
Pentest Red Team Techniques - Discovery

dEEpEst


Discovery

The adversary is trying to figure out your environment.

Discovery consists of techniques an adversary may use to gain knowledge about the system and internal network. These techniques help adversaries observe the environment and orient themselves before deciding how to act. They also allow adversaries to explore what they can control and what's around their entry point in order to discover how it could benefit their current objective. Native operating system tools are often used toward this post-compromise information-gathering objective.
 

System Time Discovery

An adversary may gather the system time and/or time zone from a local or remote system. System time is set and stored by the Windows Time service within a domain to maintain time synchronization between systems and services in an enterprise network.

System time information may be gathered in a number of ways, such as with Net on Windows by running net time \\hostname to gather the system time of a remote system. The victim's time zone may also be inferred from the current system time or gathered with w32tm /tz. The information can be useful for performing other techniques, such as executing a file with a Scheduled Task/Job, or for discovering locality information based on time zone to assist in victim targeting.

Example

We will use the two utilities discussed for this technique to check the time on the host (the same can be done against a remote system, given credentials the remote system accepts).

w32tm /tz

[screenshot of output]

net time

[screenshot of output]
 

System Service Discovery

Adversaries may try to get information about registered services. Commands that can obtain information about services using operating system utilities are "sc", "tasklist /svc" using Tasklist, and "net start" using Net, but adversaries may use other tools as well. Adversaries may use the information from System Service Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.

Example

As demonstrated previously, I have used the tasklist command or the Get-Process cmdlet from PowerShell; here we will also use the sc command to view services and schtasks for scheduled tasks.

tasklist /svc

[screenshot of output]

net start

[screenshot of output]

sc query

[screenshot of output]

schtasks

[screenshot of output]
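The three command-line views above (sc query, net start, tasklist /svc) each show part of the picture. The PowerShell below is an added example, not from the original post: it joins service state, the account the service runs as, the hosting process and the binary path into one table via CIM. It assumes Windows PowerShell 5.1 or later; read-only CIM queries need no elevation.

```powershell
# Added example (not from the original post): one table combining what "sc query",
# "tasklist /svc" and the service's binary path tell you, via Win32_Service.
# Assumes Windows PowerShell 5.1+; no admin rights needed for read-only queries.

function Get-ServiceInventory {
    param(
        # Running services only by default; pass $false to include stopped/disabled ones.
        [bool]$RunningOnly = $true
    )
    $services = Get-CimInstance -ClassName Win32_Service
    if ($RunningOnly) { $services = $services | Where-Object State -eq 'Running' }

    # PID -> process name map, so several services sharing one svchost.exe are visible as such.
    $procByPid = @{}
    Get-Process | ForEach-Object { $procByPid[$_.Id] = $_.ProcessName }

    $services | ForEach-Object {
        [pscustomobject]@{
            Name        = $_.Name
            DisplayName = $_.DisplayName
            State       = $_.State
            StartMode   = $_.StartMode
            RunAs       = $_.StartName        # LocalSystem, NT AUTHORITY\NetworkService, or a named account
            PID         = $_.ProcessId
            Process     = $procByPid[[int]$_.ProcessId]   # $null for stopped services (PID 0)
            Path        = $_.PathName         # unquoted paths with spaces are a classic privesc finding
        }
    }
}

# Binaries outside %SystemRoot% are usually third-party: security agents, backup tools, line-of-business software.
function Get-ThirdPartyServices {
    Get-ServiceInventory -RunningOnly $false |
        Where-Object { $_.Path -and ($_.Path -notlike "*$env:SystemRoot*") }
}

# Services running as a named account rather than a built-in identity are interesting for credential follow-on work.
function Get-NamedAccountServices {
    Get-ServiceInventory -RunningOnly $false |
        Where-Object { $_.RunAs -and $_.RunAs -notmatch '^(LocalSystem|NT AUTHORITY\\|NT SERVICE\\)' }
}

Get-ServiceInventory | Sort-Object PID | Format-Table Name, State, RunAs, PID, Process, Path -AutoSize
Get-ThirdPartyServices | Format-Table Name, StartMode, RunAs, Path -AutoSize
Get-NamedAccountServices | Format-Table Name, RunAs, Path -AutoSize
```

Get-ThirdPartyServices is the quickest way to spot EDR or monitoring agents before the Security Software Discovery step; Get-NamedAccountServices tells you which service accounts exist on the box without touching the SAM or LSA.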
 

System Owner/User Discovery

Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping. The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from System Owner/User Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.

Utilities and commands that acquire this information include whoami. On macOS and Linux, the currently logged-in user can be identified with w and who.

Example

We will work with the whoami command on Windows and check its different switches.

whoami /user: displays the current user name and SID

[screenshot of output]

whoami /fqdn: displays the user name in fully qualified distinguished name (FQDN) format; it only works for domain accounts

[screenshot of output]

whoami /groups: displays the groups the user is a member of

[screenshot of output]
 

System Network Connections Discovery

Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.

An adversary who gains access to a system that is part of a cloud-based environment may map out Virtual Private Clouds or Virtual Networks in order to determine what systems and services are connected. The actions performed are likely the same types of discovery techniques depending on the operating system, but the resulting information may include details about the networked cloud environment relevant to the adversary's goals. Cloud providers may have different ways in which their virtual networks operate.

Utilities and commands that acquire this information include netstat, "net use", and "net session" with Net. On macOS and Linux, netstat and lsof can be used to list current connections. who -a and w can be used to show which users are currently logged in, similar to "net session".

Example

Working with the netstat, net use and net session commands to discover connections (net session requires an elevated prompt):

netstat

[screenshot of output]

net use

[screenshot of output]

net session

[screenshot of output]
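netstat -ano gives you PIDs but not process names, so you end up cross-referencing with tasklist by hand. The following is an added example, not part of the original post, that does the join in PowerShell and then answers the two questions a red teamer actually asks of this data: what does this host expose, and who does it already talk to. It assumes Windows 8 / Server 2012 or later, where Get-NetTCPConnection is available.

```powershell
# Added example (not from the original post): "netstat -ano" with the owning process resolved,
# then filtered into exposed listeners and established peers.
# Assumes Windows 8 / Server 2012 or later (NetTCPIP module provides Get-NetTCPConnection).

function Get-ConnectionInventory {
    $procByPid = @{}
    Get-Process | ForEach-Object { $procByPid[$_.Id] = $_.ProcessName }

    Get-NetTCPConnection | ForEach-Object {
        [pscustomobject]@{
            Proto      = 'TCP'
            LocalAddr  = $_.LocalAddress
            LocalPort  = $_.LocalPort
            RemoteAddr = $_.RemoteAddress
            RemotePort = $_.RemotePort
            State      = $_.State
            PID        = $_.OwningProcess
            Process    = $procByPid[[int]$_.OwningProcess]
        }
    }
}

# Listening sockets bound to all interfaces: what a neighbour on the network can reach on this host.
function Get-ExposedListeners {
    Get-ConnectionInventory |
        Where-Object { $_.State -eq 'Listen' -and $_.LocalAddr -in @('0.0.0.0', '::') } |
        Sort-Object LocalPort -Unique
}

# Established connections to non-loopback peers, grouped per remote host: file servers, databases,
# management consoles; in other words candidate Lateral Movement targets this host already talks to.
function Get-EstablishedPeers {
    Get-ConnectionInventory |
        Where-Object { $_.State -eq 'Established' -and $_.RemoteAddr -notin @('127.0.0.1', '::1') } |
        Group-Object RemoteAddr |
        ForEach-Object {
            [pscustomobject]@{
                RemoteAddr = $_.Name
                Ports      = ($_.Group.RemotePort | Sort-Object -Unique) -join ','
                Processes  = ($_.Group.Process | Sort-Object -Unique) -join ','
            }
        }
}

Get-ExposedListeners | Format-Table LocalAddr, LocalPort, PID, Process -AutoSize
Get-EstablishedPeers | Format-Table -AutoSize
```

Port 445 or 3389 showing up in Get-EstablishedPeers from a user's workstation usually points straight at the file servers and jump hosts worth looking at next.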
 

System Network Configuration Discovery

Adversaries may look for details about the network configuration and settings of systems they access, or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include arp, ipconfig/ifconfig, nbtstat, and route.

Adversaries may use the information from System Network Configuration Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.

Example

We will demonstrate the arp -a and ipconfig /all commands from CMD.

[screenshot: arp -a output]

[screenshot: ipconfig /all output]
 

System Information Discovery

An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.

Tools such as Systeminfo can be used to gather detailed system information. A breakdown of system data can also be gathered through the macOS systemsetup command, but requires administrative privileges.

Infrastructure as a Service (IaaS) cloud providers such as AWS, GCP, and Azure allow access to instance and virtual machine information via APIs. Successful authenticated API calls can return data such as the operating system platform and status of a particular instance or the model view of a virtual machine.

Example

The systeminfo command gives us general and detailed information about the host, but we can also use Get-ComputerInfo from PowerShell.

CMD: systeminfo

[screenshot of output]

PowerShell: Get-ComputerInfo

[screenshot of output]
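systeminfo and Get-ComputerInfo print a lot; the fields that drive targeting decisions are the build, the patch level and age, the domain role, and whether the box is a VM. This added example (not from the original post) pulls just those through CIM so they come back as objects rather than text to grep. It assumes Windows PowerShell 5.1 or later.

```powershell
# Added example (not from the original post): the subset of systeminfo / Get-ComputerInfo output
# that matters for targeting, returned as a structured object. Assumes Windows PowerShell 5.1+.

function Get-HostProfile {
    $os = Get-CimInstance Win32_OperatingSystem
    $cs = Get-CimInstance Win32_ComputerSystem
    $hotfixes = Get-HotFix | Sort-Object InstalledOn -Descending
    $latest = $hotfixes | Select-Object -First 1

    # Win32_ComputerSystem.DomainRole: 0..5 as documented by Microsoft
    $roles = @('Standalone Workstation', 'Member Workstation', 'Standalone Server',
               'Member Server', 'Backup Domain Controller', 'Primary Domain Controller')

    $daysSincePatch = $null
    if ($latest -and $latest.InstalledOn) {
        $daysSincePatch = [int]((Get-Date) - $latest.InstalledOn).TotalDays
    }

    [pscustomobject]@{
        Hostname       = $cs.Name
        Domain         = $cs.Domain
        DomainRole     = $roles[$cs.DomainRole]
        OS             = $os.Caption
        Version        = $os.Version            # e.g. 10.0.19045
        Build          = $os.BuildNumber
        Architecture   = $os.OSArchitecture
        InstallDate    = $os.InstallDate
        LastBoot       = $os.LastBootUpTime
        UptimeDays     = [Math]::Round(((Get-Date) - $os.LastBootUpTime).TotalDays, 1)
        HotfixCount    = $hotfixes.Count
        LatestHotfix   = $latest.HotFixID
        DaysSincePatch = $daysSincePatch        # large values mean the exploit-for-privesc path is worth checking
        Manufacturer   = $cs.Manufacturer       # 'VMware, Inc.', 'Microsoft Corporation' (Hyper-V), 'Dell Inc.' ...
        Model          = $cs.Model              # 'Virtual Machine' / 'VMware Virtual Platform' flag a VM
        LoggedOnUser   = $cs.UserName           # interactive console user, if any
    }
}

Get-HostProfile | Format-List
```

Get-HotFix only lists updates installed through Windows Update/WUSA; a long uptime combined with a recent Build is the usual sign that patching happened by in-place feature update rather than by hotfix.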
 

Software Discovery

Adversaries may attempt to get a listing of software and software versions that are installed on a system or in a cloud environment. Adversaries may use the information from Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.

Adversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or whether the compromised system has a version of software that is vulnerable to Exploitation for Privilege Escalation.
 

Security Software Discovery

Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.

Example commands that can be used to obtain security software information are netsh, reg query with Reg, dir with cmd, and Tasklist, but other indicators of discovery behavior may be more specific to the type of software or security system the adversary is looking for. It is becoming more common to see macOS malware perform checks for LittleSnitch and KnockKnock software.

Adversaries may also utilize cloud APIs to discover the configurations of firewall within an environment.

Example

We will use WMIC to query the Security Center for any installed antivirus software on the system.

[screenshot of output]
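WMIC is deprecated on current Windows builds, so the same Security Center query is worth knowing in PowerShell. This added example (not from the original post) does the AntiVirusProduct query via CIM, decodes the productState field, and adds the two other things the section mentions: firewall profile state and the Defender-specific status. It assumes a Windows client SKU, because the root/SecurityCenter2 namespace does not exist on Windows Server. The productState decoding is community knowledge rather than documented by Microsoft and is marked as such in the code.

```powershell
# Added example (not from the original post): the WMIC AntiVirusProduct query done with CIM,
# the Windows Firewall profile state, and Defender status when the Defender module is present.
# Assumes a Windows client SKU (root/SecurityCenter2 is absent on Windows Server).

function Get-AntiVirusInventory {
    # One AntiVirusProduct instance per AV engine registered with Security Center (Defender included).
    Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName AntiVirusProduct -ErrorAction Stop |
        ForEach-Object {
            # productState is a packed 24-bit value: middle byte = real-time protection, low byte = definition
            # freshness. This decode is widely used in the community but is NOT documented by Microsoft.
            $hex  = '{0:x6}' -f [int]$_.productState
            $rt   = if ($hex.Substring(2, 2) -in @('10', '11')) { 'On' } else { 'Off' }
            $defs = if ($hex.Substring(4, 2) -eq '00') { 'Up to date' } else { 'Out of date' }

            [pscustomobject]@{
                Product      = $_.displayName
                RealTime     = $rt
                Definitions  = $defs
                Path         = $_.pathToSignedProductExe
                ProductState = $_.productState
                LastReported = $_.timestamp
            }
        }
}

function Get-FirewallState {
    # One row per profile; a disabled Domain or Private profile is what an attacker hopes to see.
    Get-NetFirewallProfile |
        Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction, LogFileName
}

function Get-DefenderState {
    # Only meaningful where Defender is the active engine; the cmdlet is absent on some third-party-AV hosts.
    if (Get-Command Get-MpComputerStatus -ErrorAction SilentlyContinue) {
        Get-MpComputerStatus |
            Select-Object AMRunningMode, RealTimeProtectionEnabled, IsTamperProtected,
                          BehaviorMonitorEnabled, AntivirusSignatureLastUpdated
    }
}

Get-AntiVirusInventory | Format-Table Product, RealTime, Definitions, Path -AutoSize
Get-FirewallState | Format-Table -AutoSize
Get-DefenderState | Format-List
```

AMRunningMode reports "Passive Mode" when a third-party AV owns real-time protection and Defender is only scanning on demand, which is the case that the SecurityCenter2 table alone will not make obvious.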
 

Remote System Discovery

Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system. Functionality could exist within remote access tools to enable this, but utilities available on the operating system could also be used, such as Ping or net view using Net. Adversaries may also use local host files (ex: C:\Windows\System32\Drivers\etc\hosts or /etc/hosts) in order to discover the hostname to IP address mapping of remote systems.

Specific to macOS, the Bonjour protocol exists to discover additional Mac-based systems within the same broadcast domain.

Example

By pinging computers on the subnet we can see which of them are currently alive on the network; a ping sweep can be done from CMD or PowerShell.

[screenshot of output]
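The one-liner for-loop ping sweep is usually what gets pasted here; the added example below (not from the original post) is the slightly more useful form: it derives the /24 from the host's own IPv4 address instead of hard-coding it, uses the .NET Ping class so the timeout works on both Windows PowerShell 5.1 and PowerShell 7, and records the reply TTL as a cheap OS hint. It assumes the host has a single primary IPv4 address.

```powershell
# Added example (not from the original post): ping sweep of the local /24 with optional reverse DNS,
# using .NET Ping so the per-host timeout works on PowerShell 5.1 and 7 alike.
# Assumes one primary IPv4 address on the host; the subnet prefix is derived from it.

function Get-LocalSubnetPrefix {
    # First non-loopback, non-APIPA IPv4 address, e.g. 10.10.1.37 -> '10.10.1'
    $ip = Get-NetIPAddress -AddressFamily IPv4 |
        Where-Object { $_.IPAddress -notlike '127.*' -and $_.IPAddress -notlike '169.254.*' } |
        Select-Object -First 1 -ExpandProperty IPAddress
    ($ip -split '\.')[0..2] -join '.'
}

function Invoke-PingSweep {
    param(
        [string]$Prefix = (Get-LocalSubnetPrefix),
        [int]$TimeoutMs = 300,
        [switch]$ResolveNames
    )
    $pinger = New-Object System.Net.NetworkInformation.Ping
    foreach ($i in 1..254) {
        $target = "$Prefix.$i"
        $reply = $pinger.Send($target, $TimeoutMs)
        if ($reply.Status -ne 'Success') { continue }

        $name = ''
        if ($ResolveNames) {
            try   { $name = [System.Net.Dns]::GetHostEntry($target).HostName }
            catch { $name = '(no PTR)' }
        }
        [pscustomobject]@{
            IP    = $target
            TTL   = $reply.Options.Ttl      # ~128 typically Windows, ~64 typically Linux/macOS/network gear
            RttMs = $reply.RoundtripTime
            Host  = $name
        }
    }
}

# TTL heuristic for "probably Windows": the hosts worth feeding into net view / share enumeration next.
function Get-LikelyWindowsHosts {
    param([string]$Prefix = (Get-LocalSubnetPrefix))
    Invoke-PingSweep -Prefix $Prefix | Where-Object { $_.TTL -gt 64 -and $_.TTL -le 128 }
}

Invoke-PingSweep -ResolveNames | Format-Table -AutoSize
```

Hosts whose firewall drops ICMP will not show up; running arp -a afterwards catches the ones that answered at layer 2 anyway, which is why the arp step in the previous section pairs well with a sweep.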
 

Query Registry

Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.

The Registry contains a significant amount of information about the operating system, configuration, software, and security. Information can easily be queried using the Reg utility, though other means to access the Registry exist. Some of the information may help adversaries to further their operation within the network. Adversaries may use the information from Query Registry during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.

Example

We can grab information about installed programs from the registry; in this demo we use the following command to check for any installed Office version.

[screenshot of output]
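The Uninstall keys are the registry-side answer to both Software Discovery and Query Registry, and a single reg query only covers one of the three hives that matter. This added example (not from the original post) walks all three, filters by display name, and looks up the real Office build, which Click-to-Run installs keep under a separate key. It assumes 64-bit Windows; HKCU is included because per-user installs never appear under HKLM.

```powershell
# Added example (not from the original post): installed-software inventory from the three Uninstall
# hives, plus the Office build from the Click-to-Run configuration key.
# Assumes 64-bit Windows (hence the WOW6432Node hive for 32-bit software).

function Get-InstalledSoftware {
    param([string]$Filter = '*')   # wildcard on DisplayName, e.g. '*Office*', '*VPN*', '*Agent*'

    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',   # 32-bit apps on 64-bit Windows
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'                # per-user installs
    )
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -and $_.DisplayName -like $Filter -and -not $_.SystemComponent } |
        Select-Object @{n = 'Name';        e = { $_.DisplayName }},
                      @{n = 'Version';     e = { $_.DisplayVersion }},
                      @{n = 'Vendor';      e = { $_.Publisher }},
                      @{n = 'InstalledOn'; e = { $_.InstallDate }},      # yyyyMMdd string when present
                      @{n = 'Scope';       e = { if ($_.PSPath -like '*HKEY_CURRENT_USER*') { 'User' } else { 'Machine' } }},
                      @{n = 'Key';         e = { Split-Path $_.PSPath -Leaf }} |
        Sort-Object Name -Unique
}

# Click-to-Run Office records the actual build and update channel here, not in its Uninstall entry.
function Get-OfficeBuild {
    $c2r = 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration'
    if (Test-Path $c2r) {
        Get-ItemProperty $c2r | Select-Object VersionToReport, Platform, UpdateChannel, ProductReleaseIds
    } else {
        # MSI-based Office, or none installed: fall back to the Uninstall entries
        Get-InstalledSoftware -Filter '*Microsoft Office*' | Select-Object Name, Version
    }
}

Get-InstalledSoftware | Format-Table Name, Version, Vendor, Scope -AutoSize
Get-InstalledSoftware -Filter '*Office*' | Format-Table Name, Version -AutoSize
Get-OfficeBuild
```

The Scope column is worth a glance: user-scope installs (browsers, chat clients, portable tools) are the ones least likely to be covered by the organisation's patching, which ties this back to the Exploitation for Privilege Escalation motive above.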
 

Process Discovery

Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.

In Windows environments, adversaries could obtain details on running processes using the Tasklist utility via cmd or Get-Process via PowerShell. Information about processes can also be extracted from the output of Native API calls such as CreateToolhelp32Snapshot. On macOS and Linux this is accomplished with the ps command. Adversaries may also opt to enumerate processes via /proc.

Example

Using the Get-Process cmdlet from PowerShell we can view the necessary info, or we can simply use the tasklist command from CMD.

PowerShell: Get-Process

[screenshot of output]

CMD: tasklist

[screenshot of output]
 

Permission Groups Discovery

Adversaries may attempt to find group and permission settings. This information can help adversaries determine which user accounts and groups are available, the membership of users in particular groups, and which users and groups have elevated permissions.
 

Local Groups

Adversaries may attempt to find local system groups and permissions settings. The knowledge of local system permission groups can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as the users found within the local administrators group.

Commands such as net localgroup of the Net utility, dscl . -list /Groups on macOS, and groups on Linux can list local groups.

Example

Enumerating local groups is simple with the net localgroup command.

[screenshot of output]
 

Domain Groups

Adversaries may attempt to find domain-level groups and permissions settings. The knowledge of domain-level permission groups can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as domain administrators.

Commands such as net group /domain of the Net utility, dscacheutil -q group on macOS and ldapsearch on Linux can list domain-level groups.

Example

We will need a domain user to query this information.

[screenshot of output]
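net group /domain only speaks to a domain controller through the Net API and cannot resolve nested membership. The added example below (not from the original post) queries the same groups over LDAP with the built-in [ADSISearcher] type, which works from any domain-joined host as a domain user without RSAT or the ActiveDirectory module. It assumes the current logon is a domain account; the group names are the well-known defaults, and Enterprise/Schema Admins only exist in the forest root domain.

```powershell
# Added example (not from the original post): domain group enumeration over LDAP via [ADSISearcher],
# no RSAT needed. Assumes a domain logon on a domain-joined host.

function Get-DomainGroupMembers {
    param([Parameter(Mandatory)][string]$GroupName)

    $searcher = [ADSISearcher]"(&(objectCategory=group)(sAMAccountName=$GroupName))"
    $searcher.PropertiesToLoad.AddRange([string[]]@('member', 'distinguishedName'))
    $group = $searcher.FindOne()
    if (-not $group) { return }   # group absent in this domain (e.g. Enterprise Admins outside the forest root)

    # 'member' holds DNs; bind to each to get its sAMAccountName and class. Nested groups show up as class 'group'.
    foreach ($dn in $group.Properties['member']) {
        $m = [ADSI]"LDAP://$dn"
        [pscustomobject]@{
            Group  = $GroupName
            Member = [string]$m.sAMAccountName
            Class  = [string]$m.SchemaClassName
            DN     = $dn
        }
    }
}

function Get-CurrentUserDomainGroups {
    # memberOf lists direct memberships only; the primary group (normally Domain Users) is not in it by design.
    $searcher = [ADSISearcher]"(&(objectCategory=user)(sAMAccountName=$env:USERNAME))"
    $searcher.PropertiesToLoad.Add('memberOf') | Out-Null
    $user = $searcher.FindOne()
    if ($user) {
        $user.Properties['memberof'] | ForEach-Object { ($_ -split ',')[0] -replace '^CN=', '' }
    }
}

# High-value groups to map first; membership here is what "elevated permissions" means in a domain.
'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Account Operators', 'Backup Operators' |
    ForEach-Object { Get-DomainGroupMembers -GroupName $_ } |
    Format-Table Group, Member, Class -AutoSize

Get-CurrentUserDomainGroups
```

Any row with Class = group is a nested group and should be expanded with a second Get-DomainGroupMembers call; that is exactly the membership that net group /domain hides.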
 

Peripheral Device Discovery

Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system. Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or movable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.

Example

Utilizing the pnputil utility we can list the devices connected to the workstation and check whether any of them could be of use, most commonly for Lateral Movement.

[screenshot of output]

 

Password Policy Discovery

Adversaries may attempt to access detailed information about the password policy used within an enterprise network. Password policies for networks are a way to enforce complex passwords that are difficult to guess or crack through Brute Force. Knowing the policy helps the adversary create a list of common passwords and launch dictionary and/or brute force attacks that adhere to it (e.g. if the minimum password length is 8, not trying passwords such as 'pass123'; not attempting more than 3-4 passwords per account if the lockout threshold is 6, so as not to lock out accounts).

Password policies can be set and discovered on Windows, Linux, macOS systems via various command shell utilities such as net accounts (/domain), Get-ADDefaultDomainPasswordPolicy, chage -l, cat /etc/pam.d/common-password, and pwpolicy get account policies.

Example

Utilizing the net accounts command.

[screenshot of output]
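net accounts reports the policy of the machine you run it on, and net accounts /domain needs the Net API path to a DC. The added example below (not from the original post) reads the default domain policy straight from the domain object over LDAP, converts the interval attributes that are stored as negative 100-ns tick counts, and turns the result into the spray budget the paragraph above describes. It assumes a domain logon on a domain-joined host and does not read fine-grained password policies (PSOs), which can override these defaults for specific groups.

```powershell
# Added example (not from the original post): the default domain password/lockout policy over LDAP
# (what "net accounts /domain" and Get-ADDefaultDomainPasswordPolicy show), plus the derived spray limits.
# Assumes a domain logon; no RSAT required. Fine-grained password policies (PSOs) are not consulted.

function ConvertFrom-AdInterval {
    # AD stores ages/durations as negative counts of 100-ns ticks; Int64.MinValue means "never" / "until unlocked".
    param([long]$Ticks, [ValidateSet('Days', 'Minutes')][string]$Unit)
    if ($Ticks -eq [long]::MinValue) { return 'never' }
    $span = [TimeSpan]::FromTicks([Math]::Abs($Ticks))
    if ($Unit -eq 'Days') { return [Math]::Round($span.TotalDays, 1) }
    return [Math]::Round($span.TotalMinutes, 1)
}

function Get-DomainPasswordPolicy {
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $searcher = [ADSISearcher]'(objectClass=domainDNS)'
    $searcher.SearchRoot  = [ADSI]"LDAP://$($rootDse.defaultNamingContext)"
    $searcher.SearchScope = 'Base'
    $p = $searcher.FindOne().Properties   # DirectorySearcher returns large integers as Int64 already

    [pscustomobject]@{
        Domain                 = [string]$p['distinguishedname'][0]
        MinPasswordLength      = [int]$p['minpwdlength'][0]
        PasswordHistoryLength  = [int]$p['pwdhistorylength'][0]
        MaxPasswordAgeDays     = ConvertFrom-AdInterval -Ticks $p['maxpwdage'][0] -Unit Days
        MinPasswordAgeDays     = ConvertFrom-AdInterval -Ticks $p['minpwdage'][0] -Unit Days
        LockoutThreshold       = [int]$p['lockoutthreshold'][0]          # 0 = accounts never lock out
        LockoutDurationMinutes = ConvertFrom-AdInterval -Ticks $p['lockoutduration'][0] -Unit Minutes
        LockoutWindowMinutes   = ConvertFrom-AdInterval -Ticks $p['lockoutobservationwindow'][0] -Unit Minutes
        ComplexityRequired     = ([int]$p['pwdproperties'][0] -band 1) -eq 1   # DOMAIN_PASSWORD_COMPLEX bit
    }
}

# The limits a password spray must respect so no account reaches the lockout threshold.
function Get-SprayBudget {
    param($Policy = (Get-DomainPasswordPolicy))
    if ($Policy.LockoutThreshold -eq 0) {
        return [pscustomobject]@{ AttemptsPerWindow = 'unlimited'; WaitMinutesBetweenRounds = 0
                                  MinLength = $Policy.MinPasswordLength; ComplexityRequired = $Policy.ComplexityRequired }
    }
    [pscustomobject]@{
        AttemptsPerWindow        = [Math]::Max(1, $Policy.LockoutThreshold - 2)   # margin for users' own typos
        WaitMinutesBetweenRounds = $Policy.LockoutWindowMinutes                   # counter resets after this window
        MinLength                = $Policy.MinPasswordLength
        ComplexityRequired       = $Policy.ComplexityRequired
    }
}

Get-DomainPasswordPolicy | Format-List
Get-SprayBudget | Format-List
```

The observation window, not the lockout duration, is the number that sets the pace: the bad-password counter resets only when that window has passed since the last failure, so each round of the spray has to wait at least that long.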
 

Network Sniffing

Adversaries may sniff network traffic to capture information about an environment, including material passed over the network. Network sniffing refers to using the Network interface on a system to monitor or capture information sent over the wired or wireless connection. An adversary may place a network into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.

Data captured via this technique may include user credentials, especially those sent over an insecure, unencrypted protocol. Techniques for name service resolution poisoning, such as LLMNR/NBT-NS Poisoning and SMB Relay, can also be used to capture credentials to websites, proxies, and internal systems by redirecting traffic to adversary.

Network sniffing may also reveal configuration details, such as running services, version numbers, and other network characteristics (e.g. IP addresses, host-names, VLAN IDs) necessary for subsequent Lateral Movement and/or Defense Evasion activities.

Example

As I have demonstrated this technique with Responder by poisoning requests, we can use two other methods here: tcpdump for Windows or the built-in Windows utility netsh.

We will need Administrator privileges for both commands.

tcpdump

[screenshot of output]

netsh

[screenshot of output]

netsh trace writes an .etl trace file, which has to be converted to pcap (or whichever format your packet analyzer reads) before analysis.
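The netsh path has three steps that are easy to get wrong on an engagement: bounding the capture so it does not fill the disk, remembering that "netsh trace stop" can take a while, and converting the ETL afterwards. The added example below (not from the original post) wraps them; it assumes Microsoft's etl2pcapng.exe has been staged on the host at a path of your choosing (it is not part of Windows, and the path used is an assumption). Run it from an elevated PowerShell.

```powershell
# Added example (not from the original post): bounded packet capture with the built-in netsh trace,
# then conversion of the .etl to pcapng for Wireshark/tshark. Must run elevated.
# Assumes etl2pcapng.exe (Microsoft, not shipped with Windows) is present at the path below.

$CaptureDir = 'C:\Temp\cap'                      # assumed working directory
$Etl        = Join-Path $CaptureDir 'trace.etl'
$Pcapng     = Join-Path $CaptureDir 'trace.pcapng'
$Etl2Pcapng = 'C:\Tools\etl2pcapng.exe'          # assumed location of the converter

function Start-NetshCapture {
    param(
        [int]$MaxSizeMB = 256,
        # Optional netsh capture filter, e.g. 'IPv4.Address=10.10.1.5' or 'Protocol=TCP'; empty = everything
        [string]$Filter = ''
    )
    New-Item -ItemType Directory -Path $CaptureDir -Force | Out-Null
    # report=disabled skips the slow diagnostics cab; persistent=no stops the trace on reboot
    $netshArgs = @('trace', 'start', 'capture=yes', 'report=disabled', 'persistent=no',
                   "maxsize=$MaxSizeMB", "tracefile=$Etl")
    if ($Filter) { $netshArgs += $Filter }
    & netsh @netshArgs
}

function Stop-NetshCapture {
    # Stopping correlates and flushes the trace; on a busy host this step takes noticeably long.
    & netsh trace stop
    if (Test-Path $Etl2Pcapng) {
        & $Etl2Pcapng $Etl $Pcapng
        Get-Item $Pcapng
    } else {
        Write-Warning "etl2pcapng not found at $Etl2Pcapng; $Etl can still be opened with Microsoft Network Monitor"
    }
}

# Typical use: capture TCP for two minutes, then convert.
Start-NetshCapture -Filter 'Protocol=TCP'
Start-Sleep -Seconds 120
Stop-NetshCapture

# Remove the capture directory once the pcapng has been pulled off the host:
# Remove-Item $CaptureDir -Recurse -Force
```

A "maxsize" with the default circular buffer means the file stops growing at that size and older packets are overwritten, so size it for the window you actually need rather than for the whole engagement.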
 

Network Share Discovery

Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify systems of interest for Lateral Movement. Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network.

File sharing over a Windows network occurs over the SMB protocol. Net can be used to query a remote system for available shared drives using the net view \\remotesystem command. It can also be used to query shared drives on the local system using net share.

Example

Having located machines on the network, we can use that information to find any shares available on the remote systems.

[screenshot of output]
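net view lists shares but does not tell you which ones your current token can actually open, and its output is text. The added example below (not from the original post) runs net view \\host /all against a list of hosts, parses the share table, and tests read access to each disk share. It assumes an English-locale net.exe because the parsing depends on the column headings and the completion message; Desktop-Bravo is the host name used elsewhere in this post and FileServer01 is a placeholder.

```powershell
# Added example (not from the original post): share enumeration with "net view \\host /all" parsed into
# objects, plus a read-access test per disk share. Assumes English-locale net.exe output.

function Get-RemoteShares {
    param([Parameter(Mandatory)][string[]]$ComputerName)

    foreach ($computer in $ComputerName) {
        # /all includes the administrative shares (C$, ADMIN$, IPC$) that net view hides by default
        $out = & net view "\\$computer" /all 2>&1
        if ($LASTEXITCODE -ne 0) {
            # e.g. "System error 53 has occurred." (unreachable) or error 5 (access denied)
            [pscustomobject]@{ Host = $computer; Share = ''; Type = 'ERROR'; Readable = $false
                               Note = [string]($out | Select-Object -Last 1) }
            continue
        }

        $inTable = $false
        foreach ($line in $out) {
            # share rows start after the dashed rule under "Share name  Type  Used as  Comment"
            if (-not $inTable) { $inTable = $line -match '^-{5,}'; continue }
            if ($line -match '^The command completed') { break }
            if ($line -match '^(?<name>\S+)\s+(?<type>Disk|Print|IPC)\b') {
                $unc = "\\$computer\$($Matches.name)"
                [pscustomobject]@{
                    Host     = $computer
                    Share    = $Matches.name
                    Type     = $Matches.type
                    # Test-Path succeeds only if the current token can at least list the share root
                    Readable = ($Matches.type -eq 'Disk') -and [bool](Test-Path -LiteralPath $unc -ErrorAction SilentlyContinue)
                    Note     = ''
                }
            }
        }
    }
}

# Readable, non-administrative disk shares: the usual starting point for Collection.
function Get-ReadableShares {
    param([Parameter(Mandatory)][string[]]$ComputerName)
    Get-RemoteShares -ComputerName $ComputerName |
        Where-Object { $_.Readable -and $_.Share -notmatch '\$$' }
}

Get-RemoteShares -ComputerName 'Desktop-Bravo', 'FileServer01' | Format-Table Host, Share, Type, Readable, Note -AutoSize
Get-ReadableShares -ComputerName 'Desktop-Bravo', 'FileServer01' | Format-Table Host, Share -AutoSize
```

A readable C$ or ADMIN$ in the output means the current token is a local administrator on that host, which answers the Lateral Movement question before you touch psexec or WinRM.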
 

Network Service Scanning

Adversaries may attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote software exploitation. Methods to acquire this information include port scans and vulnerability scans using tools that are brought onto a system.

Within cloud environments, adversaries may attempt to discover services running on other cloud hosts. Additionally, if the cloud environment is connected to an on-premises environment, adversaries may be able to identify services running on non-cloud systems as well.

Example

We will use nmap for Windows to achieve this goal. Sometimes we rely on tools that can be moved onto the compromised host to perform port scans against other systems; in this example we use it to scan a remote system, Desktop-Bravo.

[screenshot of output]
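Dropping nmap onto a host is often exactly what you cannot do. The added example below (not from the original post) is a TCP connect scan in plain PowerShell with a real per-port timeout, distinguishing open from closed and filtered ports. It assumes the target name from this post, Desktop-Bravo, resolves; the default port list is a short, illustrative set of common Windows and infrastructure services, not an exhaustive one.

```powershell
# Added example (not from the original post): TCP connect scan with per-port timeout, for hosts where
# nmap cannot be staged. Assumes Desktop-Bravo resolves; the port list is illustrative.

function Test-TcpPort {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][int]$Port,
        [int]$TimeoutMs = 500
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        # BeginConnect + WaitOne gives a real timeout; a plain Connect() hangs ~21 s on filtered ports
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return 'filtered' }   # no SYN/ACK, no RST
        $client.EndConnect($async)      # throws SocketException on RST
        return 'open'
    } catch {
        return 'closed'
    } finally {
        $client.Close()                 # also aborts a pending connect
    }
}

function Invoke-PortScan {
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [int[]]$Ports = @(21, 22, 80, 88, 135, 139, 389, 443, 445, 636, 1433, 3268, 3389, 5985, 5986, 8080),
        [int]$TimeoutMs = 500,
        [switch]$IncludeClosed
    )
    # Friendly names for the default list only; other ports are reported by number.
    $names = @{ 21 = 'ftp'; 22 = 'ssh'; 80 = 'http'; 88 = 'kerberos'; 135 = 'msrpc'; 139 = 'netbios-ssn'
                389 = 'ldap'; 443 = 'https'; 445 = 'smb'; 636 = 'ldaps'; 1433 = 'mssql'; 3268 = 'gc-ldap'
                3389 = 'rdp'; 5985 = 'winrm-http'; 5986 = 'winrm-https'; 8080 = 'http-alt' }
    foreach ($c in $ComputerName) {
        foreach ($p in $Ports) {
            $state = Test-TcpPort -ComputerName $c -Port $p -TimeoutMs $TimeoutMs
            if ($state -eq 'open' -or $IncludeClosed) {
                [pscustomobject]@{ Host = $c; Port = $p; Service = $names[$p]; State = $state }
            }
        }
    }
}

Invoke-PortScan -ComputerName 'Desktop-Bravo' | Format-Table -AutoSize
```

Open 88 and 389/3268 together mark a domain controller; 5985/5986 open tells you WinRM is a viable Lateral Movement channel if the token from the share test above is a local admin there.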
 