Internal Recon

Host Discovery

These methods assume you are network adjacent. In most networks, not every host is reachable on every port or protocol, because firewalls (network devices or host-based) filter traffic. Sweep your subnet with several protocols (ICMP, SMB, ARP) so that a host blocked on one is still found on another.

ICMP Ping Sweep

fping -asgq 10.10.10.10/24

SMB Sweep

nxc smb 10.10.10.10/24

ARP

netdiscover
netdiscover -p # Passive mode does not send ARP broadcasts
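The sweeps above each touch many hosts from one source in a short time, which is also what makes them visible to a defender. The following is an added example, not part of the original page, that reads constructed flow records (timestamp, source, destination, protocol, destination port; the IPs and format are made up here) and flags any source that reaches an unusually large number of distinct hosts over ICMP, SMB (445/tcp) or ARP inside a sliding window. The thresholds are assumptions to tune per environment.

```python
"""Flag ICMP, SMB and ARP sweeps in simple flow records (added example)."""
from collections import defaultdict

# Constructed sample flow records (not from the page).
# Fields: epoch seconds, source IP, destination IP, protocol, destination port ("-" if n/a).
SAMPLE_FLOWS = """\
1700000000 10.10.10.50 10.10.10.1 icmp -
1700000000 10.10.10.50 10.10.10.2 icmp -
1700000001 10.10.10.50 10.10.10.3 icmp -
1700000001 10.10.10.50 10.10.10.4 icmp -
1700000002 10.10.10.50 10.10.10.5 icmp -
1700000002 10.10.10.50 10.10.10.6 icmp -
1700000010 10.10.10.50 10.10.10.1 tcp 445
1700000010 10.10.10.50 10.10.10.2 tcp 445
1700000011 10.10.10.50 10.10.10.3 tcp 445
1700000011 10.10.10.50 10.10.10.4 tcp 445
1700000012 10.10.10.50 10.10.10.5 tcp 445
1700000020 10.10.10.20 10.10.10.1 tcp 443
1700000021 10.10.10.20 10.10.10.1 tcp 443
1700000022 10.10.10.20 10.10.10.7 tcp 445
1700000400 10.10.10.50 10.10.10.9 icmp -
"""

WINDOW_SECONDS = 60          # assumed sliding window length
MIN_DISTINCT_TARGETS = 5     # assumed alert threshold (distinct destinations per window)


def classify(proto, dport):
    """Map one flow to the sweep type it could be part of, or None if not of interest."""
    if proto == "icmp":
        return "icmp_sweep"
    if proto == "tcp" and dport == "445":
        return "smb_sweep"
    if proto == "arp":
        return "arp_scan"
    return None


def parse_flows(text):
    """Parse whitespace-separated flow records into (ts, src, dst, proto, dport) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, proto, dport = line.split()
        flows.append((int(ts), src, dst, proto, dport))
    return flows


def detect_sweeps(flows, window=WINDOW_SECONDS, threshold=MIN_DISTINCT_TARGETS):
    """Return {(src, kind): max distinct destinations in any window} for sources
    whose fan-out reaches the threshold; everything else is dropped."""
    events = defaultdict(list)  # (src, kind) -> [(ts, dst), ...]
    for ts, src, dst, proto, dport in flows:
        kind = classify(proto, dport)
        if kind:
            events[(src, kind)].append((ts, dst))

    alerts = {}
    for key, pairs in events.items():
        pairs.sort()
        best, start = 0, 0
        for end in range(len(pairs)):
            # Slide the window start forward until it spans at most `window` seconds.
            while pairs[end][0] - pairs[start][0] > window:
                start += 1
            distinct = len({dst for _, dst in pairs[start:end + 1]})
            best = max(best, distinct)
        if best >= threshold:
            alerts[key] = best
    return alerts


if __name__ == "__main__":
    for (src, kind), count in sorted(detect_sweeps(parse_flows(SAMPLE_FLOWS)).items()):
        print(f"{src}: {kind} touching {count} hosts within {WINDOW_SECONDS}s")
```

In the sample data 10.10.10.50 fans out to six hosts over ICMP and five over 445/tcp within seconds, while 10.10.10.20 talks to only one or two hosts and is not flagged. The lone ICMP record at a much later timestamp falls outside the window and does not inflate the count, which is the point of the sliding window over a plain per-source total.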

Web Server Discovery

Discovering web servers in your network is extremely important for lateral movement and data exfiltration. While you can always port scan, screenshot-grabbing tools simplify the job and let you triage targets visually.

GoWitness

gowitness scan file -f targets.txt --threads 50 --write-db
gowitness report server # Starts report web server

Aquatone and EyeWitness are older alternatives.

Domain Controller Discovery

If you're situated in a network with an Active Directory domain, you can query a domain-joined DNS server (typically a DC itself) for the SRV records that advertise the domain's LDAP servers. These are the domain controllers.

dig _ldap._tcp.dc._msdcs.company.com SRV
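The answer section returned by that query lists one SRV record per domain controller, each carrying a priority, a weight, a port and a target hostname. As an added example (not from the original page), the parser below reads a constructed `dig` answer section (the hostnames are placeholders) into structured records and orders them the way an LDAP client would, lowest priority first, which is also a convenient way for a defender to check that only expected hosts are being advertised as DCs.

```python
"""Parse dig SRV output for _ldap._tcp.dc._msdcs into a DC list (added example)."""
import re

# Constructed dig answer section (not from the page); hostnames are placeholders.
SAMPLE_DIG_OUTPUT = """\
;; ANSWER SECTION:
_ldap._tcp.dc._msdcs.company.com. 600 IN SRV 0 100 389 dc01.company.com.
_ldap._tcp.dc._msdcs.company.com. 600 IN SRV 0 100 389 dc02.company.com.
_ldap._tcp.dc._msdcs.company.com. 600 IN SRV 10 50 389 dc-backup.company.com.
"""

# name  ttl  IN  SRV  priority  weight  port  target
SRV_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+SRV\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)$")


def parse_srv(text):
    """Return SRV records as dicts, sorted by priority (ascending) then weight (descending)."""
    records = []
    for line in text.splitlines():
        m = SRV_RE.match(line.strip())
        if not m:
            continue  # comments, blank lines and non-SRV records are skipped
        name, ttl, prio, weight, port, target = m.groups()
        records.append({
            "name": name.rstrip("."),
            "ttl": int(ttl),
            "priority": int(prio),
            "weight": int(weight),
            "port": int(port),
            "target": target.rstrip("."),
        })
    # Clients try the lowest priority first; among equal priorities weight biases the choice.
    records.sort(key=lambda r: (r["priority"], -r["weight"]))
    return records


def domain_controllers(text):
    """Just the DC hostnames, in client preference order."""
    return [r["target"] for r in parse_srv(text)]


if __name__ == "__main__":
    for rec in parse_srv(SAMPLE_DIG_OUTPUT):
        print(f"{rec['target']}:{rec['port']} (priority {rec['priority']}, weight {rec['weight']})")
```

The same parser applies to the related records (`_kerberos._tcp.dc._msdcs`, `_gc._tcp`) since they share the SRV layout; only the queried name changes. Comparing the parsed list against your known DC inventory is a cheap check for stale or unexpected entries.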
