can authenticate
CISO Intended for people with no technical background NTDS.DIT psexec
Elevate Privileges Secretsdump Pass-the-Hash
secrets dump evil-winrm
CEO
Findings Report After you test Get system shell
Quick summary about vulnerabilities you found,
and what they could lead to PowerView
Enumeration
What you managed to do Actions Bloodhound
Attack Summary
Recommendations SAM Dumping
Executive Summary
We were scanning secretsdump LSA Secrets Dumping
Give them kudos where they need it Security Strengths Dump the Hashes
they identified and blocked us DPAPI_SYSTEM KEY
Missing Multi-Factor Authentication Metasploit psexec meterpreter hashdump
Weak Password Policy Crack NTLM Hashes Hashcat
Security Weaknesses
Unrestricted Logon Attempts Pwn3d! or green [+] Try to authenticate with Psexec get a shell
crackmapexec
No-technical people will understand Identify weaknesses at a high level not Pwn3d! no SMB access
Pass-the-Hash
Vulnerabilities by Impact Charts Cannot pass NTLMv2
no cracking needed
Share technical details
Pwn3d! Try get a shell with Psexec
Intended for technical people
Penetration Testing Exploitation Pass-the-Password crackmapexec not Pwn3d! no SMB access
Exploitation Proof of Concept
Chained exploit of attacks Dump local SAM hashes
References
Technical Summary Mimikatz
Who Token Impersonation
Meterpreter - Incognito
Vector Remediation
Request TGT, provide NTLM hash
Action Receive TGT encrypted with krbtgt hash
Additional Reports and Scans (Informational) Kerberoasting Request TGS for Server (Presents TGT) GetUserSPNs.py
'How to' video Receive TGS encrypted with Server's account hash
https://www.youtube.com/watch?v=EOoBAq6z4Zk
on writing a pentest report
Crack the hash
https://github.com/hmaverickadams/TCM-Security-Sample-Pentest-Report Sample Pentest Report
prompt off
Legal Documentation smbclient recurse on
https://github.com/trustedsec/physical-docs
for Physical Security Testing
mget *
GPP / cPassword
Groups.xml cpassword gpp_decrypt
No password
Invoke-GPP
Separation of networks
smb_enum_gpp module in Metasploit
How well is the network segmented Guest Network
privilege::debug
Reduced funtionalities
NTLM
Access Employs' things / IPs / servers
sekurlsa::logonpasswords Logged in accounts
Open network Attack
wdigest
Hidden networks
lsadump::sam
Evaluate what networks are around Walk around
lsadump::sam /patch
Rogue Devices
shell with Metasploit
WPS
secretsdump.py
Place wireless card in monitor mode
SAM dump crackmapexec
Channel 1, 6 and 11 are the most used Post-Compromise
Channel WPA2 PSK
(no overlap) Wi-Fi sam dump not working windows/system32/config/SAM
Discover info about network
BSSID windows/system32/config/SECURITY
just download the SAM
SSID windows/system32/config/SYSTEM
Select network and capture data crack with secretsdump.py
Credential Dumping
Speed-up the process Perform Deauth attack lsadump::lsa /patch
Hacking Process
Capture WPA handshake SID
Substitute 1 with i. 0 with O Company Name Mimikatz NTLM
Phone numbers opens cmd prompt
Many companies use LSA dump
Street address Attempt to crack the handshake lsadump::lsa /inject /name:krbtgt Pull down krbtgt account Pass-the-Ticket misc::cmd dir \\THEPUNISHER\c$
something familiar to them Golden Ticket Access any computer
CEWL Create a wordlist from thei website Strength evaluation psexec.exe PsExec64.exe -accepteula \\THEPUNISHER cmd.exe shell
WPA2 PSK Persistence
rockyou.txt Weak Passwords Silver Ticket Stealthier
WPA2 Enterprise Usernames
ntds.dit
Passwords
./run.sh tesla.com Assetfinder weak password policy
Finding Subdomains Crack passwords offline % we are able to crack
Amass Why do we dump ? strong password policy
HTTProbe Find Alive Domains Golden Ticket attack Kerberos Ticket Granting Ticket
Enumeration
GoWitness Screenshot Websites Pass-the-Hash
Subjack Subdomain takeover Over-Pass-the-Hash
Waybackurls Scraping Wayback data Features Pass-the-Ticket
Parameterized Statements Golden Ticket
Sanitized Input SQL Injection Silver Ticket
Blind SQL Injection Avoid re-using local admin password
Credential Stuffing Limit account re-use Disable Guest and Administrator accounts
Brute Forcing or other automated attacks Limit who is a local administrator
Weak or well-known Passwords The longer the better (>14 characters)
Weak or Ineffective Credential Recovery Pass Attack Utilize strong passwords Avoid using common words
knowledge-based answers Weak forgot-password processes I like long sentences
Broken Authentication
Missing or Ineffective two-factor authentication Check out/in sensitive accounts when needed
Mitigation
Session ID exposed in URL Privilege Access Management (PAM) Automatically rotate passwords on check out and check in
Does not rotate Session ID after successful login Limits pass attacks as hash/password is strong and costantly rotated
Dows not properly invalidate Session IDs during logout or inactivity Session Fixation Limit user/group token creation permissions
User Sessions or Authentication Tokens Token Impersonation Account tiering
Find all directories dirbuster Local admin restriction
Search for 'key' 'keys' 'password' 'passw' Strong Passwords
Response tab navigate all directories BurpSuite Kerberoasting
HTTP Strict Transport Security (HSTS) Response Headers Sensitive Data Exposure Least privilege
nmap --script=ssl-enum-ciphers -p 443 tesla.com nmap Spiking
https://securityheaders.com Fuzzing
Attacking Systems that parse XML Input Finding the Offset
Abuse SYSTEM entity and get malitious XML External Entities (XXE) Buffer Overflow Overwriting the EIP
dos, local file disclosure, remote code execution, and more Finding Bad Characters
User gets access to somewhere they shouldn't Finding the Right Module
Are you able to bypass access ? Generating Shellcode / Getting Root
Web Applications
Can you access admin areas or even other user areas from an account ? Broken Access Control Metasploit
unauthenticated, authenticated, admin Hydra
IDOR - Insecure Direct Object Reference Crdential Stuffing
OWASP Top Ten Brute Force Attacks
Disclosure of Sensitive Information Default Credentials Password Spraying
Application should not throw errors Stack Traces - Error Handling https://github.com/danielmiessler/SecLists
Left behind applications https://github.com/initstring/passphrase-wordlist
Left behind directories Unnecessary features Password dumping
Security Misconfiguration
Default features not in use Password dumping in memory
Kiwi
Out-of-date Software Hash dumping
Unnecessary ports open, activated accounts Golden Tickets
Metasploit
File upload Deprecated Interface Password dumping
Reflected XSS Credentials Password dumping in memory
Client-side Mimikats
DOM XSS Hash dumping
Stored XSS Server-side Golden Tickets
Encoding Cross-Site Scripting (XSS) Default Creds Common Bad Password List
Filtering CEWL
Preventing XSS Word List Generator
Validating
Sanitization Metasploit smb_ms17_010
Serialization Eternal Blue
AutoBlue alternative to metasploit
MS17_010
Deserialization Insecure Deserialization smbclient
ysoserial SAM
Software is vulnerable, unsuported, or out of date SAM SECURITY
No frequent scan for vulnerabilities Using Components with Known Vulnerabilities SYSTEM
No Patching, no fix, no update secretsdump
Hashes Dumping / Cracking
Have Logs, Auditable Events John
Track anyone logging into the application Hashcat
Track failed login attempts Insufficient Logging & Monitoring crackmapexec Pass-The-Hash
Monitor if anyine is attacking your application psexec Pass-The-Hash
Serialization Privilege Escalation
Stealing &
Tokens Metasploit Incognito
run persistence -h Manipulation
exploit/windows/local/persistence Persistence Scripts SQL Injection
WEB
exploit/windows/local/registry_persistence XXS
Maintaining Access
run scheduleme
Scheduled Tasks
run schtaskabuse
net user hacker password123 /add Add a user
route print
ipconfig connect to target psexec
arp -a Post-Exploitation
Metasploit
run autoroute -s 169.254.0.0/24
Pivoting
run autoroute -p
poc use auxiliary/scanner/portscan/tcp
proxychains
SSH Pivoting
Remove executables, scripts, and added files
Make the System/Network as
Remove malware, rootkits, and added user accounts
it was when you entered it Covering Tracks
Set settings back to original configurations