🦹♂️Initial Enumeration
What Are We Looking For?
In an initial enumeration, we are looking for key items that could help us later on such as:
IP Space -> Cloud presence, DNS records, valid ASNs, etc.
Domain Information -> Who administers the domain? Are there any subdomains tied to our target? Are there any publicly accessible domain services present (mail servers, DNS, websites, VPN portals, etc.)? What defenses are in place?
Schema Format -> Password policies, username policies, email accounts, AD usernames, etc.
Data Disclosures -> Publicly accessible files (.pdf, .ppt, .docx, .xlsx, etc.), credentials pushed to a public GitHub repo, etc.
Breached Data -> Publicly released usernames, passwords, or other critical information
Where Are We Looking?
ASN / IP registrars -> RIPE for searching in Europe
Domain Registrars & DNS -> Domaintools, PTRArchive, ICANN or manual DNS record requests
Social media -> LinkedIn, Twitter, Facebook etc...
Public-Facing Company Websites -> The website of the target company can be a goldmine with an "About us" or "Contact Us" section
Cloud & Dev Storage Spaces -> GitHub, AWS S3 buckets & Azure Blob storage containers, Google searches using "Dorks"
Breach Data Sources -> HaveIBeenPwned to determine if any corporate email accounts appear in public breach data, Dehashed to search for corporate emails with cleartext passwords or hashes we can try to crack offline.
Finding Address Spaces
To research what address blocks are assigned to an organization and what ASN they reside within, the go-to tool is the BGP-Toolkit hosted by Hurricane Electric.
Finding more DNS
Using DomainTools and viewdns.info, we can find reachable hosts the customer did not disclose in their scoping document and check whether any of them should indeed be included in the scope.
Example Enumeration Process
Let's imagine a light enumeration on the inlanefreight.com domain.
Check for ASN/IP & Domain Data
So we find some interesting information:
IP Address: 134.209.24.248
Mail Server: mail1.inlanefreight.com
Nameservers: NS1.inlanefreight.com & NS2.inlanefreight.com
Viewdns Results
This validates the IP address of our target; we can dig a little further for the enumeration part:
We now have two new IP addresses to add to our list for validation and testing.
Hunting For Files
We can utilize google dorking for this hunting process:
filetype:pdf inurl:inlanefreight.com
Same for email addresses:
intext:"@inlanefreight.com" inurl:inlanefreight.com
Username & Credential Harvesting
For username harvesting, we can use a tool such as linkedin2username to scrape data from a company's LinkedIn page and create various mashups of usernames.
For breached credentials, Dehashed is an excellent tool for hunting for cleartext credentials and password hashes.
Start of the domain enumeration
Here are some key data points we look for while enumerating the domain:
Users -> Valid user accounts we can target for password spraying.
Computers -> Key computers include Domain Controllers, file servers, SQL servers, web servers, Exchange mail servers, database servers, etc.
Key Services -> Kerberos, NetBIOS, LDAP, DNS
Vulnerable Hosts & Services -> Anything that can be a quick win (a.k.a. an easy host to exploit and gain a foothold).
Identifying Hosts
After connecting to my target via RDP with this command:
I fire up Wireshark with the following:
and look at the ARP packets that go through the network ->
Filtering on ARP and looking at the hosts that ask and answer, we find the following hosts:
172.16.5.5, 172.16.5.25, 172.16.5.50, 172.16.5.100, and 172.16.5.125.
We can also discover hosts from mDNS packets:
We could also use tcpdump to write a .pcap file and open it on our local machine.
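As an added example that is not part of the original notes, the following script turns the passive capture the notes inspect in Wireshark into a de-duplicated host list. It assumes tcpdump's plain text output (as printed with tcpdump -n, so addresses stay numeric); the capture lines are constructed sample data, not a real capture, and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original notes: build a target list from the
# text output of a passive tcpdump capture (run with -n so addresses stay
# numeric). The capture below is constructed sample data, not a real capture.
SAMPLE_CAPTURE='12:00:01.000001 ARP, Request who-has 172.16.5.5 tell 172.16.5.225, length 28
12:00:01.000120 ARP, Reply 172.16.5.5 is-at 00:50:56:b9:aa:01, length 28
12:00:01.200000 ARP, Request who-has 172.16.5.25 tell 172.16.5.225, length 28
12:00:01.400000 ARP, Request who-has 172.16.5.50 tell 172.16.5.100, length 28
12:00:02.000000 IP 172.16.5.125.5353 > 224.0.0.251.5353: 0 PTR (QM)? _services._dns-sd._udp.local. (48)
12:00:02.100000 IP 172.16.5.130.5353 > 224.0.0.251.5353: 0*- [0q] 1/0/0 PTR lab-printer.local. (50)
12:00:03.000000 IP 172.16.5.225.51000 > 172.16.5.5.53: 1234+ A? inlanefreight.local. (37)'

# Every address that asks ("who-has X tell Y") or answers ("Reply X is-at")
# in ARP is a live host on our segment.
arp_hosts() {
  printf '%s\n' "$1" |
    grep -E '^[0-9:.]+ ARP,' |
    grep -oE '(who-has|tell|Reply) [0-9]+(\.[0-9]+){3}' |
    awk '{ print $2 }'
}

# Hosts that talk to the mDNS multicast group (224.0.0.251:5353) announce
# themselves without ever being asked.
mdns_hosts() {
  printf '%s\n' "$1" |
    grep -oE 'IP [0-9]+(\.[0-9]+){3}\.5353 > 224\.0\.0\.251\.5353' |
    sed -E 's/^IP ([0-9.]+)\.5353 .*/\1/'
}

# Merge both sources, sort numerically by octet, drop duplicates, and
# optionally remove our own address ($2) so it does not land in the target list.
host_list() {
  { arp_hosts "$1"; mdns_hosts "$1"; } |
    sort -t . -k1,1n -k2,2n -k3,3n -k4,4n -u |
    awk -v self="$2" '$0 != self'
}

host_list "$SAMPLE_CAPTURE" 172.16.5.225
```

Pipe a real capture in with tcpdump -n -r capture.pcap in place of the sample variable; nothing here sends a packet, so the list grows only as hosts on the segment talk on their own.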
Using Responder:
Responder is a tool built to listen, analyze, and poison LLMNR, NBT-NS, and mDNS requests and responses. The following commands will passively listen to the network and not send any poisoned packets.
Notice below that we found a few unique hosts not previously mentioned in our Wireshark captures. It's worth noting these down as we are starting to build a nice target list of IPs and DNS hostnames.
To go even deeper in enumeration, we can perform a quick ICMP sweep using fping:
FPing Active Checks
-a to show targets that are alive, -s to print stats at the end of the scan, -g to generate a target list from the CIDR network, and -q to not show per-target results.
After finding alive hosts, we can enumerate them with Nmap.
Nmap Scanning
The scan pointed us in the direction of the primary Domain Controller for the INLANEFREIGHT.LOCAL domain (ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL).
Identifying Users
If our client does not provide us with a user to start testing with (which is often the case), we will need to find a way to establish a foothold in the domain by either obtaining cleartext credentials or an NTLM password hash for a user, a SYSTEM shell on a domain-joined host, or a shell in the context of a domain user account.
Kerbrute can be a stealthier option for domain account enumeration. It takes advantage of the fact that Kerberos pre-authentication failures often will not trigger logs or alerts.
Kerbrute - Internal AD Username Enumeration
And finally, we can try some:
To enumerate users, we can follow this syntax:
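The note above that pre-authentication failures often go unlogged deserves a caveat from the defender's side: when "Audit Kerberos Authentication Service" is enabled on the domain controllers, every TGT request is still recorded as Event ID 4768, and a request for an account that does not exist carries result code 0x6 (KDC_ERR_C_PRINCIPAL_UNKNOWN). A wordlist run therefore shows up as a burst of 0x6 results from one client address. The script below is an added example, not part of the original notes; the event lines are constructed in a flattened key=value form rather than a real Windows export, the threshold is illustrative, and the function name is my own.

```shell
#!/bin/sh
# Added example, not from the original notes: spot a Kerberos username-
# enumeration burst in domain controller audit logs. Each line is a
# constructed, flattened 4768 ("A Kerberos authentication ticket (TGT) was
# requested") record in key=value form, not a real Windows event export.
# Status=0x6 means KDC_ERR_C_PRINCIPAL_UNKNOWN: the requested account does not
# exist. Real exports show IPv4 clients as ::ffff:a.b.c.d; the sample keeps
# bare IPv4, and the parser below works for either form.
SAMPLE_EVENTS='2024-05-01T09:00:01Z EventID=4768 TargetUserName=jsmith IpAddress=172.16.5.225 Status=0x6
2024-05-01T09:00:01Z EventID=4768 TargetUserName=jdoe IpAddress=172.16.5.225 Status=0x6
2024-05-01T09:00:02Z EventID=4768 TargetUserName=administrator IpAddress=172.16.5.225 Status=0x0
2024-05-01T09:00:02Z EventID=4768 TargetUserName=mholliday IpAddress=172.16.5.225 Status=0x6
2024-05-01T09:00:02Z EventID=4768 TargetUserName=bwilliamson IpAddress=172.16.5.225 Status=0x6
2024-05-01T09:00:03Z EventID=4768 TargetUserName=svc_backup IpAddress=172.16.5.225 Status=0x6
2024-05-01T09:00:05Z EventID=4768 TargetUserName=LAB-WS01$ IpAddress=172.16.5.130 Status=0x0
2024-05-01T09:00:07Z EventID=4768 TargetUserName=typo.user IpAddress=172.16.5.100 Status=0x6
2024-05-01T09:00:09Z EventID=4771 TargetUserName=jdoe IpAddress=172.16.5.100 Status=0x18'

# Count 4768 events with Status=0x6 per client address and print
# "<ip> <count>" for every client at or above the threshold given in $2.
unknown_principal_sources() {
  printf '%s\n' "$1" | awk -v min="$2" '
    /EventID=4768/ && /Status=0x6( |$)/ {
      ip = ""
      for (i = 1; i <= NF; i++) if ($i ~ /^IpAddress=/) ip = substr($i, 11)
      if (ip != "") count[ip]++
    }
    END { for (ip in count) if (count[ip] >= min) print ip, count[ip] }
  ' | sort
}

# A user mistyping their name produces one or two 0x6 results; a wordlist run
# produces dozens per second from a single client. Five is an illustrative cutoff.
unknown_principal_sources "$SAMPLE_EVENTS" 5
```

In the sample, 172.16.5.225 trips the threshold with five unknown principals in three seconds while the single typo from 172.16.5.100 does not; in a real deployment the same count would be taken over a sliding time window rather than the whole file.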
Let's Find a User - Practical exercise:
First we connect via SSH to our target and try to find alive hosts ->
The ip a command reveals the IP 172.16.5.225/23, so for our fping scan we can use the following command:
Now we can scan those hosts for useful information and grep the answers to the exercise questions out of each scan.