What's the first thing you do after obtaining elevated privileges on an organization's network? Look for the gold – the valuable data!

While there are a lot of tools and methodologies that support obtaining elevated privileges during a penetration test, there is still a lot of room for tools that assist with looking for valuable data once this level of access is obtained. In this blog post, I'd like to discuss Leprechaun, a new tool to assist with post-exploitation.

Why Leprechaun?

During many of my penetration test engagements, it's usually only a matter of time before I obtain at least some level of elevated privileges, allowing me to enumerate systems and services within the internal environment. One of my personal favorite tools is BloodHound, which helps you quickly identify privilege escalation paths and works great. However, during a black box penetration test, we don't know what the network actually looks like and need to conduct as much reconnaissance as possible to build out a network diagram, identify valuable servers and resources, map out data points, etc. Leprechaun assists with this process.

How it Works

Using a tool such as Josh Stone's routehunter, or any other process/tool that can recursively run netstat on multiple hosts, you can feed that output to Leprechaun and get a visual representation of the data flow (or network connections) within the environment.

Using the command and arguments ./leprechaun.rb -f results.txt -p all, you can quickly parse the netstat results into the following graph:

Sample output from Leprechaun

In a really large network environment, being able to quickly map out what exactly is going on can save you a lot of time. From the output above, you can quickly (and very easily) deduce that the system residing at 192.12.70.50 is a pretty important one. Therefore, you'd want to focus your attention on this system and determine what exactly is going on there.

Furthermore, if you'd prefer a text output, you can use the same command as above and get the following results:

[root:vonahisec-kali:~/test]# ./leprechaun.rb -f results.txt -p all

 [*] Completed! Graph output file located at: ./network_diagram.png

+---------------+-----------------------------+----------------------------------+
| Server        | Number of connected clients | Highest traffic destination port |
+---------------+-----------------------------+----------------------------------+
| 192.12.70.50  | 21                          | 57488/tcp (1 clients)            |
| 192.12.80.115 | 5                           | 64216/tcp (1 clients)            |
| 192.12.70.71  | 4                           | 80/tcp (4 clients)               |
| 192.12.206.48 | 3                           | 5555/tcp (3 clients)             |
| 192.12.71.90  | 2                           | 50471/tcp (1 clients)            |
| 192.12.70.18  | 2                           | 443/tcp (2 clients)              |
| 192.12.70.45  | 1                           | 445/tcp (1 clients)              |
| 192.12.70.40  | 1                           | 50958/tcp (1 clients)            |
| 192.12.70.16  | 1                           | 64744/tcp (1 clients)            |
| 192.12.70.15  | 1                           | 1688/tcp (1 clients)             |
+---------------+-----------------------------+----------------------------------+

In some cases, this can get very complex depending on the network size and the number of established connections within the environment. It could look like this:

Displaying all destination ports

So, if you'd like just a specific port, replace all in the argument above with a specific port, such as 80, or a comma-separated list such as 80,443,8080, and you get the following output and chart:

[root:vonahisec-kali:~/test]# ./leprechaun.rb -f results.txt -p 80

 [*] Completed! Graph output file located at: ./network_diagram.png

+--------------+-----------------------------+----------------------------------+
| Server       | Number of connected clients | Highest traffic destination port |
+--------------+-----------------------------+----------------------------------+
| 192.12.70.71 | 4                           | 80/tcp (4 clients)               |
+--------------+-----------------------------+----------------------------------+
Output for port 80/tcp

And lastly, if you're interested in just "common" ports, you can use the hardcoded list of ports or modify it to your own liking. Here's an example of looking at common ports.

[root:vonahisec-kali:~/Downloads/test]# ./leprechaun.rb -f netstat.txt -p common

 [*] Completed! Graph output file located at: ./network_diagram.png

+--------------+-----------------------------+----------------------------------+
| Server       | Number of connected clients | Highest traffic destination port |
+--------------+-----------------------------+----------------------------------+
| 192.12.70.71 | 4                           | 80/tcp (4 clients)               |
| 192.12.70.18 | 2                           | 443/tcp (2 clients)              |
| 192.12.70.45 | 1                           | 445/tcp (1 clients)              |
+--------------+-----------------------------+----------------------------------+
Displaying only clients that are connected to well-known ports

If you're curious what a netstat file that Leprechaun can parse looks like, it is simply a number of lines in the normal format you'd get from netstat, shown below (IPv4 only):

TCP    192.168.19.25:445       192.168.80.115:64216    ESTABLISHED
TCP    192.168.19.25:445       192.168.80.115:64924    ESTABLISHED
TCP    192.168.19.58:445       192.168.80.115:64923    ESTABLISHED
TCP    192.168.81.10:445       192.168.80.115:64933    ESTABLISHED
TCP    192.168.81.31:445       192.168.80.115:64938    ESTABLISHED
TCP    192.168.19.222:49319    192.168.70.15:1688      ESTABLISHED
TCP    192.168.8.176:1433      192.168.70.16:64744     ESTABLISHED
TCP    192.168.18.128:55276    192.168.70.18:443       ESTABLISHED
TCP    192.168.81.31:59387     192.168.70.18:443       ESTABLISHED
TCP    192.168.81.46:50115     192.168.70.40:50958     ESTABLISHED
TCP    192.168.81.47:63280     192.168.70.45:445       ESTABLISHED
TCP    192.168.81.47:63280     192.168.70.45:445       ESTABLISHED
TCP    192.168.81.47:63280     192.168.70.45:445       ESTABLISHED
TCP    192.168.10.177:49154    192.168.70.50:57488     ESTABLISHED
TCP    192.168.10.178:49154    192.168.70.50:57491     ESTABLISHED
TCP    192.168.10.179:49154    192.168.70.50:57489     ESTABLISHED
TCP    192.168.10.181:135      192.168.70.50:57741     ESTABLISHED
TCP    192.168.10.181:49154    192.168.70.50:57490     ESTABLISHED
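To make the table semantics from the earlier examples and this netstat format concrete, here is an added Ruby example (my own illustration, not Leprechaun's source) that parses aggregated netstat lines, applies an all/common/port-list filter like the -p argument, and builds the per-server summary table. Its assumptions are inferred from the sample data above: the foreign address/port of each line is treated as the "server" and the local address as the "client", a client is counted once per distinct (client ip, server ip, server port) tuple so identical repeated lines collapse to one, and the COMMON_PORTS list is a hypothetical stand-in for the tool's own hardcoded list.

```ruby
#!/usr/bin/env ruby
# Added illustration, not Leprechaun's code: parse IPv4 netstat output of the
# form "TCP local:port foreign:port ESTABLISHED" and build a per-server summary.
# Assumption: the foreign endpoint is the "server", the local address the
# "client"; one client per distinct (client ip, server ip, server port) tuple.

# Hypothetical "common" list; Leprechaun's own hardcoded list may differ.
COMMON_PORTS = [21, 22, 23, 25, 53, 80, 88, 135, 139, 389, 443, 445, 636,
                1433, 1521, 3306, 3389, 5432, 5985, 8080].freeze

ENDPOINT = /(\d{1,3}(?:\.\d{1,3}){3}):(\d+)/

# Returns unique [client_ip, server_ip, server_port] triples in first-seen order.
def parse_netstat(text)
  seen = {}
  text.each_line do |line|
    next unless line.include?("ESTABLISHED")
    pairs = line.scan(ENDPOINT)
    next unless pairs.length == 2          # need exactly a local and a foreign endpoint
    (client_ip, _client_port), (server_ip, server_port) = pairs
    seen[[client_ip, server_ip, server_port.to_i]] = true
  end
  seen.keys
end

# Normalise a -p style argument: :all / "all", :common / "common", or "80,443".
def port_filter(spec)
  case spec
  when :all, "all" then nil
  when :common, "common" then COMMON_PORTS
  when String then spec.split(",").map { |p| Integer(p.strip) }
  when Array then spec.map(&:to_i)
  else raise ArgumentError, "unsupported port spec #{spec.inspect}"
  end
end

# Rows of {server:, clients:, top_port:, top_port_clients:}, most clients first;
# ties keep first-seen order so the output is deterministic.
def summarize(connections, ports: :all)
  allowed = port_filter(ports)
  per_server = {}                         # server_ip => { server_port => client count }
  connections.each do |_client, server, port|
    next if allowed && !allowed.include?(port)
    per_server[server] ||= Hash.new(0)
    per_server[server][port] += 1
  end
  rows = per_server.each_with_index.map do |(server, by_port), idx|
    top_port, top_count = nil, 0
    by_port.each { |port, n| top_port, top_count = port, n if n > top_count } # first max wins
    { server: server, clients: by_port.values.sum,
      top_port: top_port, top_port_clients: top_count, order: idx }
  end
  rows.sort_by { |r| [-r[:clients], r[:order]] }.each { |r| r.delete(:order) }
end

# Render the same ASCII table layout the post shows.
def render_table(rows)
  header = ["Server", "Number of connected clients", "Highest traffic destination port"]
  body = rows.map do |r|
    [r[:server], r[:clients].to_s, "#{r[:top_port]}/tcp (#{r[:top_port_clients]} clients)"]
  end
  widths = header.each_index.map { |i| ([header] + body).map { |row| row[i].length }.max }
  rule = "+" + widths.map { |w| "-" * (w + 2) }.join("+") + "+"
  fmt = ->(row) { "|" + row.each_with_index.map { |c, i| " #{c.ljust(widths[i])} " }.join("|") + "|" }
  [rule, fmt.(header), rule, *body.map(&fmt), rule].join("\n")
end

# Constructed sample input: the netstat excerpt from the post.
SAMPLE = <<~NETSTAT
  TCP    192.168.19.25:445       192.168.80.115:64216    ESTABLISHED
  TCP    192.168.19.25:445       192.168.80.115:64924    ESTABLISHED
  TCP    192.168.19.58:445       192.168.80.115:64923    ESTABLISHED
  TCP    192.168.81.10:445       192.168.80.115:64933    ESTABLISHED
  TCP    192.168.81.31:445       192.168.80.115:64938    ESTABLISHED
  TCP    192.168.19.222:49319    192.168.70.15:1688      ESTABLISHED
  TCP    192.168.8.176:1433      192.168.70.16:64744     ESTABLISHED
  TCP    192.168.18.128:55276    192.168.70.18:443       ESTABLISHED
  TCP    192.168.81.31:59387     192.168.70.18:443       ESTABLISHED
  TCP    192.168.81.46:50115     192.168.70.40:50958     ESTABLISHED
  TCP    192.168.81.47:63280     192.168.70.45:445       ESTABLISHED
  TCP    192.168.81.47:63280     192.168.70.45:445       ESTABLISHED
  TCP    192.168.81.47:63280     192.168.70.45:445       ESTABLISHED
  TCP    192.168.10.177:49154    192.168.70.50:57488     ESTABLISHED
  TCP    192.168.10.178:49154    192.168.70.50:57491     ESTABLISHED
  TCP    192.168.10.179:49154    192.168.70.50:57489     ESTABLISHED
  TCP    192.168.10.181:135      192.168.70.50:57741     ESTABLISHED
  TCP    192.168.10.181:49154    192.168.70.50:57490     ESTABLISHED
NETSTAT

if __FILE__ == $0
  puts render_table(summarize(parse_netstat(SAMPLE), ports: :common))
end
```

Running the script prints only the 443 and 445 rows, matching the "common" filter shown above. One caveat worth keeping in mind when reading the output: netstat does not tell you which side initiated the connection, so a line where a host's 1433 port appears on the local side is a SQL server, not a client, even though this server/client convention puts it in the "client" column. Treat the table as a triage aid and confirm what a host actually runs before drawing conclusions.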

Conclusion

The last thing you want to do while on-site is spend hours hunting through data, trying to learn the network. While you can sometimes ask your primary point of contact for useful information, quickly learning the network on your own can demonstrate a lot of value to your customer.

We've used similar techniques to locate important Database Management Systems in the past and were eventually able to obtain other credentials, such as Microsoft SQL Server service accounts, by locating SQL clients and servers. This may also be useful for identifying other important resources, such as file servers, intranets, application servers, and more.

Leprechaun can be obtained at the following GitHub repository: https://github.com/vonahi-security/leprechaun

Reach out to us on Twitter (@vonahi_security) if you have any questions!