Pentest Methodology

Early Game

The goal of this phase is to gather as much information as possible from the network and to establish an initial foothold by performing common initial attacks. You should be able to gather credential hashes (NTLM, NTLMv2), running services, and other important information.

Initial Attacks (Active Directory)

• Run Responder or SMB Relay attack to capture NTLMv2 or NTLM hashes.

• Save captured hashes to a file for Password Cracking.

• Run MITM6 if necessary.

• Password Cracking (Once you capture hashes).

• SSH Brute forcing.

• Read the Outputs.

Vulnerability Scanning

• Run Nessus Scan

• Manual vulnerability assessment once you have the version of the applications that are running. (Google, Searchploit).

  • Check CVEs.

Scanning and Enumeration

• Host/Network Enumeration.

  • Gather IP addresses and Hostnames.

  • Run arp-scan.

• Run Nmap Scan

  • Check open ports.

  • Check common ports (80,445,21,22,23, etc.).

  • Check the version of running services.

  • Run Nmap scripts to gather more info or check vulnerabilities of services/applications.

• Check for File Shares.

  • SMB Enumeration.

    • Check smb2-security-mode in Nmap.

      • Message signing enabled but not required.

    • Run smbclient.

    • Metasploit - auxiliary/scanner/smb/smb_version.

    • Check open SMB Shares (Can be accessed without credentials).

  • Check FTP and NFS.

    • run showmount.

    • Check anonymous:anonymous login

  • Check files for sensitive information (usernames, passwords, PII, etc.).

  • Check IT Procedures/Documents (This can sometimes store credentials).

• Check running web applications on the network.

  • Check running technologies (Wappalyzer).

  • Check Default pages.

  • Check for web portals/consoles (Printers, iDrac, etc.).

  • Check default credentials.

  • Check Error messages.

  • Check Information disclosures on web pages (Server information, application version).

  • Check subdirectories (directory busting).

  • Check accessible config files (XML, txt, JSON, etc.).

  • Run web vulnerability scanning (nikto).

Mid Game

You’ve managed to crack the hashes you’ve captured from the Early Game stage or at least save them to a file, now what? The goal of this phase is to be able to move laterally on the network to gather more information until you can move vertically to compromise the network.

In this phase, you will be doing mostly exploitation, lateral movement, and some enumeration. You should be able to perform pass-the-password/pass-the-hash attacks, perform domain enumeration and exploitation, perform web exploitation, establish persistence, and perform other domain/network attacks.

Post-Compromise Attacks (Active Directory)

• Kerberoasting

• Pass-the-Password / Pass-the-Hash.

  • Run CrackMapExec.

  • Run Secretsdump.

  • Gather Hashes

    • NTLM

    • DCC2

• Crack newly found hashes.

• Run CME/SecretsDump again on newly found hashes/passwords.

• Gain Shell Access.

• Perform Token Impersonation.

  • Create a New User (Local/Domain), preferably an Admin account for persistence.

• Dump credentials using Mimikatz.

Post-Compromise Enumeration (Active Directory)

• Gather Domain Information (LDAPDomainDump)

  • Check Domain Users and Domain Admins.

  • Check Service accounts.

  • Check GPOs.

• Analyze Domain using BloodHound.

Web App

• Web App Pentesting

Late Game

Once you’ve reached this phase, you have already compromised the domain by gaining access to a domain admin account or through exploitation. You should now have the ability to dump the domain database (ntds.dit) and gather all domain account credentials. In a Pentest engagement, if you were able to quickly compromise a domain, try to do it again and find other ways to compromise a domain or find other vulnerabilities that the network may have.

Make sure you remove any persistence you set on the network and exploits that you used. Make sure you leave the network in the same state as when you started so that you won’t leave any holes in the network that real attackers can use.

Once the pentest is done, it is time for report writing. Make sure you include evidence/screenshots of the exploit that you performed, and include any helpful details for the clients such as the details of the attacks, remediation, etc. When doing pentest, a good strategy is to keep detailed notes and start drafting your report right away, filling it in as you go so that when you are in the report writing stage, you’re now just polishing your report.

Post-Domain Compromise Attacks (Active Directory)

• Dump NTDS.dit (secretsdump)

• Crack hashes from NTDS.dit

• If you still have plenty of time, try to find other vulnerabilities on the network.

  • Stored sensitive information.

  • Vulnerable Applications.

  • Outdated applications.

Cleaning Up

• Make sure you leave the network in the same state as when you started.

• Remove any Accounts (Local/Domain) that you’ve created.

• Delete any files/payloads that you transferred to the machines.

• Revert any configurations that you’ve modified.

Report Writing

• A good strategy is to keep detailed notes and start drafting your report right away, filling it in as you go.

• Confidentiality Statement.

• Disclaimer.

• Contact Information.

• Assessment Overview.

• Assessment Components.

• Scope.

  • Scope exclusions.

• Executive Summary.

  • Testing Summary.

  • Tester Notes and Recommendations.

  • Indicate key strengths and weaknesses.

• Vulnerability Summary.

  • List all findings, severity, and recommendations.

• Technical Findings

  • List Pentest findings.

  • Include a detailed description of the findings.

  • Risk. Likelihood of the attack and Impact of the attack.

  • Systems affected.

  • Tools used.

  • References for the attacks.

  • Evidence (Screenshots) of successful attack. Make sure to obfuscate sensitive information in those screenshots.

  • Remediation. Also include Standards/Frameworks (NIST, MITRE, etc.)