Identify (Scope)

(last edited: 08/23/2019)

Contents: Key Documents - Scanning & Vulnerabilities (nmap, Nessus, OpenVAS) - Network Discovery - DHCP - DNS - Hashing - NetBIOS - User Activity - Passwords - MBSA - Active Directory - Linux (Network Discovery, DHCP, DNS, Hashing, NetBIOS, Passwords)

Key Documents

• Organization Chart
• Network Diagrams
• Data Flow Diagrams
• Critical Asset, Data and Services List
• Rules of Engagement (ROE) Boundaries
• Incident Response Plan
• Business Continuity Plan
• Disaster Recovery Plan
• Required Notification Guidance
• Actions to Date
• Physical Access Requirements
• On call/contracted resources
• Communication Plan
• Authority and Legal Conditions
• Threat Intelligence Summary
• Meetings and Deliverable Reporting Requirements
• Physical Security Plan
• Risk Assessment Decision Matrix
• Data and Info Disclosure Procedures
• Consent to Monitor, Collect and Assess Data
• MOA/MOU/NDA Documents and Requirements



Scanning & Vulnerabilities

nmap

Ping sweep for network:

# nmap -sn -PE <IP ADDRESS OR RANGE> 

Scan and show open ports:

# nmap --open <IP ADDRESS OR RANGE>

Determine open services:

# nmap -sV <IP ADDRESS> 

Scan two common TCP ports, HTTP and HTTPS:

# nmap -p 80,443 <IP ADDRESS OR RANGE> 

Scan common UDP port, DNS:

# nmap -sU -p 53 <IP ADDRESS OR RANGE>

Scan UDP and TCP ports together on a single host, verbose, skipping the host-discovery ping (-Pn):

# nmap -v -Pn -sU -sT -p U:53,111,137,T:21-25,80,139,8080 <IP ADDRESS> 

Nessus

Basic Nessus scan:

# nessus -q -x -T html <NESSUS SERVER IP ADDRESS> <NESSUS SERVER PORT 1241> <ADMIN ACCOUNT> <ADMIN PASSWORD> <FILE WITH TARGETS>.txt <RESULTS FILE NAME>.html
# nessus [-vnh] [-c .rcfile] [-V] [-T <format>] 

Batch-mode scan:

# nessus -q [-pPS] <HOST> <PORT> <USER NAME> <PASSWORD> <targets-file> <result-file> 

Report conversion:

# nessus -i in.[nsr|nbe] -o out.[xml|nsr|nbe|html|txt]

OpenVAS

Step 1: Install the server, client and plugin packages:
# apt-get install openvas-server openvas-client openvas-plugins-base openvas-plugins-dfsg

Step 2: Update the vulnerability database:
# openvas-nvt-sync

Step 3: Add a user to run the client:
# openvas-adduser

Step 4: Login:
sysadm 

Step 5: Authentication (pass/cert) [pass]: [HIT ENTER] 

Step 6: Login password: <PASSWORD>
You will then be asked to add "User rules". 

Step 7: Allow this user to scan authorized network by typing:
accept <YOUR IP ADDRESS OR RANGE> 
default deny

Step 8: type ctrl-D to exit, and then accept. 

Step 9: Start the server:
# service openvas-server start 

Step 10: Set targets to scan:
Create a text file with a list of hosts/networks to scan.
# vi scanme.txt

Step 11: Add one host, network per line:
<IP ADDRESS OR RANGE>

Step 12: Run the scan (text report):
# openvas-client -q 127.0.0.1 9390 sysadm nsrc+ws scanme.txt openvas-output.txt -T txt -V -x

Step 13: (Optional) run the scan with HTML report format:
# openvas-client -q 127.0.0.1 9390 sysadm nsrc+ws scanme.txt openvas-output.html -T html -V -x

Network Discovery

Basic network discovery:

C:\> net view /all 
C:\> net view \\<HOST NAME> 

Basic ping scan and write output to file:

C:\> for /L %I in (1,1,254) do ping -w 30 -n 1 192.168.1.%I | find "Reply" >> <OUTPUT FILE NAME>.txt

DHCP

Enable DHCP server logging:

C:\> reg add HKLM\System\CurrentControlSet\Services\DhcpServer\Parameters /v ActivityLogFlag /t REG_DWORD /d 1

Default log location, Windows 2003/2008/2012:

C:\> %SystemRoot%\System32\Dhcp

DNS

Default location Windows 2003:

C:\> %SystemRoot%\System32\dns

Default location Windows 2008:

C:\> %SystemRoot%\System32\Winevt\Logs\DNS Servers.evtx

Default location of enhanced DNS Windows 2012 R2:

c:\> %SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-DNSServer%4Analytical.etl 

Ref. https://technet.microsoft.com/en-us/library/cc940779.aspx

Enable DNS Logging:

C:\> DNSCmd <DNS SERVER NAME> /config /logLevel 0x8100F331

Set log location:

C:\> DNSCmd <DNS SERVER NAME> /config /LogFilePath <PATH TO LOG FILE> 

Set maximum size of the log file:

C:\> DNSCmd <DNS SERVER NAME> /config /LogFileMaxSize 0xffffffff

Hashing

File Checksum Integrity Verifier (FCIV):

Ref. http://support2.microsoft.com/kb/841290

Hash a file:

C:\> fciv.exe <FILE TO HASH>

Hash all files on C:\ into a database file (MD5 and SHA-1 both stored, so the SHA-1 list and verify steps below have values to compare):

C:\> fciv.exe C:\ -r -both -xml <FILE NAME>.xml

List all hashed files:

C:\> fciv.exe -list -sha1 -xml <FILE NAME>.xml

Verify the hashes stored in the database against the file system:

C:\> fciv.exe -v -sha1 -xml <FILE NAME>.xml

Note: It may be possible to create a master database and compare it against all systems from the command line, giving a fast baseline and difference check. Ref. https://technet.microsoft.com/en-us/library/dn520872.aspx

PS C:\> Get-FileHash <FILE TO HASH> | Format-List

PS C:\> Get-FileHash -Algorithm MD5 <FILE TO HASH>
C:\> certutil -hashfile <FILE TO HASH> SHA1
C:\> certutil -hashfile <FILE TO HASH> MD5

NetBIOS

Basic nbtstat scan:

C:\> nbtstat -A <IP ADDRESS> 

Cached NetBIOS info on localhost:

C:\> nbtstat -c

Script loop scan:

C:\> for /L %I in (1,1,254) do nbtstat -A 192.168.1.%I

User Activity

Ref. https://technet.microsoft.com/en-us/sysinternals/psloggedon.aspx

Get users logged on :

C:\> psloggedon \\computername 

Script loop scan:

C:\> for /L %i in (1,1,254) do psloggedon \\192.168.1.%i >> c:\users_output.txt

Passwords

Password guessing or checks:

C:\> for /f %i in (<PASSWORD FILE NAME>.txt) do @echo %i & net use \\<TARGET IP ADDRESS> %i /u:<USER NAME> 2>nul && pause

C:\> for /f %i in (<USER NAME FILE>.txt) do @(for /f %j in (<PASSWORD FILE NAME>.txt) do @echo %i:%j & @net use \\<TARGET IP ADDRESS> %j /u:%i 2>nul && echo %i:%j >> success.txt && net use \\<TARGET IP ADDRESS> /del)

Microsoft Baseline Security Analyzer

Basic scan of a target IP address:

C:\> mbsacli.exe /target <TARGET IP ADDRESS> /n os+iis+sql+password

Basic scan of a target IP range:

C:\> mbsacli.exe /r <IP ADDRESS RANGE> /n os+iis+sql+password

Basic scan of a target domain:

C:\> mbsacli.exe /d <TARGET DOMAIN> /n os+iis+sql+password

Basic scan of a target computer names in text file:

C:\> mbsacli.exe /listfile <LISTNAME OF COMPUTER NAMES>.txt /n os+iis+sql+password 

Active Directory Inventory

List all OUs:

C:\> dsquery ou DC=<DOMAIN>,DC=<DOMAIN EXTENSION>

List of workstations in the domain:

C:\> netdom query WORKSTATION

List of servers in the domain:

C:\> netdom query SERVER

List of domain controllers:

C:\> netdom query DC

List of organizational units under which the specified user can create a machine object:

C:\> netdom query OU

List of primary domain controller:

C:\> netdom query PDC

List of domain trusts:

C:\> netdom query TRUST

Query the domain for the current list of FSMO role owners:

C:\> netdom query FSMO

List all computers in Active Directory:

C:\> dsquery computer "OU=server,DC=<DOMAIN NAME>,DC=<DOMAIN EXTENSION>" -o rdn -limit 0 > C:\machines.txt

List user accounts inactive longer than 3 weeks:

C:\> dsquery user domainroot -inactive 3

Find anything (or only users) created on or after a date in UTC, using the timestamp format YYYYMMDDHHMMSS.sZ:

C:\> dsquery * -filter "(whenCreated>=20101022083730.0Z)"
C:\> dsquery * -filter "(&(whenCreated>=20101022083730.0Z)(objectClass=user))"

Alt option:

C:\> ldifde -d ou=<OU NAME>,dc=<DOMAIN NAME>,dc=<DOMAIN EXTENSION> -l whencreated,whenchanged -p onelevel -r "(objectCategory=user)" -f <OUTPUT FILENAME>

Last logon timestamp format: YYYYMMDDHHMMSS

Alt option:

C:\> dsquery * dc=<DOMAIN NAME>,dc=<DOMAIN EXTENSION> -filter "(&(objectCategory=Person)(objectClass=User)(whenCreated>=20190829000000.0Z))"

Alt option:

C:\> adfind -csv -b dc=<DOMAIN NAME>,dc=<DOMAIN EXTENSION> -f "(&(objectCategory=Person)(objectClass=User)(whenCreated>=20190829000000.0Z))"

Using PowerShell, dump AD accounts created in the last 90 days (Get-QADUser is the Quest ActiveRoles cmdlet; Get-ADUser is the built-in ActiveDirectory module):

PS C:\> Import-Module ActiveDirectory
PS C:\> Get-QADUser -CreatedAfter (Get-Date).AddDays(-90)
PS C:\> Get-ADUser -Filter * -Properties whenCreated | Where-Object {$_.whenCreated -ge ((Get-Date).AddDays(-90)).Date}


Linux

Network Discovery

Net view scan:

# smbtree -b
# smbtree -D
# smbtree -S

View open SMB shares:

# smbclient -L <HOST NAME>
# smbstatus

Basic ping scan:

# for ip in $(seq 1 254); do ping -c 1 192.168.1.$ip >/dev/null; [ $? -eq 0 ] && echo "192.168.1.$ip UP" || : ; done

DHCP

View DHCP lease logs:

Red Hat 3:

# cat /var/lib/dhcpd.leases

Ubuntu:

# grep -Ei 'dhcp' /var/log/syslog.1

Ubuntu DHCP logs:

# tail -f dhcpd.log
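Added example (not from the original page): a shell function that summarises the ISC dhcpd.leases file shown above, one line per IP with MAC, client hostname and binding state. The file is append-only, so a later lease declaration for the same IP supersedes an earlier one; the function keeps only the last record per address. The function name is my own and the lease text in the usage is constructed.

```shell
# Summarise /var/lib/dhcpd.leases (ISC dhcpd format): "<ip> <mac> <hostname> <state>"
# per address, keeping only the LAST declaration seen for each IP because dhcpd
# appends new records and the newest one is authoritative.
lease_summary() {   # lease_summary <leases-file>
    awk '
      /^lease /                          { ip=$2; mac="-"; host="-"; state="-" }
      /^[[:space:]]*binding state /      { state=$3; sub(/;$/, "", state) }   # not "next binding state"
      /^[[:space:]]*hardware ethernet /  { mac=$3;   sub(/;$/, "", mac) }
      /^[[:space:]]*client-hostname /    { host=$2;  gsub(/[";]/, "", host) }
      /^}/ && ip != ""                   { rec[ip]=ip " " mac " " host " " state; ip="" }
      END { for (k in rec) print rec[k] }
    ' "$1" | sort
}

# Usage on a live server: lease_summary /var/lib/dhcpd.leases
```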

DNS

Start DNS Logging:

# rndc querylog

View DNS Logs:

# tail -f /var/log/messages | grep named

Hashing

Hash all executable files under a path into a list:

# find /<PATHNAME TO ENUMERATE> -type f -perm /111 -exec md5sum {} \; >> md5sums.txt
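Added example, not from the original page, serving both the Windows FCIV note (master hash database, fast baseline and difference) and the md5sum list above: two shell functions that build a hash baseline of a directory tree and later report files whose content changed, files that disappeared, and files that are new. Assumes GNU coreutils (md5sum -c --quiet, sort, comm, cut); the function names are my own.

```shell
# Hash baseline and difference check for a directory tree (GNU coreutils assumed).

make_baseline() {   # make_baseline <dir> <baseline-file>
    # one "<md5>  <path>" line per regular file, sorted by path
    find "$1" -type f -exec md5sum {} \; | sort -k2 > "$2"
}

# Print one line per change: "MODIFIED <path>", "MISSING <path>" or "NEW <path>".
# Run from the same working directory the baseline was taken in if <dir> is relative.
diff_baseline() {   # diff_baseline <dir> <baseline-file>
    dir=$1; base=$2
    # md5sum -c re-hashes every listed file; --quiet hides the OK lines, leaving
    # "<path>: FAILED" (content changed) and "<path>: FAILED open or read" (gone)
    md5sum -c --quiet "$base" 2>/dev/null | awk -F': ' '
        /: FAILED open or read$/ { print "MISSING " $1; next }
        /: FAILED$/              { print "MODIFIED " $1 }'
    # files present on disk now but absent from the baseline are new
    find "$dir" -type f | sort > "$base.now"
    cut -c35- "$base" | sort > "$base.known"   # md5 is 32 hex chars + 2 spaces
    comm -13 "$base.known" "$base.now" | sed 's/^/NEW /'
    rm -f "$base.now" "$base.known"
}

# Usage: make_baseline /usr/local/bin baseline.md5 ; later: diff_baseline /usr/local/bin baseline.md5
```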

NetBIOS

Basic NetBIOS name scan with nbtscan:

# nbtscan <IP ADDRESS OR RANGE>

Passwords

Password and username guessing or checks (note the spaces in "done < <FILE>": "<<" would start a heredoc instead of reading the file):

# while read line; do username=$line; while read line; do smbclient -L <TARGET IP> -U "$username%$line" -g -d 0; echo "$username:$line"; done < <PASSWORDS FILE>.txt; done < <USER NAMES FILE>.txt