Once you have gained access to a host, the next crucial phase is profiling the compromised system. This involves gathering detailed information about the host's network configuration, installed services, and user data to identify further targets, escalate privileges, and demonstrate business risk.
Analyzing the Infrastructure
Understanding where the compromised machine sits on the network and what it communicates with is essential for discovering new targets.
Network Configuration
Reviewing the host's network settings can reveal additional subnets, critical servers, and trust relationships.
Interfaces and Routing
Identify all network interfaces, IP addresses, subnet masks, and gateways. Check routing tables (static and dynamic) and ARP tables to discover other hosts interacting with the machine. For multi-homed hosts, check if they are acting as a router to escape segmented networks.
DNS and Proxies
Review configured DNS servers and cached DNS entries. High-value cached entries often reveal intranet sites, management interfaces, or frequently used external sites. Additionally, identify any network or application-level proxy servers, which are excellent targets for monitoring or modifying traffic flow.
Neighbors and Directory Services
Look for neighbor discovery protocols like CDP, LLDP, mDNS, or NetBios to find details about hosts on the same subnet. If the host interacts with Directory Services (like Active Directory), use it to enumerate user accounts, hosts, and services.
Network Services and VPNs
Identify all listening network services on the target machine. This often reveals services missed during initial external scanning and can highlight non-standard ports or keyless authentication trusts (like SSH).
Pay special attention to VPN connections (both inbound and outbound). VPNs frequently bypass internal firewalls and intrusion detection systems, making them ideal paths for discovering new systems and launching further assessments.
Pillaging and Service Enumeration
"Pillaging" refers to extracting valuable configuration data, credentials, and business information from the host to satisfy your assessment goals or facilitate further network access.
Different services yield different types of valuable data. Here is a quick reference for what to look for based on the services running on the host:
| Service Type | Key Information to Target | Potential Impact |
|---|---|---|
| File/Printer Shares | Source code, backups, confidential data (financials, passwords), ACL permissions. | Data compromise; placing authorized payloads for lateral movement. |
| Databases | Table names, column metadata, row counts for regulated data, user roles. | Accessing PII, financial records, or application backend data. |
| Virtualization | VM names, configurations, admin passwords, digital certificates. | Controlling VM states (DoS risk) or intercepting virtual traffic. |
| Deployment & CI/CD | Unattended answer files, source code repositories, developer credentials. | Discovering hardcoded passwords, modifying code, or installing backdoors. |
| Backup Systems | Backup data archives, backup service credentials, scheduled task configs. | Accessing historical sensitive data or introducing misconfigurations. |
Always check Startup Items and Security Services (Firewalls, HIDS/HIPS, Anti-virus). Knowing what security software is running helps you understand what alerts may have been triggered and allows you to tailor your lateral movement to avoid detection.
Gathering User and Sensitive Data
Users often leave traces of sensitive information directly on the system. Focus your search on:
History files: Command line history (e.g.,
.bash_history) often contains cleartext passwords, system configurations, and data locations.Cleartext documents: Search for
.doc,.xls, or.txtfiles with names likepasswordorcredentials.Web Browsers: Review browser history, bookmarks, saved credentials, and proxy settings.
IM Clients: Check account configurations and chat logs for shared credentials or internal system names.
System Configuration: Enumerate password policies (e.g., minimum length) to optimize brute-force attacks, and extract configured wireless networks and keys.
Strictly Adhere to Scope and Local Laws
Techniques like key-logging, screen capture, and network traffic capture can easily expose Personal Identifiable Information (PII) or violate local wiretap laws. Only capture traffic and data explicitly covered in your engagement scope, and immediately filter out personal employee data.
Expanding Access (Pivoting & Persistence)
Once you have profiled the system, you can use it as a staging ground to move deeper into the network (pivoting) and ensure you don't lose your access (persistence).
Pivoting
Pivoting allows you to route your attacks through the compromised system to access isolated internal networks.
flowchart TD
A["Attacker Machine"] -->|SSH / VPN| B["Compromised Host"]
B -->|Port Forwarding| C["Internal Database"]
B -->|Proxy| D["Internal Web App"]
B -->|Ping Sweep| E["Isolated Subnet"]You can execute actions from the system (uploading tools, running ARP scans, brute-forcing) or through the system (port forwarding, proxying, VPN tunneling).
Data Exfiltration Testing
To measure the strength of the organization's egress controls:
Map paths: Identify all possible routes to the outside world (primary and secondary subnets).
Test exfiltration: Simulate real-world threat actor behaviors (e.g., archiving data into encrypted
.7zfiles and sending via HTTP/FTP) to a server you control.Measure response: Determine if the blue team detected the exfiltration and how effectively they mitigated it.
Post-Engagement Cleanup
Leaving artifacts behind can cause system instability or leave the client vulnerable to real threat actors. Always perform a thorough cleanup once the assessment is complete.
- 1
Remove all tools and payloads
Delete all executables, scripts, and temporary files uploaded to the compromised system. Use secure deletion methods where possible.
- 2
Revert configuration changes
Return all system settings, registry keys, and application configuration parameters to their original values.
- 3
Eliminate persistence mechanisms
Remove all backdoors, rootkits, or scheduled tasks installed during the engagement.
- 4
Delete assessment accounts
Remove any user accounts created for connecting back to the compromised systems.
Detailed documentation of every change made during the profiling and pivoting phases is critical. You cannot reliably clean up a system if you haven't tracked what you altered.
