Save a packet capture:
tcpdump -i <interface> -s0 -w pcapfile.pcap
Press Ctrl-C to stop after about 5 minutes. Read the capture back (-n keeps tcpdump from doing name lookups) and look for interesting protocols:
tcpdump -n -r pcapfile.pcap 'not host <host IP address> and not arp'
Do you see LLMNR and NetBIOS (NBNS)? Responder and SMB relay. DHCPv6 Solicit broadcasts? mitm6 and ntlmrelayx. Make a note of the domain name found in the pcap; you will need it in the later Recon steps.
Do you see routing protocols? If yes, scp the pcap over to your system and open it in Wireshark. OSPF is a good example: hellos should only appear on links to other routers, not on user subnet interfaces. Cisco OSPF defaults to null (no) authentication and, unless an interface is made passive, speaks on every interface matched by the network statement, so hellos on a user subnet mean anyone on that segment could form an adjacency and inject routes. Check the Auth Type field in the hello; the fix is passive-interface on user-facing ports plus authentication on the links that genuinely need OSPF.
Tcpdump filter for DHCPv6: tcpdump -i eth0 -n -vv '(udp port 546 or 547) or icmp6'
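The capture triage above, as an added example (not part of the original notes): a stdlib-only Python script that reads a classic pcap and counts the four indicators this checklist keys on (LLMNR udp/5355, NBNS udp/137, DHCPv6 udp/546-547, OSPF IP protocol 89), with a constructed sample capture so it runs offline. It walks the Ethernet/IPv4/IPv6/UDP headers itself, so it works on a jump host without tcpdump or scapy; the sample frames, addresses and the next-step strings are assumptions, and pcapng or VLAN-tagged captures are not handled.

```python
"""Triage a pcap for LLMNR, NBNS, DHCPv6 and OSPF using only the stdlib.

Classic pcap with Ethernet link type only (no pcapng, no VLAN tags).
Usage: python3 pcap_triage.py pcapfile.pcap   (no argument: constructed sample)
"""
import struct
import sys
from collections import Counter

ETH_IPV4, ETH_IPV6, ETH_ARP = 0x0800, 0x86DD, 0x0806
PROTO_UDP, PROTO_OSPF = 17, 89
# Indicator -> what this checklist does next (assumed wording, not from the notes).
NEXT_STEP = {
    "LLMNR": "Responder, then ntlmrelayx (SMB relay)",
    "NBNS": "Responder, then ntlmrelayx (SMB relay)",
    "DHCPv6": "mitm6 with ntlmrelayx",
    "OSPF": "open in Wireshark; check the Auth Type field in the hellos",
}


def iter_frames(pcap: bytes):
    """Yield raw link-layer frames from a classic (libpcap) capture."""
    magic = struct.unpack("<I", pcap[:4])[0]
    if magic in (0xA1B2C3D4, 0xA1B23C4D):      # usec / nsec timestamps, little-endian
        end = "<"
    elif magic in (0xD4C3B2A1, 0x4D3CB2A1):    # same, big-endian
        end = ">"
    else:
        raise ValueError("not a classic pcap (pcapng is not supported here)")
    if struct.unpack(end + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet (LINKTYPE_ETHERNET) captures are handled")
    off = 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(end + "IIII", pcap[off:off + 16])[2]
        off += 16
        yield pcap[off:off + incl_len]
        off += incl_len


def classify(frame: bytes):
    """Return the indicator name for one Ethernet frame, or None if uninteresting."""
    if len(frame) < 14:
        return None
    ethertype = struct.unpack("!H", frame[12:14])[0]
    l3 = frame[14:]
    if ethertype == ETH_IPV4 and len(l3) >= 20:
        proto = l3[9]
        l4 = l3[(l3[0] & 0x0F) * 4:]            # skip IHL*4 bytes of header
    elif ethertype == ETH_IPV6 and len(l3) >= 40:
        proto = l3[6]                           # Next Header; extension headers not walked
        l4 = l3[40:]
    else:
        return None                             # ARP and everything else
    if proto == PROTO_OSPF:
        return "OSPF"
    if proto == PROTO_UDP and len(l4) >= 8:
        ports = set(struct.unpack("!HH", l4[:4]))
        if 5355 in ports:
            return "LLMNR"
        if 137 in ports:
            return "NBNS"
        if ports & {546, 547}:
            return "DHCPv6"
    return None


def triage(pcap: bytes) -> dict:
    """Map each indicator seen to (packet count, suggested next step)."""
    counts = Counter(c for c in map(classify, iter_frames(pcap)) if c)
    return {name: (n, NEXT_STEP[name]) for name, n in counts.items()}


# --- constructed sample capture (not real traffic) -------------------------
def _eth(ethertype, payload):
    return b"\xff" * 6 + b"\x00\x11\x22\x33\x44\x55" + struct.pack("!H", ethertype) + payload


def _ipv4(proto, payload):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       bytes([10, 0, 0, 5]), bytes([10, 0, 0, 255])) + payload


def _ipv6(next_header, payload):
    src = b"\xfe\x80" + b"\x00" * 13 + b"\x01"                 # fe80::1
    dst = b"\xff\x02" + b"\x00" * 10 + b"\x00\x01\x00\x02"      # ff02::1:2 (DHCPv6 servers/relays)
    return struct.pack("!IHBB16s16s", 0x60000000, len(payload), next_header, 64, src, dst) + payload


def _udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def sample_pcap() -> bytes:
    """Two NBNS queries, one LLMNR query, one DHCPv6 Solicit, one OSPF hello, one ARP."""
    frames = [
        _eth(ETH_IPV4, _ipv4(PROTO_UDP, _udp(137, 137, b"\x00" * 12))),
        _eth(ETH_IPV4, _ipv4(PROTO_UDP, _udp(137, 137, b"\x00" * 12))),
        _eth(ETH_IPV4, _ipv4(PROTO_UDP, _udp(51000, 5355, b"\x00" * 12))),
        _eth(ETH_IPV6, _ipv6(PROTO_UDP, _udp(546, 547, b"\x01\x00\x00\x00"))),
        _eth(ETH_IPV4, _ipv4(PROTO_OSPF, b"\x02\x01" + b"\x00" * 22)),
        _eth(ETH_ARP, b"\x00" * 28),
    ]
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    records = b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)
    return header + records


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else sample_pcap()
    for name, (n, step) in sorted(triage(data).items()):
        print(f"{name:7s} {n:5d} packets -> {step}")
```

Run it against the pcapfile.pcap from the capture step; a non-zero OSPF count on a user VLAN is the case the note above tells you to inspect in Wireshark.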
fierce -d <domain.name>
amass -ip -active -d example.com (amass v3 and later moved this under the enum subcommand: amass enum -ip -active -d example.com)
With credentials:
Install: pip install git+https://github.com/dirkjanm/adidnsdump#egg=adidnsdump
Enumerate: adidnsdump -r -u <domain>\\<username> <DC>
apt install avahi-utils
avahi-browse -a -v -r
Start in Analyze mode (passive)
./Responder.py -I <interface> -A
Do you see any obvious honeypot systems? If yes, add them to DontRespondTo in Responder.conf before switching to an active attack.
Do you see LLMNR and NetBIOS (NBNS)? If yes, proceed to SMB Relaying.
If no, check your packet capture for DHCPv6 Solicit messages. If found, proceed to SMB Relaying (via mitm6 and ntlmrelayx).
First you'll need the domain name; you should be able to find it in the tcpdump output.
Next, find the domain controllers from the LDAP SRV record and try a null session against each one:
nslookup -type=srv _ldap._tcp.<domain.name> | grep ldap | cut -d ' ' -f 6 | sed 's/\.$//g' > domaincontrollers.txt
while read -r line; do echo "$line" && rpcclient -U "" -N "$line" -c enumdomusers; done < domaincontrollers.txt | tee nullsession.out
Also, enum4linux has a lot of useful features if null sessions are allowed here (-P prints the password and lockout policy):
enum4linux -a [DC IP Address]
If you get usernames, grep them out of the output. If you don't get credentials through other methods, use the list to password spray, but spraying shouldn't be your first effort to gain credentials. Hopefully you asked for the client's password policy (lockout threshold and observation window) during the kickoff call so you can stay under the threshold and avoid locking out users; note that getdompwinfo below only reports length and complexity, not lockout settings.
Once you have credentials, run the CrackMapExec gpp_password and gpp_autologon modules against a DC to search for passwords in Group Policy Preferences (the cpassword AES key is public, so any hit is a cleartext password).
Interactive:
rpcclient -U "DOMAIN/username%password" <domaincontroller name/IP>
Common rpcclient commands (append to the above command):
-c dsr_enumtrustdom
-c enumdomains
-c enumdomusers
-c enumdomgroups
-c getdompwinfo
Windapsearch: https://github.com/ropnop/windapsearch (has a nice feature that shows Domain Admins reached through nested groups, which 'net group "Domain Admins" /domain' does not show because it lists only direct members)