Methodology
Overview
Internal pentesting simulates an insider attack, starting from a point already within the internal network.
The present note does not address Active Directory pentesting. While parts of the methodology detailed in this note also apply to an Active Directory security audit, the tools and techniques specific to Active Directory make the overall approach substantially different.
After enumerating the accessible hosts and their exposed services, the first step of an internal penetration test is to look for the path of least resistance, i.e. the low hanging fruits that can easily be detected and exploited (unpatched systems, default or guessable passwords, etc.).
The following methodology relies on several automated tools and is thus not directly applicable to the OSCP exam.
Notable tools used in this methodology
Aquatone
Tool written in Go to validate and screenshot websites.
https://github.com/michenriksen/aquatone
ffuf
Web fuzzer written in Go that can be used for directory bruteforcing.
https://github.com/ffuf/ffuf
Interlace
Python utility to run single-threaded command line applications in parallel, with CIDR support.
https://github.com/codingo/Interlace
masscan
Fast asynchronous and stateless network port scanner written in C.
https://github.com/robertdavidgraham/masscan
metasploit
Offensive framework notably used for vulnerability detection and exploitation.
https://github.com/rapid7/metasploit-framework
Nessus
Proprietary automated vulnerability scanner.
https://www.tenable.com/products/nessus
nmap
Network ports and services scanner.
https://nmap.org/download.html
nmap-parse-output
Bash script to parse and extract information from nmap XML output.
https://github.com/ernw/nmap-parse-output
NmaptoCSV
Python script to convert nmap output to CSV.
https://github.com/maaaaz/nmaptocsv
patator
Python login brute-forcer and fuzzer.
https://github.com/lanjelot/patator
Remote Server Administration Tools (RSAT) PowerShell ActiveDirectory module
PowerShell cmdlets to extract AD information if an account is provided.
https://www.microsoft.com/en-us/download/details.aspx?id=45520
RustScan
Fast network port scanner written in Rust.
https://github.com/RustScan/RustScan
SecLists
Collection of multiple types of lists (directory wordlists, usernames and passwords wordlists, etc.).
https://github.com/danielmiessler/SecLists
Sn1per Community Edition
Open-source automated vulnerability scanner.
https://github.com/1N3/Sn1per
sshUsernameEnumExploit.py
Python script to enumerate local users through OpenSSH services vulnerable to CVE-2018-15473.
https://github.com/Rhynorater/CVE-2018-15473-Exploit
testssl / sslscan2
Tools to enumerate the supported ciphers and the presence of cryptographic flaws of SSL / TLS services.
https://github.com/drwetter/testssl.sh
https://github.com/rbsec/sslscan
WhatWeb
Tool to identify the technological components, including content management systems, of web applications.
https://github.com/urbanadventurer/WhatWeb
0. Hosts enumeration through Active Directory
AD enrolled systems enumeration
If an AD account is provided for the internal penetration test, AD queries (for instance through the RSAT ActiveDirectory PowerShell module) can be used to quickly enumerate the domain-joined (most likely Windows) systems and their registered DNS hostnames.
Note that the IP addresses retrieved this way may be out of date, or may correspond to a non-accessible IP of another network interface of the host, and should therefore be confirmed by a ports scan.
DNS hostnames resolution from target file
To resolve a list of DNS hostnames the following commands can be used:
1. Ports and services scan
For more details on the techniques and tools used to conduct ports and services scans, refer to the [General] Ports scan note.
Commands that may require a long execution time can be started using the nohup utility. nohup starts a process that remains active even after the user who launched it logs out: nohup <COMMAND> &. Unless redirected, the command output is written to a nohup.out file in the current directory.
Ping sweep
nmap can be used to identify live hosts through a "ping sweep": ARP requests for hosts on the same local subnet, and otherwise (when run with sufficient privileges) ICMP echo requests, ICMP timestamp requests and TCP probes on ports 80 (ACK) and 443 (SYN).
While a "ping sweep" quickly identifies live hosts, it will miss any target outside of the local subnet that does not answer to ping and does not expose a service on the TCP 80 / 443 ports (or whose firewall filters these probes). Hosts missed by the sweep should still be scanned with host discovery disabled (-Pn).
Asynchronous fast ports scan
masscan or RustScan can be used to conduct fast asynchronous and stateless ports scans against networks that can absorb a high rate of inbound packets. The ports scan speed of masscan / RustScan can be combined with nmap's service detection probes to rapidly conduct a ports and services scan of a large network.
Note however that the trade-off for the speed achieved with masscan / RustScan is a lower precision: packets dropped by saturated links or intermediate devices translate into missed open ports. The scan rate should thus be kept within what the network can handle, and the results complemented with nmap for critical hosts.
Nmap limited ports scan
Against hosts that did not respond to the ping sweep or to the fast scanners, or for better overall precision, nmap can be used directly to scan for open ports. As nmap is significantly slower than the aforementioned ports scanners, only a limited range of ports should be probed (by default, nmap scans the top 1000 TCP ports).
Nmap services scan
Once the open ports are enumerated, nmap can be used to conduct a services scan to more precisely identify the exposed services through banner grabbing and version detection probes.
nmap does not currently provide a way to scan specific host/port combinations in a single run (every host is scanned on the full port list given with -p), which greatly limits the possibilities of chaining a ports scan output with a services scan. A GitHub issue is open and an external patch is being reviewed: GitHub issue and Nmap Development mailing list.
Full ports and services scan from IPs / range / CIDR input file
The following command instructs nmap to conduct a full ports scan (-p-) on every host, without first trying to detect live hosts with probe requests (-Pn).
From masscan output
As nmap cannot take host/port pairs as input, the current best approach is to conduct a single services scan on the union of all the ports identified as open on at least one host, against every host with at least one open port.
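The chaining step described above, as an added example that is not part of the original note: a POSIX shell script that parses a masscan list-format (-oL) output file, collects every TCP port found open on at least one host, writes the hosts with at least one open port to a file and prints the nmap services scan command to run next. The masscan invocation mentioned in the comment, the file names and the nmap options chosen (-Pn, -n, -sV, -oA) are assumptions, and the sample masscan output is constructed rather than captured from a real scan.

```sh
#!/bin/sh
# Added example (not from the original note): chain a masscan list-format
# result into a single nmap services scan over the union of open ports.
# Assumed preceding step (not executed here):
#   masscan -iL targets.txt -p1-65535 --rate 10000 -oL masscan.lst
set -e

# Constructed sample of masscan -oL output; not a real scan result.
SAMPLE_MASSCAN='#masscan
open tcp 445 10.0.0.5 1600000000
open tcp 80 10.0.0.7 1600000001
open tcp 443 10.0.0.7 1600000002
open tcp 445 10.0.0.9 1600000003
open tcp 8080 10.0.0.9 1600000004
open tcp 80 10.0.0.5 1600000005
# end'

# Every TCP port found open on at least one host, deduplicated, numerically
# sorted and comma-separated, ready for nmap -p. nmap cannot be told to scan
# host/port pairs, so the union of ports is scanned on every host.
masscan_ports() {   # $1: masscan -oL file
    awk '$1 == "open" && $2 == "tcp" { print $3 }' "$1" | sort -n -u | paste -sd, -
}

# Unique hosts with at least one open port, one per line.
masscan_hosts() {   # $1: masscan -oL file
    awk '$1 == "open" { print $4 }' "$1" | sort -u
}

# Write the hosts file and print the nmap command to run next:
#   -Pn  skip host discovery (masscan already saw the host answer)
#   -n   skip reverse DNS resolution, slow on large internal ranges
#   -sV  service and version probes on the listed ports only
#   -oA  save normal, grepable and XML output for later parsing
nmap_service_scan_cmd() {   # $1: masscan -oL file, $2: hosts file to write, $3: nmap output prefix
    masscan_hosts "$1" > "$2"
    printf 'nmap -Pn -n -sV -p %s -iL %s -oA %s\n' "$(masscan_ports "$1")" "$2" "$3"
}

# Stand-alone run on the constructed sample.
workdir=$(mktemp -d)
printf '%s\n' "$SAMPLE_MASSCAN" > "$workdir/masscan.lst"
nmap_service_scan_cmd "$workdir/masscan.lst" "$workdir/hosts.txt" "$workdir/services"
```

On the constructed sample the script prints a single nmap command scanning ports 80, 443, 445 and 8080 on the three hosts; the three-file output (-oA) is what the parsing tools of the next section consume.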
nmap output parsing
NmaptoCSV
The NmaptoCSV Python script can be used to convert nmap output to the CSV format. The produced CSV file can be loaded in a graphical CSV reader (such as Excel) for an easier analysis of nmap scan results.
nmap-parse-output
The nmap-parse-output bash script can be used to parse and extract information from nmap results (in the XML format). It is used extensively in this note to extract the hosts exposing a given service.
Sort file by IP order
The following one-liner can be used to sort, in numeric order, a list of IP addresses or any file in which each line starts with an IP address (a plain sort orders them lexically, placing 10.0.0.10 before 10.0.0.9):
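The numeric IP sort described above, as an added example that is not part of the original note: a POSIX shell function around sort, splitting each line on "." and sorting the four octets numerically, plus a variant that deduplicates whole lines first. The sample file content is constructed.

```sh
#!/bin/sh
# Added example (not from the original note): sort lines that start with an
# IPv4 address in numeric octet order. A plain `sort` compares bytes, so
# 10.0.0.10 and 10.0.0.100 land before 10.0.0.9; splitting on "." and
# sorting each of the four octets numerically gives the expected order.
set -e

# Constructed sample: an IP followed by a note, unsorted, with one exact
# duplicate line and two different lines for the same IP.
SAMPLE_HOSTS='10.0.0.10 smb
10.0.0.9 http
10.0.1.2 ssh
10.0.0.100 mssql
10.0.0.10 smb
192.168.1.1 http
10.0.0.9 https'

# Sort a file by the leading IPv4 address. The fourth key is text such as
# "9 http"; -n reads its leading number, and sort then falls back to a
# whole-line comparison for lines sharing the same IP.
sort_by_ip() {   # $1: file
    sort -t . -k1,1n -k2,2n -k3,3n -k4,4n "$1"
}

# Caveat: with GNU sort, adding -u to the command above deduplicates per IP
# rather than per line (the numeric keys compare "9 http" and "9 https" as
# equal, and -u disables the whole-line fallback). Deduplicate whole lines
# first, then sort by IP.
sort_by_ip_unique() {   # $1: file
    sort -u "$1" | sort -t . -k1,1n -k2,2n -k3,3n -k4,4n
}

# Stand-alone run on the constructed sample.
workdir=$(mktemp -d)
printf '%s\n' "$SAMPLE_HOSTS" > "$workdir/hosts.txt"
sort_by_ip "$workdir/hosts.txt"
```

The same sort expression can be appended, through a pipe, to any command producing IP-prefixed lines (hosts lists, smbmap or enum4linux-ng summaries, etc.).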
2. Automated vulnerabilities discovery
Tenable Nessus
Nessus is a proprietary automated vulnerability scanner. It can be used to scan for known vulnerabilities, various misconfigurations, and empty / default passwords on common services.
Depending on the number of hosts to scan, Nessus can be instructed to conduct a full ports scan and / or to limit its checks to vulnerabilities that could result in remote code execution.
Sn1per Community Edition
Alternatively or in addition, the Sn1per Community Edition automated scanner can be used as well.
The NUKE mode launches a full audit of the hosts listed in a text file, including:
- a full ports scan;
- sub-domains brute force and DNS zone transfer attempts;
- anonymous FTP / LDAP access, SMB NULL sessions and SNMP community strings checks;
- a web scan using WPScan, Arachni and Nikto for all detected web services.
3. SMB services enumeration and analysis
Multiple known vulnerabilities affect the SMB protocol and its implementations and could, if left unpatched, allow unauthenticated remote code execution.
Additionally, SMB network shares could be accessible to unauthenticated users (Anonymous or Guest access). If an Active Directory account was provided, or could be compromised, refer to the [ActiveDirectory] GPP and shares searching note for techniques and tools for authenticated shares enumeration and searches.
SMB RCE vulnerabilities
nmap and metasploit can be used to detect vulnerabilities on exposed SMB services. It is recommended to combine both tools, as their checks differ, to minimize the number of false negatives.
For vulnerability exploitation, refer to the [L7] SMB - Methodology note.
Null session and guest access to shares
smbmap can be used to attempt to list the shares accessible without credentials on the hosts exposing an SMB service. If any share is found to be accessible, refer to the [L7] SMB - Methodology note for techniques and tooling to search for and retrieve sensitive content in the shares.
Null session enumeration attempts
enum4linux-ng can be used to attempt, without authentication, to retrieve information in addition to the exposed shares, such as local users, groups, password policy, etc. For more information, refer to the [L7] MSRPC note.
Interlace is used in combination with enum4linux-ng to run the enumeration against multiple hosts in parallel and to parameterize the output file per target.
X. HTTP / HTTPS services enumeration and analysis
URL extraction from nmap scan results
nmap-parse-output can extract the hosts with an exposed http service from nmap's XML output, in the following format: <http | https>://<IP>:<PORT>.
The following services are identified as being http services: http, https, http-alt, https-alt, http-proxy, sip, rtsp, soap, vnc-http, and caldav.
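The same extraction, as an added example that is neither part of the original note nor nmap-parse-output's own code: an awk-based POSIX shell function that reads nmap's grepable output (-oG, the .gnmap file also written by -oA) rather than the XML, keeps only open TCP ports whose service name is in the list above, and prints <http | https>://<IP>:<PORT> lines. Treating an "ssl|" tunnel prefix in the grepable service field as https, and the grepable format instead of XML, are assumptions of this example; the sample scan output is constructed.

```sh
#!/bin/sh
# Added example (not from the original note, not nmap-parse-output itself):
# extract <scheme>://<IP>:<PORT> URLs from nmap grepable output with awk.
# Assumptions: the web service names are the ones listed in the note, and an
# "ssl|" prefix on the service field (nmap's notation for a TLS-wrapped
# service in -oG output) means the URL scheme is https.
set -e

# Constructed sample of nmap -oG output (tab-separated fields); not a real
# scan result. 8000/tcp is filtered and 445/tcp is not a web service, so
# neither must produce a URL.
SAMPLE_GNMAP=$(printf '%s\t%s\n' \
  'Host: 10.0.0.7 ()' 'Status: Up' \
  'Host: 10.0.0.7 ()' 'Ports: 22/open/tcp//ssh//OpenSSH 8.9/, 80/open/tcp//http//nginx/, 443/open/tcp//ssl|https//nginx/, 8080/open/tcp//http-proxy///' \
  'Host: 10.0.0.9 ()' 'Ports: 445/open/tcp//microsoft-ds///, 8443/open/tcp//ssl|http///, 8000/filtered/tcp//http-alt///')

# Print one URL per open TCP port identified as a web service.
nmap_http_urls() {   # $1: nmap grepable output file
    awk -F '\t' '
    BEGIN {
        n = split("http http-alt http-proxy sip rtsp soap vnc-http caldav", a, " ")
        for (i = 1; i <= n; i++) plain[a[i]] = 1
        tls["https"] = 1; tls["https-alt"] = 1
    }
    /^Host:/ {
        split($1, h, " "); ip = h[2]
        for (f = 2; f <= NF; f++) {
            if ($f !~ /^Ports: /) continue
            np = split(substr($f, 8), ports, ", ")
            for (p = 1; p <= np; p++) {
                # Each entry reads port/state/protocol/owner/service/rpc info/version/
                split(ports[p], e, "/")
                if (e[2] != "open" || e[3] != "tcp") continue
                svc = e[5]; secure = 0
                if (sub(/^ssl\|/, "", svc)) secure = 1
                if (svc in tls) secure = 1
                if ((svc in plain) || (svc in tls))
                    printf "%s://%s:%s\n", (secure ? "https" : "http"), ip, e[1]
            }
        }
    }' "$1"
}

# Stand-alone run on the constructed sample.
workdir=$(mktemp -d)
printf '%s\n' "$SAMPLE_GNMAP" > "$workdir/scan.gnmap"
nmap_http_urls "$workdir/scan.gnmap"
```

The printed list is the input expected by the URL validation step below: one URL per line, scheme included, so that aquatone can be fed directly from it.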
URL validation and screenshotting
Using the extracted list of URLs as input, aquatone can be used to validate the URLs and screenshot the accessible web applications.
Aquatone produces a report in the HTML format that embeds the screenshots, web page titles, and enumerated headers. Web applications are grouped by similarity for easier visualization and analysis.
Web technologies identification
WhatWeb can be used to identify the various technological components used by the web applications exposed on the URLs validated by aquatone.
Interlace is used in combination with WhatWeb to manage multi-threading and parameterize output.
Files / directory bruteforcing
ffuf can be used to bruteforce directory and file names on the URLs validated by aquatone. The size of the files / directories wordlist should be adapted to the number of URLs to bruteforce and to the network responsiveness.
A combination of wordlists from SecLists, picked based on the technological components identified by WhatWeb, may be used.
SSL / TLS configuration analysis
testssl and sslscan2 can be used to review the SSL / TLS configuration (supported protocols and ciphers, certificate audit, etc.) of HTTPS services.
Interlace is used in combination with sslscan and testssl to introduce multi-threading and parameterize outputs.
Vulnerabilities / misconfigurations scans with nuclei
nuclei is a template-based scanner that can be used to discover known vulnerabilities or misconfigurations on web services.
X. Credentials bruteforcing
Usernames and passwords wordlist
SSH user enumeration
The sshUsernameEnumExploit.py Python script can be used to enumerate local users against OpenSSH services in versions up to and including 7.7, which are vulnerable to a username enumeration oracle (CVE-2018-15473).
Common services login bruteforce
Service | Port(s) | Default usernames | Default passwords | Bruteforce command
FTP | TCP 21 | anonymous | any | 
SSH | TCP 22 | | | 
rexec / rlogin | TCP 512 / TCP 513 | | | 
MSSQL | TCP 1433 | sa | sa | patator mssql_login host=FILE0 user=FILE1 password=FILE2 0="<INPUT_HOSTS>" 1=<WORDLIST_USER> 2=<WORDLIST_PASSWORD> -x ignore:fgrep='Login failed for user'
Tomcat | NA (HTTP port of the instance) | tomcat, manager, role, role1 | tomcat, changethis, s3cret | 