How to: Execute passive internal recon during continuous penetration testing
When we begin continuous penetration testing in a new network, we don't want to draw attention to our presence.
For one thing, we may be able to obtain credentials without doing anything intrusive at all. To do that, we use packet captures and some external tooling. Below, we break down how to do it, along with a few of our favorite tools you can use.
Sniff The Network
To start a packet capture from the terminal, do the following on your dropbox:
Create a 'screen' session so the capture keeps running after you disconnect:
screen -S pcap
Start the network capture for eight hours (28800 seconds). The filter excludes your own SSH management traffic and the dropbox's own address so the file only holds what other hosts are sending:
timeout 28800 tcpdump -i $IFACE -w $DATE-capture.pcap not port 22 and not host $YOURIP
Let it run for however long you would like. We recommend you run it for the full first workday when starting a network penetration test.
We’ve listed a few tools you can use on your host or local machine for testing. Doing all analysis on your local host provides a bit more flexibility and access to the Wireshark GUI.
Prebellico is a great tool for mapping a network and extracting sensitive information from pcap files. Run the command below to extract information from the packet capture shown above.
PCredz does similar things to Prebellico but also has some extra regular-expression credential extraction features. Installing it can be cumbersome, so feel free to use the commands below to get it installed on Debian-based distributions (python-libpcap is a PCredz dependency, so the package is installed first and the repository cloned afterwards).
dpkg -i python-libpcap_0.6.4-1_amd64.deb
git clone https://github.com/lgandx/PCredz.git
Use PCredz to extract data from the pcap file collected earlier (the output is both shown on screen and saved through tee):
./Pcredz -f file-to-parse.pcap | tee $DATE-pcredz.txt
NTLM (DCE-RPC, HTTP, SQL, LDAP, etc.), Kerberos (AS-REQ pre-auth etype 23), HTTP Basic, SNMP, POP, SMTP, FTP and IMAP credentials and hashes will be printed to stdout and saved to the file.
Why use termshark? The tool’s creator says it best:
"If you're debugging on a remote machine with a large pcap and no desire to scp it back to your desktop, termshark can help!"
termshark lets you analyze pcap files in the terminal through an ncurses-like interface. Install termshark with the commands below. tshark is the only system package needed; the Go libraries tcell and gowid that termshark depends on are fetched automatically by go install.
apt install tshark
go install github.com/gcla/termshark/v2/cmd/termshark@latest
To read a capture file into termshark, use the command below.
termshark -r $PCAPFILE
Look for the following during analysis with termshark:
DHCPv6 broadcasts (mitm6)
NETBIOS / LLMNR broadcasts (Responder)
Internal webservers with plaintext login forms
Peak user activity timeframes
Knowing this ahead of time keeps you from attempting attacks that would not have worked in the first place and would only have generated noise on the network.
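The checks in that list can be scripted so the first pass over an eight-hour capture is mechanical rather than a manual scroll through termshark. The following is an added example, not code from the original post and not part of Prebellico, PCredz or termshark: a small pure-Python triage script that walks a classic libpcap file, counts LLMNR and NBT-NS name-resolution broadcasts, DHCPv6 client solicitations and plaintext HTTP form logins, and buckets frames by hour of day so peak-activity windows stand out. The port numbers are the standard ones for those protocols. The sample packets at the bottom are constructed inside the script rather than taken from a real capture, and the small pcap writer exists only so the example runs offline; against a real file you would call `triage(open(path, "rb").read())`.

```python
"""Passive pcap triage for the indicators listed above (added example, not from the post).

Parses classic libpcap files with an Ethernet link type and counts LLMNR/NBT-NS
broadcasts, DHCPv6 client solicits and plaintext HTTP logins, plus activity per hour.
"""
import struct
from collections import Counter

LLMNR_PORT = 5355          # UDP, multicast 224.0.0.252 / ff02::1:3
NBNS_PORT = 137            # UDP, NetBIOS name service broadcasts
DHCPV6_SERVER_PORT = 547   # UDP, clients send Solicit to ff02::1:2
HTTP_PORTS = {80, 8080}
PASSWORD_FIELDS = (b"password=", b"passwd=", b"pass=")


def iter_pcap(data):
    """Yield (timestamp, frame_bytes) for each record of an in-memory libpcap file."""
    magic = data[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic libpcap file (pcapng is not handled here)")
    offset = 24  # skip the 24-byte global header
    while offset + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[offset:offset + 16])
        offset += 16
        yield ts_sec + ts_usec / 1e6, data[offset:offset + incl_len]
        offset += incl_len


def parse_frame(frame):
    """Return (l4_proto, sport, dport, payload) for Ethernet + IPv4/IPv6 + UDP/TCP, else None."""
    if len(frame) < 14:
        return None
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == 0x0800:                      # IPv4: header length from IHL
        proto, l4 = frame[23], frame[14 + (frame[14] & 0x0F) * 4:]
    elif ethertype == 0x86DD:                    # IPv6: fixed 40-byte header, no extension headers
        proto, l4 = frame[20], frame[54:]
    else:
        return None                              # VLAN-tagged or non-IP frames are skipped
    if len(l4) < 8:
        return None
    sport, dport = struct.unpack("!HH", l4[:4])
    if proto == 17:                              # UDP: 8-byte header
        return "udp", sport, dport, l4[8:]
    if proto == 6 and len(l4) >= 20:             # TCP: header length from the data offset nibble
        return "tcp", sport, dport, l4[(l4[12] >> 4) * 4:]
    return None


def triage(data):
    """Count the indicators of interest and frames per hour of day (UTC)."""
    findings, hours = Counter(), Counter()
    for ts, frame in iter_pcap(data):
        hours[int(ts // 3600 % 24)] += 1
        parsed = parse_frame(frame)
        if parsed is None:
            continue
        proto, _sport, dport, payload = parsed
        if proto == "udp" and dport == LLMNR_PORT:
            findings["llmnr_query"] += 1
        elif proto == "udp" and dport == NBNS_PORT:
            findings["nbns_query"] += 1
        elif proto == "udp" and dport == DHCPV6_SERVER_PORT:
            findings["dhcpv6_client"] += 1
        elif proto == "tcp" and dport in HTTP_PORTS and payload.startswith(b"POST "):
            body = payload.split(b"\r\n\r\n", 1)[-1].lower()   # form body after the headers
            if any(field in body for field in PASSWORD_FIELDS):
                findings["http_plaintext_login"] += 1
    return findings, hours


def peak_hour(hours):
    """Busiest hour of day (UTC) in the capture, or None for an empty capture."""
    return max(hours, key=hours.get) if hours else None


# --- Constructed sample traffic (not a real capture) ---------------------------
def _ipv4(proto, src, dst, l4):
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0, src, dst)
    return b"\xff" * 6 + b"\x02" * 6 + b"\x08\x00" + ip + l4

def _udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

def _tcp(sport, dport, payload):   # 20-byte header, PSH|ACK, no options
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload

def _ipv6_udp(src, dst, sport, dport, payload):
    udp = _udp(sport, dport, payload)
    ip6 = struct.pack("!IHBB16s16s", 0x60000000, len(udp), 17, 64, src, dst)
    return b"\x33\x33\x00\x01\x00\x02" + b"\x02" * 6 + b"\x86\xdd" + ip6 + udp

def build_pcap(records):
    """Serialize (timestamp, frame) pairs as a little-endian libpcap 2.4 file, link type 1."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, frame in records:
        out += struct.pack("<IIII", int(ts), int(ts % 1 * 1e6), len(frame), len(frame)) + frame
    return out

HOST, BCAST, LLMNR_MC, WEB = b"\x0a\x00\x00\x05", b"\x0a\x00\x00\xff", b"\xe0\x00\x00\xfc", b"\x0a\x00\x00\x50"
T0 = 1_700_000_000  # 2023-11-14 22:13:20 UTC; constructed timestamps
SAMPLE_PCAP = build_pcap([
    (T0 + 10, _ipv4(17, HOST, LLMNR_MC, _udp(51000, LLMNR_PORT, b"\x12\x34" + b"\x00" * 10))),
    (T0 + 11, _ipv4(17, HOST, BCAST, _udp(NBNS_PORT, NBNS_PORT, b"\x00" * 12))),
    (T0 + 12, _ipv6_udp(b"\xfe\x80" + b"\x00" * 13 + b"\x05", b"\xff\x02" + b"\x00" * 11 + b"\x01\x00\x02",
                        546, DHCPV6_SERVER_PORT, b"\x01\x00\x00\x00")),
    (T0 + 3605, _ipv4(6, HOST, WEB, _tcp(52000, 80, b"POST /login HTTP/1.1\r\nHost: intranet\r\n\r\n"
                                                    b"user=alice&password=CONSTRUCTED"))),
    (T0 + 3606, _ipv4(6, HOST, WEB, _tcp(52001, 80, b"GET /index.html HTTP/1.1\r\nHost: intranet\r\n\r\n"))),
])

if __name__ == "__main__":
    findings, hours = triage(SAMPLE_PCAP)
    for name, count in sorted(findings.items()):
        print(f"{name}: {count}")
    print("peak hour (UTC):", peak_hour(hours))
```

The script deliberately stays narrow: it reads classic pcap only (tcpdump's default output), ignores VLAN-tagged frames and IPv6 extension headers, and reports counts rather than the captured credentials themselves, which is what you want from a first pass that decides whether Responder-style or mitm6-style attacks are even viable on this segment. Anything it does not classify is what you open termshark for.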