Perform Network Reconnaissance/Discovery
The process for internal reconnaissance is the same as the initial reconnaissance step in the cyber kill chain. However, more detailed information can be gathered in the internal network, which can also be used for performing privilege escalation and lateral movement later. Performing local reconnaissance on internal systems and network reconnaissance on internal network, both comes under same group as their main objective is to gather adequate information about internal organization structure. Internal reconnaissance is also referred to as post-exploitation reconnaissance. These attacks are mostly caused by the fact that mechanisms such as Address Resolution Protocol (ARP), Dynamic Host Configuration Protocol (DHCP), and Domain Name System (DNS) are not configured properly. One of the most important attacks that can be encountered is undoubtedly Man-in-the-Middle.
Red Team: Attack vectors and Techniques
Perform internal network scanning to determine the level of network segregation, network architecture, and identify vulnerable services. Depending on the required goal and TTPs, the following additional information can be collected.
- File Shares (SMB, NFS, SharePoint, Proprietary data collections)
- Network segregation
- Domain Controllers
- Proxy settings
The above information can be find using tools and techniques from passive reconnaissance, Active reconnaissance and Domain controllers.
- Passive Reconnaissance: To understand what is happening in a network, sniffing and scanning is performed. Network sniffing refers to using network interface on a system to monitor or Capture information sent over a wired or wireless connection by placing network interface into promiscuous mode to passively access data in transit over the network. Once you compromised a machine create a listener on the victim machine to perform further activities.
- If a sniffer is installed on the machine (like tcpdump or Wireshark’s tshark tool), run it to look for network traffic to identify other possible target machines, as well as cleartext protocols containing sensitive or useful information.
- PowerView is a PowerShell tool to gain network situational awareness on Windows domains.
LLMNR stands for -> Link-Local Multicast Name Resolution, is a protocol that is processed when the local DNS server fails in name resolution.
NBT-NS stands for -> NetBIOS Name Service, an API, not a protocol, used communicate between Windows operating systems.
- LLMNR/NBT-NS Poisoning abuses the default behaviour of Microsoft Window’s name resolution services and steals authentication credentials.
Attack Technique: When a windows host cannot resolve a hostname using DNS, it uses the LLMNR protocol (Link-Local Multicast Name Resolution) to ask neighboring computers about it. If that also fails, then it uses the NBT-NS, So using sniffing tool — Responder, we capture the hash & then perform decoding.
Network sniffing(by Impacket) — NETBIOS Name service poisoning — Responder — MITM
2. Active Reconnaissance: In many cases & many stages of attack, the attackers actually use IT Tools that they manage their n/w in order to perform diff operations.
Networking & Hacking tools: i)Angry IP Scanner ii)Pinginfoview iii)nmap iv) ping v) Mimikatz v)PsExec VI) PowerShell
Admin Utilities: SecureCRT, Putty, BeyondExec, MobaXterm
Remote Desktop: Team viewer, WinVNC, Radmin, Anydesk, LogMein
When you gain access to a target machine, don’t use it to scan for more targets yet, as that might get you detected prematurely. Instead, plunder it for information about other potential targets based on network activity:
ipconfig /displaydns #DNS cache (Windows)
arp -a #ARP cache
netstat -na # Established TCP connections
netstat -nr #Routing table
netsh wlan show networks mode=b #Displays nearby wifi
“I have seen arp spoofing attacking cases at endpoint level wherein the attacker used built-in tools like WMIC, MSIEXEC, ARP for exploitation on a fully patched machine.”
2a) Traceroute — Main purpose of trace route is to fix network problems. This helps you in identifying, while connecting to some network where the connection is actually slowing down, which intermediate router is responsible for that. But adversaries use to map out the route which data flows through the network in route to a target destination.
2b) Ping & Port Scanning — Tools like AngryIP Scanner
2c) DNS & ADS Queries — Tool that is commonly used for internal reconnaissance is BloodHound which can map out paths for an attacker.
Let’s consider If attackers want to determine which user account on which host will enable access to the data they are after, then BloodHound is an ideal tool for finding that information.
ipconfig /display # Complete info of local DNS cache
2d) File Shares — SMB, NFS, SharePoint, Proprietary data collections, Samba Shares, WebDAV
2e) Logon Scanning — Session Enumeration which finds out who is logged on where.
Net Cease is a short PowerShell script is used to change the Registry Key which controls the NetSessionEnum method permissions or use NetSess Tool.
2f) Find Remote Sessions and Processes — When you get on a Windows box, look for ESTABLISHED TCP connections to ports 445 (SMB) and 3389 (RDP), as these other systems may be excellent systems to pivot to,provided they are in scope:
c:\> netstat -na | find “EST” | find “:445”
c:\> netstat -na | find “EST” | find “:3389”
Or using PowerSploit
2g) Locate Domain & Forest admins: Domain forests are collections of domain containers that trust each other. A domain trust establishes the ability for users in one domain to authenticate to resources or act as a security principal in another domain.
Cracking SPN values for Gaining Domain Admin Rights in Active Directory using Impacket module & Powersploit.
SPN is used to uniquely identify each instance of a Windows service. To enable authentication, Kerberos requires that SPNs be associated with at least one service logon account
These groups have the ability to logon to Domain Controllers by default:
• Enterprise Admins
• Domain Admins
• Backup Operators
• Account Operators
- Print Operators
BLUE TEAM: Detective and Preventive Controls -
So once the attacker is operating from authorized host with authorized credentials and accessing n/w resources which he can’t be ..nothing strange we find & he doesn’t search/use any exploits or little use of actual malware to do so — just use the n/w tools. Attacker tries different things, he doesn’t know where the server is ..he performs reconnaissance In order to reach the attack. He might be doing 100 of operations on diff hosts compromising diff user a/c moving laterally and this stage he is acting your home territory and you need to catch him once. This might not be automated attack, the more road block he faces, he becomes more creative .
All these tools usage doesn’t provide enough chances of catching the attacker. We have to really understand how the network operates. In order to provide security we should have visibility at all aspects at 3 levels, Providing partially visibility doesn’t help. Identify suspicious patterns of behavior from network traffic and endpoint activity.
1. Purchase Threat Detection & Prevention tools — Installing A.V tools mitigates the chance of machine getting compromised and if unfortunately happens, atleast it will detect so that we can perform necessary actions to remediate.
2. Implementing Secure Group Policies like b)Restrict Software Installations c) Follow the principle of least privilege d) Control Access to CMD e) Disable Guest Account f) Password length g)Password age limit h) Disabling Anonymous SID Enumeration in A.D h) Moderating access to control panel, I just mentioned few but there are many policies an organization can implement.
3. Installing security patches (Microsoft release the security patches once in every month & core security patches of any 0-day exploits ASAP)
4. Configuring AppLocker and Whitelisting and blacklisting applications based on organization dependency.
5. Implementing SIEM in an organization and integrating with other threat detection sources and monitoring those alerts. (If possible configure sysmon to SIEM, Monitor the above mentioned registry keys for any violation)
6. Use of CanaryTokens — Attackers will explore around a network looking for systems that may have vulnerabilities, misconfigurations or contain high-value information. When an attacker performs a port scan, a brute force attack, downloads files from the file share, accesses a fake website or interacts with the device, it will generate alerts.
7. Maintaining an audit trail of system activity logs(above all) can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks.
8. Implementing File Integrity Monitoring Software’s
9. At an Administrator level
• Reduce Domain and Local Administrators
• Audit special group Memberships (Enterprise Admins, Domain Admins, Administrators, Backup Operators, Account Operators, Print Operators)
• Reset KRBTGT password at least yearly, and every time an admin leaves your org.
- Use LAPS — Randomize Local Administrator Passwords
10. Disable Legacy Protocols • LLMNR, NETBIOS, WPAD
1. Implementing Network segregation — Segregating sensitive data and systems to make them more difficult to access.
2. UEBA -We can check from Endpoint & network, but primary source is metadata from n/w. which used for 3 things
a) Identify diff entities in n/w — helps building behavior profiles ; Eg: if system moving from desk to meeting room
b) What’s the current behavior
c) Build behavior profiles over time.
3. Implementing Tarpit network security mechanism which helps against computer worms and network abuses.
4. Monitoring at network level can be used to detect systems communicating with a C2 server, mostly Web Filtering (github).
1. Preparation is the effective key in identifying & responding. Training end users at regular intervals and providing awareness on cyberattacks can help the organization against cyberattacks.
2. Train staff on the latest security threat and security tools.
3. Implement incident respond procedures for handling security incidents, breaches, and cyber threats.
How to Identify Attacker Reconnaissance on Your Internal Network
The most vulnerable moment for attackers is when they first gain internal access to your corporate network. In order to…