🦹‍♂️Initial Enumeration

What Are We Looking For?

In an initial enumeration, we are looking for key items that could help us later on such as:

IP Space -> Cloud presence, DNS records, valid ASN etc...

Domain Information -> Who administers the domain? Are there any subdomains tied to our target? Are there any publicly accessible domain services present? (Mailservers, DNS, Websites, VPN portals, etc.) What defenses are in place?

Schema Format -> password policies, username policies, email accounts, AD usernames etc...

Data Disclosures -> publicly accessible files ( .pdf, .ppt, .docx, .xlsx, etc. ), credentials pushed to a public GitHub repo etc...

Breached Data -> publicly released usernames, passwords, or other critical information

Where Are We Looking?

ASN / IP registrars -> RIPE for searching in Europe

Domain Registrars & DNS -> Domaintools, PTRArchive, ICANN or manual DNS record requests

Social media -> LinkedIn, Twitter, Facebook etc...

Public-Facing Company Websites -> The website of the target company can be a goldmine with an "About us" or "Contact Us" section

Cloud & Dev Storage Spaces -> GitHub, AWS S3 buckets & Azure Blob storage containers, Google searches using "Dorks"

Breach Data Sources -> HaveIBeenPwned to determine if any corporate email accounts appear in public breach data, Dehashed to search for corporate emails with cleartext passwords or hashes we can try to crack offline.


Finding Address Spaces

To research what address blocks are assigned to an organization and what ASN they reside within, the go-to tool is the BGP-Toolkit hosted by Hurricane Electric.

Finding more DNS

With domaintools and viewdns.info we can find reachable hosts the customer did not disclose in their scoping document and check whether any of them should indeed be included in the scope.

Example Enumeration Process

Let's imagine a light enumeration of the inlanefreight.com domain.

Check for ASN/IP & Domain Data

So we find some interesting information:

  • IP Address: 134.209.24.248

  • Mail Server: mail1.inlanefreight.com

  • Nameservers: NS1.inlanefreight.com & NS2.inlanefreight.com

Viewdns Results

This validates the IP address of our target. We can do some more for the enumeration part:

ElFelixio@htb[/htb]$ nslookup ns1.inlanefreight.com

Server:		192.168.186.1
Address:	192.168.186.1#53

Non-authoritative answer:
Name:	ns1.inlanefreight.com
Address: 178.128.39.165

ElFelixio@htb[/htb]$ nslookup ns2.inlanefreight.com
Server:		192.168.86.1
Address:	192.168.86.1#53

Non-authoritative answer:
Name:	ns2.inlanefreight.com
Address: 206.189.119.186

We now have two new IP addresses to add to our list for validation and testing.

Hunting For Files

We can use Google dorking for this hunting process:

filetype:pdf inurl:inlanefreight.com

Same for email addresses:

intext:"@inlanefreight.com" inurl:inlanefreight.com

Username & credential Harvesting

For username harvesting, we can use a tool such as linkedin2username to scrape data from a company's LinkedIn page and create various mashups of usernames.

For breached credentials, Dehashed is an excellent tool for hunting for cleartext credentials and password hashes.


Start of the domain enumeration

Here are some key data that we look for while enumerating the domain:

AD Users

Valid user accounts, which we can then target for password spraying.

AD Joined Computers

Key Computers include Domain Controllers, file servers, SQL servers, web servers, Exchange mail servers, database servers, etc.

Key Services

Kerberos, NetBIOS, LDAP, DNS

Vulnerable Hosts and Services

Anything that can be a quick win (a.k.a. an easy host to exploit and gain a foothold on).

Identifying Hosts

After connecting to my target via RDP with this command:

xfreerdp /v:10.129.119.234

I fire up Wireshark with the following:

sudo -E wireshark

and look at the ARP packets that go through the network.

Filtering for ARP packets and looking at the hosts involved, we find the following hosts:

172.16.5.5, 172.16.5.25, 172.16.5.50, 172.16.5.100, and 172.16.5.125.

We can also discover hosts from MDNS packets.

We could also use tcpdump to create a .pcap file and open it on our local machine.
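Added example (my own code, not part of the original notes): a pure-Python parser for a classic pcap file, such as one written with tcpdump, that pulls out every host that spoke ARP, which is the same list the Wireshark ARP filter above gives by eye. It builds a small constructed capture in memory (the IPs are the ones identified above; the MACs, timestamps and VLAN id are made up) so it runs offline. An ARP sender is a confirmed host; an address that was only asked about and never answered is kept apart as a lead, and ARP probes (sender 0.0.0.0) and 802.1Q-tagged frames are handled.

```python
import ipaddress
import struct

# Classic libpcap constants (the container tcpdump -w writes).
PCAP_MAGIC_LE = 0xA1B2C3D4        # magic as read from a little-endian file
PCAP_MAGIC_BE = 0xD4C3B2A1        # the same magic read from a big-endian file
LINKTYPE_ETHERNET = 1
ETHERTYPE_ARP, ETHERTYPE_VLAN = 0x0806, 0x8100
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST, ZERO_MAC = b"\xff" * 6, b"\x00" * 6

def mac(text):
    return bytes.fromhex(text.replace(":", ""))

def ip4(text):
    return ipaddress.IPv4Address(text).packed

def arp_frame(oper, sha, spa, tha, tpa, vlan=None):
    """Ethernet II frame carrying one ARP packet (RFC 826 layout). Requests go to the
    broadcast MAC with an all-zero target MAC; replies are unicast to the requester."""
    eth_dst = BROADCAST if oper == ARP_REQUEST else mac(tha)
    tag = b"" if vlan is None else struct.pack(">HH", ETHERTYPE_VLAN, vlan)  # 802.1Q tag
    arp_tha = ZERO_MAC if oper == ARP_REQUEST else mac(tha)
    arp = struct.pack(">HHBBH6s4s6s4s", 1, 0x0800, 6, 4, oper,
                      mac(sha), ip4(spa), arp_tha, ip4(tpa))
    return eth_dst + mac(sha) + tag + struct.pack(">H", ETHERTYPE_ARP) + arp

def pcap_bytes(frames):
    """Wrap raw frames in a little-endian classic pcap container (constructed timestamps)."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1_649_084_000 + i, 0, len(frame), len(frame)) + frame
    return out

def iter_packets(data):
    """Yield the raw bytes of every packet record in a classic pcap file."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == PCAP_MAGIC_LE:
        endian = "<"
    elif magic == PCAP_MAGIC_BE:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    linktype, = struct.unpack_from(endian + "I", data, 20)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"unsupported link type {linktype}")
    offset = 24
    while offset + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, offset)
        offset += 16
        yield data[offset:offset + incl_len]
        offset += incl_len

def arp_hosts(data):
    """Return (confirmed, leads): confirmed maps each ARP sender IP to its MAC (a host that
    really spoke); leads are IPs that were only asked about and never answered."""
    confirmed, asked = {}, set()
    for frame in iter_packets(data):
        if len(frame) < 14:
            continue
        ethertype, = struct.unpack_from(">H", frame, 12)
        arp_off = 14
        if ethertype == ETHERTYPE_VLAN and len(frame) >= 18:   # skip the 802.1Q tag
            ethertype, = struct.unpack_from(">H", frame, 16)
            arp_off = 18
        if ethertype != ETHERTYPE_ARP or len(frame) < arp_off + 28:
            continue
        htype, ptype, hlen, plen, oper, sha, spa, _tha, tpa = struct.unpack_from(
            ">HHBBH6s4s6s4s", frame, arp_off)
        if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
            continue                                            # not Ethernet/IPv4 ARP
        sender = str(ipaddress.IPv4Address(spa))
        if sender != "0.0.0.0":                                 # ARP probes claim no address yet
            confirmed[sender] = sha.hex(":")
        if oper == ARP_REQUEST:
            asked.add(str(ipaddress.IPv4Address(tpa)))
    return confirmed, asked - set(confirmed)

# Constructed capture: the IPs are the ones identified above, the MACs and VLAN id are made up.
SAMPLE_PCAP = pcap_bytes([
    arp_frame(ARP_REQUEST, "00:50:56:b9:00:05", "172.16.5.5", "00:00:00:00:00:00", "172.16.5.25"),
    arp_frame(ARP_REPLY, "00:50:56:b9:00:25", "172.16.5.25", "00:50:56:b9:00:05", "172.16.5.5"),
    arp_frame(ARP_REQUEST, "00:50:56:b9:00:50", "172.16.5.50", "00:00:00:00:00:00", "172.16.5.100"),
    arp_frame(ARP_REQUEST, "00:50:56:b9:01:25", "172.16.5.125", "00:00:00:00:00:00", "172.16.5.5", vlan=10),
    arp_frame(ARP_REQUEST, "00:50:56:b9:02:40", "0.0.0.0", "00:00:00:00:00:00", "172.16.5.240"),  # probe
    BROADCAST + mac("00:50:56:b9:00:05") + struct.pack(">H", 0x0800) + b"\x45" + b"\x00" * 27,  # not ARP
])

if __name__ == "__main__":
    hosts, leads = arp_hosts(SAMPLE_PCAP)
    for ip, hw in sorted(hosts.items(), key=lambda kv: ipaddress.IPv4Address(kv[0])):
        print(f"{ip:<16} {hw}")
    print("asked about but silent:", ", ".join(sorted(leads)))
```

To run it over a real capture, replace SAMPLE_PCAP with the bytes of the file tcpdump wrote; the parser only understands the classic pcap container, so a pcapng file has to be converted first.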

Using Responder:

Responder is a tool built to listen to, analyze, and poison LLMNR, NBT-NS, and MDNS requests and responses. The following command will passively listen to the network and not send any poisoned packets:

sudo responder -I ens224 -A

Notice below that we found a few unique hosts not previously mentioned in our Wireshark captures. It's worth noting these down as we are starting to build a nice target list of IPs and DNS hostnames.

To go even more in enumeration depth, we can perform a quick ICMP sweep using fping:

FPing Active Checks

ElFelixio@htb[/htb]$ fping -asgq 172.16.5.0/23

172.16.5.5
172.16.5.25
172.16.5.50
172.16.5.100
172.16.5.125
172.16.5.200
172.16.5.225
172.16.5.238
172.16.5.240

     510 targets
       9 alive
     501 unreachable
       0 unknown addresses

    2004 timeouts (waiting for response)
    2013 ICMP Echos sent
       9 ICMP Echo Replies received
    2004 other ICMP received

 0.029 ms (min round trip time)
 0.396 ms (avg round trip time)
 0.799 ms (max round trip time)
       15.366 sec (elapsed real time)

-a shows targets that are alive, -s prints stats at the end of the scan, -g generates a target list from the CIDR network, and -q suppresses per-target results.

After finding alive hosts, we can enumerate them with Nmap.

Nmap Scanning

nmap -sCV $IP > nmap.out
cat nmap.out
Nmap scan report for inlanefreight.local (172.16.5.5)
Host is up (0.069s latency).
Not shown: 987 closed tcp ports (conn-refused)
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2022-04-04 15:12:06Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: INLANEFREIGHT.LOCAL0., Site: Default-First-Site-Name)
|_ssl-date: 2022-04-04T15:12:53+00:00; -1s from scanner time.
| ssl-cert: Subject:
| Subject Alternative Name: DNS:ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL
| Issuer: commonName=INLANEFREIGHT-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2022-03-30T22:40:24
| Not valid after:  2023-03-30T22:40:24
| MD5:   3a09 d87a 9ccb 5498 2533 e339 ebe3 443f
|_SHA-1: 9731 d8ec b219 4301 c231 793e f913 6868 d39f 7920
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: INLANEFREIGHT.LOCAL0., Site: Default-First-Site-Name)
<SNIP>
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: INLANEFREIGHT.LOCAL0., Site: Default-First-Site-Name)
3269/tcp open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: INLANEFREIGHT.LOCAL0., Site: Default-First-Site-Name)
3389/tcp open  ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
|   Target_Name: INLANEFREIGHT
|   NetBIOS_Domain_Name: INLANEFREIGHT
|   NetBIOS_Computer_Name: ACADEMY-EA-DC01
|   DNS_Domain_Name: INLANEFREIGHT.LOCAL
|   DNS_Computer_Name: ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL
|   DNS_Tree_Name: INLANEFREIGHT.LOCAL
|   Product_Version: 10.0.17763
|_  System_Time: 2022-04-04T15:12:45+00:00
<SNIP>
5357/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Service Unavailable
|_http-server-header: Microsoft-HTTPAPI/2.0
Service Info: Host: ACADEMY-EA-DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

The scan pointed us in the direction of the primary Domain Controller for the INLANEFREIGHT.LOCAL domain (ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL).
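Added example (my own code, not part of the original notes): a parser that turns the nmap -sCV text above into a structured report and applies the same reasoning the sentence above does, namely that Kerberos (88), LDAP (389) and the Global Catalog (3268) listening on one host identify a Domain Controller. The sample input is an abridged copy of the scan output shown above; the port set used for the DC rule is my own assumption, not an nmap feature, and the stray "0." that nmap appends to the LDAP domain is stripped so the domain name comes out clean.

```python
import re
from dataclasses import dataclass, field

# Constructed input: an abridged copy of the nmap -sCV output shown above.
SAMPLE_NMAP = """\
Nmap scan report for inlanefreight.local (172.16.5.5)
Host is up (0.069s latency).
Not shown: 987 closed tcp ports (conn-refused)
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2022-04-04 15:12:06Z)
135/tcp  open  msrpc         Microsoft Windows RPC
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: INLANEFREIGHT.LOCAL0., Site: Default-First-Site-Name)
| ssl-cert: Subject:
| Subject Alternative Name: DNS:ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL
445/tcp  open  microsoft-ds?
636/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: INLANEFREIGHT.LOCAL0., Site: Default-First-Site-Name)
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: INLANEFREIGHT.LOCAL0., Site: Default-First-Site-Name)
3389/tcp open  ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
|   NetBIOS_Domain_Name: INLANEFREIGHT
|   NetBIOS_Computer_Name: ACADEMY-EA-DC01
|   DNS_Domain_Name: INLANEFREIGHT.LOCAL
|   DNS_Computer_Name: ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL
|_  System_Time: 2022-04-04T15:12:45+00:00
Service Info: Host: ACADEMY-EA-DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)(?: \((\d+\.\d+\.\d+\.\d+)\))?")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")
NTLM_RE = re.compile(r"^\|_?\s+(NetBIOS_Domain_Name|NetBIOS_Computer_Name|DNS_Domain_Name|"
                     r"DNS_Computer_Name|DNS_Tree_Name|Product_Version):\s*(\S+)")
LDAP_DOMAIN_RE = re.compile(r"Domain:\s*([^,\s]+)")

# Kerberos, LDAP and the Global Catalog listening together identify a Domain Controller
# (assumed rule for this example, not something nmap reports itself).
DC_PORTS = {88, 389, 3268}


@dataclass
class HostReport:
    hostname: str = ""
    ip: str = ""
    open_ports: dict = field(default_factory=dict)   # port -> (service, version)
    ntlm_info: dict = field(default_factory=dict)    # fields from the rdp-ntlm-info script
    ldap_domain: str = ""                            # domain from the LDAP service banner

    @property
    def domain(self):
        # rdp-ntlm-info is the cleaner source; the LDAP banner is the fallback
        return self.ntlm_info.get("DNS_Domain_Name") or self.ldap_domain


def parse_nmap(text):
    """Parse one host's section of nmap's normal (human-readable) output."""
    report = HostReport()
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            report.hostname, report.ip = m.group(1), m.group(2) or ""
            if not report.ip and re.fullmatch(r"\d+\.\d+\.\d+\.\d+", report.hostname):
                report.ip = report.hostname         # no reverse DNS: nmap prints only the IP
            continue
        m = PORT_RE.match(line)
        if m:
            port, _proto, state, service, version = m.groups()
            version = version or ""
            if state == "open":
                report.open_ports[int(port)] = (service, version)
            dm = LDAP_DOMAIN_RE.search(version)
            if dm and not report.ldap_domain:
                # nmap prints the LDAP domain with a stray "0." suffix (see the scan above)
                report.ldap_domain = re.sub(r"0\.$", "", dm.group(1))
            continue
        m = NTLM_RE.match(line)
        if m:
            report.ntlm_info[m.group(1)] = m.group(2)
    return report


def is_domain_controller(report):
    return DC_PORTS <= set(report.open_ports)


if __name__ == "__main__":
    r = parse_nmap(SAMPLE_NMAP)
    role = "Domain Controller" if is_domain_controller(r) else "member host"
    print(f"{r.ip} ({r.hostname}): {role} for {r.domain}; "
          f"computer {r.ntlm_info.get('DNS_Computer_Name', '?')}; "
          f"open ports {sorted(r.open_ports)}")
```

Feeding it the saved nmap.out from the command above gives the same classification; for several hosts, split the file on the "Nmap scan report for" lines and parse each section separately.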

Identifying Users

If our client does not provide us with a user to start testing with (which is often the case), we will need to find a way to establish a foothold in the domain by either obtaining clear text credentials or an NTLM password hash for a user, a SYSTEM shell on a domain-joined host, or a shell in the context of a domain user account.

Kerbrute can be a stealthier option for domain account enumeration. It takes advantage of the fact that Kerberos pre-authentication failures often will not trigger logs or alerts.

Kerbrute - Internal AD Username Enumeration

sudo git clone https://github.com/ropnop/kerbrute.git
cd kerbrute
sudo make all
# now we need to look at the list of binaries we compiled:
ls dist/

And finally, we can try one of them:

./kerbrute_linux_amd64

To enumerate users, we can follow this syntax:

ElFelixio@htb[/htb]$ kerbrute userenum -d INLANEFREIGHT.LOCAL --dc 172.16.5.5 jsmith.txt -o valid_ad_users

2021/11/17 23:01:46 >  Using KDC(s):
2021/11/17 23:01:46 >   172.16.5.5:88
2021/11/17 23:01:46 >  [+] VALID USERNAME:       jjones@INLANEFREIGHT.LOCAL
2021/11/17 23:01:46 >  [+] VALID USERNAME:       sbrown@INLANEFREIGHT.LOCAL
2021/11/17 23:01:46 >  [+] VALID USERNAME:       tjohnson@INLANEFREIGHT.LOCAL
2021/11/17 23:01:50 >  [+] VALID USERNAME:       evalentin@INLANEFREIGHT.LOCAL

<SNIP>

2021/11/17 23:01:51 >  [+] VALID USERNAME:       sgage@INLANEFREIGHT.LOCAL
2021/11/17 23:01:51 >  [+] VALID USERNAME:       jshay@INLANEFREIGHT.LOCAL
2021/11/17 23:01:51 >  [+] VALID USERNAME:       jhermann@INLANEFREIGHT.LOCAL
2021/11/17 23:01:51 >  [+] VALID USERNAME:       whouse@INLANEFREIGHT.LOCAL
2021/11/17 23:01:51 >  [+] VALID USERNAME:       emercer@INLANEFREIGHT.LOCAL
2021/11/17 23:01:52 >  [+] VALID USERNAME:       wshepherd@INLANEFREIGHT.LOCAL
2021/11/17 23:01:56 >  Done! Tested 48705 usernames (56 valid) in 9.940 seconds

Let's Find a User - Practical exercise:

First we connect via SSH to our target and try to find alive hosts.

The ip a command reveals the IP 172.16.5.225/23, so for our fping scan we can go with the following command:

fping -asgq 172.16.5.0/23

Now we can scan those hosts to find some juicy information, and we are able to grep out of each scan the answers to the questions that are asked.
