Introduction
Occasionally I get asked by clients how I approach the technical aspects of a Penetration Test, you know, what are all those little black boxes with green text that I've got open on my screen? Also occasionally, when I'm talking to new testers and people interested in becoming a penetration tester, they understand tool use and they often understand the specifics of vulnerabilities but don't necessarily know how it all goes together. Additionally, GracefulSecurity.com is filled with information on Infrastructure security, but there's no guide about how it all fits together! So I plan here to write up a step-by-step example of how I go from plugging in to a corporate network and end up leaving that day as a Domain Administrator.
Every network is different, but my intention as 'an attacker' is generally the same, so this won't be a complete guide to compromising networks, but hopefully it will fill in some of the blanks for you if you've ever had a tester on site, are considering getting a tester to assess your security, or if you've just cracked the spine on your first penetration testing book and want to know a little more about the full process.
Real World vs. Realistic
Something worth pointing out is that when we conduct a penetration test, we're often in a worse position than a real-world attacker would be. This is generally due to penetration tests being restricted in scope, whilst attackers can play any card in the deck. Generally, when I'm performing an internal network assessment, things such as social engineering, phishing, and external assets are out of scope. It's a kind of assess one-thing-at-a-time approach. However, as most penetration tests are done with the IT team being fully aware of activities, there's no requirement to be "quiet" on the network, meaning scans can be run as efficiently as possible with little requirement to hide activities. Whereas a real attacker during their engagement will use a mix of techniques as required and likely starts the 'internal' aspect of an attack armed with a user account from the start – for example, by compromising credentials through a phishing campaign. The disadvantage that they have, however, is the obvious requirement to remain undetected.
Additionally a real attacker will have to enumerate the IP addressing scheme currently in use and where devices are. Whilst this is a trivial problem and takes no real effort on the part of the attacker, it should be noted that penetration testers cannot operate without accurate IP address information; the reason for this is legality. For a penetration tester to be able to perform an assessment, which would otherwise be illegal if not done in this setting, they require an accurate scope to work to, which must document exactly which systems they have permission to attack.
The Attack
When it comes to the attack, the actual act of plugging in and attacking a network, a methodology is followed – ask your penetration tester and they'll be able to provide you with a written copy of their methodology – but remember, every network is different and every attack is different. A standard way for a tester to operate is to find the path of least resistance and use that to gain as high a privilege level as possible, then use this privilege level to find additional methods of entry. A penetration test is not like vulnerability analysis. Generally with vulnerability analysis you will provide the assessor with a high level of information and privileges from the outset and they'll perform authenticated scans of the network in order to determine all issues, or as many as possible. Vulnerability assessments generally grade issues independently and do not take into account the real-world exploitability of an issue or how issues can be chained together to increase their overall impact. It could be argued that a vulnerability assessment gives a wide, but not deep, impression of the security of the network and will highlight issues with systems such as patch management.
Whereas Penetration Tests aim to get as deep as possible and may sacrifice breadth to enable this, but will give a better view of what a human attacker could pull off. These assessments will very likely involve actual exploitation of issues, the intentional compromising of systems, chaining of vulnerabilities, and will highlight the worst case scenario for a determined attacker aiming to gain a high level of access.
The tester will move through stages such as:
- Enumeration and Mapping
- Vulnerability Discovery
- Exploitation
- Lateral Movement
- Privilege Escalation
- Clean-up/Removal of Evidence
Enumeration and Mapping
Generally any book that concentrates on Penetration Testing will have a large section devoted to enumeration; however, most of the difficulty comes on external penetration tests. Once we're inside the network there's less work to do: it's simply a case of taking the in-scope addresses and determining what's alive and what services are available, plus noting key systems like domain controllers. One of the first things to find out though is the DNS suffix in use on the domain. There are a few ways to get this information.
Finding the Domain
On Linux you can use one of the following commands:
hostname -A
cat /etc/resolv.conf
On Windows you could use one of these:
wmic computersystem get domain
echo %COMPUTERNAME%.%USERDNSDOMAIN%
ipconfig /all
If you prefer Python, then here's a one-liner, where you can provide a target machine IP:
python -c 'import socket; print(socket.gethostbyaddr("TARGET-IP")[0])'
example: python -c 'import socket; print(socket.gethostbyaddr("172.20.10.11")[0])'
Finding Domain Controllers
From here you can get a list of Domain Controllers for the domain too, using the DNS suffix – for example, say the DNS suffix is example.org:
nslookup
set q=SRV
_ldap._tcp.dc._msdcs.example.org
Finding Alive Hosts
It's likely that the scope given by the client is simply the local IP address space that they use, meaning that it's likely that many of the in-scope IP addresses aren't actually in use. Nmap is a simple yet powerful tool which has a decent capability to detect which hosts are alive; the default options are generally pretty good but usually I add -n (no name resolution) to keep the output list neat. I'll usually go with something like this:
sudo nmap -iL scope.txt -n -oN alive-scan.txt -sn
This is the default host discovery check against a list of IP addresses (given in the text file scope.txt) with no name resolution (so all output is consistent), output in Nmap's normal format to the file alive-scan.txt, with no port scanning except the default host discovery ports. This is the equivalent of this command:
sudo nmap -iL scope.txt -n -oN alive-scan.txt -sn -PE -PS443 -PA80 -PP
Nmap should be run as root so that it can make use of 'incorrect' TCP sequences, such as those specified by -PS443 and -PA80 (just a TCP SYN to 443, and just an ACK to TCP 80); otherwise it will need to do a full TCP connection. The resulting list of Nmap output can be cleaned up further with a command like this:
cat alive-scan.txt | grep "report for" | awk '{print $5}' | tee alive-IPs.txt
The above command will display a list of IP addresses for alive hosts and also save that list to the file alive-IPs.txt. This is useful for loading the discovered hosts into tools such as Nessus or Metasploit.
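As an added example (not from the original post), here is a small Python parser for the normal (-oN) output of the host-discovery scan above. Unlike the awk pipeline, which blindly takes the fifth field, it handles the "name (ip)" line shape Nmap prints when a reverse name is available, and it only keeps hosts whose report header is followed by "Host is up", so the "[host down]" lines Nmap prints in verbose mode are not mistaken for live hosts. The sample output is constructed and deliberately mixes both line shapes.

```python
import re
from typing import List

# Constructed sample of Nmap normal (-oN) output from a "-sn" host-discovery
# scan. Lines 2-3 show the shape produced with -n, the third host shows the
# "name (ip)" shape Nmap uses when a reverse name resolves, and the fourth is
# the "[host down]" line Nmap prints for down hosts when -v is given.
SAMPLE_ALIVE_SCAN = """\
# Nmap 7.80 scan initiated Mon Jan  1 09:00:00 2024 as: nmap -iL scope.txt -n -oN alive-scan.txt -sn
Nmap scan report for 172.20.10.11
Host is up (0.0012s latency).
Nmap scan report for 172.20.10.12
Host is up (0.0030s latency).
Nmap scan report for dc01.example.org (172.20.10.13)
Host is up (0.0009s latency).
Nmap scan report for 172.20.10.14 [host down]
# Nmap done at Mon Jan  1 09:00:05 2024 -- 4 IP addresses (3 hosts up) scanned in 5.01 seconds
"""

# "Nmap scan report for <ip>" or "Nmap scan report for <name> (<ip>)",
# optionally followed by " [host down]" in verbose output.
REPORT_RE = re.compile(
    r"^Nmap scan report for (\S+)(?: \((\d{1,3}(?:\.\d{1,3}){3})\))?(?: \[host down\])?$"
)


def alive_ips(normal_output: str) -> List[str]:
    """Return the IPv4 addresses of hosts Nmap reported as up, in scan order."""
    lines = normal_output.splitlines()
    found: List[str] = []
    for index, line in enumerate(lines):
        match = REPORT_RE.match(line)
        if not match:
            continue
        name, bracketed_ip = match.groups()
        # With -n the first field is already the IP; otherwise it is a hostname
        # and the IP is the bracketed value.
        ip = bracketed_ip or name
        # Only trust a host that Nmap explicitly marked as up on the next line.
        next_line = lines[index + 1] if index + 1 < len(lines) else ""
        if next_line.startswith("Host is up"):
            found.append(ip)
    return found


if __name__ == "__main__":
    # Same shape as alive-IPs.txt: one address per line.
    for address in alive_ips(SAMPLE_ALIVE_SCAN):
        print(address)
```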
Vulnerability Discovery
Armed with the alive hosts and a list of Domain Controllers, the attacker has a few options to move forward. At some point they're going to need a user account; more enumeration is potentially possible – such as causing the Domain Controller to output a list of usernames through a NULL session. However, more often than not additional enumeration requires a user account. At this stage I will likely aim to gain a user account; there are 3 main ways I will approach this, generally in this order:
- LLMNR/NetBios-NS spoofing
- Checking Shares
- Gentle Bruteforce
LLMNR/NetBios-NS Spoofing
Attacking Link-Local Multicast Name Resolution and NetBIOS Name Service is something that I've covered in detail in the article Stealing Accounts: LLMNR and NBT-NS Spoofing, so I'll just post a summary here. What are LLMNR and NetBIOS-NS? They're both methods of resolving hostnames to IP addresses. On your network, if you try to contact a system by name, first of all DNS will be used, but if that fails LLMNR will be attempted, followed by NetBIOS. An attacker can respond to LLMNR/NetBIOS-NS requests and cause the victim to connect to the attacker's machine instead, allowing them to capture credentials in hashed form.
They can be exploited in 2 main ways; the first is by using Metasploit, where the following modules will help:
auxiliary/spoof/llmnr/llmnr_response
auxiliary/spoof/nbns/nbns_response
auxiliary/server/capture/smb
Alternatively there's a tool called Responder which does the heavy lifting for you and supports lots of protocols:
python Responder.py -i local-ip -I interface
example: python Responder.py -i 192.168.1.77 -I enp0s20
Full details are in Stealing Accounts: LLMNR and NBT-NS Spoofing. However, in short, this tool allows you to capture hashed credentials on a Windows network due to default configuration options. You can then crack these hashes using a tool like John the Ripper. I've written about John the Ripper and Custom Rules here.
Sharecheck
Sharecheck is a tool which allows you to quickly scan a subnet for Windows machines, and it extracts useful information from those machines; for example it can show you the local lockout policy, the local administrator usernames, and available shares that you have read/write permissions to. Sharecheck is available here; it's free but closed source. Generally I use this tool multiple times during an engagement: first of all anonymously, then I'll use it with each user account that I capture. Sharecheck will highlight to you which shares you have read permissions to, and it's surprising how often shares will have plaintext or reversibly-encrypted passwords in them.
Once I have access to an account or two, Sharecheck can quickly highlight if that account is a local administrator of any machine on the network. It's not uncommon for certain users (like executives) to be given local administrative permission to their own machine; this can be the downfall of the whole domain. It'll highlight that you're an admin if you've got write access to the Admin$ share.
Gentle Bruteforce
Generally at this point I'll always have a user account; it's rare that Responder doesn't yield anything on a network. However, if it gets down to Plan C, what I mean by a "Gentle Bruteforce" is what is covered in my post The Myth of Account Lockout. The summary here is that most networks are configured to use the observation window offered by Active Directory for account lockout, meaning that, by default, accounts do not lock out after 5 bad password attempts but lock out after 5 bad password attempts within 30 minutes. This means that an attacker can try 3 or 4 every 30 minutes with relative safety from locking out an account. Generally I find that it takes very, very few attempts before I land an account. Password1, Password123, Companyname1. An attacker only needs one domain user account to push a little further into the network. If you're lucky then a domain controller will just provide you a list of valid user names if you ask it nicely:
enum4linux.pl -a 172.31.16.12
Alternatively, most usernames are based on the person's name somehow, so with lists of common names you can come up with your own list to get you started; then when you get any valid account you can run enum4linux with credentials:
enum4linux.pl -u administrator -p password -U 172.31.16.12
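From the defender's side, the pattern described above (a few attempts per account, spread across many accounts, paced to the observation window) never trips a lockout, so it has to be found in the failed-logon records rather than in lockout events. The following Python example is added here and is not from the original post; it reads constructed failure records in a made-up "timestamp logon_failure user=... src=..." format and flags sources that fail against many distinct accounts while every account stays under the 5-attempts-in-30-minutes threshold the post quotes. The distinct-account threshold is an assumption to tune per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Thresholds from the post: 5 bad attempts inside a 30-minute observation window.
LOCKOUT_THRESHOLD = 5
OBSERVATION_WINDOW = timedelta(minutes=30)
# Assumed tunable: how many distinct accounts one source must fail against to be flagged.
MIN_DISTINCT_ACCOUNTS = 5

# Constructed records in a made-up "timestamp logon_failure user=<u> src=<ip>" format.
# 10.1.2.3 makes two guesses against each of five accounts inside one window
# (never reaching lockout); 10.1.2.9 hammers a single account and locks it instead.
SAMPLE_LOG = """\
2024-01-01T09:00:01 logon_failure user=alice src=10.1.2.3
2024-01-01T09:00:02 logon_failure user=bob src=10.1.2.3
2024-01-01T09:00:03 logon_failure user=carol src=10.1.2.3
2024-01-01T09:00:04 logon_failure user=dave src=10.1.2.3
2024-01-01T09:00:05 logon_failure user=erin src=10.1.2.3
2024-01-01T09:20:01 logon_failure user=alice src=10.1.2.3
2024-01-01T09:20:02 logon_failure user=bob src=10.1.2.3
2024-01-01T09:20:03 logon_failure user=carol src=10.1.2.3
2024-01-01T09:20:04 logon_failure user=dave src=10.1.2.3
2024-01-01T09:20:05 logon_failure user=erin src=10.1.2.3
2024-01-01T09:05:00 logon_failure user=svc-backup src=10.1.2.9
2024-01-01T09:05:10 logon_failure user=svc-backup src=10.1.2.9
2024-01-01T09:05:20 logon_failure user=svc-backup src=10.1.2.9
2024-01-01T09:05:30 logon_failure user=svc-backup src=10.1.2.9
2024-01-01T09:05:40 logon_failure user=svc-backup src=10.1.2.9
"""

Event = Tuple[datetime, str, str]  # (timestamp, user, source)


def parse_events(log_text: str) -> List[Event]:
    """Parse the constructed format; malformed lines are skipped rather than fatal."""
    events: List[Event] = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[1] != "logon_failure":
            continue
        fields = dict(part.split("=", 1) for part in parts[2:] if "=" in part)
        if "user" not in fields or "src" not in fields:
            continue
        events.append((datetime.fromisoformat(parts[0]), fields["user"], fields["src"]))
    return events


def peak_in_window(stamps: List[datetime]) -> int:
    """Most failures for one account that fall inside any single observation window."""
    stamps = sorted(stamps)
    best = start = 0
    for end, ts in enumerate(stamps):
        while ts - stamps[start] >= OBSERVATION_WINDOW:
            start += 1  # slide the window start forward until it contains ts
        best = max(best, end - start + 1)
    return best


def spray_sources(events: List[Event]) -> Dict[str, Dict[str, int]]:
    """Sources spread over many accounts while each account stays below lockout."""
    per_source: Dict[str, Dict[str, List[datetime]]] = defaultdict(lambda: defaultdict(list))
    for ts, user, src in events:
        per_source[src][user].append(ts)
    flagged: Dict[str, Dict[str, int]] = {}
    for src, accounts in per_source.items():
        if len(accounts) < MIN_DISTINCT_ACCOUNTS:
            continue
        peak = max(peak_in_window(stamps) for stamps in accounts.values())
        if peak < LOCKOUT_THRESHOLD:  # stayed quiet: lockout alerts will never fire
            flagged[src] = {"accounts": len(accounts), "peak_per_account": peak}
    return flagged
```

Sources that do exceed the threshold (10.1.2.9 here) are left to the ordinary lockout alerting, which already sees them.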
If you're very lucky, the LLMNR spoofing, looking through shares or password guessing can in fact land you a domain admin (DA) account, or perhaps just a local administrator account for one or 2 machines. If not, then we've got a domain user at least and can start looking at privilege escalation and Lateral Movement. It's still very common to find networks which have the same local administrator account configured on all machines; Microsoft LAPS is still fairly new and not widely deployed in my experience. If this is the case then an attacker may perform lateral movement and aim to gain command execution on as many hosts as possible, to make privilege escalation easier.
Privilege Escalation
If I'm armed with a domain user account at this point, then I'll revisit Sharecheck first, to check if that user has Local Administrative permissions to any devices on the network, then I'll try to escalate from domain user to local administrator (of as many devices as possible). Escalating to Local Administrator:
- Sharecheck
- CPasswords
- Build Level Escalations
- Incognito
- Mimikatz
- Password Reuse
CPasswords
There's an old issue (circa 2014) with Microsoft Windows Domain Controllers where they may store Group Policy passwords in an encrypted, but reversible, way. Again, I've done a full write up on Privilege Escalation through Group Policy Preference Passwords, but here's a summary: Group Policy Preferences (GPP) was an add-on to Group Policy to extend its capabilities to, amongst other things, allow an administrator to configure local administrator accounts (including their name and password), services or scheduled tasks (including credentials to run as), and mount network drives when a user logs in (including connecting with alternative credentials). The passwords are protected in storage, they are encrypted with AES…however Microsoft released the key here.
Which means if you take a look at each of the Domain Controllers that were discovered before and access the SYSVOL share, you may just find an XML file which contains an entry called <cpassword> which is generally a local administrator or above. If all of that sounds too manual, then GP3Finder from GrimHacker will do it for you. Usage is insanely simple:
gp3finder.py -A -t DOMAIN_CONTROLLER -u DOMAINUSER
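An administrator can audit their own SYSVOL for this without ever decrypting anything: the following Python example, added here and not part of the original post or of GP3Finder, walks Group Policy Preference XML files and reports every item that still carries a non-empty cpassword attribute, together with the account it belongs to. The two XML documents are constructed samples with placeholder GUIDs and a placeholder blob, and scan_sysvol() is a hypothetical helper that applies the same check to a directory tree such as a copy of the domain's Policies folder from SYSVOL.

```python
import os
import xml.etree.ElementTree as ET
from typing import Dict, List

# GPP item types store the account name under different attribute names.
ACCOUNT_ATTRS = ("userName", "runAs", "accountName")

# Constructed Groups.xml: one local user item whose password is stored as a
# cpassword blob (placeholder value, not a real encrypted password).
SAMPLE_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{CONSTRUCTED-CLSID}">
  <User clsid="{CONSTRUCTED-CLSID}" name="LocalAdmin" image="2" uid="{CONSTRUCTED-UID}">
    <Properties action="U" newName="" fullName="" description=""
                cpassword="PLACEHOLDER_CPASSWORD_BLOB" changeLogon="0"
                noChange="1" neverExpires="1" acctDisabled="0" userName="LocalAdmin"/>
  </User>
</Groups>
"""

# Constructed ScheduledTasks.xml: one task with a stored run-as password and
# one whose cpassword attribute has been emptied, which must not be reported.
SAMPLE_TASKS_XML = """<?xml version="1.0" encoding="utf-8"?>
<ScheduledTasks clsid="{CONSTRUCTED-CLSID}">
  <Task clsid="{CONSTRUCTED-CLSID}" name="NightlyBackup" uid="{CONSTRUCTED-UID}">
    <Properties action="C" runAs="CORP\\svc-backup" cpassword="PLACEHOLDER_CPASSWORD_BLOB"/>
  </Task>
  <Task clsid="{CONSTRUCTED-CLSID}" name="Cleanup" uid="{CONSTRUCTED-UID}">
    <Properties action="C" runAs="NT AUTHORITY\\SYSTEM" cpassword=""/>
  </Task>
</ScheduledTasks>
"""

Finding = Dict[str, str]


def find_cpassword_entries(xml_text: str, source: str) -> List[Finding]:
    """Report each GPP item under the root that carries a non-empty cpassword."""
    root = ET.fromstring(xml_text)
    findings: List[Finding] = []
    for item in root:  # User, Task, NTService, Drive, ... elements
        for node in item.iter():
            if not node.get("cpassword"):
                continue  # attribute absent or emptied: nothing is stored
            account = next((node.get(a) for a in ACCOUNT_ATTRS if node.get(a)), "<unknown>")
            # The blob itself is deliberately not copied into the report.
            findings.append({
                "source": source,
                "item": item.tag,
                "name": item.get("name", ""),
                "account": account,
            })
    return findings


def scan_sysvol(root_dir: str) -> List[Finding]:
    """Walk a SYSVOL Policies tree (or a copy of it) and check every XML file."""
    findings: List[Finding] = []
    for dirpath, _, filenames in os.walk(root_dir):
        for filename in filenames:
            if not filename.lower().endswith(".xml"):
                continue
            path = os.path.join(dirpath, filename)
            try:
                with open(path, "r", encoding="utf-8-sig") as handle:
                    findings.extend(find_cpassword_entries(handle.read(), path))
            except (OSError, ET.ParseError):
                continue  # unreadable or non-GPP XML: skip it, do not abort the audit
    return findings
```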
Build Level Escalations
In the unlikely event that we've not gained a local administrator account on at least one machine at this point, we've still got a lot of options, but they require a little more manual work and definitely require you to roll up your sleeves. I wrote 3 different articles to cover the details of approaching this type of escalation: Unquoted Service Path, Insecure Service Permissions, and DLL Hijacking. The first 2 are local-only attacks, so an attacker would generally have to get command execution on a device; however, this can usually just be achieved by using Microsoft Remote Desktop at this stage. The 3rd one can potentially be performed remotely if any software is loaded from a Windows share and the attacker has write access to that share; that would certainly allow for a lot of lateral movement.
To summarise this section, we're looking for misconfiguration in the permissions model of software and services installed on local machines in order to gain administrative access to that machine. For example, it's not uncommon to find a service which executes as NT-Authority/System, but is reconfigurable by members of the "Authenticated Users" group (or similar). So an attacker can simply modify which executable is launched when the service starts; a simple way to exploit this is to create an executable which creates a new local administrator account with a known password and have that execute instead of the legitimate service. Reboot, put the files back to how they were, and you're now armed with a local administrator account on at least one machine.
Getting Domain Administrator Level Access
Local Administrator accounts have total control over a system and can access all resources, storage and memory – including for processes owned by other users. I've written a piece on privilege escalation in Windows domains, for gaining Domain Admin level access. To summarise that piece, there are 2 main ways of getting higher privileges: the first is token impersonation and the second is extracting plaintext passwords from memory. These methods use the tools Incognito and Mimikatz.
Mimikatz
To summarise their write ups: Mimikatz can extract plaintext passwords. Personally I prefer to use these tools through Meterpreter, although there are stand-alone EXEs for them. There are lots of ways of running commands remotely if you prefer to use the EXE version. There's a full write up here for using Mimikatz, but in short:
meterpreter > use mimikatz
meterpreter > mimikatz_command -f "sekurlsa::logonPasswords"
With any luck the above will dump a handful of plaintext passwords; if a Domain Admin is logged in you can get theirs too.
Incognito
Incognito allows you to enumerate and impersonate tokens found on a compromised machine. Through Meterpreter, usage is like this:
meterpreter > use incognito
meterpreter > list_tokens -u
Delegation Tokens Available
============================================
HollNet\Holly.da
meterpreter > impersonate_token HollNet\\Holly.da
Here Meterpreter is loading incognito into memory, listing the available tokens, and I've chosen to impersonate a specific user; now if I drop into a shell with this token I can use the privileges of that user, and I'll likely just use the commands:
net user holly Holly123 /add /domain
net group "Domain Admins" holly /add /domain
Boom. Domain Admin.
I'll generally go one step further though; now that I've got a high level of privilege I'll dump all the domain password hashes and perform an audit on those. There might be an account with a terrible password that I just missed but which could be a huge risk. Maybe an account has Companyname123 and I only tried Company1? This will cover that. There are a lot of ways to extract hashes from a domain; full details here.
In summary though, if you pop a Meterpreter shell on a Domain Controller you can dump them like this:
meterpreter > hashdump
On tests though, I usually prefer to use the volume shadow copy method covered in this article, as that way I'm using built-in tools and so anti-virus tools are unlikely to get in the way, and all the extraction happens on my machine so there's less risk of a problem occurring on the important domain controller machine itself.
Clean-up/Removal of Evidence
Now if this was a malicious attacker performing these steps there's much more work to be done, such as the creation of Kerberos Golden Tickets, log carving, and generally removing all traces of activity as you'd expect. However, as a penetration tester there's still work to be done too. Generally we'll move back through the network and undo any changes that have been made to any system: removing tools, resetting permissions, etc. We'll keep detailed notes of where we were and when, to ensure that the network can be put back to as close a state as it was in before we got there. With one important difference: as we were on the hunt for Domain Administrator level access, once we'd compromised the credentials or token for an existing domain administrator account we could have just used that account for whatever remaining steps we had left to do; however, we purposely created our own account. This is for 2 reasons. The first is that it's really easy for the client to validate that yes, in fact, we did manage to compromise the entire domain.
The 2nd reason is that it's very likely that Domain Admin wasn't the target of the assessment, but there was some flag or trophy that the client wanted us to capture and gaining DA level access was simply a prerequisite to capturing the flag. Alternatively we may perform additional steps such as patch management analysis using this new account; either way, any additional steps we perform will be done through our account, meaning that if the client checks through the logs it'll be instantly obvious which actions were part of the engagement and which are potentially unrelated malicious activity that was unfortunately timed.
When the engagement is over we won't delete this account but simply disable its access, inform the client that it exists and that they may remove it if they wish to. By leaving it in place it ensures that log entries are against the username; some systems will replace the username with the account SID once the account is removed, so keeping it in place but locked down helps keep everything neat.
Now it’s fourth dimension to write that assessment report…