Security Summary
HAVE A RUNNING REPORT / RECORDING OF STEPS AND FINDINGS
Phases
- Reconnaissance
- Scanning and Enumeration
- Gaining Access
Windows
Covering Tracks
- Delete any files or other artifacts we added during testing
Enumerate
- WinPEAS
- PowerUp
- hashdump
- https://github.com/GhostPack/Seatbelt
Post Exploitation
http://www.pentest-standard.org/index.php/Post_Exploitation
Things to try
- LLMNR Poisoning
- SMB Relay
- IPv6 Attacks / DNS Takeover
- Passback Attacks / Check multifunction devices (printers, etc.)
- Look for multiple networks and MDT/PXE boot servers
- Pass the hash
- Pass the password
- Password dumping
- Token impersonation
- GPP / cpassword attack
- URL File attack
- Golden/Silver ticket
Active Directory
- Understand domain trust relationships for exploitation
- PowerView enumeration
- Run SharpHound (.ps1) to collect data to pass into BloodHound
Domain Controller Target
- Contains NTDS.dit, a database that holds all of the information of an Active Directory domain, including the password hashes for domain users
- Stored by default in %SystemRoot%\NTDS
- Accessible only by the domain controller
Linux
https://sevenlayers.com/index.php/212-linux-mount-vhd-vhdx
Guide to pivoting: https://artkond.com/2017/03/23/pivoting-guide/#3proxy
Things to try
- Kernel Exploits
- Passwords & File Permissions
- sudo
- SUID
- Capabilities (getcap)
- Scheduled Tasks
- NFS Root Squashing
- Docker / LXD
- Buffer Overflow / Binary Exploit
Tools
- pspy
- Linux pwn methodology: https://karol-mazurek95.medium.com/pwn-methodolodgy-linux-5c8355a8c9c2
Recon
- Look for multiple networks and MDT/PXE boot servers
- LinEnum
- LinPEAS