Antisyphon KB

1. Internal Checklist

Nov 04, 20244 min read

Internal Penetration Test Checklist

title: Want to Add Stuff to the Internal Testing Section of the KB? Modify the checklist? Add tools? 
 
Reach out to one of the subject matter experts (SMEs) to ensure the content additions align with testing expectations and deliverables. Or, depending on your confidence, go for it!
 
Current Internal Network SMEs:
- Jordan jordan@blackhillsinfosec.com
- Alyssa alyssa@blackhillsinfosec.com
- Phil phil@blackhillsinfosec.com
- David david@blackhillsinfosec.com

Before testing begins

One week before the test

  • Test remote access to testing system (Nexus implant) and verify that the minimum host requirements are met
  • Request a Nessus license from Systems (“help desk” helpdesk@bhis.io) and set up Nessus on implant
  • Start the report in SharePoint by using the “New…” button in the project’s folder and choosing the pentest report template. Update the filename to match the standard: ${CustomerName}-${TestType}-${Date}.docx
  • Start the “Internal Network Penetration Test” section with a brief description of the local network. “…BHIS was provisioned access via Nexus or some other means. The local network configuration appeared as follows. The entirety of the provided scope can be reviewed in Appendix X of the report.”

Test start

  • Review the ROE notes for special requests/requirements, status update requests, etc.
    • Is password spraying acceptable?
    • Is the customer more interested in exploitation or broad coverage of vulnerabilities?
  • Send the start email to the customer.
  • Run the install-tools.sh script on your implant/s.

Requirements

Summary - Five things required:

  • Vulnerability Scan all listed assets
  • Network layer testing - LLMNR, NBNS, mDNS
  • Web services screenshots and triage
  • Password sprays
  • Triage of vulnerabilities with exploitation and validation on selected high interest issues
    • To-Do if you get ahold of any credential: ADCS, SCCMHunter

Day one - broad perspective

  • Run vulnerability scan with Nessus (Follow the Nessus Interaction documentation)
    • Run scans and find a balance between the customer’s desire and coverage
      • Evaluate results from a “critical down” perspective
      • Evaluate results from a “professional opinion” perspective
      • Evaluate results from an “exploitable” perspective
  • Test for LLMNR, NBNS, mDNS
    • If present, prepare relay tools and get impacket and ntlmrelayx operational
  • Run EyeWitness or similar web screenshot tool like GoWitness against Nessus file
  • Find a password spray target
    • SMB is a popular destination from an internal perspective
    • A first spray is not required on day one

Day two through four (exploitation focus)

  • Start hacking things! (don’t break things)
    • Start cracking NetNTLMv2 hashes if you have any
    • Reconfigure Responder config: smb off, http off
    • Run ntlmrelayx against the hosts lacking smb signing
      • -smb2support
      • if a user with sufficient privileges is relayed, we get a SAM dump
        • Use SAM hashes with something like CrackMapExec to check for widespread admins.

          BE CAREFUL, USE LOCAL AUTH TO AVOID LOCKOUTS

    • Run ntlmrelayx against the domain controllers (from implant: cat /etc/resolv.conf, nslookup resolverIPs)
      • So many configurations possible for this tool
        • ntlmrelayx.py -t ldap://dc |tee -a relaylog
        • ntlmrelayx.py -t ldaps://dc
    • Active Directory Certificate Services (ADCS)
      • Any credential, you have to check on this
  • Review Nessus and look for criticals and highs first.
    • Treat this as a race-condition, go as fast as possible
      • Critical - research it, prove it, exploit where applicable, document it, write up the finding
      • High - research it, prove it, exploit where applicable, document it, write up the finding
      • Medium - there are a few interesting findings that Nessus will produce in the Mediums category: SMB Signing mostly, target these systems with ntlmrelayx
      • Low - do not overlook these
      • Info - do not overlook these, Cisco SMI is here
  • Use EyeWitness to take screenshots of web services
    • Review this report through Burp Suite
  • Try mitm6

    not advisable to walk away from a console with this running

    this tool can break DNS services and cause DoS

    • -d domain.local
  • Password spray something
    • CrackMapExec smb targetIP -u users.txt -p Winter2022! | tee -a /opt/cme-spray-datetime

Day five - Get to wrapping up

  • Findings already pulled over? If not, get going!
  • You want to be done by the end of day? Get writing!
  • You should have been reporting the whole way
  • Reach out to the customer and ask if there is anything else in which they might be interested
  • Did you compromise something? anything?
    • Be sure to inform the customer of any compromises via a Post Test Cleanup Finding
    • Add computer accounts? Add to the Post Test Cleanup Finding
    • Leave LNK files lying around? Add to the Post Test Cleanup Finding

Tools of interest

  • Certipy
  • Coercer
  • PetitPotam
  • NetExec
  • EavesARP
  • Responder
  • mitm6
  • impacket
  • eyewitness
  • rdp-sec-check
  • nikto
  • sqlmap
  • dirsearch
  • PKINITTools
  • SCCMHunter
  • WebclientServiceScanner

Tip: Search the KB for tool info using tags!

for example for Certipy - search: “tag:tool certipy”

Graph View

Backlinks

  • No backlinks found