Let's face it, we all love pentesting infrastructure!! There is nothing more exiting than being routed into a corporate network and pop shells left, right and center. These networks often have complicated structures and restrictions which require serious network gymnastics to achieve what we want and get where we’re going. As time progresses I have come to develop my own post-exploitation/network migration methodology (as most pentesters do I guess). I want to share with you a tool-kit which is really useful to have on hand. For easy deployment these tools can be dropped in you local ftp server or webserver (many other ways exist of course).
These tools are collected below in an archive and are up-to-date as of this post but I have included links to the various sources if you want to grab the latest versions.
Ncat is nmap's version of NetCat, it comes packaged with newer versions of nmap. The archive includes a standalone pre-compiled version of Ncat. Ncat is much improved over the original NetCat, it supports TCP, UDP, SSL and it can proxy connections via SOCKS4 and HTTP proxies. It also bears mentioning that Ncat has not made it into the virus signature databases unlike NetCat.
This is a portable command line version of PUTTY for all your Windows SSH-Tunneling needs (totally irreplaceable). Traverse the network in seemingly impossible ways and surprise even yourself on occasion!!
- Microsoft Sysinternals Suite
Do not underestimate Microsoft-Fu there are allot of tools included in the Sysinternals Suite (way to many to sum up here). These tools offer you powerful leverage on the localhost and network. I highly suggest you take time to investigate their various uses (I plan to dedicate a whole tutorial to Microsoft's psexec combined with WCE as I believe they are often poorly understood). Again we have the added bonus here that these tools are signed Microsoft binaries w00t!
- Windows Credential Editor
The archive includes the 32-bit version but 64-bit is also available. Windows Credential Editor is basically a post-exploitation tool to "steal" and reuse NTLM hashes, Kerberos tickets and plaintext passwords which can then be used to compromise other machines. Under certain circumstances, WCE can allow you to compromise the whole Windows domain after compromising only one server or workstation. WCE will get detected by AV but I have obfuscated it and so can you!
Mimikatz is an epic tool to leverage pwnd hosts and extract their plain-text passwords. Yes yes I know hashes are all-powerful but I guarantee you will come across cases where you will be happy to have plain-text credentials. Consider (1) host A with a SYSTEM-level compromise and user accounts for John and Jane and (2) host B no access at all but John has an account on that box. If John is not and administrator on B then passing the hash won't work but using the plain-text credentials over RDP probably will. I recommend you read up on the advanced functionality of Mimikatz here. This probably will get detected by AV but with some effort I managed to obfuscate it and so can you!!
PowerShell for the win!! PowerShell is awesome guys, it is basically Microsoft's attempt to provide a command line environment for system administrators. PowerShell has been integrated into Windows since Server 2008 and Windows 7 and upwards, it has full access to the .NET Framework which means that you can do pretty much anything with it (not to mention that Microsoft's restrictions on PowerShell are a joke)! PowerSploit is essentially a set of scripts developed by Matt Graeber to automate all kinds of cool and indispensable tasks you will be doing regularly during network penetration and post-exploitation. For more arcane PowerShell Magic I suggest you take a look at Matt Graeber's website here.
Shellcodeexec is essentially a payload stager. It can be dropped on the remote host and can be called through the commandline, when giving it a pure ASCII shellcode text string as input it will directly inject the shellcode into memory and execute it. There are also some interesting posts online about embedding it in word macros for social engineering attacks. It will be detected by AV but shellcodeexec includes source-code which can modified to make it undetectable.
- IKAT - Binaries That Bypass Group Policy
These are 32-bit binaries (64-bit also available) that bypass Group Policy. When compromising locked down Windows boxes (such as in Citrix environments) you will often have to deal with enhanced restrictions that try to hinder your progress. In my experience these locked down environments are fundamentally flawed and are almost impossible to protect if they want to provide the end-user with any kind of functionality. In these cases one of the more useful things to have in your bag of tricks are binaries which ignore Group Policy and provide you with an efficient way to set up your forward HQ.