# External Recon & Enum Principles
- External recon can serve many functions:
  - Validating info provided in the scoping document
  - Ensuring we are taking actions against the appropriate scope when working remotely
  - Looking for any info that is publicly accessible, such as leaked credentials
  - We are essentially attempting to get the lay of the land, i.e. to understand the target better
- What are we looking for in this phase?
|**Data Point**|**Description**|
|---|---|
|`IP Space`|Valid ASN for our target, netblocks in use for the organization's public-facing infrastructure, cloud presence and the hosting providers, DNS record entries, etc.|
|`Domain Information`|Based on IP data, DNS, and site registrations. Who administers the domain? Are there any subdomains tied to our target? Are there any publicly accessible domain services present? (Mailservers, DNS, Websites, VPN portals, etc.) Can we determine what kind of defenses are in place? (SIEM, AV, IPS/IDS in use, etc.)|
|`Schema Format`|Can we discover the organization's email accounts, AD usernames, and even password policies? Anything that will give us information we can use to build a valid username list to test external-facing services for password spraying, credential stuffing, brute forcing, etc.|
|`Data Disclosures`|For data disclosures we will be looking for publicly accessible files ( .pdf, .ppt, .docx, .xlsx, etc. ) for any information that helps shed light on the target. For example, any published files that contain `intranet` site listings, user metadata, shares, or other critical software or hardware in the environment (credentials pushed to a public GitHub repo, the internal AD username format in the metadata of a PDF, for example.)|
|`Breach Data`|Any publicly released usernames, passwords, or other critical information that can help an attacker gain a foothold.|
- Where are we looking?
|**Resource**|**Examples**|
|---|---|
|`ASN / IP registrars`|[IANA](https://www.iana.org/), [arin](https://www.arin.net/) for searching the Americas, [RIPE](https://www.ripe.net/) for searching in Europe, [BGP Toolkit](https://bgp.he.net/)|
|`Domain Registrars & DNS`|[Domaintools](https://www.domaintools.com/), [PTRArchive](http://ptrarchive.com/), [ICANN](https://lookup.icann.org/lookup), manual DNS record requests against the domain in question or against well known DNS servers, such as `8.8.8.8`.|
|`Social Media`|Searching Linkedin, Twitter, Facebook, your region's major social media sites, news articles, and any relevant info you can find about the organization.|
|`Public-Facing Company Websites`|Often, the public website for a corporation will have relevant info embedded. News articles, embedded documents, and the "About Us" and "Contact Us" pages can also be gold mines.|
|`Cloud & Dev Storage Spaces`|[GitHub](https://github.com/), [AWS S3 buckets & Azure Blob storage containers](https://grayhatwarfare.com/), [Google searches using "Dorks"](https://www.exploit-db.com/google-hacking-database)|
|`Breach Data Sources`|[HaveIBeenPwned](https://haveibeenpwned.com/) to determine if any corporate email accounts appear in public breach data, [Dehashed](https://www.dehashed.com/) to search for corporate emails with cleartext passwords or hashes we can try to crack offline. We can then try these passwords against any exposed login portals (Citrix, RDS, OWA, O365, VPN, VMware Horizon, custom applications, etc.) that may use AD authentication.|
- Example usage `BGP toolkit`
![[images/Pasted image 20251029160715.png]]
- Example usage `viewdns.info`
![[images/Pasted image 20251029160954.png]]
![[images/Pasted image 20251029160936.png]]
- Example usage `nslookup` against inlanefreight.com and its nameservers ![[images/Pasted image 20251029192911.png]]
- Example usage Google dorks
  - Looking for PDFs ![[images/Pasted image 20251029192420.png]]
  - Looking for email addresses ![[images/Pasted image 20251029192527.png]]
- [linkedin2username](https://github.com/initstring/linkedin2username) can be used to scrape a company's LinkedIn page to harvest users
- [Dehashed](http://dehashed.com/) can be used to hunt for cleartext credentials and password hashes in breach data
# Initial Enum of the Domain
- Key data points to discover:
|**Data Point**|**Description**|
|---|---|
|`AD Users`|We are trying to enumerate valid user accounts we can target for password spraying.|
|`AD Joined Computers`|Key Computers include Domain Controllers, file servers, SQL servers, web servers, Exchange mail servers, database servers, etc.|
|`Key Services`|Kerberos, NetBIOS, LDAP, DNS|
|`Vulnerable Hosts and Services`|Anything that can be a quick win. ( a.k.a an easy host to|
- Initial goals:
  - Identify internal hosts and services
  - Identify host roles (e.g., IP address for the DC, MSSQL host, etc.)
  - Identify users and groups
  - Identify the password policy to avoid lockouts
## Host Discovery
- Passive host discovery:
  - Look at ARP and mDNS packets for hosts using one of these tools:
    - `sudo -E wireshark`
    - `sudo tcpdump -i <interface>`
    - `sudo responder -I <interface> -A`
- Active host discovery:
  - `fping -asgq 172.16.5.0/23` to check a whole subnet ![[images/Pasted image 20251029201709.png]]
  - `sudo nmap -v -A -iL hosts.txt -oN output.txt` to specify an input file with hosts to scan
## Host Enum
- Run `nmap` scans ![[images/Pasted image 20251029201912.png]]![[images/Pasted image 20251029201928.png]]![[images/Pasted image 20251029201940.png]]
## User Discovery
- `Kerbrute` is one option for domain account enumeration
- Takes advantage of the fact that Kerberos pre-authentication failures often will not trigger logs or alerts
- Use `Kerbrute` in conjunction with the `jsmith.txt` or `jsmith2.txt` user lists from [Insidetrust](https://github.com/insidetrust/statistically-likely-usernames)
```bash
# Compile the kerbrute binaries - this is the best option during an engagement
sudo git clone https://github.com/ropnop/kerbrute.git
cd kerbrute
make help        # shows compilation options
sudo make all    # creates Windows, Linux, and macOS binaries under dist/
ls dist/
./dist/kerbrute_linux_amd64   # shows the options menu
echo $PATH       # shows directories in $PATH
sudo mv dist/kerbrute_linux_amd64 /usr/local/bin/kerbrute   # move kerbrute to a directory in $PATH
# Enumerate domain users with the jsmith.txt user list against the DC, saving valid accounts to a file
kerbrute userenum -d INLANEFREIGHT.LOCAL --dc 172.16.5.5 jsmith.txt -o valid_ad_users
```
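As an added defender-side example (not from these notes or from the Kerbrute project), the script below parses constructed Windows Security event 4768 records and flags a source address that issues many unknown-principal (result code 0x6) TGT requests in a short window, which is the footprint a `kerbrute userenum` run leaves on the DC when Kerberos authentication service auditing is enabled. The flattened log line format, IP addresses, and account names are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows Security event 4768 (Kerberos TGT requested)
# records, flattened to one line each. A Kerbrute userenum run sends AS-REQs
# without pre-authentication: an unknown account yields ResultCode 0x6
# (KDC_ERR_C_PRINCIPAL_UNKNOWN), a valid one 0x19 (KDC_ERR_PREAUTH_REQUIRED).
SAMPLE_4768 = """\
2025-10-29T20:01:01 EventID=4768 Account=jsmith ClientAddress=::ffff:172.16.5.225 ResultCode=0x19
2025-10-29T20:01:01 EventID=4768 Account=jdoe ClientAddress=::ffff:172.16.5.225 ResultCode=0x6
2025-10-29T20:01:02 EventID=4768 Account=asmith ClientAddress=::ffff:172.16.5.225 ResultCode=0x6
2025-10-29T20:01:02 EventID=4768 Account=bjones ClientAddress=::ffff:172.16.5.225 ResultCode=0x6
2025-10-29T20:01:03 EventID=4768 Account=mwhite ClientAddress=::ffff:172.16.5.225 ResultCode=0x6
2025-10-29T20:01:03 EventID=4768 Account=kgreen ClientAddress=::ffff:172.16.5.225 ResultCode=0x6
2025-10-29T20:05:00 EventID=4768 Account=htb-student ClientAddress=::ffff:172.16.5.50 ResultCode=0x0
2025-10-29T20:05:30 EventID=4768 Account=htb-studnet ClientAddress=::ffff:172.16.5.50 ResultCode=0x6
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=4768 Account=(?P<user>\S+) "
    r"ClientAddress=(?:::ffff:)?(?P<ip>[\d.]+) ResultCode=(?P<code>0x[0-9a-fA-F]+)$"
)

def parse_4768(text):
    """Yield (timestamp, account, source_ip, result_code) for each 4768 line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield (datetime.fromisoformat(m["ts"]), m["user"].lower(),
                   m["ip"], int(m["code"], 16))

def detect_userenum(text, window=timedelta(seconds=60), threshold=5):
    """Return {source_ip: distinct_unknown_accounts} for every source that
    produces >= threshold distinct unknown-principal (0x6) failures within
    one sliding window. A single typo from a workstation stays below it."""
    failures = defaultdict(list)
    for ts, user, ip, code in parse_4768(text):
        if code == 0x6:
            failures[ip].append((ts, user))
    alerts = {}
    for ip, events in failures.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            names = {u for t, u in events[i:] if t - start <= window}
            if len(names) >= threshold:
                alerts[ip] = len(names)
                break
    return alerts
```

Valid accounts probed by the same run show up as 0x19 rather than 0x6, so correlating both codes from one source gives a fuller picture of what the scan learned.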
- The local system account `NT AUTHORITY\SYSTEM` is a built-in account in Windows operating systems
- `NT AUTHORITY\SYSTEM` has the highest level of access in the OS and is used to run most Windows services
- A `SYSTEM` account on a `domain-joined` host will be able to enumerate Active Directory by impersonating the computer account, which is essentially just another kind of user account
- Thus having SYSTEM-level access within a domain environment is nearly equivalent to having a domain user account
- Ways to gain SYSTEM-level access on a host include, but are not limited to:
  - Remote Windows exploits such as MS08-067, EternalBlue, or BlueKeep.
  - Abusing a service running in the context of the `SYSTEM` account, or abusing the service account's `SeImpersonate` privilege using [Juicy Potato](https://github.com/ohpe/juicy-potato). This type of attack is possible on older Windows OSes but not always possible with Windows Server 2019.
  - Local privilege escalation flaws in Windows operating systems such as the Windows 10 Task Scheduler 0-day.
  - Gaining admin access on a domain-joined host with a local account and using `PsExec` to launch a SYSTEM cmd window.
- By gaining SYSTEM-level access on a domain-joined host, you will be able to perform actions such as, but not limited to:
  - Enumerate the domain using built-in tools or offensive tools such as `BloodHound` and `PowerView`
  - Perform Kerberoasting / ASREPRoasting attacks within the same domain
  - Run tools such as Inveigh to gather Net-NTLMv2 hashes or perform SMB relay attacks
  - Perform token impersonation to hijack a privileged domain user account
  - Carry out ACL attacks