Internal Recon - Offensive Security
- Slides: 13

Slide 1: Internal Recon (Offensive Security)

Slide 2: Once you get access, now what?
Reference: https://www.swc.com/blog/security/disrupting-cyber-kill-chain-microsoft-solutions
Slide 3: Internal Recon
• First steps on a machine
• Shells
  - Two is one, one is none
• Start passive
  - Frustrating to get caught by defenders on the first box
• Information gathered informs the next steps
Note: Do not drop software or persistence
Slide 4: Goals
• Find out about where you are
• Figure out what you can do from the context you are in
Diagram: What context you are in -> type of system, filesystem, users, network, security
Slide 5: Host
• OS
  - Release, patches
• System purpose
• Users
  - /etc/passwd, net users
  - Are any of them logged in? Which are admins? What are they admin of?
• Security settings/group policy
  - AV/EDR/Sysmon
Slide 6: Networking
• IP address
  - ipconfig/ifconfig
• Network connections and services
  - netstat
• ARP
  - arp
• Firewall
  - netsh
  - ufw, iptables, firewall-cmd
Slide 7: Services
• Typically have higher permissions
• Could always be running
• Insecure service path
• Config files
Note: Windows service users are usually local admins
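The "insecure service path" bullet is the classic audit item on this slide. The following Python audit is an added example, not code from the deck: it checks service definitions for an unquoted executable path that contains a space, rates the finding by the account the service runs as (the slide's point that service accounts are usually local admins), and produces the corrected, quoted path. The service records, names, paths and accounts are constructed; on a real host you would feed it the ImagePath and start-name values from HKLM\SYSTEM\CurrentControlSet\Services or `sc qc`.

```python
"""Audit Windows service definitions for unquoted image paths.

Added example for the Services slide; not code from the deck. The records
below are constructed to look like ImagePath / SERVICE_START_NAME values.
"""
import re
from dataclasses import dataclass

# Built-in restricted service accounts. Anything else (LocalSystem, a domain
# or local user) is rated higher, since it is usually admin-equivalent.
RESTRICTED_ACCOUNTS = {"nt authority\\localservice", "localservice",
                       "nt authority\\networkservice", "networkservice"}


@dataclass
class Service:
    name: str
    image_path: str   # raw ImagePath / BINARY_PATH_NAME value
    account: str      # SERVICE_START_NAME


def executable_of(image_path: str) -> str:
    """Executable portion of an ImagePath: quotes stripped, arguments dropped."""
    p = image_path.strip()
    if p.startswith('"'):
        end = p.find('"', 1)
        return p[1:end] if end > 0 else p[1:]
    m = re.match(r"(?i)(.*?\.exe)(?=\s|$)", p)
    return m.group(1) if m else p


def unquoted_path_with_space(image_path: str) -> bool:
    """True when the path is unquoted and the executable path contains a space.

    The service control manager resolves such a path by trying each
    space-delimited prefix in turn, which is why scanners flag it."""
    p = image_path.strip()
    return not p.startswith('"') and " " in executable_of(p)


def quoted_image_path(image_path: str) -> str:
    """Remediated value: the executable quoted, arguments preserved."""
    p = image_path.strip()
    exe = executable_of(p)
    return f'"{exe}"{p[len(exe):]}'


def audit_services(services):
    """Return one finding dict per service with an unquoted, space-containing path."""
    findings = []
    for svc in services:
        if not unquoted_path_with_space(svc.image_path):
            continue
        privileged = svc.account.lower() not in RESTRICTED_ACCOUNTS
        findings.append({
            "service": svc.name,
            "account": svc.account,
            "severity": "high" if privileged else "medium",
            "corrected_image_path": quoted_image_path(svc.image_path),
        })
    return findings


# Constructed sample records (hypothetical services and accounts).
SAMPLE_SERVICES = [
    Service("Spooler", r"C:\Windows\System32\spoolsv.exe", "LocalSystem"),
    Service("VendorAgent", r"C:\Program Files\Vendor Tools\agent.exe -service", "LocalSystem"),
    Service("BackupSuite", r'"C:\Program Files\Backup Suite\bkp.exe" /svc', r"CORP\svc_backup"),
    Service("AcmeUpdater", r"C:\Program Files (x86)\Acme\Updater\upd.exe", r"NT AUTHORITY\LocalService"),
]

if __name__ == "__main__":
    for finding in audit_services(SAMPLE_SERVICES):
        print(finding)
```

The fix for each finding is the `corrected_image_path` value: set it with `sc config <name> binPath=` (escaping the inner quotes for the shell you use) or directly in the ImagePath registry value, and where a service does not need LocalSystem, move it to the least-privileged account that still works.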
Slide 8: Network (Passive)
• Watching network traffic from the local machine
• Wireshark
  - Doubt you'll have this
• tcpdump
  - You might have this
• Local tools
  - netsh
  - iptables/python
Slide 9: Network (Active)
• Passive network recon should have provided a starting point
• What does your network look like?
• Can you route to other internal networks?
  - DMZ -> Servers
• Scanning the network
  - nmap
  - Custom solution
Slide 10: Active Directory
• Are you on a domain?
• Where are your domain controllers?
  - nltest /DCLIST:[domain]
• Users/Groups
• Trusts
• Local/Domain/Enterprise/Server/Exchange Admin
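The Internal Recon slide warns that getting caught on the first box is frustrating; the Host, Networking and Active Directory slides then list exactly the commands (whoami, net users, ipconfig, netstat, arp, nltest) that a defender can watch for. The following detector is an added example, not code from the deck: run over process-creation telemetry, it raises one alert per host when several distinct discovery commands appear within a short window, which is what hands-on recon looks like and what routine administration rarely does. The log lines are constructed to resemble Sysmon Event ID 1 (process creation) exported as "timestamp host user command_line"; that layout, the host names and the users are assumptions, not a vendor format.

```python
"""Flag bursts of host and domain discovery commands in process-creation logs.

Added example, not from the deck. The log format and sample lines below are
constructed for the example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Discovery executables worth counting. None counts any invocation; a set
# restricts the match to those sub-commands (so "net use" is ignored while
# "net user" counts). Built from the commands the deck lists.
DISCOVERY = {
    "whoami": None, "hostname": None, "systeminfo": None, "ipconfig": None,
    "arp": None, "netstat": None, "nltest": None, "route": None, "tasklist": None,
    "net": {"user", "users", "group", "localgroup", "view", "accounts"},
    "netsh": {"advfirewall", "firewall", "interface"},
    "sc": {"query", "qc"},
}


def split_command(command_line: str):
    """Split a Windows command line into (executable, argument list)."""
    s = command_line.strip()
    if s.startswith('"'):                      # quoted path, may contain spaces
        end = s.find('"', 1)
        exe, rest = s[1:end], s[end + 1:]
    else:
        exe, _, rest = s.partition(" ")
    return exe, rest.split()


def classify(command_line: str):
    """Return a discovery category such as 'net user', or None if not discovery."""
    exe, args = split_command(command_line)
    name = exe.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if name.endswith(".exe"):
        name = name[:-4]
    if name not in DISCOVERY:
        return None
    allowed = DISCOVERY[name]
    if allowed is None:
        return name
    if args and args[0].lower() in allowed:
        return f"{name} {args[0].lower()}"
    return None


def parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def detect_recon_bursts(log_text: str, window_seconds: int = 300, min_distinct: int = 4):
    """One alert per host whose distinct discovery categories inside any
    window of window_seconds reach min_distinct. Returns a list of dicts."""
    per_host = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, user, cmd = line.split(maxsplit=3)
        category = classify(cmd)
        if category:
            per_host[host].append((parse_ts(ts), user, category))
    window = timedelta(seconds=window_seconds)
    alerts = []
    for host, events in per_host.items():
        events.sort()
        for i, (start, user, _) in enumerate(events):
            in_window = [e for e in events[i:] if e[0] - start <= window]
            categories = sorted({e[2] for e in in_window})
            if len(categories) >= min_distinct:
                alerts.append({"host": host, "user": user,
                               "start": start.isoformat(), "commands": categories})
                break                           # one alert per host is enough
    return alerts


# Constructed sample telemetry: WS0113 shows a recon burst, WS0207 shows
# ordinary helpdesk activity spread over half an hour.
SAMPLE_LOG = """\
2024-05-02T09:14:03Z WS0113 CORP\\jdoe C:\\Windows\\System32\\whoami.exe /all
2024-05-02T09:14:09Z WS0113 CORP\\jdoe C:\\Windows\\System32\\ipconfig.exe /all
2024-05-02T09:14:21Z WS0113 CORP\\jdoe C:\\Windows\\System32\\net.exe user
2024-05-02T09:14:22Z WS0113 CORP\\jdoe C:\\Windows\\System32\\net.exe localgroup administrators
2024-05-02T09:14:40Z WS0113 CORP\\jdoe C:\\Windows\\System32\\netstat.exe -ano
2024-05-02T09:15:02Z WS0113 CORP\\jdoe C:\\Windows\\System32\\nltest.exe /dclist:corp
2024-05-02T09:15:30Z WS0113 CORP\\jdoe "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"
2024-05-02T09:20:11Z WS0207 CORP\\helpdesk C:\\Windows\\System32\\ipconfig.exe /release
2024-05-02T09:20:15Z WS0207 CORP\\helpdesk C:\\Windows\\System32\\ipconfig.exe /renew
2024-05-02T09:52:40Z WS0207 CORP\\helpdesk C:\\Windows\\System32\\net.exe user jsmith /domain
"""

if __name__ == "__main__":
    for alert in detect_recon_bursts(SAMPLE_LOG):
        print(alert)
```

Counting distinct categories rather than raw command volume is what keeps a repeated `ipconfig /renew` from paging anyone; tune `window_seconds` and `min_distinct` against your own baseline, and treat a hit from a non-administrator account, or from a workstation that has never run `nltest`, as the higher-priority case.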
Slide 11: BloodHoundAD
• https://github.com/BloodHoundAD/BloodHound
• Uses graph theory to traverse AD relationships
• Scenario
• How does it do this?
  - Collection methods: Group, LocalAdmin, RDP, DCOM, GPOLocalGroup, Session, ObjectProps, ComputerOnly, LoggedOn, Trusts, ACL, Container, DcOnly
Note: Blasts the network with queries
Slide 12: Automated Approaches
• Metasploit post modules
• LinEnum.sh
• les.sh
• Nishang
• PowerSploit
Slide 13: References
• Mubix's Online Documents
  - Linux/Unix/BSD: bit.ly/pqJxA5
  - Windows: bit.ly/1em7gvG