Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/praetorian-inc/pentestly
Python and Powershell internal penetration testing framework
https://github.com/praetorian-inc/pentestly
Last synced: 22 days ago
JSON representation
Python and Powershell internal penetration testing framework
- Host: GitHub
- URL: https://github.com/praetorian-inc/pentestly
- Owner: praetorian-inc
- License: gpl-3.0
- Archived: true
- Created: 2016-02-16T14:24:23.000Z (almost 9 years ago)
- Default Branch: master
- Last Pushed: 2016-02-22T14:01:00.000Z (almost 9 years ago)
- Last Synced: 2024-08-05T17:41:28.063Z (4 months ago)
- Language: Python
- Homepage:
- Size: 3.24 MB
- Stars: 716
- Watchers: 92
- Forks: 154
- Open Issues: 3
-
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
- awesome-hacking-lists - praetorian-inc/pentestly - Python and Powershell internal penetration testing framework (Python)
README
# Pentestly
Pentestly is a combination of expanding Python tools for use in penetration tests. The goal is to utilize a familiar user interface while making contributions to the framework easy with the power of Python.
Blog post: [Pentestly Framework: When Pentesting Meets Python and Powershell](https://www.praetorian.com/blog/pentestly-framework-when-pentesting-meets-python-and-powershell)
Author: [@ctfhacker](https://twitter.com/ctfhacker) / Cory Duplantis
# Demo
[![asciicast](https://asciinema.org/a/3grjnat1nrs7lvti5kdjhcg9h.png)](https://asciinema.org/a/3grjnat1nrs7lvti5kdjhcg9h)
# Current features
* Import NMAP XML
* Test SMB authentication using:
- individual credentials
- file containing credentials
- null credentials
- NTLM hash
* Test local administrator privileges for successful SMB authentication
* Identify readable SMB shares for valid credentials
* Store Domain/Enterprise Admin account names
* Determine location of running Domain Admin processes
* Determine systems of logged in Domain Admins
* Execute Powershell commands in memory and exfil results
* Execute Mimikatz to gather plaintext password from memory ([Invoke-Mimikatz.ps1](https://github.com/clymb3r/PowerShell/tree/master/Invoke-Mimikat://github.com/PowerShellMafia/PowerSploit))
* Receive a command shell ([Powercat](https://github.com/besimorhino/powercat))
* Receive a meterpreter session ([Invoke-Shellcode.ps1](https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/CodeExecution/Invoke-Shellcode.ps1))# Shoulders of Giants
Pentestly stands on the shoulders of giants. Below are the current tools utilized in Pentestly:
* [recon-ng](https://bitbucket.org/LaNMaSteR53/recon-ng) - Backend database for recon-ng is beautifully made and leveraged in Pentestly for data manipulation
* [wmiexec.py](https://github.com/CoreSecurity/impacket/blob/master/examples/wmiexec.py) - Allows us to execute Powershell commands quickly and easily via WMI
* [smbmap.py](https://github.com/ShawnDEvans/smbmap) - Useful utility for enumerating SMB shares
* [Invoke-Mimikatz.ps1](https://github.com/clymb3r/PowerShell/blob/master/Invoke-Mimikatz/Invoke-Mimikatz.ps1) - Implementation of Mimikatz in Powershell
* [powercat.ps1](https://github.com/besimorhino/powercat) - Netcat-esque functionality in Powershell
* [Invoke-Shellcode.ps1](https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/CodeExecution/Invoke-Shellcode.ps1) - Deploy Meterpreter in Powershell* [CrackMapExec](https://github.com/byt3bl33d3r/CrackMapExec) - Source of inspiration for the simple Mimikatz server in Pentestly
# Install
```
git clone https://github.com/praetorian-inc/pentestly.git
./install.sh
./pentestly
```# Usage
Let's walk through several functions currently implemented.
## Change workspace
```
[pentestly][default] > workspaces list+------------+
| Workspaces |
+------------+
| default |
+------------+[pentestly][default] > workspaces add project
[pentestly][project] > workspaces select project
```## Load from nmap
```
[pentestly][project][nmap_xml] > load nmap
[pentestly][project][nmap_xml] > set filename /root/PROJECT/full-all-alive.xml
FILENAME => /root/PROJECT/full-all-alive.xml
[pentestly][project][nmap_xml] > show optionsName Current Value Required Description
-------- ------------- -------- -----------
FILENAME /root/PROJECT/full-all-alive.xml yes Path and filename for nmap XML input[pentestly][project][nmap_xml] > run
```## Test logins
Use file with creds to test login
```
[pentestly][project][login] > cat /tmp/creds
[*] Command: cat /tmp/creds
user1 pass1
user2 pass2
[pentestly][project][login] > load login
[pentestly][project][login] > set userpass_file /tmp/creds
USERPASS_FILE => /tmp/creds
[pentestly][project][login] > set username ''
USERNAME => ''
[pentestly][project][login] > set password ''
PASSWORD => ''
[pentestly][project][login] > run
```Use single username password
```
[pentestly][project][login] > load login
[pentestly][project][login] > set username admin
USERNAME => admin
[pentestly][project][login] > set password password
PASSWORD => password
[pentestly][project][login] > set userpass_file ''
USERPASS_FILE => ''
[pentestly][project][login] > run
```Use credentials over a small subset of IPs
i.e. over the 192.168.8.0/24 found in the table
```
[pentestly][project][login] > load login
[pentestly][project][login] > set username admin
USERNAME => admin
[pentestly][project][login] > set password password
PASSWORD => password
[pentestly][project][login] > set userpass_file ''
USERPASS_FILE => ''
[pentestly][project][login] > run
[pentestly][project][login] > set source query select * from pentestly_creds where host like '192.168.8.%'
```## Gather Domain and Enterprise admins
```
[pentestly][project][login] > load get_domain # Notice fuzzy searching - get_domain finds get_domain_admin_names
[pentestly][project][get_domain_admin_names] > show optionsName Current Value Required Description
------ ------------- -------- -----------
SOURCE default yes source of input (see 'show info' for details)[pentestly][project][get_domain_admin_names] > run
[*] Found Domain Admin: domain\admin1
[*] Found Domain Admin: domain\admin2
```## Run mimikatz over IPs with executable rights
```
[pentestly][default][get_domain_admin_names] > load mimi
[pentestly][default][mimikatz] > run
Select local interface for hosting scripts0. 127.0.0.1
1. 10.220.8.94
2. 172.27.67.14
> 1[*] Execution creds: domain\Admin:[email protected]
[*] Success! Admin.DA:p@$$w0rd - DOMAIN ADMIN!
```## Show local admins
```
[pentestly][default][show_local_admins] > load show_local_admins
[pentestly][default][show_local_admins] > run+---------------------------------------------------------------------------------------------------------------+
| host | access | username | password | domain | process | logged_in | success | execute | module |
+---------------------------------------------------------------------------------------------------------------+
| 10.202.208.112 | | nsportsman | password1! | zojix | | | True | True | login |
+---------------------------------------------------------------------------------------------------------------+
```## Show domain admins
```
[pentestly][default][show_domain_admins] > load show_domain_admins
[pentestly][default][show_domain_admins] > run+--------------------------------------------------------------------------------------------------------------------------+
| host | access | username | password | domain | process | logged_in | success | execute | module |
+--------------------------------------------------------------------------------------------------------------------------+
| 10.202.208.112 | Domain Admin | TheRealDA | | zojix | | | True | True | login |
+--------------------------------------------------------------------------------------------------------------------------+
```## Enumshares
```
[pentestly][default] > load enums
[pentestly][default][enumshares] > run
[*] Execution creds: workgroup\Administrator:[email protected]
defaultdict(, {'readonly': [u'ADMIN$', u'C', u'C$', u'Users'], 'noaccess': [u'IPC$']})
```## Show new shares
```
[pentestly][default][interesting_files] > show pentestly_shares+------------------------------------------------------------------------------------------------+
| rowid | host | username | readwrite | readonly | noaccess | module |
+-------------------------------------------------------------------------------------------------+
| 1 | 192.168.224.252 | Administrator | | ADMIN$,C,C$,Users | IPC$ | enumshares |
+-------------------------------------------------------------------------------------------------+
```## Find/Download interesting files
```
[pentestly][default][interesting_files] > show optionsName Current Value Required Description
------- ------------- -------- -----------
PATTERN (Groups.xml|Services.xml|Printers.xml|Drives.xml|DataSources.xml|ScheduledTasks.xml|unattend|important|passw|backup|setup).*[^dll][^exe]$ yes Regex pattern to look for in filenames
SOURCE default yes source of input (see 'show info' for details)
```Can change the `pattern` to something a bit more specialized
```
[pentestly][default][interesting_files] > set pattern important.txt|super_secret
PATTERN => important.txt|super_secret
[pentestly][default][interesting_files] > show optionsName Current Value Required Description
------- ------------- -------- -----------
PATTERN important.txt|super_secret yes Regex pattern to look for in filenames
SOURCE default yes source of input (see 'show info' for details)
```Execute and download found files
```
[pentestly][default][interesting_files] > run
[*] Administrator
[*] Execution creds: workgroup\Administrator:[email protected]
[+] Match found! Downloading: Users\Administrator\Desktop\important.txt.txt
192.168.224.252-Users_Administrator_Desktop_important.txt.txt
[+] Match found! Downloading: Users\Administrator\Desktop\super_secret.txt
192.168.224.252-Users_Administrator_Desktop_super_secret.txt
```# Contributing
Creating new modules is easy in Pentestly. Begin with the code provided in `skeleton.py`:
```
from libs.pentestlymodule import PentestlyModuleclass Module(PentestlyModule):
meta = {
'name': 'Your module name goes here',
'author': 'Developer name goes here',
'description': 'Description of the module goes here',
'query': 'SQL QUERY whose result is passed to your module',
'options': (
('Option1', 'Default Value', Required-True/False, 'Description of option'),
),
}def module_pre(self):
# Optional
# Happens before your moduledef module_run(self, data):
# Required
# data is the result from the SQL query set in the options
### Few magic functions
# self.query - Perform an SQL query on the internal database
results = self.query("select * from pentestly_creds")
# self.output - print default information to the user
self.output("Performed an SQL query")
self.output(results)# self.alert - print successful message to the user
self.success("Yay! We performed successful work")def module_post(self):
# Optional
# Happens after your module
```The key points here are to fill the `meta` dict with the corresponding information as well as the `module_run` function for module functionality.
This script is then placed in the `modules/` folder or in your personal `~/.pentestly/modules` folder for portability.
Stay tuned for a detailed example script explanation in the coming weeks.
# TODO
* Implement `secretsdump.py` module
* Add utility functions for database queries similar to `creds`, `services`
* Rework draw_table function to have fixed width columns
* Import credentials from [Gladius](https://github.com/praetorian-inc/gladius)
* Implement GPP password search and decrypt module
* Look into utilizing Invoke-Shellcode# Changelog
0.1.0 (2016-02-18)
------------------
Initial release