OSINT:
Don’t forget to work recursively. When you get new info, go back and search again to relate it to other info.
Initial Access (start this while doing OSINT):
- Nmap scan
- SMB?
  - Login and list directories
  - Check directories and try to find files, notes, backups, or whatever else you can access
  - Responder for an NTLM hash, potentially
    - Crack with Hashcat or Pass-the-Hash
- Website?
  - Check page source
  - Default credentials on apps
    - e.g. Jenkins
  - What does the webpage use to run?
    - Google exploits for them, include the version
    - searchsploit
    - msfconsole search
  - None? Dirbuster
    - Use a specific wordlist if applicable (like the SharePoint list for SharePoint)
- SQL?
  - Can we get credentials at all?
    - mssqlclient.py: potential shell, or an NTLM hash for Responder
- (not included in the course) Port 5985
  - evil-winrm
First shell:
- Enumerate the system
  - Can we use automated tools?
    - Try Win/LinPEAS, PowerUp, Sherlock, or sysinfo + suggester
  - If we can’t use automated tools:
    - Run the commands in Initial Enumeration (Windows)
    - Run the commands in Initial Enumeration (Linux)
  - Look in directories for installed software that isn’t default on Windows and search for exploits for it (could give us an unquoted service path or weak service permissions)
  - Linux:
    - Crontabs or files that run constantly (can be found with pspy64)
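A defender-side check for the Linux crontab item above, added here as an example and not part of the original notes: it parses system-crontab lines (the form with a user field, including `@reboot`-style entries) and flags jobs whose target script is group- or world-writable, which is the misconfiguration that turns a scheduled job into a privilege-escalation path. The crontab text and permission table are constructed, and the `mode_of` callback is a hypothetical hook so the check runs offline.

```python
"""Audit system-crontab entries for targets a non-owner could modify."""
import os
import re
import stat

# 5 time fields or an @special, then the user, then the command.
CRON_RE = re.compile(r"^\s*(?:@\w+\s+|(?:\S+\s+){5})(?P<user>\S+)\s+(?P<cmd>.+)$")

def parse_crontab(text):
    """Return (user, command) tuples; skip comments, blanks and VAR=value lines."""
    jobs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or re.match(r"^\w+=", line):
            continue
        m = CRON_RE.match(line)
        if m:
            jobs.append((m.group("user"), m.group("cmd")))
    return jobs

def script_path(cmd):
    """First token of the command: the file cron actually executes."""
    return cmd.split()[0]

def is_loose_mode(mode):
    """True if group or others may write to the file (st_mode bits)."""
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))

def find_risky_jobs(crontab_text, mode_of=None):
    """Return (user, path) for jobs whose absolute target is group/world writable.
    mode_of maps a path to its st_mode or None; default reads the real filesystem."""
    if mode_of is None:
        mode_of = lambda p: os.stat(p).st_mode if os.path.exists(p) else None
    risky = []
    for user, cmd in parse_crontab(crontab_text):
        path = script_path(cmd)
        if not os.path.isabs(path):      # 'cd / && ...' style lines are skipped
            continue
        mode = mode_of(path)
        if mode is not None and is_loose_mode(mode):
            risky.append((user, path))
    return risky

SAMPLE_CRONTAB = """# constructed sample /etc/crontab (not from a real host)
SHELL=/bin/sh
*/5 * * * *  root /opt/backup/backup.sh --quiet
@reboot      root /opt/scripts/cleanup.sh
17 * * * *   root cd / && run-parts /etc/cron.hourly
"""
# Constructed permission table standing in for os.stat() results.
SAMPLE_MODES = {"/opt/backup/backup.sh": 0o100755,    # only the owner writes
                "/opt/scripts/cleanup.sh": 0o100777}  # world-writable: fix with chmod 755

def demo():
    """Run the audit against the constructed fixture."""
    return find_risky_jobs(SAMPLE_CRONTAB, SAMPLE_MODES.get)
```

The same idea extends to `/etc/cron.d/*` and to checking that the target and its parent directories are owned by root, since a writable directory lets the file be replaced even when the file itself is 0755.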
unrelated:
Website