- This test will be simulated on an "assumed breach" pentest where the attacker is already inside the network
- This is a common way that a client prefers an assessment
Others include:
- SSH'ing into their environment via bastion/jump host
- Physically present in the office with a laptop plugged into an ethernet port
- VDI
- Enumerate the internal network
- Identify hosts
- Critical services
- Potential opportunities for a foothold
Note: This can include active and passive measures to identify users, hosts, and vulnerabilities we may be able to take advantage of to further our access
- Be sure to document all findings for later use!!!
- We will start from the Linux attack host without domain user credentials (it is common to start off this way because it provides a more realistic approach)
- It is common for the customer to provide you with access to a domain-joined host or a set of credentials for the network to expedite testing and allow us to cover as much ground as possible
AD Users:
- We are trying to enumerate VALID user accounts we can target for password spraying
AD Joined Computers:
- Identify Domain Controllers, File Servers, SQL Servers, Web Servers, Exchange Mail Servers, DB Servers, etc.
Key Services:
- Kerberos, NetBIOS, LDAP, and DNS
Vulnerable Hosts & Services:
- Can any of our findings result in a quick win?
- A.K.A. Low-hanging fruit
Phase 1: Passive identification of hosts
Phase 2: Active validation of the results to learn more about these hosts
- What services are running, names, vulnerabilities, etc.
Once we know what hosts exist, we can probe them and attempt to extract useful information from them
- Hopefully, we can find a pair of credentials somewhere in order to leverage our access in the network
- What can we see on the network?
Tools: Wireshark or TCPdump
TCPdump:
sudo tcpdump -i tun0
- We can see lots of ARP traffic from existing hosts in the network
- We can now use Responder to listen, analyze, and poison LLMNR, NBT-NS, and mDNS requests and responses
Syntax:
sudo responder -I ens224 -A
- Be sure to record all hosts that are detected in these outputs!
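Passive capture only tells you about hosts that happened to talk while you were listening, so it pays to turn the tcpdump ARP output into a host inventory rather than eyeballing it. The script below is an added example, not part of the original notes: it parses `tcpdump -n` style ARP lines (the sample capture is constructed, with made-up addresses), records only hosts that actually spoke (senders of requests and responders of replies, never the "who-has" target, which may not exist), and renders the result as the contents of a hosts.txt file in the format the later fping/Nmap steps consume.

```python
import ipaddress
import re

# Constructed sample of `tcpdump -n -i tun0` output; addresses and MACs are made up.
SAMPLE_TCPDUMP = """\
14:02:11.103822 ARP, Request who-has 172.16.5.5 tell 172.16.5.25, length 46
14:02:11.104015 ARP, Reply 172.16.5.5 is-at 00:50:56:b9:4d:ab, length 46
14:02:12.551203 ARP, Request who-has 172.16.5.130 tell 172.16.5.25, length 46
14:02:13.000417 ARP, Request who-has 172.16.5.25 tell 172.16.5.130, length 46
14:02:13.000880 ARP, Reply 172.16.5.25 is-at 00:50:56:b9:11:22, length 46
14:02:14.221009 IP 172.16.5.25.49213 > 172.16.5.5.389: Flags [S], seq 1, win 64240, length 0
14:02:15.772931 ARP, Reply 172.16.5.5 is-at 00:50:56:b9:4d:ab, length 46
"""

# "who-has <target> tell <sender>": only the sender is known to exist.
ARP_REQUEST = re.compile(r"ARP, Request who-has (?P<target>\S+) tell (?P<sender>\S+),")
# "<ip> is-at <mac>": the replying host exists and we learn its MAC.
ARP_REPLY = re.compile(r"ARP, Reply (?P<ip>\S+) is-at (?P<mac>[0-9a-f:]{17}),")


def parse_arp(lines):
    """Build {ip: set(macs)} from tcpdump lines; non-ARP lines are ignored.

    An IP that was only ever the target of a request is deliberately left out,
    because unanswered requests do not prove a host is there.
    """
    inventory = {}
    for line in lines:
        reply = ARP_REPLY.search(line)
        if reply:
            inventory.setdefault(reply["ip"], set()).add(reply["mac"])
            continue
        request = ARP_REQUEST.search(line)
        if request:
            # Sender is alive, but a request line does not carry its MAC.
            inventory.setdefault(request["sender"], set())
    return inventory


def to_hosts_txt(inventory):
    """Render the inventory as hosts.txt content: one IP per line, numeric order."""
    ordered = sorted(inventory, key=ipaddress.ip_address)
    return "".join(ip + "\n" for ip in ordered)


if __name__ == "__main__":
    inv = parse_arp(SAMPLE_TCPDUMP.splitlines())
    for ip in sorted(inv, key=ipaddress.ip_address):
        print(ip, ",".join(sorted(inv[ip])) or "(mac unknown)")
    print(to_hosts_txt(inv), end="")
```

Feed it a real capture with `sudo tcpdump -n -i tun0 arp | python3 arp_inventory.py` (reading stdin instead of the constructed sample) and merge the result with the fping sweep from the next section; the two methods cover different gaps, since fping misses hosts that drop ICMP and passive capture misses hosts that stay quiet.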
- FPing works like the ping utility (it still uses ICMP echo requests) to verify connectivity between hosts
- The difference is that FPing can send those ICMP requests to many IP addresses at once, generated from a CIDR range or read from a list
Active Hosts:
FPing Flags:
- -a: Show alive targets
- -s: Print stats at the end of the scan
- -g: Generate a target list from the CIDR network
- -q: do not show per-target results; quiet mode
Syntax:
fping -asgq 172.16.5.0/23
1. Gather a list of live hosts with FPing
fping -asgq 172.16.5.0/23
2. Place the live hosts in hosts.txt
3. Run Nmap against hosts.txt
sudo nmap -sV -sC -iL hosts.txt -oN host-enum
{% embed url="https://github.com/ropnop/kerbrute/releases/tag/v1.0.3" %} Pre-compiled binaries {% endembed %}
- wget one of the precompiled binaries
- Add the tool to your path variable
echo $PATH
sudo mv kerbrute_linux_amd64 /usr/local/bin/kerbrute
- You can now type kerbrute and it will execute from anywhere on the system
Enumerating Users with Kerbrute:
kerbrute userenum -d INLANEFREIGHT.LOCAL --dc 172.16.5.5 jsmith.txt -o valid_ad_users
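From the domain controller's side, Kerbrute's user enumeration does not look like a normal logon failure: it sends AS-REQs, so the DC logs Event ID 4768 (TGT requested) and, for usernames that do not exist, a failure result code of 0x6 (KDC_ERR_C_PRINCIPAL_UNKNOWN) rather than the 4625 logon-failure events that most brute-force rules key on. The following is an added detection example, not part of the original notes or of the kerbrute project: it runs over a constructed, flattened rendering of 4768 events (the field layout `EventID=... Account=... Client=... Result=...` is an assumption for the sample, not the real Windows XML) and flags any client that asks the KDC for many distinct non-existent principals within a short window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of DC Security log events flattened to one line each.
# Hosts, accounts and times are made up; 0x6 = KDC_ERR_C_PRINCIPAL_UNKNOWN.
SAMPLE_EVENTS = """\
2024-03-01T09:15:01 EventID=4768 Account=jsmith Client=172.16.5.25 Result=0x0
2024-03-01T09:15:02 EventID=4768 Account=asmith Client=172.16.5.25 Result=0x6
2024-03-01T09:15:02 EventID=4768 Account=bjones Client=172.16.5.25 Result=0x6
2024-03-01T09:15:03 EventID=4768 Account=cwhite Client=172.16.5.25 Result=0x6
2024-03-01T09:15:03 EventID=4768 Account=dgreen Client=172.16.5.25 Result=0x6
2024-03-01T09:15:04 EventID=4768 Account=eblack Client=172.16.5.25 Result=0x6
2024-03-01T09:15:04 EventID=4768 Account=fbrown Client=172.16.5.25 Result=0x6
2024-03-01T09:15:05 EventID=4771 Account=jsmith Client=172.16.5.25 Result=0x18
2024-03-01T10:40:12 EventID=4768 Account=jsmtih Client=172.16.5.130 Result=0x6
2024-03-01T10:40:20 EventID=4768 Account=jsmith Client=172.16.5.130 Result=0x0
"""

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<id>\d+) Account=(?P<acct>\S+) "
    r"Client=(?P<ip>\S+) Result=(?P<code>0x[0-9A-Fa-f]+)$"
)


def detect_user_enum(lines, threshold=5, window=timedelta(seconds=60)):
    """Return {client_ip: max_distinct_unknown_accounts} for clients that
    requested TGTs for at least `threshold` different non-existent principals
    inside any `window`-long span. Other event IDs and result codes are ignored.
    """
    per_client = defaultdict(list)
    for line in lines:
        m = EVENT_RE.match(line.strip())
        if not m or m["id"] != "4768" or m["code"].lower() != "0x6":
            continue
        per_client[m["ip"]].append((datetime.fromisoformat(m["ts"]), m["acct"].lower()))

    alerts = {}
    for ip, events in per_client.items():
        events.sort()
        best = 0
        start = 0
        # Sliding window over time-ordered events; count distinct names inside it.
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = len({acct for _, acct in events[start:end + 1]})
            best = max(best, distinct)
        if best >= threshold:
            alerts[ip] = best
    return alerts


if __name__ == "__main__":
    for ip, count in detect_user_enum(SAMPLE_EVENTS.splitlines()).items():
        print(f"possible Kerberos user enumeration from {ip}: {count} unknown principals")
```

The threshold and window are the tunable part: a single mistyped username (the 172.16.5.130 client in the sample) should never fire, while a wordlist run produces dozens of distinct unknown principals per second from one source. Note that 4768 auditing ("Audit Kerberos Authentication Service") must be enabled on the DCs for these events to exist at all.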