external-recon

#externalrecon

Tools

• Pre2k - A tool for pre-windows 2000 compatibility enumeration (use p2k to find users with weak passwords)

• BloodyAD - Active directory enumeration and exploitation tool

• Kerbrute - A kerberos brute-force tool

• Ensurepath - A tool for managing python-based applications

Engagement

What are we looking for?

IP Space

• ASN/IP registers

  • IANA, arin for searching the Americas, RIPE for searching in Europe, BGP Toolkit

• Domain registration & DNS

  • Domaintools, PTRArchive, ICANN, manual DNS record requests against the domain in question or against well known DNS servers, such as 8.8.8.8.

• Social media

  • Searching LinkedIn, Twitter, Facebook, your region's major social media sites, news articles, and any relevant info you can find about the organization.

• Public-facing company website

  • Often, the public website for a corporation will have relevant info embedded. News articles, embedded documents, and the "About Us" and "Contact Us" pages can also be gold mines.

• Cloud & Dev storage space

  • GitHub, AWS S3 buckets & Azure Blog storage containers, Google searches using "Dorks"

• Breach data sources

  • HaveIBeenPwned to determine if any corporate email accounts appear in public breach data, Dehashed to search for corporate emails with cleartext passwords or hashes we can try to crack offline. We can then try these passwords against any exposed login portals (Citrix, RDS, OWA, 0365, VPN, VMware Horizon, custom applications, etc.) that may use AD

DNS Information

• https://whois.domaintools.com/

• https://viewdns.info/

• nslookup <name server>

Public data

• LinkedIn

• Indeed

• Glassdoor

• Tools

  • Trufflehog and sites like Greyhat Warfare are fantastic resources.

  • For a more detailed introduction to OSINT and external enumeration, check out the Footprinting and OSINT:Corporate Recon modules.

Other resource

• Company website

• Github

• Cloud storage

• https://github.com/trufflesecurity/truffleHog

• https://buckets.grayhatwarfare.com/

Oversearching enumeration principles

• Keep in mind that our goal is to understand our target better. We are looking for every possible venue. First we will use passive resource, and then active enumeration.

Google dorks

inurl:inlanefreight.com filetype:pdf

intext:"@inlanefreight.com" inurl:inlanefreight.com

"Contact us" page of company website

Username harvesting

• https://github.com/initstring/linkedin2username

• Credentials hunting (breach data)

  • http://dehashed.com/

---

Initial enumeration

Identify host and other hints

• Tcpdump (no GUI)

• Wireshark

• Net-creds (no GUI)

• netMiner (no GUI)

Capturing network traffic (monitor mode)

sudo responder -I eth0 -A

Active host check

fping -asgq <network range/23>

Nmap scanning

 sudo nmap -v -A -iL hosts.txt -oN host-enum

sudo nmap -A <host>

Username enumeration (Internal AD) - brute force active directory accounts

• username wordlist: https://github.com/insidetrust/statistically-likely-usernames

• Use google dorks to fetch pdfs or documents by the company to get username.

  • Metadata: Check the document properties and you may get username structure format (randomly generated GUID).

• Generate username combination

for x in {{A..Z},{0..9}}{{A..Z},{0..9}}{{A..Z},{0..9}}{{A..Z},{0..9}}
	do echo $x;
done

• User enumeration

kerbrute userenum -d INLANEFREIGHT.LOCAL --dc <DC IP> <username_list.txt> -o valid_AD_users

---

Theory

LLMNR/NBT-NS poisoning

• Link-Local Multicast Name Resolution (LLMNR) and NetBIOS Name Service (NBT-NS) are Microsoft Windows components that serve as alternate methods of host identification that can be used when DNS fails. If a machine attempts to resolve a host but DNS resolution fails, typically, the machine will try to ask all other machines on the local network for the correct host address via LLMNR. LLMNR is based upon the Domain Name System (DNS) format and allows hosts on the same local link to perform name resolution for other hosts. It uses port 5355 over UDP natively. If LLMNR fails, the NBT-NS will be used. NBT-NS identifies systems on a local network by their NetBIOS name. NBT-NS utilizes port 137 over UDP.

LLMNR/NBT-NS are used for name resolution, any host on the local network can reply, this is where responder comes into play.

Detailed user enumeration - build a user list

A computer object is treated as a domain user account (with some differences, such as authenticating across forest trusts). If you don’t have a valid domain account, and SMB NULL sessions and LDAP anonymous binds are not possible, you can create a user list using external resources such as email harvesting and LinkedIn.