Information gathering

Mindmap


ocd-mindmaps

Key Data Points

| Data Point | Description |
|---|---|
| AD Users | We are trying to enumerate valid user accounts we can target for password spraying. |
| AD Joined Computers | Key computers include Domain Controllers, file servers, SQL servers, web servers, Exchange mail servers, database servers, etc. |
| Key Services | Kerberos, NetBIOS, LDAP, DNS |
| Vulnerable Hosts and Services | Anything that can be a quick win (a.k.a. an easy host to exploit and gain a foothold). |

Identifying Hosts


| Tool | Command |
|---|---|
| wireshark | `sudo wireshark` |
| tcpdump | `sudo tcpdump -i tun0` |
| responder | `sudo responder -I tun0 -A` |
| fping | `fping -asgq 172.16.5.0/23` |
| nmap | `sudo nmap -v -A 172.16.5.0/23` |

Ping Sweep


Ping Sweep (on linux)

```bash
for i in {1..254} ;do (ping -c 1 172.16.5.$i | grep "bytes from" &) ;done
```

Ping Sweep (on windows/cmd)

`-w` takes the per-reply timeout in milliseconds, so it always needs a value before the address.

```cmd
for /L %i in (1 1 254) do @ping -n 1 -w 100 172.16.5.%i | find "Reply"
for /L %i in (1 1 255) do @ping -n 1 -w 200 172.16.6.%i > nul && echo 172.16.6.%i is up.
for /L %i in (1,1,255) do @ping -n 1 -w 200 172.16.5.%i > nul && echo 172.16.5.%i is up.
```

Ping Sweep (on windows/ps)

```powershell
1..254 | % {"172.16.5.$($_): $(Test-Connection -count 1 -comp 172.16.5.$($_) -quiet)"}
1..254 | % {"172.16.6.$($_): $(Test-Connection -count 1 -comp 172.16.6.$($_) -quiet)"}
```

Ping Sweep (from meterpreter)

```
meterpreter > run post/multi/gather/ping_sweep RHOSTS=172.16.5.0/23
```
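The sweeps above are noisy on the wire: one source sends ICMP echo requests to many hosts in a few seconds. As an added example (not part of the original notes), the following detection logic parses constructed `tcpdump -i tun0 icmp`-style lines and flags any source that hits many distinct targets within a short window; the sample lines, regex and thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed tcpdump-style ICMP lines (assumed format, not a real capture).
SAMPLE_LINES = """\
10:00:01.000001 IP 172.16.5.130 > 172.16.5.1: ICMP echo request, id 1, seq 1, length 64
10:00:01.000200 IP 172.16.5.130 > 172.16.5.2: ICMP echo request, id 1, seq 1, length 64
10:00:01.000400 IP 172.16.5.130 > 172.16.5.3: ICMP echo request, id 1, seq 1, length 64
10:00:01.000600 IP 172.16.5.130 > 172.16.5.4: ICMP echo request, id 1, seq 1, length 64
10:00:01.000800 IP 172.16.5.130 > 172.16.5.5: ICMP echo request, id 1, seq 1, length 64
10:00:01.001000 IP 172.16.5.5 > 172.16.5.130: ICMP echo reply, id 1, seq 1, length 64
10:00:02.500000 IP 172.16.5.25 > 172.16.5.5: ICMP echo request, id 7, seq 1, length 64
10:00:03.500000 IP 172.16.5.25 > 172.16.5.5: ICMP echo request, id 7, seq 2, length 64
""".splitlines()

# Only echo requests matter; replies and other traffic are skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>\d+\.\d+\.\d+\.\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+): ICMP echo request"
)

def to_seconds(ts):
    """Convert a tcpdump HH:MM:SS.ffffff timestamp to seconds since midnight."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)

def detect_ping_sweeps(lines, min_targets=5, window=10.0):
    """Return {src: sorted distinct targets} for every source that sends echo
    requests to at least `min_targets` different hosts within `window` seconds."""
    events = defaultdict(list)  # src -> [(time, dst), ...]
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        events[m["src"]].append((to_seconds(m["ts"]), m["dst"]))
    sweeps = {}
    for src, evs in events.items():
        evs.sort()
        lo = 0  # sliding window over time-ordered requests
        for hi in range(len(evs)):
            while evs[hi][0] - evs[lo][0] > window:
                lo += 1
            targets = {dst for _, dst in evs[lo:hi + 1]}
            if len(targets) >= min_targets:
                sweeps[src] = sorted(targets)
                break
    return sweeps
```

Repeated probes of a single host (172.16.5.25 in the sample) are not flagged, since the distinct-target count is what distinguishes a sweep from ordinary monitoring.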