πŸ”Initial Enumeration

Basic Enumeration

We should begin by doing an external reconnaissance of the target. This can include identifying potential leaks and breaches of data.

We can attempt to get usernames and even credentials from many sources, ranging from GitHub repos to leaked documents.

Our main goal is to understand the target and look for every possible avenue we can find.

What to Look For

The main data points to search for are listed below.

IP Space: Valid ASN for our target, netblocks in use for the organization's public-facing infrastructure, cloud presence and the hosting providers, DNS record entries, etc.

Domain Information: Based on IP data, DNS, and site registrations. Who administers the domain? Are there any subdomains tied to our target? Are there any publicly accessible domain services present (mail servers, DNS, websites, VPN portals, etc.)? Can we determine what kind of defenses are in place (SIEM, AV, IPS/IDS in use, etc.)?

Schema Format: Can we discover the organization's email accounts, AD usernames, and even password policies? Anything that gives us information we can use to build a valid username list to test external-facing services for password spraying, credential stuffing, brute forcing, etc.

Data Disclosures: Publicly accessible files (.pdf, .ppt, .docx, .xlsx, etc.) containing any information that helps shed light on the target, for example published files that contain intranet site listings, user metadata, shares, or other critical software or hardware in the environment (credentials pushed to a public GitHub repo, or the internal AD username format in the metadata of a PDF).

Breach Data: Any publicly released usernames, passwords, or other critical information that can help an attacker gain a foothold.

Where to Look

ASN / IP registrars: IANA, ARIN for searching the Americas, RIPE for searching in Europe, BGP Toolkit.

Domain Registrars & DNS: Domaintools, PTRArchive, ICANN, manual DNS record requests against the domain in question or against well-known DNS servers such as 8.8.8.8.

Social Media: Searching LinkedIn, Twitter, Facebook, your region's major social media sites, news articles, and any relevant info you can find about the organization.

Public-Facing Company Websites: Often, the public website for a corporation will have relevant info embedded. News articles, embedded documents, and the "About Us" and "Contact Us" pages can also be gold mines.

Breach Data Sources: HaveIBeenPwned to determine if any corporate email accounts appear in public breach data; Dehashed to search for corporate emails with cleartext passwords or hashes we can try to crack offline. We can then try these passwords against any exposed login portals (Citrix, RDS, OWA, O365, VPN, VMware Horizon, custom applications, etc.) that may use AD authentication.

Finding Address Spaces

We can use sites like https://bgp.he.net/ to find what address blocks are assigned to an organization. All we need to provide is a domain or IP and the toolkit will search for any results.

DNS

We can use the sites https://whois.domaintools.com/ and https://viewdns.info/ to validate our scope and discover reachable hosts the client may not have disclosed.

Public Data

Social media and job listing sites can reveal a lot about a company, from how it is organized to the programming languages it uses and even usernames. User credentials are sometimes left hardcoded in a project, and that project may be visible to us in a public GitHub repo or an exposed cloud storage bucket.

Tools like https://github.com/trufflesecurity/truffleHog and https://buckets.grayhatwarfare.com/ are great options for helping us find these.

Hunting for Extra Information

We can try to use Google to find files and emails with a few different dorks:

filetype:pdf inurl:victim.com

intext:"@victim.com" inurl:victim.com

Harvesting Usernames

We can scrape data from a company's LinkedIn page and create a list of usernames that we can use for password spraying. We can use the following tool to achieve this: https://github.com/initstring/linkedin2username

Credential Hunting

http://dehashed.com/ is a tool for finding cleartext credentials and password hashes from breached data.

Initial Enumeration of Domain

Below are some key data points we should be focusing on and adding to our notes whenever we can.

Key Data Points

AD Users: We are trying to enumerate valid user accounts we can target for password spraying.

AD Joined Computers: Key computers include Domain Controllers, file servers, SQL servers, web servers, Exchange mail servers, database servers, etc.

Key Services: Kerberos, NetBIOS, LDAP, DNS

Vulnerable Hosts and Services: Anything that can be a quick win (a.k.a. an easy host to exploit and gain a foothold).

Identifying Hosts

If our host has a GUI, we can use Wireshark to start capturing traffic; otherwise we can use programs like tcpdump or net-creds. It's always a good idea to save the .pcap file for later use or for inclusion in a written report.

sudo -E wireshark
sudo tcpdump -i ens224

Responder

A tool used to listen for, analyze and poison LLMNR, NBT-NS and mDNS requests and responses.

Starting in analyze mode, we should be able to see some unique hosts appear; these are worth noting down for later use.

sudo responder -I ens224 -A
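The same protocol behaviour gives the defender a detection handle: a legitimate host only ever answers LLMNR queries for its own name, while a poisoner answers for every name it sees. The following Python example (added here, not code from the original page or from the Responder project) parses constructed LLMNR response packets built with the DNS-like header layout from RFC 4795 and flags any source that answers for several unrelated names; it assumes plain labels with no compression pointers, and the sample addresses and hostnames are constructed.

```python
import struct
from collections import defaultdict

QR_BIT = 0x8000  # header flag set on responses (same header layout as DNS, RFC 4795)

def encode_name(name):
    return b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"

def decode_name(buf, off):
    # Plain labels only: assumes no DNS compression pointers (true for our sample packets)
    labels = []
    while buf[off]:
        n = buf[off]
        labels.append(buf[off + 1:off + 1 + n].decode())
        off += 1 + n
    return ".".join(labels), off + 1

def parse_llmnr(payload):
    """Return (is_response, queried_name, [IPv4 answers]) for one LLMNR UDP payload."""
    _tid, flags, _qd, an, _ns, _ar = struct.unpack("!6H", payload[:12])
    name, off = decode_name(payload, 12)
    off += 4  # skip QTYPE and QCLASS of the question section
    ips = []
    for _ in range(an):
        _, off = decode_name(payload, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", payload[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:  # A record
            ips.append(".".join(str(b) for b in payload[off:off + 4]))
        off += rdlen
    return bool(flags & QR_BIT), name, ips

def build_response(name, ip, tid=0x1234):
    """Constructed LLMNR A-record response used as sample input (not a live capture)."""
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    answer = encode_name(name) + struct.pack("!HHIH", 1, 1, 30, 4) + bytes(int(x) for x in ip.split("."))
    return struct.pack("!6H", tid, QR_BIT, 1, 1, 0, 0) + question + answer

def find_poisoners(events, threshold=3):
    """events: (src_ip, payload). Flags sources answering LLMNR for >= threshold distinct names."""
    names = defaultdict(set)
    for src, payload in events:
        is_resp, name, ips = parse_llmnr(payload)
        if is_resp and ips:
            names[src].add(name.lower())
    return {src: sorted(n) for src, n in names.items() if len(n) >= threshold}

# Constructed sample: 10.0.0.66 answers three mistyped hostnames, 10.0.0.20 only its own name
SAMPLE = [
    ("10.0.0.66", build_response("filesrvr", "10.0.0.66")),
    ("10.0.0.66", build_response("wpad", "10.0.0.66")),
    ("10.0.0.66", build_response("prnt01", "10.0.0.66")),
    ("10.0.0.20", build_response("ws-finance-07", "10.0.0.20")),
]
```

On a real network the `events` list would be fed from a capture of UDP port 5355 traffic, such as the .pcap saved in the previous step.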

FPing Active Checks

Fping is similar to ping in that it uses ICMP echo requests and replies to reach out to a host; the difference is that fping can run against multiple hosts at once.

We can use the following flags:

  • -a to show targets that are alive

  • -s to print stats

  • -g to generate a target list from the CIDR network

  • -q to not show per-target results

fping -asgq IP/CIDR

Nmap Scanning

With a list of active targets, we can now enumerate them further with Nmap.

sudo nmap -v -A -iL hosts.txt -oN /home/user/host-enum

We should be on the lookout for outdated operating systems, as they have the potential for older exploits such as EternalBlue, MS08-067, etc.

Identifying Users

Our next step is to find a way to obtain a domain user account or SYSTEM-level access on a domain-joined host so we can gain a foothold.

Kerbrute - Internal AD Username Enumeration

Kerbrute can be a stealthier option for domain account enumeration; it takes advantage of the fact that Kerberos pre-authentication failures will not trigger logs or alerts.

We can use Kerbrute along with user lists from https://github.com/insidetrust/statistically-likely-usernames such as jsmith.txt or jsmith2.txt.

Install

sudo git clone https://github.com/ropnop/kerbrute.git
cd kerbrute
sudo make all

## list binaries
ls dist/

cd dist/
./kerbrute_linux_amd64

## add to PATH
sudo mv kerbrute_linux_amd64 /usr/local/bin/kerbrute

User Enumeration with Kerbrute

kerbrute userenum -d INLANEFREIGHT.LOCAL --dc 172.16.5.5 jsmith.txt -o valid_ad_users
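From the defender's side, this technique is not invisible: when the domain controller's "Audit Kerberos Authentication Service" policy is enabled, every TGT request is recorded as Security Event 4768, and requests for accounts that do not exist carry result code 0x6 (KDC_ERR_C_PRINCIPAL_UNKNOWN). The Python example below (added here, not code from the original page or the Kerbrute project) runs a simple detection over constructed, simplified 4768 records: it flags any client IP that produces many distinct unknown-principal failures within a short window, which is the trace a wordlist-driven userenum leaves and a single user mistyping their name does not. The log format, timestamps and addresses are constructed sample values.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, simplified renderings of Security Event 4768 (TGT requested) in the form
# "time|event_id|account|client_ip|result_code". Real events arrive as EVTX/XML; only
# parse_4768() needs to change to read those. Addresses and names are sample values.
SAMPLE_LOG = """\
2024-03-01T09:00:01|4768|jsmith|172.16.5.225|0x0
2024-03-01T09:00:02|4768|aarnold|172.16.5.130|0x6
2024-03-01T09:00:02|4768|bbaker|172.16.5.130|0x6
2024-03-01T09:00:03|4768|ccarter|172.16.5.130|0x6
2024-03-01T09:00:03|4768|dduncan|172.16.5.130|0x6
2024-03-01T09:00:04|4768|eevans|172.16.5.130|0x6
2024-03-01T09:00:04|4768|jsmith|172.16.5.130|0x19
2024-03-01T09:05:00|4768|tsmith|172.16.5.90|0x6
""".splitlines()

PRINCIPAL_UNKNOWN = "0x6"  # KDC_ERR_C_PRINCIPAL_UNKNOWN: the requested account does not exist
# 0x19 (KDC_ERR_PREAUTH_REQUIRED) is what an existing account returns; 0x0 is success.

def parse_4768(line):
    ts, eid, account, ip, result = line.strip().split("|")
    return datetime.fromisoformat(ts), int(eid), account.lower(), ip, result

def detect_user_enum(lines, threshold=5, window=timedelta(seconds=60)):
    """Return {client_ip: distinct_unknown_accounts} for every client that requested TGTs
    for at least `threshold` different non-existent accounts within `window`."""
    by_ip = defaultdict(list)  # client_ip -> [(time, account)] for unknown-principal failures
    for line in lines:
        ts, eid, account, ip, result = parse_4768(line)
        if eid == 4768 and result == PRINCIPAL_UNKNOWN:
            by_ip[ip].append((ts, account))
    alerts = {}
    for ip, events in by_ip.items():
        events.sort()
        for i, (start, _) in enumerate(events):  # slide a window over each client's failures
            names = {acct for ts, acct in events[i:] if ts - start <= window}
            if len(names) >= threshold:
                alerts[ip] = len(names)
                break
    return alerts

if __name__ == "__main__":
    for ip, count in detect_user_enum(SAMPLE_LOG).items():
        print(f"possible username enumeration from {ip}: {count} unknown accounts within 60s")
```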
