In the first of this series, we looked at the absolute basic penetration testing tools that make up the foundation of any competent arsenal. In this part, we are going to look at some of the newer and more sophisticated tools that are available.
Run a packet sniffer on a typical corporate network, and you will see an awful lot of broadcast traffic “noise”. For backward compatibility, Windows networks generate a large number of name requests using legacy protocols such as LLMNR (Link-Local Multicast Name Resolution) and NBT-NS (NetBIOS Naming Service). Because these packets are broadcast packets, any local host can see the requests, and because there is no inbuilt validation, any local host can answer the request. Responder is a powerful tool that allows you to create fake answers to these requests, and “steer” the victim’s network traffic to the attack machine. All sorts of network authentication attempts can therefore be captured, some encrypted, others in clear-text. All too often you are merely a dictionary attack away from legitimate credentials.
What started out primarily as an AV evasion toolkit, has since grown into a rapidly expanding framework that’s constantly growing in capability. The original purpose for Veil however remains just as valid: Evading AV solutions. All too often during a penetration test, the target’s AV solution will prevent the compromise of a system using a generic payload. This may, on the surface, appear to be good news: The security solution is doing what it is supposed to. Cook-up something a little more bespoke however, and it will often sail straight past detection. Veil allows the creation of these custom payloads with ease.
Continuing the theme of AV evasion, PowerSploit consists of a powerful suite of tools that enable and maintain the compromise of targets, from invoking shells on targets with PowerShell installed, to grabbing passwords. Did I mention that AV solutions tend to completely ignore PowerShell scripts? Well, it’s a point that cannot be stressed enough.
You’ve compromised a Domain member server, you’ve grabbed and cracked the local password hashes, so you have the local administrator account. Now what? SMBExec is a privilege escalation tool that allows you to test already obtained credentials against a list of hosts to find out where they are valid. It also allows automation of tasks such as grabbing password hashes. In my experience, SMBExec often allows an attacker to go from a single compromised set of credentials to full Domain Admin in the blink of an eye.
Mimikatz is an amazing tool that pulls clear-text (yes, clear-text) passwords , PIN codes and Kerberos tickets from memory in Windows. Of course, you need privileged access to perform these tasks, but if you obtain a Local Administrator account or similar, then you are on the road to full Domain compromise with Mimikatz. A number of other attacks, including pass the hash are also covered in this swiss army knife of password poaching goodness. And of course, the ability to retrieve passwords in clear-text can save an awful lot of time.
The only problem with a blog post such as this, is knowing where to stop. The quality of a penetration test is based on a number of factors, but the right tool for the job is definitely a foundation upon the appropriate skills can be based., often saving time and maximising impact of the access already obtained.
If you missed part one of this series you can find it Here