Internal Network Initial Access Cheatsheet

Internal Network Initial Access

No Creds

1. Discover hosts
   • How to Perform Host Discovery
2. Discover Open Ports
   • How to Perform Internal Port Scanning
3. Discover SCCM/MECM Infrastructure
   • How to Identify is SCCM (MECM) is Present
4. If SCCM/MECM environment:
   • How To Enumerate SCCM (MECM) using LDAP
   • Dump PXE Passwords from Windows (No PXE Password Protection)
   • How To Dump PXE Boot Creds that are protected by PXE Password
   • SCCM Computer Account SMB Relay Coercion to MSSQL Server Admin
5. compile list of hosts with SMB signing disabled
   • netexec smb [ip/cidr] --gen-relay-list
6. Start Network Poisoning Attacks
   • SMB Relaying: SMB Relaying
   • MiTm6 Poisoning MITM6 Poisoning
   • ASREQ Roasting ASREQ-Roasting
   • Spin up evilssdp to start capturing creds
7. TimeRoasting Time Roasting
8. ASREPRoasting ASREP Roasting
9. Check for null/anonymous authentication (unlikely)
   • Guest SMB Auth
10. Enumerate Domain Users
    • Enumerate Users using Kerberos
    • enumerate-users-and-groups-via-smb
11. Password spraying with kerbrute
    • How to Password Spray Kerberos
12. Attempt WSUS techniques
13. Attempt Coercion techniques

Related

Related Notes

All Related Notes

TABLE file.ctime as "Created", tags as "Tags"
FROM "New Notes"
WHERE contains(tags, "windows") OR contains(tags, "active-directory") OR contains(tags, "internal") OR contains(tags, "initial-access")
SORT file.ctime DESC

windows

TABLE file.ctime as "Created", tags as "Tags"
FROM "New Notes"
WHERE contains(tags, "windows")
SORT file.ctime DESC

active-directory

TABLE file.ctime as "Created", tags as "Tags"
FROM "New Notes"
WHERE contains(tags, "active-directory")
SORT file.ctime DESC

internal

TABLE file.ctime as "Created", tags as "Tags"
FROM "New Notes"
WHERE contains(tags, "internal")
SORT file.ctime DESC

initial-access

TABLE file.ctime as "Created", tags as "Tags"
FROM "New Notes"
WHERE contains(tags, "initial-access")
SORT file.ctime DESC