I'm going to <semi> live tweet this Internal Penetration Test. Calling the company Acme
Important notes:
Assumed Breach (Already have a Debian based image, no creds, but solely for the sake of having tools locally)
Landing in the SWIFT gateway network
Flags: DA/SWIFT 1/x
Non-Evasive (we can sound alarms, they're only monitoring and validating our actions, this is not a purple team assessment to fill gaps in their NIPS)
Crystal/Glass/Full-Disclosure whatever your org calls "we'll give you any info you need to progress in terms of network topology"
Starting off with good old Nessus/Nmap one-two punch against the in-scope ranges provided to us during our kick off. #nessus #nmap
Next up:
Mitm6, NTLMRelayX, Responder, and CME in gen-relay-list mode. Gotta get some creds!
Oh and don't forget PCredz!
#pcredz #crackmapexec #ntlmrelayx #impacket #mitm6
Having been dropped into an Azure VM, relaying may be a pain. LLMNR/mDNS/NBNS, etc. are not explicitly allowed by default in these virtual environments. I think it has something to do with how cloud providers virtualize Layer 2.
Since this is a Non-Evasive assessment, it's safe to do something like Aquatone or WitnessMe/EyeWitness even if the hosts "may" not have a web port.
Saw something about a LibSSH authentication bypass while running Aquatone. Digging in a bit with github.com/blacknbunny/CV…
Quick, simple tool. Thanks to the developer!
Nope, wasn't vulnerable. Looked like it, but when you break down the actual packets, the command being sent was being blocked by authentication requirements!
Oh lookie! Null Session enumeration against the domain controller!
github.com/cddmp/enum4lin…

enum4linux-ng -A DC1.acme.local
529 accounts from that! Time to Kerbrute.
github.com/ropnop/kerbrute
After cleanup, looks like 383 enabled, sprayable accounts. Note: I got the password policy from the client and from the null session, so we can follow that to avoid lockouts! Here we go!
Also, since I got the _general_ overview of how these accounts look, I can use a username list like this:
github.com/insidetrust/st…
to try to pry out some more, in case I didn't get all of them from Null Sessions for some reason. I'll do that while I'm waiting on things.
kerbrute userenum -d acme.local -o statistically_valid_users.txt /opt/statistically-likely-usernames/johns.txt
for those of you curious.
Ok, Kerbrute is running, Relays are up, Nessus, Nmap are all running as intended. Let's go dig into some of the preliminaries.
Nessus has reported some Web Directory Enumeration! Never Ever discount the "Info" classification in Nessus!
Time to run FFUF! One of my favorite tools. Based on the OS fingerprinting from Nessus/Nmap, my target is IIS on Windows, so we'll take out some PHP stuff; it's unlikely they're using PHP and not XAMPP.
github.com/ffuf/ffuf
#ffuf
My command:
pastebin.com/HLkpPDvF
No hits on the normal password spray attempts yet, and nothing "exciting" from automated scanners. Manual enumeration shows a couple outlying web servers that are probably not as protected as they are thought to be. I'll mess with those for now.
I TAKE THAT BACK! One hit on a VERY common password.
OK. Had to change the password for the user because it was expired (I also believe it to be an unused service account; we'll get to that once we kick off the authenticated enumeration). HERE WE GOOOOOO
Currently working on getting a reverse VPN setup so I can connect to my windows box for some powershell magic. IPtables got me like
Ok fixed all that. Weird routing with Docker. All better now. Connected this Linux "landing box" to my Windows attack VM so I can do things with Rubeus and other .NET stuff to enumerate AD. This includes running Bloodhound from MY Windows device. No artifacts on clients ;)
To do this, you need to have a way to connect back to a Windows device. I have a VPN server listening on 127.0.0.1 on the Linux device, and I SSH to the Linux device with a dynamic port forward (-D). By specifying that port in the OpenVPN client file, it will use that to connect.
From there, as long as you don't have any silly routing issues (like I did this time) and you have IP forwarding enabled on your Linux device, you should be able to communicate with the internal network.

runas /netonly /acme.local\pwndusr powershell

Sharphound away!
err, that's runas /netonly /user:acme.local\pwnduser powershell

#editbuttonplz
Kerberoasting succeeded! Time to crack some SPNs!
Note: I ended up not needing runas just yet. Coming soon. [screenshot: Getting TGT / Verifying TGTs / Highly masked Kerberoast ou...]
Still waiting on the password cracker to chug through these SPNs, but while I'm at it, I'm installing some tools for an in-house tool (that I thought were installed already, oh well!) so that I can identify some gaps in AD, that may allow me to escalate privileges while BH runs.
First pass of Kerberos cracking was unsuccessful!
Also, No AS-REP roastable users... bummer.
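Whether the SPN hashes crack and whether any AS-REP roastable users exist both come down to account configuration, so the defender-side counterpart to the two steps above is an audit of the attributes involved. The following is an added example, not code from this thread: it walks a constructed, simplified rendering of the LDAP attributes a directory query would return (sAMAccountName, servicePrincipalName, userAccountControl, msDS-SupportedEncryptionTypes, pwdLastSet, objectClass) and flags user-class SPN owners that can still be issued RC4/DES service tickets or that carry a stale password, plus any enabled account with pre-authentication disabled. Computer and gMSA accounts are skipped because their passwords are machine-generated. The records, the audit date and the one-year staleness cutoff are assumptions for the demo.

```python
"""Audit AD accounts for Kerberoast and AS-REP roast exposure. Added example,
not part of the thread: the records are a constructed, simplified rendering of
the LDAP attributes a directory query would return."""
from datetime import datetime, timedelta

# userAccountControl bits (MS-ADTS 2.2.16)
UF_ACCOUNTDISABLE = 0x0002
UF_DONT_REQUIRE_PREAUTH = 0x400000
# msDS-SupportedEncryptionTypes bits (MS-KILE 2.2.7)
ENC_DES = 0x03            # DES-CBC-CRC | DES-CBC-MD5
ENC_RC4 = 0x04
ENC_AES = 0x18            # AES128 | AES256
GMSA_CLASS = "msDS-GroupManagedServiceAccount"
AUDIT_DATE = datetime(2023, 5, 3)   # assumed "now" for the demo

# Constructed sample records (not a real directory).
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "svc_sql", "servicePrincipalName": ["MSSQLSvc/sql01.acme.local:1433"],
     "userAccountControl": 0x10200, "msDS-SupportedEncryptionTypes": None,
     "pwdLastSet": datetime(2016, 2, 1), "objectClass": ["user"]},
    {"sAMAccountName": "svc_web", "servicePrincipalName": ["HTTP/web01.acme.local"],
     "userAccountControl": 0x200, "msDS-SupportedEncryptionTypes": ENC_AES,
     "pwdLastSet": datetime(2023, 1, 15), "objectClass": ["user"]},
    {"sAMAccountName": "svc_legacy", "servicePrincipalName": ["ftp/old.acme.local"],
     "userAccountControl": 0x202, "msDS-SupportedEncryptionTypes": None,
     "pwdLastSet": datetime(2012, 6, 1), "objectClass": ["user"]},
    {"sAMAccountName": "gmsa_sql$", "servicePrincipalName": ["MSSQLSvc/sql02.acme.local:1433"],
     "userAccountControl": 0x200, "msDS-SupportedEncryptionTypes": ENC_AES,
     "pwdLastSet": datetime(2023, 4, 20), "objectClass": ["user", GMSA_CLASS]},
    {"sAMAccountName": "jdoe", "servicePrincipalName": [],
     "userAccountControl": 0x400200, "msDS-SupportedEncryptionTypes": None,
     "pwdLastSet": datetime(2023, 3, 1), "objectClass": ["user"]},
    {"sAMAccountName": "DC1$", "servicePrincipalName": ["ldap/dc1.acme.local"],
     "userAccountControl": 0x82000, "msDS-SupportedEncryptionTypes": 0x1C,
     "pwdLastSet": datetime(2023, 4, 1), "objectClass": ["computer"]},
]


def rc4_allowed(enc_types):
    """True when a service ticket can be issued with RC4 or DES: the attribute
    is unset/zero (historically treated as RC4) or the RC4/DES bits are set.
    AES being enabled alongside RC4 does not help; the requester picks RC4."""
    if not enc_types:
        return True
    return bool(enc_types & (ENC_RC4 | ENC_DES))


def audit(accounts, now=AUDIT_DATE, stale_after=timedelta(days=365)):
    """Return sorted (sAMAccountName, finding) pairs for enabled accounts."""
    findings = []
    for a in accounts:
        name = a["sAMAccountName"]
        uac = a["userAccountControl"]
        if uac & UF_ACCOUNTDISABLE:
            continue
        if uac & UF_DONT_REQUIRE_PREAUTH:
            findings.append((name, "asrep_roastable"))
        # Computer and gMSA passwords are machine-generated, so only
        # user-class SPN owners are realistically crackable.
        managed = name.endswith("$") or GMSA_CLASS in a["objectClass"] \
            or "computer" in a["objectClass"]
        if not a["servicePrincipalName"] or managed:
            continue
        if rc4_allowed(a["msDS-SupportedEncryptionTypes"]):
            findings.append((name, "rc4_allowed"))
        if now - a["pwdLastSet"] > stale_after:
            findings.append((name, "stale_password"))
    return sorted(findings)


if __name__ == "__main__":
    for name, finding in audit(SAMPLE_ACCOUNTS):
        print(f"{name}: {finding}")
```

The two fixes the audit points at are the usual ones: move SPN-bearing user accounts to gMSAs or to long, rotated passwords with msDS-SupportedEncryptionTypes restricted to AES, and clear the "Do not require Kerberos preauthentication" flag wherever it is set. Requests for RC4 (type 0x17) service tickets, logged as event 4769 with that TicketEncryptionType, are the matching detection once AES-only is the norm.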
BloodHound came back! Let's take a look (probably won't post too many screenshots for Opsec)
GPP-Passwords and GPP-Autologin came back with zilch. Bloodhound is tiny... only ~600 users and about 40-50% are disabled.
Scanners are at full throttle, just waiting on some data to return. Password Spraying continues, and then the fun starts. Sometimes it's an instant win, others it's not. In this case, I'm super glad it's not because of how close I am to the SWIFT gateway!
I've got about an hour left of manual validation for the day. I'll post a few more tweets before signing off. I'll start a new thread in the morning!
Some of the enumeration data from our internal tool came back. Currently enumerating some shares that seem to have lax permissions. What's that? A golden image? Yes, please.
Time to wind down and get the listeners back up for the evening. Automated scanning overnight is in scope, so that will at least give me something to wake up to.
One more Password Spray before I close up!
Closing up for the day. Conclusion email sent to client (this is important!) with info on what to expect overnight.
Looping the thread:

I'll create a new one tomorrow. ✌
