
VPN Pentest Questions

RocketRacoon
RAM
User
Registered: 27.05.2022
Messages: 120
Reactions: 15
Deal guarantor: 2
Hey guys, hope you are doing well. I'm here with some quick questions...

Let's say we play with this scenario:
I have successfully logged into a VPN session...
Scanned and identified the DC, domain, workstations, DBs etc. With the user and password from the VPN I ran an SMB scan with crackmapexec and got access to one machine in the domain and one in the workstation...
image attached

What's the next step?
What are your suggestions?

Scanned for BlueKeep and EternalBlue; just one vuln with BlueKeep but no success!
It's not vuln to Zerologon...

Any recommendations on how to keep going?

Thanks in advance
 
I always work with VPN access; it's the most fun thing for me.

The first thing you would do is continue enumeration and collect as much info as possible, such as:
Users: for more password spraying.
Computers: check if there are RDP ports running on the system, or any other port that lets you connect, such as with impacket-psexec, wmiexec, impacket-smbclient and more...
Policies: make sure you won't get locked out from too much brute forcing (use the options --continue-on-success, --no-bruteforce).
Low-hanging fruit: check for vulns in the network itself.
Those are simple examples; there are many more ways.

If you have access to one of the computers, the first thing you do is enumeration: check where you are and who you are. And if there are any other IPs in the network range which have SMB running, check the network shares for possible files and more.


I recommend you check this mindmap; it might help you a lot: https://orange-cyberdefense.github.io/ocd-mindmaps/img/pentest_ad_dark_2023_02.svg

If you have any more questions, you can always send me a message.
 
Man, if the forum allowed two likes, I'd give you two for this link!

Thanks from the bottom of my heart for such systematic material!
 
and got access into one machine in the domain and one in the workstation.
Based on what you said, the only way into the net so far is through VPN. So first of all you have to set up persistence on this PC you got access to, otherwise you may lose access to this corp.
This is good material and may help you. As there is a DC in the net, the most important thing is to get DA as soon as possible, so that you can log in to any host, switch, router and whatever is an AD member.

In addition to that, I would check network traffic, routing and ARP tables, as well as established connections on the hosts you get access to.

Keep in mind that AD basically works with the following protocols: Kerberos, LDAP, DNS and NTP. Therefore try to get as much information as you can, like DNS zone transfers, AD enumeration and entity relationships. Always remember pass-the-hash and pass-the-ticket.

NAS and SAN are always welcome since they usually hold many files such as VM disks, databases and so on.

Be stealthy, patient and work hard )))
 