Post-Exploitation Basics Conducting Internal Network Enumeration

Once you have successfully compromised a machine, your next step is to understand its value and map the surrounding internal network. This phase, known as post-exploitation enumeration, helps you identify sensitive data, uncover communication channels, and find relationships with other network devices that can be used to gain further access.

Strict Adherence to Rules of Engagement (RoE)
Never modify critical services, implement persistence, or exfiltrate real sensitive data without explicit, written consent from the client. All actions must be documented, and all data gathered must be encrypted and eventually destroyed.

Protecting the Client and Yourself

Always ensure you have a signed contract and a clear understanding of the client's Acceptable Use Policy. Use full drive encryption on your own testing machines and never use third-party tools for password cracking without prior consent.

Infrastructure Analysis

The network configuration of a compromised machine is a goldmine. It reveals additional subnets, routers, critical servers, and trust relationships.

flowchart TD
    A["Compromised Host"] --> B("Network Interfaces")
    A --> C("Routing & ARP")
    A --> D("DNS & Proxies")
    B --> E["Discover Subnets"]
    C --> F["Identify Neighbors"]
    D --> G["Find High-Value Targets"]
    E --> H{"Plan Next Attack"}
    F --> H
    G --> H

Key Network Artifacts to Enumerate

ArtifactWhat to look forWhy it matters
InterfacesIP addresses, subnet masks, gatewaysPrioritizes which networks and services to target next.
Routing TablesStatic and dynamic routesHelps you escape segmented networks and find new hosts.
ARP EntriesCached and static ARP table entriesReveals other hosts that actively interact with the compromised machine.
DNS CacheHigh-value entries (Intranets, management panels)Highlights the most frequently used internal services.
VPN ConnectionsInbound and outbound tunnelsVPNs often bypass internal firewalls, providing ideal attack paths.

Pillaging for Sensitive Data

Pillaging is the process of extracting valuable information from the compromised host. This data can satisfy your assessment goals or provide credentials for pivoting.

Look closely at startup items and installed applications. This information often reveals the presence of countermeasures like Host-based Intrusion Detection Systems (HIDS), Application Whitelisting, or File Integrity Monitoring (FIM).

Investigating Installed Services

A host's running services often serve the wider network. Understanding these services helps you profile the machine and find new attack vectors.

Security & Deployment Services

Security Services: Identify Anti-Virus, firewalls, and IDS/IPS. This tells you what alerts you might have triggered and what to expect on other network machines.
Deployment Services: Look for unattended answer files, deployment repositories, and update servers. These often contain hardcoded credentials or allow for backdoor installations.

File, Print, and Database Servers

File/Print Shares: Examine share names, Access Control Lists (ACLs), and content. Look for source code, backups, and confidential data (like financial spreadsheets).
Databases: Enumerate database names, tables, and columns. You can often search across all columns for specific strings (e.g., %CCN% for credit card numbers) to locate regulated data.

Directory & Virtualization Services

Directory Services: Extract user lists, passwords, and machine objects. Compromising a directory service often grants control over all dependent hosts.
Virtualization: Enumerate virtual machines, administration certificates, and host configurations. You may be able to intercept traffic from virtual hosts or access their underlying data.

Harvesting User Information

Users frequently leave behind traces of sensitive data. Check these common locations:

  • System Files: Command history files (which often contain typed passwords), SSH/PGP encryption keys, and clear-text documents (e.g., password.txt or .xlsx files).

  • Web Browsers: Browser history, bookmarks, saved credentials, and configured proxies.

  • IM Clients: Chat logs and account configurations.

Great care must be taken when capturing user data (including keystrokes or screen captures). Ensure you filter out personal, non-company data to protect user privacy and comply with local laws.

Pivoting: Further Penetration

Pivoting uses your presence on the compromised system to enumerate and attack other systems in the client's infrastructure.

  1. 1

    Enumerate from the host

    Use the compromised machine's local tools to perform ARP scans, ping sweeps, and internal DNS enumeration without uploading noisy external tools.

  2. 2

    Establish a proxy or tunnel

    Set up port forwarding, an SSH proxy, or a VPN connection through the compromised system to route your attacking traffic into the internal network.

  3. 3

    Execute remote attacks

    Abuse harvested credentials (via WinRM, WMI, SMB, or SSH) or execute remote exploits against newly discovered internal targets.

Persistence and Data Exfiltration

If your Rules of Engagement permit it, you may need to demonstrate the ability to maintain access or exfiltrate data.

  • Persistence: Install backdoors that require authentication (e.g., SSH, RDP with complex passwords or cryptographic keys). Ensure the backdoor survives system reboots. Never leave an unauthenticated listener open.

  • Exfiltration: Map all possible outbound paths. Test these paths by safely exfiltrating dummy data to a server you control to measure the strength of the client's Data Loss Prevention (DLP) controls.

Cleanup

Once the penetration test is complete, you must return the environment to its original state.

  1. Remove all tools: Securely delete all executables, scripts, and temporary files you uploaded.

  2. Revert configurations: Restore any system settings, firewall rules, or application parameters you modified.

  3. Remove access: Delete any backdoors, rootkits, or alternate user accounts created during the engagement.

[!IMPORTANT]
A detailed list of all actions taken, files modified, and accounts created must be kept throughout the engagement and provided to the client to ensure complete and accurate cleanup.