Internal Infrastructure Pentest - Repos For Internal Pentest
-
Impacket: Impacket is a collection of Python classes for working with network protocols. Impacket is focused on providing low-level programmatic access to the packets and for some protocols (for instance NMB, SMB1-3 and MS-DCERPC) the protocol implementation itself. Packets can be constructed from scratch, as well as parsed from raw data, and the object oriented API makes it simple to work with deep hierarchies of protocols. The library provides a set of tools as examples of what can be done within the context of this library. A description of some of the tools can be found at: http://corelabs.coresecurity.com/index.php?module=Wiki&action=view&type=tool&name=Impacket
https://github.com/CoreSecurity/impacket -
Pywinrm: pywinrm is a Python client for the Windows Remote Management (WinRM) service. It allows you to invoke commands on target Windows machines from any machine that can run Python.
https://github.com/diyan/pywinrm -
pywerview: As a pentester, I love using PowerView during my assignments. It makes it so easy to find vulnerable machines, or list what domain users were added to the local Administrators group of a machine, and much more.
However, running PowerView on a computer which is not connected to the domain is a pain: I always find myself using mimikatz’s sekurlsa::pth to run a Powershell prompt with stolen domain credentials, and that’s not easy to script. Plus, I’m a Linux guy and I’ve always found it a shame that there were no complete Windows/Active Directory enumeration tool on Linux.
That’s why I decided to rewrite some of PowerView’s functionalities in Python, using the wonderful impacket library.
Update: I haven’t tested the last version of PowerView yet, which can run from a machine not connected to a domain. I don’t know if it works correctly under Linux using Powershell. If anyone has had any experience with this at all, you can contact me, I’m really interested. We’ll see if pywerview has become obsoleted ;) but I think I’ll continue working on it eitherway: I’d still rather use Python than Powershell on Linux, and I’m learning a lot! Plus, it may integrated in existing Linux tools written in Python. It’s still great news that PowerView now supports machines not connected to the domain!
https://github.com/the-useless-one/pywerview
-
PowerSploit: PowerSploit is a collection of Microsoft PowerShell modules that can be used to aid penetration testers during all phases of an assessment. PowerSploit is comprised of the following modules and scripts
https://github.com/PowerShellMafia/PowerSploit -
Invoke-Obfuscation : It is a PowerShell v2.0+ compatible PowerShell command and script obfuscator.
https://github.com/danielbohannon/Invoke-Obfuscation -
Invoke-Vnc: Invoke-Vnc executes a VNC agent in-memory and initiates a reverse connection, or binds to a specified port. Password authentication is supported.
https://github.com/artkond/Invoke-Vnc -
mimikittenz: mimikittenz is a post-exploitation powershell tool that utilizes the Windows function ReadProcessMemory() in order to extract plain-text passwords from various target processes.
mimikittenz can also easily extract other kinds of juicy info from target processes using regex patterns including but not limited to:
TRACK2 (CreditCard) data from merchant/POS processes
PII data
Encryption Keys & All the other goodstuff
note: This tool is targeting running process memory address space, once a process is killed it’s memory ‘should’ be cleaned up and inaccessible however there are some edge cases in which this does not happen.
https://github.com/putterpanda/mimikittenz
-
NetRipper: It is a post exploitation tool targeting Windows systems which uses API hooking in order to intercept network traffic and encryption related functions from a low privileged user, being able to capture both plain-text traffic and encrypted traffic before encryption/after decryption.
https://github.com/NytroRST/NetRipper -
https://github.com/xorrior/RandomPS-Scripts
-
SessionGopher: SessionGopher is a PowerShell tool that finds and decrypts saved session information for remote access tools. It has WMI functionality built in so it can be run remotely. Its best use case is to identify systems that may connect to Unix systems, jump boxes, or point-of-sale terminals.
SessionGopher works by querying the HKEY_USERS hive for all users who have logged onto a domain-joined box at some point. It extracts PuTTY, WinSCP, SuperPuTTY, FileZilla, and RDP saved session information. It automatically extracts and decrypts WinSCP, FileZilla, and SuperPuTTY saved passwords. When run in Thorough mode, it also searches all drives for PuTTY private key files (.ppk) and extracts all relevant private key information, including the key itself, as well as for Remote Desktop (.rdp) and RSA (.sdtid) files.
https://github.com/fireeye/SessionGopher
- mimipenguin: A tool to dump the login password from the current linux desktop user. Adapted from the idea behind the popular Windows tool mimikatz.
https://github.com/huntergregal/mimipenguin