Internal Infrastructure Logfile


Test Details & Scope


Paste and scope or exclusion details here.


Test Accounts


Include any accounts created here for mop-up!

user1:password1
admin1:password1


Legend


    • confirmed vulnerability
    • no issue or false positive
    ! - warnings about issues or possible vulnerabilities
    ? - still needs checking

Pre-Flight Checks


  • Check the scope for additional details on the test:

  • Read all previous emails related to test:

  • Check previous year’s report if exists:


Situational Awareness


  • Turn on netdiscover
  • Turn on responder
  • Turn on wireshark
  • nmap -sn full range
  • Portscan top 10 ports full range
  • Portscan top 10 UDP full range
  • Portscan top 100 TCP full range
  • Portscan top 1000 TCP full range
  • Portscan top 10000 TCP full range
  • If no targets found, masscan whole range for port 445
  • Check IP phones for IP address
  • Check printers for IP address
  • Eyewitness on all web servers
  • Scan for SNMP community strings
  • SMBMap for unprotected shares
  • Scan for FTP, Telnet, VNC, RDP, SMB
  • Scan for MS17-010
  • Search for anonymous FTP login
  • Search for open printers
  • Crack domain users account
  • Find all domain controllers
  • Find local Citrix servers
  • Data exfiltration
  • NAC in place
  • Find hosts with RDP open
  • Find all hosts with SMB signing disabled for ntlmrelay.py

  • Scan with ms17masscan.py
  • Crack domain users passwords with hashcat
  • NTLMRelay.py to get local hashes
  • If successful, login via psexec
  • Out of date software exploits
  • Search open file shares
  • Responder to get cleartext passwords
  • Responder to get domain usernames
  • Password reuse on all other services
  • Kerberoasting
  • mitm6
  • Default credentials
  • Bruteforce web applications
  • Bruteforce FTP, SSH, Telnet servers

  • rpcclient to get all domain users
  • smb_login to password spray
  • psexec to login to machines remotely
  • Bloodhound to get Domain Admin location
  • Login to physical machine via RDP
  • Identify file server
  • Look for passwords in filestore using SMBMap
  • Gitconfig files

  • Login to machines as local admin and impersonate tokens
  • Find where the domain admins are logged in
  • Sherlock
  • Powerup
  • Run systeminfo on target and put output through

  • Get WIFI passwords
  • Dump DC hashes and crack offline

  • SNMP community strings
  • Anonymous FTP login
  • rservices
  • VNC services
  • Screenshot all RDP sessions with Eyewitness
  • NC to every login service such as telnet
  • Search fileshares for passwords
  • Search SYSVOL on DC for groups.xml cpassword